Open GoogleCodeExporter opened 8 years ago
Hi,
I am kind of interested in adding support for this. As you say, it looks like a
lot of people are writing their own solutions to work around there not being
built-in support.
If someone could provide some logs (with appropriate redactions) that include a
variety of different kind of entries it would need to handle that would be a
big help.
Cheers
Andrew
Original comment by acaudw...@gmail.com
on 31 Oct 2014 at 1:29
Hi Andrew,
Happy to hear you would be interested in doing this.
The way I've solved this is basically by using a few data sets from the
firewall log
- time stamp
- log prefix (accept/drop)
- source ip
- destination ip
- destination port
to create a new log that's formatted somewhat similar to that of an access log.
The new log is given to logstalgia with a few '-g' switches that will
create two sections, one ALLOWED and one BLOCKED, to show what traffic was
allowed/dropped.
I'll be more than happy to provide you with
- original logs (redacted)
- the script (python) I use to parse the original logs and explanation of how
the script generates the new logs
- the logs generated by the script (redacted)
- the regex used with logstalgia to process the logs
If this is of interest to you, I'll try getting it to you over the weekend.
//Are
Original comment by are@bifrozt.com
on 31 Oct 2014 at 7:45
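An added example of the conversion Are describes above (not the script from the thread): it pulls the five fields (timestamp, accept/drop prefix, source IP, destination IP, destination port) out of constructed iptables-style LOG lines and writes logstalgia's pipe-delimited custom format, with the verdict encoded in the path so that `-g ALLOWED,/ALLOWED/` and `-g BLOCKED,/BLOCKED/` split the display into two sections. The `[ACCEPT]`/`[DROP]` log prefixes, the sample addresses and the output layout are assumptions here, not values from the original logs.

```python
import re
import calendar
from datetime import datetime

# Constructed sample firewall log lines (iptables LOG target style); not from the issue.
SAMPLE_LOG = """\
Oct 31 07:45:01 fw kernel: [ACCEPT] IN=eth0 OUT= SRC=192.0.2.10 DST=198.51.100.5 PROTO=TCP SPT=51000 DPT=443
Oct 31 07:45:02 fw kernel: [DROP] IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.5 PROTO=TCP SPT=40000 DPT=22
Oct 31 07:45:03 fw kernel: [DROP] IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.5 PROTO=UDP SPT=4000 DPT=161
Oct 31 07:45:04 fw kernel: unrelated kernel message
"""

# Assumed prefixes: the firewall rules log with --log-prefix "[ACCEPT] " or "[DROP] ".
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ kernel: \[(?P<prefix>ACCEPT|DROP)\] "
    r".*?SRC=(?P<src>\S+) DST=(?P<dst>\S+) .*?DPT=(?P<dport>\d+)"
)

def parse_line(line, year=2014):
    """Return (epoch, prefix, src, dst, dport), or None if the line is not a firewall entry."""
    m = LINE_RE.search(line)
    if not m:
        return None
    # syslog timestamps carry no year, so one is assumed; treated as UTC for determinism.
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return calendar.timegm(ts.timetuple()), m["prefix"], m["src"], m["dst"], int(m["dport"])

def to_logstalgia(rec):
    """Emit logstalgia's custom format: timestamp|hostname|path|response_code|response_size.
    The source IP plays the client; /ALLOWED|BLOCKED/dst/dport is the 'path' the -g regexes
    group on; the response code gives logstalgia a success/failure colour."""
    epoch, prefix, src, dst, dport = rec
    verdict = "ALLOWED" if prefix == "ACCEPT" else "BLOCKED"
    code = "200" if verdict == "ALLOWED" else "403"
    return f"{epoch}|{src}|/{verdict}/{dst}/{dport}|{code}|0"

def convert(text, year=2014):
    """Convert a block of firewall log text; lines without the expected fields are skipped."""
    records = (parse_line(line, year) for line in text.splitlines())
    return [to_logstalgia(r) for r in records if r]

if __name__ == "__main__":
    # Pipe the output into: logstalgia -g ALLOWED,/ALLOWED/ -g BLOCKED,/BLOCKED/ -
    print("\n".join(convert(SAMPLE_LOG)))
```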
Hi Are,
That sounds great. I might not look into this immediately so whenever you have
time.
Original comment by acaudw...@gmail.com
on 31 Oct 2014 at 8:47
Hi Andrew,
Awesome! I'll try getting it to you by tomorrow evening or early Sunday.
Original comment by are@bifrozt.com
on 31 Oct 2014 at 9:50
Original issue reported on code.google.com by
are@bifrozt.com
on 30 Oct 2014 at 11:16