What are people out there using to make sense of their iptables logs?
Variants of grep are not acceptable answers :)
I'm looking for fancy sql/php solutions. All I can seem to find is FirewallEye, which I can't seem to filter my /var/log/messages properly with, or another package 'iptables log analyser' which seems to be a fairly stagnant project (again I'm having difficulty getting this to work due to mysql backward compatibility issues).
November 29th, 2004, 11:46 PM
I think the reason there aren't many projects is due to the fact that other systems do equally well but do it better. Snort can do pretty well everything a firewall's logger could do, and it does it faster and integrates well with different databases, and there's a few different front-end/log viewers for it. The following URL has more info for the curious: http://www.snort.org/dl/contrib/data_analysis/
At any rate, if you write your own netfilter rules you really shouldn't be cringing at grep. I'd encourage you to pick up some Perl and use it to extract the info you need into exactly the format you need. Sysadmin scripting is really Perl's forte IMO.
If you absolutely MUST use one of these fancy GUIs, I've only tried one -- FwLogView, and it was only to toy with, but it seemed to do the trick.
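As an added example (not code from anyone in this thread, and not one of the tools named in it), here is a short Python script in the spirit of the "pick up some Perl and extract what you need" suggestion above. It pulls the kernel LOG target's lines out of a /var/log/messages-style file, turns each into a key/value record, and summarises blocked sources, targeted services, and sources that touched several distinct ports (a crude sweep indicator). The embedded sample log, its "IPT-DROP: " prefix, hostname and addresses are all constructed for the example.

```python
import re
import sys
from collections import Counter, defaultdict

# Constructed sample in /var/log/messages form. The kernel LOG target writes
# "kernel: <log-prefix>IN=... OUT=... SRC=... DST=... PROTO=... SPT=... DPT=...";
# the prefix, host name and addresses below are made up for this example.
SAMPLE_LOG = """\
Nov 29 23:40:01 gw kernel: IPT-DROP: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=198.51.100.23 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=51 ID=12345 DF PROTO=TCP SPT=40211 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
Nov 29 23:40:03 gw kernel: IPT-DROP: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=198.51.100.23 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=51 ID=12346 DF PROTO=TCP SPT=40212 DPT=23 WINDOW=5840 RES=0x00 SYN URGP=0
Nov 29 23:40:05 gw kernel: IPT-DROP: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.7 DST=192.0.2.10 LEN=84 TOS=0x00 PREC=0x00 TTL=57 ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=4321 SEQ=1
Nov 29 23:40:07 gw kernel: IPT-DROP: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=198.51.100.23 DST=192.0.2.10 LEN=40 TOS=0x00 PREC=0x00 TTL=51 ID=12347 PROTO=UDP SPT=5353 DPT=53 LEN=20
Nov 29 23:40:09 gw sshd[1234]: Accepted publickey for admin from 192.0.2.50 port 51000 ssh2
"""

# syslog timestamp, host, "kernel:", optional --log-prefix text, then the IN= field
KERNEL_RE = re.compile(
    r'^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) kernel: (?P<prefix>.*?)IN=')
KV_RE = re.compile(r'(\w+)=(\S*)')


def parse_line(line):
    """Return a dict of fields for a netfilter LOG line, or None for any other line."""
    m = KERNEL_RE.match(line)
    if not m:
        return None
    rec = {'ts': m.group('ts'), 'host': m.group('host'),
           'prefix': m.group('prefix').strip()}
    # KEY=value tokens from IN= onward; bare flags such as DF or SYN have no '='
    # and are skipped. setdefault keeps the first ID= (the IP header's) when an
    # ICMP line repeats the key for the echo identifier, and the first LEN= for UDP.
    for key, val in KV_RE.findall(line[m.end() - len('IN='):]):
        rec.setdefault(key, val)
    return rec


def parse_log(text):
    """All netfilter LOG records in a block of syslog text, in file order."""
    return [r for r in (parse_line(l) for l in text.splitlines()) if r]


def summarize(records):
    """Counts per source, per (proto, destination port), and the port set each source hit."""
    by_source = Counter(r['SRC'] for r in records if 'SRC' in r)
    by_service = Counter((r['PROTO'], r['DPT']) for r in records if 'DPT' in r)
    ports_per_source = defaultdict(set)
    for r in records:
        if 'DPT' in r:
            ports_per_source[r['SRC']].add((r['PROTO'], r['DPT']))
    return {'by_source': by_source, 'by_service': by_service,
            'ports_per_source': dict(ports_per_source)}


def sweep_candidates(summary, min_ports=3):
    """Sources that hit at least min_ports distinct (proto, port) pairs: worth a closer look."""
    return sorted(src for src, ports in summary['ports_per_source'].items()
                  if len(ports) >= min_ports)


def report(summary, top=10):
    """Plain-text summary; the kind of view the GUI tools in this thread would give."""
    lines = ['Top blocked sources:']
    for src, n in summary['by_source'].most_common(top):
        lines.append('  %-16s %5d' % (src, n))
    lines.append('Top targeted services:')
    for (proto, port), n in summary['by_service'].most_common(top):
        lines.append('  %s/%-5s %5d' % (proto, port, n))
    sweeps = sweep_candidates(summary)
    if sweeps:
        lines.append('Sources touching 3+ distinct ports: ' + ', '.join(sweeps))
    return '\n'.join(lines)


if __name__ == '__main__':
    # Usage: python iptlog.py /var/log/messages   (falls back to the embedded sample)
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LOG
    print(report(summarize(parse_log(text))))
```

The records are plain dicts keyed by the field names iptables itself emits (SRC, DST, PROTO, DPT, ...), so feeding them into an SQL table for the "fancy sql/php" front end the original poster wants is a matter of one INSERT per record; the parsing, which is where FirewallEye was failing on this poster's messages file, is the part shown here.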
November 30th, 2004, 12:31 AM
I'm familiar with acid/base and another one or two front ends that escape my memory. But I'm eager to have the iptables logs to study as I need to keep my snort rules quite tight and narrow in this instance for a couple of reasons.
I've never bothered learning perl to be honest, but it sounds like it could be the right time.
And don't get me wrong, I'm not trying to say grep is invaluable at all, I know very well it isn't. But it's interesting to note that if you search the securityfocus.com tool archives looking for iptables utilities you'll find 3 pages of tools that will quite happily make rule-sets for you, but not much in the way of log analysis. It's a luxury provided to (all?) commercial firewalls afaik, so why not iptables users? Myself I'm all about working smarter and not harder, so if I can point and click some info I'm quite happy to do that as opposed to pipe commands for a laugh :)