iptables log analysis
David A. Bandel
Mon May 17 11:37:58 PDT 2004
On Fri, 20 Sep 2002 20:04:49 +0800
begin "m.w.chang" <mwchang at netvigator.com> spewed forth:
> I just need an example to get started. My Perl is really weak despite my
> agility in FoxPro and C.
>
> Sep 20 19:51:44 server kernel: iptables IN=ppp0 OUT= MAC=
> SRC=64.4.13.202 DST=218.102.112.235 LEN=40 TOS=0x00 PREC=0x00 TTL=119
> ID=17967 PROTO=TCP SPT=1863 DPT=3018 WINDOW=16821 RES=0x00 ACK FIN RGP=0
>
> That's one sample entry. I will process the lines with "DPT=" and then
> plot number of hits vs port number. That's more useful and interesting
> than browsing the whole log file.
>
>
> >> # chkhit /var/log/messages
> >> port,hits
> >> 25,10
> >> 139,1
> >> 6112,20
> >> #
> > I have a few that probably just need modification for your purposes.
Personally, I'd use cut, sort, wc, grep, and a few others to get it where
I wanted it. I'd also do it by date -- i.e., yesterday's date. You could
set it up as a cron job and mail it to yourself every morning. The above
is fairly easy with standard UNIX tools. Perl will also do the job for
you; in fact, there are a few Perl modules that may even help:
SyslogScan::ParseDate, SyslogScan::SyslogEntry, SyslogScan::Summary,
SyslogScan::UnsupportedEntry, and more.
Ciao,
David A. Bandel
--
Focus on the dream, not the competition.
-- Nemesis Racing Team motto
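A shell version of the cut/sort/grep approach suggested above, added here as an example that is not part of the original thread. The chkhit name follows the session quoted earlier; the sample log entries are constructed (modelled on the one line in the post), and the yesterday helper assumes GNU date.

```shell
#!/bin/sh
# Tally iptables log hits per destination port (DPT=), optionally for one
# syslog day, printing "port,hits" like the quoted chkhit session.

# Constructed sample entries: the first mirrors the line quoted in the
# thread, the 10.0.0.x sources and the sshd line are made up for the demo.
SAMPLE_LOG='Sep 20 19:51:44 server kernel: iptables IN=ppp0 OUT= MAC= SRC=64.4.13.202 DST=218.102.112.235 LEN=40 TOS=0x00 PREC=0x00 TTL=119 ID=17967 PROTO=TCP SPT=1863 DPT=3018 WINDOW=16821 RES=0x00 ACK FIN URGP=0
Sep 20 19:52:01 server kernel: iptables IN=ppp0 OUT= MAC= SRC=10.0.0.5 DST=218.102.112.235 LEN=48 TOS=0x00 PREC=0x00 TTL=64 ID=1 PROTO=TCP SPT=4000 DPT=25 WINDOW=5840 RES=0x00 SYN URGP=0
Sep 20 19:53:10 server kernel: iptables IN=ppp0 OUT= MAC= SRC=10.0.0.6 DST=218.102.112.235 LEN=48 TOS=0x00 PREC=0x00 TTL=64 ID=2 PROTO=TCP SPT=4001 DPT=25 WINDOW=5840 RES=0x00 SYN URGP=0
Sep 21 08:00:00 server kernel: iptables IN=ppp0 OUT= MAC= SRC=10.0.0.7 DST=218.102.112.235 LEN=48 TOS=0x00 PREC=0x00 TTL=64 ID=3 PROTO=TCP SPT=4002 DPT=139 WINDOW=5840 RES=0x00 SYN URGP=0
Sep 21 08:00:01 server sshd[123]: Accepted password for user from 10.0.0.8 port 25 ssh2'

# chkhit FILE [DAY]
#   FILE: syslog file, or '-' for stdin
#   DAY:  optional syslog date prefix such as "Sep 20"; syslog pads
#         single-digit days with a space ("Sep  5"), as date '+%b %e' does
chkhit() {
    printf 'port,hits\n'
    cat "$1" |
      { if [ -n "${2:-}" ]; then grep "^$2 "; else cat; fi; } |
      grep 'kernel:.*DPT=' |                       # only firewall entries
      sed -n 's/.*DPT=\([0-9][0-9]*\).*/\1/p' |     # keep the port number
      sort -n | uniq -c |                          # count per port
      awk '{ print $2 "," $1 }'                    # "port,hits"
}

# Yesterday's report for a morning cron job (date -d is a GNU extension).
report_yesterday() {
    chkhit "${1:-/var/log/messages}" "$(date -d yesterday '+%b %e')"
}

# Stand-alone demo: run the sample through chkhit, then only Sep 20.
printf '%s\n' "$SAMPLE_LOG" | chkhit -
printf '%s\n' "$SAMPLE_LOG" | chkhit - "Sep 20"
```

Piping the output to mail in the cron job gives the daily report David describes; ports with many hits from the same SRC are the first candidates for a closer look.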