best iptables log analyzer

Pacifiste95 · 07-14-2011, 02:12 PM

Hello all,

i want to view my iptables log on web interface, with chart (in option, but this is not my priority).

What is the best program for this?

Thanks !

Noway2 · 07-15-2011, 04:22 AM

I am not aware of any iptables log viewing applications as such. It is possible that one of the firewall GUI front ends or server administration packages offer this feature, but again I don't use those either. I do periodically look at the iptables (blocked) log and occasionally search it for specific hosts in question, but that is about it. One of the problems with trying to graph the information on such a log is that it would likely contain a lot of near random data as the IP addresses and ports will change continuously. You may notice trends in time, such as a rise in popularity of attempting access on a particular port, but this is information you can find on many a good security information sites.

Instead of trying to track your iptables logs, a better approach might be to use a program like Snort, which actually looks at the traffic and categorizes it against known threat profiles. The PHP tool called Base, will then give you reports, graphs, and charts allowing you ways to analyze the threats and most importantly, repeat offenders.

salasi · 07-15-2011, 06:52 AM

There is another thread on this subject here. Unfortunately, it is an ancient thread, so I don't know how much use any of the information would be now.

Actually, I did a search in a well-known search engine (search terms: iptables log analysis tool), and a lot of the first page of hits were also ancient, so i don't really know what that means. Maybe, there was more interest in this subject five years ago.

@Noway2

Quote:

It is possible that one of the firewall GUI front ends or server administration packages offer this feature, but again I don't use those either.

I'd thought that I'd heard of something similar, but I don't use a GUI front end, so I didn't pay it much attention. There is a description here of firestarter which may be what i was thinking of, but I can't really remember.

In any case, it seems that what you are asking for could be dealt with by a bit of shell scripting and, say, filtering a log by how many accesses there are from each IP, or something. But, as with Noway2 I'd have to ask how exactly this will help with anything that's important. I mean, everyone gets noise in their log file, but you really want to sort the dangerous stuff from the noise. Does knowing which IP accesses are coming from help you do that?