<html><head><meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>IPTables logs analyzer FAQ</title><meta name="generator" content="DocBook XSL Stylesheets V1.40"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="book" id="id2715645"><div class="titlepage"><div><h1 class="title"><a name="id2715645"></a>IPTables logs analyzer FAQ</h1></div><div><h3 class="author">Gerald GARCIA</h3></div><div><p class="copyright">Copyright © 2002 Gerald GARCIA</p></div><hr></div><div class="toc"><p><b>Table of Contents</b></p><dl><dt> <a href="#id2715368">Preface</a></dt><dt>1 <a href="#id2715784">General information</a></dt><dd><dl><dt> <a href="#id2715502">What is IPTables logs analyzer?</a></dt><dt> <a href="#id2715594">How does IPTables logs analyzer work?</a></dt><dt> <a href="#id2714922">Are there any screenshots available?</a></dt></dl></dd><dt>2 <a href="#id2714961">How to find, configure, install, and troubleshoot IPTables logs analyzer</a></dt><dd><dl><dt> <a href="#id2714975">Where can I get IPTables logs analyzer?</a></dt><dt> <a href="#id2716868">How do I configure/compile IPTables logs analyzer?</a></dt></dl></dd><dt>3 <a href="#id2717164">Customisation</a></dt><dd><dl><dt> <a href="#id2717185">How can I create my own stylesheet?</a></dt><dt> <a href="#id2717216">How do I add a personalized header/footer to generated tables?</a></dt></dl></dd><dt>4 <a href="#id2717233">FAQ Contributions, Maintainers and Copyright</a></dt></dl></div><div id="id2715368" class="preface"><div class="titlepage"><div><h2 class="title"><a name="id2715368"></a>Preface</h2></div></div><p>This document gathers some frequently asked questions about IPTables logs analyzer.</p></div><div class="chapter"><div class="titlepage"><div><h2 class="title"><a name="id2715784"></a>Chapter 1. 
General information</h2></div></div><div class="toc"><p><b>Table of Contents</b></p><dl><dt> <a href="#id2715502">What is IPTables logs analyzer?</a></dt><dt> <a href="#id2715594">How does IPTables logs analyzer work?</a></dt><dt> <a href="#id2714922">Are there any screenshots available?</a></dt></dl></div><p> This chapter gathers general information about IPTables logs analyzer.</p><div class="sect1"><a name="id2715502"></a><div class="titlepage"><div><h2 class="title" style="clear: both"><a name="id2715502"></a>What is IPTables logs analyzer?</h2></div></div><p>IPTables log analyzer displays Linux 2.4 iptables logs (rejected, accepted, and masqueraded packets) in a nice HTML page. The reports it produces are easy to read and understand, reducing the manual analysis time. They contain statistics on packets and links to more detailed information on a given host, port, or domain. 
      </p></div><div class="sect1"><a name="id2715594"></a><div class="titlepage"><div><h2 class="title" style="clear: both"><a name="id2715594"></a>How does IPTables logs analyzer work?</h2></div></div><p>IPTables log analyzer is composed of two separate parts:</p><div class="itemizedlist"><ul><li style="list-style-type: opencircle"><p><a name="id2715770"></a>A database feeder: reads the log produced by iptables (generally /var/log/syslog) and stores each logged packet in the database
	  </p></li><li style="list-style-type: opencircle"><p><a name="id2715564"></a>A web interface: provides different views of the packets stored in the database
	Depending on your network architecture, you can run the database feeder, the web interface and the database all directly on the firewall,
	or you can choose to use existing hosts of your network as described below:
      </p><div class="itemizedlist"><ul><li style="list-style-type: opencircle"><p><a name="id2714866"></a>On the firewall: the database feeder
	  </p></li><li style="list-style-type: opencircle"><p><a name="id2714871"></a>On a database host: the MySQL database
	  </p></li><li style="list-style-type: opencircle"><p><a name="id2714877"></a>On a web server: the PHP scripts of the web interface
	The log analyzer is ready to receive data from different firewalls, so if your network is protected by several firewalls,
	you can run one database feeder on each firewall and gather the information on a single database host.
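The feeder's core step, as an added example that is not the project's own feed_db.pl: parsing kernel log lines of the shape produced by the LOG rule described in Chapter 2 (prefix '[IPTABLES DROP] : ' followed by KEY=value fields) into one record per packet, keyed by chain, then counting packets per chain, protocol and destination port as the reports do. The sample log lines are constructed (RFC 5737 documentation addresses), and the record field names and helper functions are my own choices.

```python
import re
from collections import Counter

# Constructed sample lines (not real traffic): the first has the shape shown in
# this FAQ, the others are made up to cover ACCEPT and a non-iptables kernel line.
SAMPLE_LOG = """\
Sep 24 21:33:56 nuage kernel: [IPTABLES DROP] : IN=ppp0 OUT= MAC= SRC= DST= LEN=48 TOS=0x00 PREC=0x00 TTL=111 ID=25302 DF PROTO=TCP SPT=3795 DPT=12345 WINDOW=16384 RES=0x00 SYN URGP=0 OPT (0204058401010402)
Sep 24 21:34:10 nuage kernel: [IPTABLES DROP] : IN=ppp0 OUT= MAC= SRC=192.0.2.10 DST=198.51.100.5 LEN=48 TOS=0x00 PREC=0x00 TTL=64 ID=7 PROTO=UDP SPT=1026 DPT=137
Sep 24 21:34:11 nuage kernel: [IPTABLES ACCEPT] : IN=eth0 OUT=ppp0 SRC=192.0.2.11 DST=198.51.100.6 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=8 DF PROTO=TCP SPT=40000 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0
Sep 24 21:35:00 nuage kernel: eth0: link up
"""

# syslog header, then the prefix set with --log-prefix '[IPTABLES DROP] : '
# (the word after IPTABLES names the chain); the optional [seconds.micros]
# group covers kernels that add a printk timestamp before the prefix
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) kernel: (?:\[ *\d+\.\d+\] )?"
    r"\[IPTABLES (?P<chain>[A-Z_]+)\] : (?P<fields>.*)$")
TOKEN_RE = re.compile(r"(\w+)=(\S*)")  # KEY=value; value may be empty (OUT= above)
FLAG_TOKENS = {"DF", "MF", "SYN", "ACK", "FIN", "RST", "PSH", "URG"}  # bare tokens


def parse_line(line):
    """Return a dict for an iptables LOG line, or None for any other kernel message."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    fields = m.group("fields")
    rec = {"ts": m.group("ts"), "host": m.group("host"), "chain": m.group("chain")}
    for key, val in TOKEN_RE.findall(fields):
        rec[key.lower()] = val
    # OPT (hex) is the raw option dump from --log-ip-options / --log-tcp-options
    opt = re.search(r"OPT \(([0-9A-Fa-f]*)\)", fields)
    rec["opt"] = opt.group(1) if opt else ""
    rec["flags"] = sorted(t for t in fields.split() if t in FLAG_TOKENS)
    return rec


def summarize(log_text):
    """Count packets per (chain, protocol, destination port), as the reports do.
    Returns the Counter and the number of lines that were not iptables LOG lines."""
    counts, skipped = Counter(), 0
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            skipped += 1
            continue
        counts[(rec["chain"], rec.get("proto", ""), rec.get("dpt", ""))] += 1
    return counts, skipped
```

Running summarize(SAMPLE_LOG) gives one packet each for DROP/TCP/12345, DROP/UDP/137 and ACCEPT/TCP/80, with the "link up" line skipped.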
      </p><div class="figure"><p><a name="id2714893"></a><b>Figure 1.1. Typical large installation</b></p><p><img src="schematic.png"></p></div><div class="figure"><p><a name="id2714908"></a><b>Figure 1.2. Typical single host installation</b></p><p><img src="schematic-single.png"></p></div></div><div class="sect1"><a name="id2714922"></a><div class="titlepage"><div><h2 class="title" style="clear: both"><a name="id2714922"></a>Are there any screenshots available?</h2></div></div><div class="figure"><p><a name="id2714929"></a><b>Figure 1.3. Screenshot, green theme</b></p><p><img src="screenshoot.png"></p></div><div class="figure"><p><a name="id2714944"></a><b>Figure 1.4. Screenshot, blue theme</b></p><p><img src="screenshoot-blue.png"></p></div></div></div><div class="chapter"><div class="titlepage"><div><h2 class="title"><a name="id2714961"></a>Chapter 2. How to find, configure, install, and troubleshoot IPTables logs analyzer</h2></div></div><div class="toc"><p><b>Table of Contents</b></p><dl><dt> <a href="#id2714975">Where can I get IPTables logs analyzer?</a></dt><dt> <a href="#id2716868">How do I configure/compile IPTables logs analyzer?</a></dt></dl></div><p> This chapter gathers install information about IPTables logs analyzer.</p><div class="sect1"><a name="id2714975"></a><div class="titlepage"><div><h2 class="title" style="clear: both"><a name="id2714975"></a>Where can I get IPTables logs analyzer?</h2></div></div><p>
Two sources:
<div class="itemizedlist"><ul><li style="list-style-type: opencircle"><p><a name="id2716831"></a>
  Sourceforge based download at <a href="http://sourceforge.net/project/showfiles.php?group_id=63361" target="_top">http://sourceforge.net/project/showfiles.php?group_id=63361</a>
</p></li><li style="list-style-type: opencircle"><p><a name="id2716848"></a>
  gege.org website at <a href="http://www.gege.org/iptables" target="_top">http://www.gege.org/iptables</a> (main site but slow connection)
      </p></div><div class="sect1"><a name="id2716868"></a><div class="titlepage"><div><h2 class="title" style="clear: both"><a name="id2716868"></a>How do I configure/compile IPTables logs analyzer?</h2></div></div><div class="itemizedlist"><ul><li><p><a name="id2716879"></a>Creation of the database</p><div class="itemizedlist"><ul><li><p><a name="id2716890"></a>start the mysql client (with a user with rights to create databases, here root)</p><pre class="programlisting">&gt; mysql -u root -p</pre></li><li><p><a name="id2716904"></a>create the database (here called iptables)</p><pre class="programlisting">mysql&gt; create database iptables;</pre></li><li><p><a name="id2716917"></a>grant the minimum rights to the user that creates the tables and fills the database
		(here the user iptables_admin connects from localhost with password xx)</p><pre class="programlisting">mysql&gt; grant create,select,insert on iptables.* to iptables_admin@localhost identified by 'xx';</pre></li><li><p><a name="id2716934"></a>grant the select right to the user used by the PHP interface (here, as an example name, the user iptables_web connecting from localhost with password xx)</p><pre class="programlisting">mysql&gt; grant select on iptables.* to iptables_web@localhost identified by 'xx';
mysql&gt; grant create temporary tables on iptables.* to iptables_web@localhost identified by 'xx';
	      </pre></li><li><p><a name="id2716951"></a>exit from the mysql client and fill the database with the contents 
		of the file sql/db.sql (in the distribution)</p><pre class="programlisting">&gt; cat db.sql | mysql -u iptables_admin -p iptables</pre></li></ul></div></li><li><p><a name="id2716969"></a>Add the correct LOG rule to netfilter rules</p><div class="itemizedlist"><ul><li><p><a name="id2716979"></a>a rule for logging shall be established, for example (to be carefully adapted to your situation):</p><pre class="programlisting">
iptables -N LOG_DROP
iptables -A LOG_DROP -j LOG --log-tcp-options --log-ip-options --log-prefix '[IPTABLES DROP] : '
iptables -A LOG_DROP -j DROP
</pre></li><li><p><a name="id2716997"></a>when you drop packets, replace DROP by LOG_DROP, for example:</p><pre class="programlisting">
iptables -A INPUT -j LOG_DROP
</pre></li><li><p><a name="id2717011"></a>check that lines of the following kind appear in your logs (/var/log/syslog for example):</p><pre class="programlisting">
Sep 24 21:33:56 nuage kernel: [IPTABLES DROP] : IN=ppp0 OUT= MAC= SRC= DST= LEN=48 TOS=0x00 PREC=0x00 TTL=111 ID=25302 DF PROTO=TCP SPT=3795 DPT=12345 WINDOW=16384 RES=0x00 SYN URGP=0 OPT (0204058401010402)
</pre></li><li><p><a name="id2717030"></a>To specify more chains, just adjust the log-prefix option. In the previous example the DROP chain is defined. </p><p>If you use --log-prefix '[IPTABLES ACCEPT] : ', all the packets logged by this rule will be displayed in the ACCEPT chain.</p></li></ul></div></li><li><p><a name="id2717049"></a>Install the web interface</p><div class="itemizedlist"><ul><li><p><a name="id2717059"></a>Copy the files of the web directory of the distribution under the document root of your web server</p><pre class="programlisting">cp -R web /var/www/iptables</pre></li><li><p><a name="id2717074"></a>Configure the config.php file according to your database settings (set the correct values for the user with the select privilege in the variables)</p></li></ul></div></li><li><p><a name="id2717087"></a>Install database feeder</p><div class="itemizedlist"><ul><li><p><a name="id2717097"></a>Configure the feed_db.pl script to your database settings (set the correct values for the user with select and insert privileges in the variables)</p></li><li><p><a name="id2717108"></a>Install the feed_db.pl script somewhere on your firewall (for example /usr/local/bin)</p></li><li><p><a name="id2717118"></a>Copy the init.d script called &quot;iptablelog&quot; into the /etc/init.d directory (if you want to start the feeder automatically)</p></li><li><p><a name="id2717128"></a>Configure the &quot;iptablelog&quot; script</p></li><li><p><a name="id2717137"></a>start the script as root (or any user that can read the iptables logs) with:</p><pre class="programlisting">/etc/init.d/iptablelog start</pre></li></ul></div></li></ul></div><p>Congratulations, you should now be able to access the index.php page under the directory where you copied the web directory!</p></div></div><div class="chapter"><div class="titlepage"><div><h2 class="title"><a name="id2717233"></a>Chapter 3. 
Customisation</h2></div></div><div class="toc"><p><b>Table of Contents</b></p><dl><dt> <a href="#id2717185">How can I create my own stylesheet?</a></dt><dt> <a href="#id2717216">How do I add a personalized header/footer to generated tables?</a></dt></dl></div><p> This chapter gathers information about customisation of the application.</p><div class="warning" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title"><a name="id2717176"></a>Warning</h3><p>
Needs to be updated for the current version.
</p></div><div class="sect1"><a name="id2717185"></a><div class="titlepage"><div><h2 class="title" style="clear: both"><a name="id2717185"></a>How can I create my own stylesheet?</h2></div></div><p>Simply copy an existing style sheet (from the web/themes directory). Then modify it and add it
	in the configuration file.
    </p><div class="example"><p><a name="id2717199"></a><b>Example 3.1. 
	Adding a new style in the config file</b></p><pre class="programlisting">
$css_style_default=&quot;my style&quot;;

$css_styles[&quot;my style&quot;]=&quot;mystyle.css&quot;;
	</pre></div></div><div class="sect1"><a name="id2717216"></a><div class="titlepage"><div><h2 class="title" style="clear: both"><a name="id2717216"></a>How do I add a personalized header/footer to generated tables?</h2></div></div><p>
	For the moment, there is no easy way to do this. The best way to add a custom header
	and footer is to edit elems.php.
    </p></div></div><div class="chapter"><div class="titlepage"><div><h2 class="title"><a name="id2717233"></a>Chapter 4. FAQ Contributions, Maintainers and Copyright</h2></div></div><p>
If you would like to make a contribution to the FAQ, send either one of us an e-mail message with the exact text you think should be included (question and answer). With your help, this document can grow and become more useful!
This document is maintained by Gerald GARCIA <tt>&lt;<a href="mailto:hide@address.com">hide@address.com</a>&gt;</tt>.
This FAQ is Copyright (C) 2002 by Gerald GARCIA.
Permission is granted to make and distribute verbatim copies of this manual provided the copyright notice and this permission notice are preserved on all copies.
Permission is granted to copy and distribute modified versions of this document under the conditions for verbatim copying, provided that this copyright notice is included exactly as in the original, and that the entire resulting derived work is distributed under the terms of a permission notice identical to this one.
Permission is granted to copy and distribute translations of this document into another language, under the above conditions for modified versions.
If you are intending to incorporate this document into a published work, please contact one of the maintainers, and we will make an effort to ensure that you have the most up to date information available.
There is no guarantee that this document lives up to its intended purpose. It is simply provided as a free resource. As such, the authors and maintainers of the information provided within cannot guarantee that the information is even accurate.
This chapter is a copy of the one found in the GTK FAQ (<a href="http://www.gtk.org/faq" target="_top">http://www.gtk.org/faq</a>).