<?xml version='1.0'?>

<book>
<bookinfo>
  <title>IPTables logs analyzer FAQ</title>
  <author><firstname>Gerald</firstname><surname>GARCIA</surname></author>
  <copyright><year>2002</year><holder>Gerald GARCIA</holder></copyright>
</bookinfo>
<preface>
  <title>Preface</title>
  <para>This document gathers some frequently asked questions about IPTables logs analyzer.</para>
</preface>



<chapter>
  <title>General information</title>

  <para> This chapter gathers general information about IPTables logs analyzer</para>

  <sect1>
    <title>What is IPTables logs analyzer?</title>
      <para>IPTables log analyzer displays Linux 2.4 iptables logs (rejected, accepted, and masqueraded packets) in a nice HTML page. The reports it produces are easy to read and understand, reducing the manual analysis time. They contain statistics on packets and links to more detailed information on a given host, port, or domain. 
      </para>
  </sect1>

  <sect1>
    <title>How does IPTables logs analyzer work?</title>
    <para>The IPTables log analyzer is composed of two separate parts:</para>
    <itemizedlist mark='opencircle'>
	<listitem><para>A database feeder: it reads the log produced by iptables (generally /var/log/syslog) and stores each logged packet in the database
	  </para></listitem>
	<listitem><para>A web interface: it provides different views of the packets stored in the database
	  </para></listitem>
    </itemizedlist>
      <para>
	Depending on your network architecture, you can run the database feeder, the web interface and the database all on the firewall,
	or you can spread them over existing hosts of your network as described below:
      </para>
      <itemizedlist mark='opencircle'>
	<listitem><para>On the firewall: the database feeder
	  </para></listitem>
	<listitem><para>On a database host: the MySQL database
	  </para></listitem>
	<listitem><para>On a web server: the PHP scripts of the web interface
	  </para></listitem>
    </itemizedlist>
      <para>
	The log analyzer can receive data from several firewalls, so if your network is protected by more than one firewall,
	you can run one database feeder on each of them and gather all the information in a single database host.
      </para>
      <figure>
	<title>Typical large installation</title>
	<graphic fileref="schematic.png"/>
      </figure>
      <figure>
	<title>Typical single host installation</title>
	<graphic fileref="schematic-single.png"/>
      </figure>

  </sect1>

  <sect1>
    <title>Are there any screenshots available?</title>
      <figure>
	<title>Screenshot green theme</title>
	<graphic fileref="screenshoot.png"/>
      </figure>
      <figure>
	<title>Screenshot blue theme</title>
	<graphic fileref="screenshoot-blue.png"/>
      </figure>
  </sect1>
</chapter>

<chapter>
  <title>How to find, configure, install, and troubleshoot IPTables logs analyzer</title>

  <para> This chapter gathers install information about IPTables logs analyzer</para>

  <sect1>
    <title>Where can I get IPTables logs analyzer ?</title>
    <para>
Two sources:
<itemizedlist mark='opencircle'>
<listitem>
<para>
  Sourceforge based download at <ulink url="http://sourceforge.net/project/showfiles.php?group_id=63361">http://sourceforge.net/project/showfiles.php?group_id=63361</ulink>
</para>
</listitem>
<listitem>
<para>
  gege.org website at <ulink url="http://www.gege.org/iptables">http://www.gege.org/iptables</ulink> (main site but slow connection)
</para>
</listitem>
</itemizedlist>
      </para>
  </sect1>

  <sect1>
    <title>How do I configure/compile IPTables logs analyzer?</title>
<itemizedlist>
<listitem>
	  <para>Creation of the database</para>
	  <itemizedlist>
	    <listitem>
	      <para>start the mysql client (with a user with rights to create databases, here root)</para>
	      <programlisting>> mysql -u root -p</programlisting>
	    </listitem>
	    <listitem>
	      <para>create the database (here called iptables)</para>
	      <programlisting>mysql> create database iptables;</programlisting>
	    </listitem>
	    <listitem>
	      <para>grant the minimum rights to the user that creates the tables and fills the database
		(here the user iptables_admin connects from localhost with the password xx; choose a real password instead of xx)</para>
	      <programlisting>mysql> grant create,select,insert on iptables.* to iptables_admin@localhost identified by 'xx';</programlisting>
	    </listitem>
	    <listitem>
	      <para>grant only the select right (plus the right to create temporary tables, which the web interface needs) to the user used by the PHP interface.
		The user name below (iptables_web) is only an example; if the web server is not the database host, replace localhost by the host the web server connects from</para>
	      <programlisting>mysql> grant select on iptables.* to iptables_web@localhost identified by 'xx';
mysql> grant create temporary tables on iptables.* to iptables_web@localhost identified by 'xx';
	      </programlisting>
	    </listitem>
	    <listitem>
	      <para>exit from the mysql client and fill the database with the contents
		of the file sql/db.sql (in the distribution), connecting as the user that holds the create right</para>
	      <programlisting>> cat sql/db.sql | mysql -u iptables_admin -p iptables</programlisting>
	    </listitem>
	  </itemizedlist>
</listitem>
<listitem>
	  <para>Add the correct LOG rule to netfilter rules</para>
	  <itemizedlist>
	    <listitem>
	      <para>a logging chain must be created, for example as follows (adapt it carefully to your situation; the LOG target writes one syslog line per packet, so on a busy link put a rate limit such as -m limit in front of it to keep the log from flooding the disk):</para>
<programlisting>
iptables -N LOG_DROP
iptables -A LOG_DROP -j LOG --log-tcp-options --log-ip-options --log-prefix '[IPTABLES DROP] : '
iptables -A LOG_DROP -j DROP
</programlisting>
	    </listitem>
	    <listitem>
	      <para>wherever you drop packets, replace the DROP target by LOG_DROP, for example:</para>
<programlisting>
iptables -A INPUT -j LOG_DROP
</programlisting>
	    </listitem>
	    <listitem>
	      <para>check that lines of the following kind appear in your logs (/var/log/syslog for example):</para>
<programlisting>
Sep 24 21:33:56 nuage kernel: [IPTABLES DROP] : IN=ppp0 OUT= MAC= SRC=62.202.81.132 DST=193.253.186.217 LEN=48 TOS=0x00 PREC=0x00 TTL=111 ID=25302 DF PROTO=TCP SPT=3795 DPT=12345 WINDOW=16384 RES=0x00 SYN URGP=0 OPT (0204058401010402)
</programlisting>
	    </listitem>
	    <listitem>
	      <para>To feed more chains, just adjust the log-prefix option: the chain shown in the reports is taken from the word following "IPTABLES" in the prefix. The previous example defines the DROP chain.</para>
	      <para>If you use --log-prefix '[IPTABLES ACCEPT] : ', all the packets logged by this rule will be displayed in the ACCEPT chain.</para>
	    </listitem>
	  </itemizedlist>
</listitem>
<listitem>
	  <para>Install the web interface</para>
	  <itemizedlist>
	    <listitem>
	      <para>Copy the web directory of the distribution under the document root of your web server</para>
	      <programlisting>cp -R web /var/www/iptables</programlisting>
	    </listitem>
	    <listitem>
	      <para>Edit the conf/config.php file according to your database settings (use the user that has only the select privilege). The reports reveal which hosts and ports talk to your firewall, so restrict access to this directory (for example with your web server's authentication) rather than leaving it open to everyone.</para>
	    </listitem>
	  </itemizedlist>
</listitem>
<listitem>
	  <para>Install database feeder</para>
	  <itemizedlist>
	    <listitem>
	      <para>Configure the feed_db.pl script with your database settings (set the correct values for the user with the select and insert privileges in the variables)</para>
	    </listitem>
	    <listitem>
	      <para>Install the feed_db.pl script somewhere on your firewall (for example /usr/local/bin)</para>
	    </listitem>
	    <listitem>
	      <para>Copy the init.d script called "iptablelog" into the /etc/init.d directory (if you want the feeder to start automatically)</para>
	    </listitem>
	    <listitem>
	      <para>Configure the "iptablelog" script</para>
	    </listitem>
	    <listitem>
	      <para>start the script as root (or as any user that can read the iptables logs) with:</para>
	      <programlisting>/etc/init.d/iptablelog start</programlisting>
	    </listitem>
	  </itemizedlist>
</listitem>
</itemizedlist>
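<para>As an added example (not the project's own feed_db.pl or PHP code), the following Python script shows the work the database feeder described in the General information chapter does on log lines of the kind shown above: it parses netfilter LOG lines, takes the chain name from the '[IPTABLES ...] : ' prefix as explained in the netfilter step, and computes the per-chain and per-port counts the web interface reports. The log lines embedded in it are constructed for the example (the first one is this FAQ's sample line; the other addresses are documentation ranges). It goes slightly beyond the page in that it also tolerates the bracketed uptime stamp newer kernels print after "kernel:", which the 2.4 logs on this page do not have.</para>

```python
"""Parse netfilter LOG lines and build the per-chain / per-port counts.

Added example, not the project's feed_db.pl or web interface. The lines in
SAMPLE_LOG are constructed for this example (the first is the FAQ's own
sample line). The prefix convention '[IPTABLES CHAIN] : ' is the one the
FAQ recommends for --log-prefix.
"""
import re
from collections import Counter

# Syslog preamble, an optional "[ uptime]" stamp printed by newer kernels
# (assumption: the 2.4 logs on this page do not have it), then the prefix.
# The chain name is taken from the prefix: '[IPTABLES DROP] : ' -> 'DROP'.
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) kernel: "
    r"(?:\[\s*\d+\.\d+\] )?\[IPTABLES (?P<chain>[A-Z_]+)\] : (?P<rest>.*)$"
)
# KEY=VALUE tokens; the value may be empty, e.g. "OUT=" or "MAC=".
KV_RE = re.compile(r"(?P<key>[A-Z]+)=(?P<val>\S*)")
# Tokens the LOG target prints without "=": IP and TCP flag bits.
FLAGS = {"CE", "DF", "MF", "SYN", "ACK", "FIN", "RST", "PSH", "URG", "CWR", "ECE"}


def parse_line(line):
    """Return the fields of one netfilter LOG line as a dict, or None when
    the line is not one (other syslog traffic is skipped by the caller)."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    rec = {"timestamp": m.group("ts"), "host": m.group("host"),
           "chain": m.group("chain")}
    rest = m.group("rest")
    for kv in KV_RE.finditer(rest):
        rec[kv.group("key")] = kv.group("val")  # a repeated key keeps the last value
    rec["flags"] = sorted(tok for tok in rest.split() if tok in FLAGS)
    return rec


def summarize(lines):
    """Count logged packets per chain and per (protocol, destination port),
    the two statistics the reports are built on.
    Returns (by_chain, by_port, skipped)."""
    by_chain, by_port, skipped = Counter(), Counter(), 0
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            skipped += 1
            continue
        by_chain[rec["chain"]] += 1
        # Only TCP and UDP carry a destination port; ICMP has TYPE/CODE instead.
        if rec.get("PROTO") in ("TCP", "UDP") and rec.get("DPT", "").isdigit():
            by_port[(rec["PROTO"], int(rec["DPT"]))] += 1
    return by_chain, by_port, skipped


# Constructed sample log: the FAQ's own line, two more DROPs, one ACCEPT,
# and one unrelated syslog line that the feeder must ignore.
SAMPLE_LOG = """\
Sep 24 21:33:56 nuage kernel: [IPTABLES DROP] : IN=ppp0 OUT= MAC= SRC=62.202.81.132 DST=193.253.186.217 LEN=48 TOS=0x00 PREC=0x00 TTL=111 ID=25302 DF PROTO=TCP SPT=3795 DPT=12345 WINDOW=16384 RES=0x00 SYN URGP=0 OPT (0204058401010402)
Sep 24 21:34:02 nuage kernel: [IPTABLES DROP] : IN=ppp0 OUT= MAC= SRC=198.51.100.5 DST=193.253.186.217 LEN=48 TOS=0x00 PREC=0x00 TTL=64 ID=1 DF PROTO=TCP SPT=4000 DPT=12345 WINDOW=16384 RES=0x00 SYN URGP=0
Sep 24 21:34:10 nuage kernel: [IPTABLES DROP] : IN=ppp0 OUT= MAC= SRC=198.51.100.6 DST=193.253.186.217 LEN=78 TOS=0x00 PREC=0x00 TTL=64 ID=2 PROTO=UDP SPT=1025 DPT=137
Sep 24 21:34:11 nuage kernel: [IPTABLES ACCEPT] : IN=eth0 OUT=ppp0 SRC=192.0.2.2 DST=203.0.113.7 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=3 DF PROTO=ICMP TYPE=8 CODE=0
Sep 24 21:34:12 nuage sshd[1234]: Accepted publickey for admin from 192.0.2.2 port 51000 ssh2
"""

if __name__ == "__main__":
    chains, ports, skipped = summarize(SAMPLE_LOG.splitlines())
    print("packets per chain:", dict(chains))
    print("top destination ports:", ports.most_common(3))
    print("non-netfilter lines skipped:", skipped)
```

<para>On the sample above the script counts three packets in the DROP chain and one in ACCEPT, two TCP packets to port 12345 and one UDP packet to port 137, and skips the sshd line. A feeder that writes these fields to MySQL should pass them to the database as parameters (prepared statements) rather than by building the SQL string by hand, since every value comes straight from the log and ends up in the web pages.</para>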
  
<para>Congratulations, you should now be able to open the index.php page in the directory under the document root where you copied the web files!</para>
</sect1>

</chapter>


<chapter>
  <title>Customisation</title>

  <para> This chapter gathers information about customisation of the application</para>

<warning>
<para>
Need to be updated for the current version
</para>
</warning>

  <sect1>
    <title>How can I create my own stylesheet?</title>
    <para>Simply copy an existing style sheet from the web/themes directory, modify it, and then register it
	in the configuration file.
    </para>
      <example><title>
	Example of adding a new style in config file</title>
	<programlisting>
#############################
# CSS STYLES
#############################
$css_style_default="my style";

$css_styles["default"]="iptables.css";
$css_styles["blue"]="iptables_blue.css";
$css_styles["my style"]="mystyle.css";
	</programlisting>
      </example>
  </sect1>

  <sect1>
    <title>How do I add a personalized header/footer to the generated tables?</title>
    <para>
	For the moment there is no easy way to do this. The best way to add a custom header
	and footer is to edit elems.php.
    </para>
  </sect1>

</chapter>

<chapter>
  <title>FAQ Contributions, Maintainers and Copyright</title>
  <para>
If you would like to make a contribution to the FAQ, send either one of us an e-mail message with the exact text you think should be included (question and answer). With your help, this document can grow and become more useful!
</para>
<para>
This document is maintained by Gerald GARCIA <email>hide@address.com</email>.
</para>
<para>
This FAQ is Copyright (C) 2002 by Gerald GARCIA.
</para>
<para>
Permission is granted to make and distribute verbatim copies of this manual provided the copyright notice and this permission notice are preserved on all copies.
</para>
<para>
Permission is granted to copy and distribute modified versions of this document under the conditions for verbatim copying, provided that this copyright notice is included exactly as in the original, and that the entire resulting derived work is distributed under the terms of a permission notice identical to this one.
</para>
<para>
Permission is granted to copy and distribute translations of this document into another language, under the above conditions for modified versions.
</para>
<para>
If you are intending to incorporate this document into a published work, please contact one of the maintainers, and we will make an effort to ensure that you have the most up to date information available.
</para>
<para>
There is no guarantee that this document lives up to its intended purpose. This is simply provided as a free resource. As such, the authors and maintainers of the information provided within cannot make any guarantee that the information is even accurate.
</para>
<para>
This chapter is a copy of the one found in the GTK FAQ (<ulink url="http://www.gtk.org/faq">http://www.gtk.org/faq</ulink>)
</para>

</chapter>

</book>
