bmh
February 8th, 2003, 23:23
Hi everyone,
I'm after a few suggestions as to the best way to graphically monitor my pflog.
Currently I visually grep my logs ( ;) ) and have made a few basic scripts to add to this, but I'd like to investigate a graphical way of displaying various statistics about the denied traffic, etc.
Is there a good way to perhaps integrate it with MRTG for some pretty graphs?
Anything you can suggest would be appreciated.
cheers
brett
soup4you2
February 9th, 2003, 15:20
what about doing something like using snort + mysql and acid, which is a graphical frontend for snort.
that's a nice thing to have set up..
another nice thing i've found is colorize, which is a small perl script you can pipe your tail output through so your logs come out in pretty colors.
here's a small tutorial i wrote on snort..
http://bsdhound.com/modules.php?name=News&file=article&sid=56
cod3fr3ak
March 20th, 2003, 12:04
The perl script sounds good.
soup4you2
March 20th, 2003, 14:51
you should have a port called colorize
that would be the nice script
just try it out by
tail -f /var/log/foo.bar | colorize.pl
you can also have it do some other nifty things like output it to html
also i'm going to make another post w/ a good php script to look at your firewall logs..
soup4you2
March 20th, 2003, 14:53
[code:1:fe9f9064fd]
<?
$file = "ipflog";
$lan = "10.0.1.";
$router = "10.0.1.254";
if(!($end)) {
$fd = fopen($file, r);
for($i = 0; !feof($fd); $i++) {
$lines[] = fgets($fd, 4096);
}
$end = count($lines);
$end = $end - 1;
$total = $end;
}
function cut($file, $start, $end, $total, $amount) {
if($total) {
if($amount) {
if($start < 1) {
$start = 1;
$end = $start + $amount;
}
if($end > $total) {
$end = $total;
$start = $end - $amount;
}
} else {
if($start < 1) {
$start = 1;
$end = $start + 25;
}
if($end > $total) {
$end = $total;
$start = $end - 25;
}
}
}
$fd = fopen($file, r);
for($i = 0; $i < $start ; $i++) {
$line = fgets($fd, 4096);
if(feof($fd) || !$line) {
return;
}
}
$j = 0;
for(; $i < $end; $i++) {
$line = fgets($fd, 4096);
if($line && !feof($fd)) {
$out[$j++] = $line;
} else {
return $out;
}
}
return $out;
}
if($cmd == "cut") {
if($cut == "Prev") {
if($amount) {
$end = $end - $amount;
$start = $end - $amount;
} else {
$end = $end - 25;
$start = $end - 25;
}
$log = cut($file, $start, $end, $total, $amount);
} else {
if($amount) {
$start = $end;
$end = $end + $amount;
} else {
$start = $end;
$end = $end + 25;
}
$log = cut($file, $start, $end, $total, $amount);
}
} elseif($cmd == "show") {
$log = cut($file, $start, $end, $total, $amount);
for($i = 0; $i < count($log); $i++) {
if(ereg($ts, $log[$i])) {
echo "$log[$i]";
}
}
} elseif($cmd == "jump") {
if($amount) {
$end = $start + $amount;
} else {
$end = $start + 25;
}
$log = cut($file, $start, $end, $total, $amount);
} else {
if($amount) {
$start = $end - $amount;
} else {
$start = $end - 25;
}
$log = cut($file, $start, $end, $total, $amount);
}
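if($cmd != "show") {
    // Paging values come back from the forms below (hidden fields and the
    // jump box) and are interpolated into the HTML, so pin them to integers
    // before the clamp and before anything is echoed.
    $start = (int)$start;
    $end = (int)$end;
    $total = (int)$total;
    $amount = (int)$amount;
    $page = $amount ? $amount : 25;
    // Keep the window inside [1, $total] at the selected page width; a zero
    // $total (empty or unreadable log) disables the clamp.
    if($total) {
        if($start < 1) {
            $start = 1;
            $end = $start + $page;
        }
        if($end > $total) {
            $end = $total;
            $start = $end - $page;
        }
    }
    echo "<HTML>\n";
    echo "<HEAD>\n";
    echo " <TITLE>IPF Logview</TITLE>\n";
    echo "</HEAD>\n";
    echo "<BODY BGCOLOR=WHITE TEXT=BLACK LINK=BLACK VLINK=BLACK>\n";
    // Navigation bar: Prev / page size / jump-to / Next / position.
    echo "<TABLE>\n";
    echo "<TR>\n";
    if($start > 1) {
        echo " <TD>\n";
        echo " <FORM METHOD=POST ACTION=#>\n";
        if($amount) {
            echo " <INPUT TYPE=HIDDEN NAME=amount VALUE=$amount>\n";
        }
        echo " <INPUT TYPE=HIDDEN NAME=end VALUE=$end>\n";
        echo " <INPUT TYPE=HIDDEN NAME=cmd VALUE=cut>\n";
        echo " <INPUT TYPE=HIDDEN NAME=total VALUE=$total>\n";
        echo " <INPUT TYPE=SUBMIT NAME=cut VALUE=Prev>\n";
        echo " </FORM>\n";
        echo " </TD>\n";
    }
    echo " <TD>\n";
    echo " <FORM METHOD=POST ACTION=#>\n";
    echo " <SELECT NAME=amount ONCHANGE=this.form.submit()>\n";
    if($amount) {
        echo " <OPTION SELECTED VALUE=$amount>$amount\n";
    } else {
        echo " <OPTION SELECTED VALUE=25>25\n";
    }
    echo " <OPTION VALUE=10>10\n";
    echo " <OPTION VALUE=25>25\n";
    echo " <OPTION VALUE=50>50\n";
    echo " <OPTION VALUE=100>100\n";
    echo " <OPTION VALUE=250>250\n";
    echo " <OPTION VALUE=500>500\n";
    echo " </SELECT>\n";
    echo " <INPUT TYPE=HIDDEN NAME=end VALUE=$end>\n";
    echo " <INPUT TYPE=HIDDEN NAME=total VALUE=$total>\n";
    echo " </FORM>\n";
    echo " </TD>\n";
    echo " <TD>\n";
    echo " <FORM METHOD=POST ACTION=#>\n";
    if($amount) {
        echo " <INPUT TYPE=HIDDEN NAME=amount VALUE=$amount>\n";
    }
    echo " <INPUT TYPE=HIDDEN NAME=cmd VALUE=jump>\n";
    echo " <INPUT TYPE=HIDDEN NAME=total VALUE=$total>\n";
    echo " <INPUT TYPE=TEXT SIZE=8 NAME=start>\n";
    echo " </FORM>\n";
    echo " </TD>\n";
    if($total > $end) {
        echo " <TD>\n";
        echo " <FORM METHOD=POST ACTION=#>\n";
        if($amount) {
            echo " <INPUT TYPE=HIDDEN NAME=amount VALUE=$amount>\n";
        }
        echo " <INPUT TYPE=HIDDEN NAME=end VALUE=$end>\n";
        echo " <INPUT TYPE=HIDDEN NAME=cmd VALUE=cut>\n";
        echo " <INPUT TYPE=HIDDEN NAME=total VALUE=$total>\n";
        echo " <INPUT TYPE=SUBMIT NAME=cut VALUE=Next>\n";
        echo " </FORM>\n";
        echo " </TD>\n";
    }
    echo " <TD>\n";
    echo " <B>Viewing lines $start to $end of $total</B>\n";
    echo " </TD>\n";
    echo "</TR>\n";
    echo "</TABLE>\n";
    echo "<TABLE BORDER=1>\n";
    echo "<TR BGCOLOR=BLACK>\n";
    echo " <TD ALIGN=CENTER><FONT COLOR=WHITE>Date</FONT></TD>\n";
    echo " <TD ALIGN=CENTER><FONT COLOR=WHITE>Host</FONT></TD>\n";
    echo " <TD ALIGN=CENTER><FONT COLOR=WHITE>Timestamp</FONT></TD>\n";
    echo " <TD ALIGN=CENTER><FONT COLOR=WHITE>C</FONT></TD>\n";
    echo " <TD ALIGN=CENTER><FONT COLOR=WHITE>If</FONT></TD>\n";
    echo " <TD ALIGN=CENTER><FONT COLOR=WHITE>Rule</FONT></TD>\n";
    echo " <TD ALIGN=CENTER><FONT COLOR=WHITE>Act</FONT></TD>\n";
    echo " <TD ALIGN=CENTER><FONT COLOR=WHITE>Src</FONT></TD>\n";
    echo " <TD ALIGN=CENTER><FONT COLOR=WHITE>Port</FONT></TD>\n";
    echo " <TD ALIGN=CENTER><FONT COLOR=WHITE>Dest</FONT></TD>\n";
    echo " <TD ALIGN=CENTER><FONT COLOR=WHITE>Port</FONT></TD>\n";
    echo " <TD ALIGN=CENTER><FONT COLOR=WHITE>Proto</FONT></TD>\n";
    echo " <TD ALIGN=CENTER><FONT COLOR=WHITE>Hlen/Tot</FONT></TD>\n";
    echo " <TD ALIGN=CENTER><FONT COLOR=WHITE>Flags</FONT></TD>\n";
    echo " <TD ALIGN=CENTER><FONT COLOR=WHITE>Keep</FONT></TD>\n";
    echo " <TD ALIGN=CENTER><FONT COLOR=WHITE>Dir</FONT></TD>\n";
    echo "</TR>\n";
    // One table row per log line, parsed positionally from ipmon's output.
    // When field 6 ends in "x" it is a repeat count such as "2x" and every
    // following field is shifted right by one.
    // NOTE(review): the per-row values below are interpolated into the HTML
    // unescaped; they are trusted to be ipmon-formatted addresses, ports and
    // flag words — confirm nothing user-controlled can reach these fields.
    foreach((array)$log as $line) {
        if(trim($line) === "") {
            continue;
        }
        // Per-row state that is only set for some protocols must start empty.
        $c = $srcportname = $destportname = $flags = $keep = $dir = "";
        $field = preg_split('/\s+/', $line);
        $date = "$field[0] $field[1] $field[2]";
        $host = "$field[3]";
        $ts = "$field[5]";
        if(substr($field[6], -1) == "x") {
            $c = "$field[6]";
        }
        if(strlen($c) > 0) {
            $interface = "$field[7]";
            $rule = "$field[8]";
            $act = "$field[9]";
            $srcfield = "$field[10]";
            $destfield = "$field[12]";
            $proto = "$field[14]";
            $hlen = "$field[16]";
            $tot = "$field[17]";
        } else {
            $interface = "$field[6]";
            $rule = "$field[7]";
            $act = "$field[8]";
            $srcfield = "$field[9]";
            $destfield = "$field[11]";
            $proto = "$field[13]";
            $hlen = "$field[15]";
            $tot = "$field[16]";
        }
        // Endpoints are "addr,port" for tcp/udp; other protocols carry no port.
        list($src, $srcport) = array_pad(explode(",", $srcfield), 2, "");
        list($dest, $destport) = array_pad(explode(",", $destfield), 2, "");
        if($srcport !== "") {
            $check = getservbyport((int)$srcport, $proto);
            if($check != "") {
                $srcportname = "$check";
            }
        }
        if($destport !== "") {
            $check = getservbyport((int)$destport, $proto);
            if($check != "") {
                $destportname = "$check";
            }
        }
        // Flags / keep-state / direction live at protocol-dependent offsets.
        if(strlen($c) > 0) {
            if($proto == "icmp") {
                $flags = "$field[19]";
                $dir = "$field[20]";
            } else {
                $flags = "$field[18]";
                $dir = "$field[19]";
            }
        } else {
            if($proto != "udp") {
                if($proto == "igmp") {
                    $dir = "$field[17]";
                } else {
                    $flags = "$field[17]";
                }
            } else {
                $dir = "$field[17]";
            }
            if($field[18] == "OUT") {
                $dir = "$field[18]";
            } elseif($field[17] == "icmp") {
                $flags = "$field[18]";
                $dir = "$field[19]";
            } elseif($field[18] == "IN") {
                $dir = "$field[18]";
            } elseif($proto != "udp" && $proto != "igmp") {
                $keep = "$field[18] $field[19]";
                $dir = "$field[20]";
            }
        }
        echo "<TR>\n";
        echo " <TD>$date</TD>\n";
        echo " <TD>$host</TD>\n";
        // Timestamp link opens the cmd=show pop-up for the same window.
        echo " <TD><A HREF=# ONCLICK=\"window.open('?cmd=show&ts=$ts&start=$start&end=$end', '_blank', 'toolbar=no, location=no, status=no, menubar=no, height=100,innerheight=100,width=800,innerwidth=800');\">$ts</A></TD>\n";
        if($c == "") {
            $c = "&nbsp";
        }
        echo " <TD><B>$c</B></TD>\n";
        echo " <TD>$interface</TD>\n";
        echo " <TD>$rule</TD>\n";
        if($act == "b") {
            echo " <TD><FONT COLOR=RED>block</FONT></TD>\n";
        } else {
            echo " <TD><FONT COLOR=GREEN>pass</FONT></TD>\n";
        }
        // LAN addresses in blue, the router in bold blue.  $lan is a literal
        // address prefix, not a pattern, so compare it as one.
        if(strpos($src, $lan) === 0) {
            echo " <TD><FONT COLOR=BLUE>$src</FONT></TD>\n";
        } elseif($src == $router) {
            echo " <TD><FONT COLOR=BLUE><B>$src</B></FONT></TD>\n";
        } else {
            echo " <TD>$src</TD>\n";
        }
        if($srcport == "") {
            $srcport = "&nbsp";
        }
        if($srcportname == "www") {
            echo " <TD><A HREF=http://$src TARGET=_blank>$srcportname</A> ($srcport)</TD>\n";
        } elseif($srcportname == "ftp") {
            echo " <TD><A HREF=ftp://$src TARGET=_blank>$srcportname</A> ($srcport)</TD>\n";
        } elseif($srcportname != "") {
            echo " <TD>$srcportname ($srcport)</TD>\n";
        } else {
            echo " <TD>$srcport</TD>\n";
        }
        if(strpos($dest, $lan) === 0) {
            echo " <TD><FONT COLOR=BLUE>$dest</FONT></TD>\n";
        } elseif($dest == $router) {
            echo " <TD><FONT COLOR=BLUE><B>$dest</B></FONT></TD>\n";
        } else {
            echo " <TD>$dest</TD>\n";
        }
        if($destport == "") {
            $destport = "&nbsp";
        }
        if($destportname == "www") {
            echo " <TD><A HREF=http://$dest TARGET=_blank>$destportname</A> ($destport)</TD>\n";
        } elseif($destportname == "ftp") {
            echo " <TD><A HREF=ftp://$dest TARGET=_blank>$destportname</A> ($destport)</TD>\n";
        } elseif($destportname != "") {
            echo " <TD>$destportname ($destport)</TD>\n";
        } else {
            echo " <TD>$destport</TD>\n";
        }
        echo " <TD>$proto</TD>\n";
        // Anything other than the plain 20-byte header is shown in bold.
        if($hlen != "20") {
            echo " <TD><B>$hlen</B>/$tot</TD>\n";
        } else {
            echo " <TD>$hlen/$tot</TD>\n";
        }
        if($flags == "") {
            $flags = "&nbsp";
        }
        echo " <TD>$flags</TD>\n";
        if($keep == "") {
            $keep = "&nbsp";
        }
        echo " <TD>$keep</TD>\n";
        if($dir == "for") {
            echo " <TD><B>RE</B></TD>\n";
        } else {
            echo " <TD>$dir</TD>\n";
        }
        echo "</TR>\n";
    }
    echo "</TABLE>\n";
    echo "</BODY>\n";
    echo "</HTML>\n";
}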
[/code:1:fe9f9064fd]