Iptables log avec date au format json
La configuration ci-dessous a été écrite pour une ancienne version de Rsyslog. Pour une version plus récente, voir : https://www.rsyslog.com/doc/master/configuration/templates.html?highlight=template et y rechercher « jsonf ».
Pour tester les regex : https://regex101.com
/etc/rsyslog.d/40-iptables.conf
# Legacy-syntax template ($Template, see the note above about old rsyslog
# versions). It keeps only the part of the message matching the LOG_S_<label>
# prefix: submatch 0 is the whole match, and the trailing ".*" swallows the
# rest of the line, so the file receives the match rather than the raw message.
# NOTE(review): the nomatch mode is DFLT, not FIELD, so a message without a
# LOG_S_ prefix is not written verbatim -- confirm the fallback text on the
# rsyslog version in use (the sample output further down shows a raw "RST_..."
# line, which suggests it was produced with a different template or prefix).
$Template file_reset,"%msg:R,ERE,0,DFLT:LOG_S_([A-Za-z0-9\_\>\.]+).*--end%\n"
# Route every kern.info message (what "-j LOG --log-level 6" produces) through
# that template into the iptables file, then stop: the message is discarded
# afterwards and does not reach any rule loaded after this file. The
# kern/info test is broad -- it also catches non-iptables kernel messages at
# that severity, which then disappear from the other logs.
if ($syslogfacility-text == 'kern' and $syslogseverity-text == 'info') then /var/log/iptables.log;file_reset
& stop
/etc/rsyslog.d/41-iptables-json.conf
###########################
###### INPUT FILES ########
###########################
# Re-read the file written by 40-iptables.conf and inject each new line as a
# fresh message; inotify mode is woken up by writes instead of polling the file.
module(load="imfile" mode="inotify")
input(type="imfile"
File="/var/log/iptables.log"
# This tag is what the "if $syslogtag == ..." rule below selects on; the two
# strings must stay identical (exact comparison).
Tag="pf_plop/env_prod/profile_iptables/svcid_iptables/app/reset.json"
# Severity is forced to info; Facility is left at imfile's default (the sample
# output further down shows "facility": "local0", consistent with that).
Severity="info"
)
#################################
###### OUTPUT TO LOGHOSTS #######
#################################
#if $msg contains 'PROTO=TCP' and $msg contains 'DPT=10023' then /var/log/plop.log;DPT10023
#& stop
#if $msg contains 'PROTO=TCP' and $msg contains 'DPT=10024' then /var/log/plop.log;DPT10024
#& stop
#if $msg contains 'PROTO=TCP' then /var/log/plop.log;DPT
#& stop
#set $.format = $msg;
#if ( $msg contains 'DPT=10023' ) then set $.dpt = 'PLOP10023';
#if ( $msg contains 'DPT=10024' ) then set $.dpt = 'PLOP10024';
#else set $.dpt = '';
# Hand-built JSON object: the constant() entries provide the structure, the
# property() entries the values. option.json="on" makes rsyslog JSON-escape
# each property value (quotes, backslashes, control characters), which is what
# keeps the object well-formed when a captured field -- e.g. the --log-prefix
# text -- contains such a character; without it one quote in a prefix would
# break the line for jq and any downstream parser. Regex sub-fields use
# regex.nomatchmode="BLANK", so an absent field becomes "" instead of a marker
# string. Every value is emitted as a JSON string, numeric fields included.
template(name="json_iptables" type="list" option.json="on") {
constant(value="{")
constant(value="\"timestamp\":\"")
# NOTE(review): the lines in iptables.log carry no timestamp (file_reset writes
# only the message text), so this most likely reflects when imfile read the
# line, not when the kernel logged the packet -- confirm before relying on it.
property(name="timereported" dateFormat="rfc3339")
constant(value="\",\"host\":\"")
property(name="hostname")
constant(value="\",\"severity\":\"")
property(name="syslogseverity-text")
constant(value="\",\"facility\":\"")
property(name="syslogfacility-text")
constant(value="\",\"syslog-tag\":\"")
property(name="syslogtag")
# constant(value="\",\"DPT_LABEL\":\"")
# property(name="$.dpt")
constant(value="\",\"LOG_LABEL\":\"")
# The --log-prefix text: everything from a leading "LOG" up to "IN=".
# NOTE(review): the anchored "^(LOG" requires the prefix to start with LOG; the
# sample output further down shows LOG_LABEL filled from an "RST_..." prefix,
# which this expression would leave blank -- the sample appears to predate this
# revision, so re-run the test after changing either the prefix or the regex.
property(name="msg" regex.type="ERE" regex.submatch="1" regex.nomatchmode="BLANK" regex.expression="^(LOG.*)IN=.*$")
constant(value="\",\"IN\":\"")
property(name="msg" regex.type="ERE" regex.submatch="1" regex.nomatchmode="BLANK" regex.expression="IN=([a-z0-9]+)")
constant(value="\",\"SRC\":\"")
# IPv4 only: the class [0-9.] does not match ip6tables addresses, which would
# end up as "" in SRC/DST.
property(name="msg" regex.type="ERE" regex.submatch="1" regex.nomatchmode="BLANK" regex.expression="SRC=([0-9\\.]+)")
constant(value="\",\"DST\":\"")
property(name="msg" regex.type="ERE" regex.submatch="1" regex.nomatchmode="BLANK" regex.expression="DST=([0-9\\.]+)")
constant(value="\",\"LEN\":\"")
property(name="msg" regex.type="ERE" regex.submatch="1" regex.nomatchmode="BLANK" regex.expression="LEN=([0-9]+)")
constant(value="\",\"TOS\":\"")
# Hex value as printed by the kernel ("0x.."); the class [0-9a-hx] is slightly
# wider than hexadecimal (g, h) but harmless. Same for PREC and RES below.
property(name="msg" regex.type="ERE" regex.submatch="1" regex.nomatchmode="BLANK" regex.expression="TOS=([0-9a-hx]+)")
constant(value="\",\"PREC\":\"")
property(name="msg" regex.type="ERE" regex.submatch="1" regex.nomatchmode="BLANK" regex.expression="PREC=([0-9a-hx]+)")
constant(value="\",\"TTL\":\"")
property(name="msg" regex.type="ERE" regex.submatch="1" regex.nomatchmode="BLANK" regex.expression="TTL=([0-9]+)")
constant(value="\",\"SPT\":\"")
property(name="msg" regex.type="ERE" regex.submatch="1" regex.nomatchmode="BLANK" regex.expression="SPT=([0-9]+)")
constant(value="\",\"DPT\":\"")
property(name="msg" regex.type="ERE" regex.submatch="1" regex.nomatchmode="BLANK" regex.expression="DPT=([0-9]+)")
constant(value="\",\"WINDOW\":\"")
property(name="msg" regex.type="ERE" regex.submatch="1" regex.nomatchmode="BLANK" regex.expression="WINDOW=([0-9]+)")
constant(value="\",\"RES\":\"")
property(name="msg" regex.type="ERE" regex.submatch="1" regex.nomatchmode="BLANK" regex.expression="RES=([0-9a-hx]+)")
constant(value="\",\"FLAGS\":\"")
# The TCP flag words sit between "RES=" and "URGP=" in the message. This pattern
# hard-codes RES=0x00 and URGP=0, so a packet with reserved bits or URG set gets
# an empty FLAGS even though RES (above) and URGP (below) are captured on their own.
property(name="msg" regex.type="ERE" regex.submatch="1" regex.nomatchmode="BLANK" regex.expression="^.*RES=0x00 (.*) URGP=0")
constant(value="\",\"URGP\":\"")
property(name="msg" regex.type="ERE" regex.submatch="1" regex.nomatchmode="BLANK" regex.expression="URGP=([01])")
constant(value="\"}\n")
}
# Only the lines re-read by imfile carry this tag; the comparison is an exact
# string match, so this literal and the Tag= of the input() above must stay
# identical. "& stop" discards the message once written, so it does not reach
# any rule loaded after this file.
# NOTE(review): the sample output further down shows the tag
# ".../profile_reset/svcid_reset/app/reset.json", which is not equal to the
# string tested here -- the sample seems to come from an earlier tag name.
if $syslogtag == 'pf_plop/env_prod/profile_iptables/svcid_iptables/app/reset.json' then /var/log/plop.log;json_iptables
& stop
Test
# Check the configuration syntax before reloading rsyslog.
rsyslogd -N1
systemctl restart rsyslog
# Log, then reject, TCP traffic to 127.0.0.1:10024. --log-level 6 is "info",
# which is what the kern.info filter in 40-iptables.conf expects; the rules
# are scoped to loopback, so they only affect the test host itself. They are
# appended with -A and not removed here -- delete them (iptables -D ...) once
# the test is done.
iptables -A INPUT -d 127.0.0.1/32 -p tcp -m tcp --dport 10024 -j LOG --log-prefix "RST_127.0.0.1:3000::" --log-level 6
iptables -A INPUT -d 127.0.0.1/32 -p tcp -m tcp --dport 10024 -j REJECT --reject-with tcp-reset
# Send a single packet with RST and SYN set to that port to trigger the rules
# (hence "RST SYN" in the FLAGS field of the sample output).
hping3 -RS 127.0.0.1 -p 10024 -c 1
# tail -1 /var/log/iptables.log
RST_127.0.0.1:3000::IN=lo OUT= MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 SRC=127.0.0.1 DST=127.0.0.1 LEN=40 TOS=0x00 PREC=0x00 TTL=64 ID=2739 PROTO=TCP SPT=1651 DPT=10024 WINDOW=512 RES=0x00 RST SYN URGP=0
# tail -1 /var/log/plop.log |jq .
{
"timestamp": "2021-06-02T12:47:40.685581+02:00",
"host": "vmdeb1",
"severity": "info",
"facility": "local0",
"syslog-tag": "pf_plop/env_prod/profile_reset/svcid_reset/app/reset.json",
"LOG_LABEL": "RST_127.0.0.1:3000::",
"IN": "lo",
"SRC": "127.0.0.1",
"DST": "127.0.0.1",
"LEN": "40",
"TOS": "0x00",
"PREC": "0x00",
"TTL": "64",
"SPT": "1651",
"DPT": "10024",
"WINDOW": "512",
"RES": "0x00",
"FLAGS": "RST SYN",
"URGP": "0"
}
