Hi all -
psad-2.0.8 has been released:
This release adds a whole new set of --gnuplot options so that iptables
log data can be visualized with Gnuplot in addition to AfterGlow. I
gave a talk about this at OSCON, and here are the slides in case anyone
Here is a blog post with a couple of the graphs visible:
Here is the 2.0.8 ChangeLog (many thanks to all who have contributed):
- Added --gnuplot mode so that psad can output data that is suitable
for plotting with gnuplot. All output produced in this mode is integer
data with the exception of date stamps that are derived from iptables
- Added the ability to negate match conditions on fields specified with
the --CSV-fields argument by prepending the string "not" (which plays
more nicely with shells like bash than a character like "!"). For
example, to graph all packet data in --gnuplot or --CSV modes that
originates from the 126.96.36.199/16 subnet and is not destined for port
80, the following argument does the trick:
--CSV-fields "src:188.8.131.52/16 dp:not80"
- In --gnuplot mode, added the ability to generate the count for a CSV
field instead of the field itself. Supported modes are an absolute
count (<field>:count), and a unique count (<field>:uniqcount). This
is useful to plot graphs of source IP vs. the number of unique ports, for
example. Also added the ability to count iptables log fields over
various time scales (minutes, hours, and days) with the following
switches: <field>:countday, <field>:counthour, <field>:countmin.
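To make the --CSV-fields syntax from the two items above concrete, here is an added Python example (not psad code, which is written in Perl) that applies a field spec with "not" negation to a few constructed iptables log lines and then computes the count and uniqcount of destination ports per source address. The mapping from field names to iptables log keys and the sample lines are assumptions made for this example.

```python
import ipaddress
import re
from collections import defaultdict
# Constructed iptables log lines for this example (not from the announcement).
LOG_LINES = [
    "Oct  1 12:00:01 fw kernel: IN=eth0 OUT= SRC=10.1.2.3 DST=192.168.0.5 PROTO=TCP SPT=40000 DPT=80",
    "Oct  1 12:00:02 fw kernel: IN=eth0 OUT= SRC=10.1.2.3 DST=192.168.0.5 PROTO=TCP SPT=40001 DPT=22",
    "Oct  1 12:00:03 fw kernel: IN=eth0 OUT= SRC=10.1.2.3 DST=192.168.0.5 PROTO=TCP SPT=40002 DPT=443",
    "Oct  1 12:00:04 fw kernel: IN=eth0 OUT= SRC=10.1.9.9 DST=192.168.0.5 PROTO=TCP SPT=40003 DPT=22",
    "Oct  1 12:00:05 fw kernel: IN=eth0 OUT= SRC=172.16.0.7 DST=192.168.0.5 PROTO=TCP SPT=40004 DPT=22",
    "Oct  1 12:00:06 fw kernel: IN=eth0 OUT= SRC=10.1.2.3 DST=192.168.0.5 PROTO=TCP SPT=40005 DPT=22",
]

# Assumed mapping from --CSV-fields names to iptables log keys (not psad's own table).
FIELD_KEYS = {"src": "SRC", "dst": "DST", "sp": "SPT", "dp": "DPT", "proto": "PROTO"}

def parse_line(line):
    # Pull every KEY=value pair out of the kernel log message.
    return dict(re.findall(r"\b([A-Z]+)=(\S*)", line))

def field_matches(value, pattern):
    # A leading "not" negates the condition; CIDR patterns match by network.
    negate = pattern.startswith("not")
    if negate:
        pattern = pattern[3:]
    if "/" in pattern:
        hit = ipaddress.ip_address(value) in ipaddress.ip_network(pattern, strict=False)
    else:
        hit = value == pattern
    return hit != negate

def select(lines, spec):
    # spec is a space-separated list of <field>:<pattern> tokens; all must match.
    criteria = [(FIELD_KEYS[n], p) for n, p in (tok.split(":", 1) for tok in spec.split())]
    matched = []
    for line in lines:
        fields = parse_line(line)
        if all(k in fields and field_matches(fields[k], p) for k, p in criteria):
            matched.append(fields)
    return matched

def count_per(records, key_field, count_field, unique=False):
    # <field>:count is the number of matching lines per key value;
    # <field>:uniqcount is the number of distinct count_field values per key.
    groups = defaultdict(list)
    for rec in records:
        groups[rec[FIELD_KEYS[key_field]]].append(rec[FIELD_KEYS[count_field]])
    return {k: len(set(v)) if unique else len(v) for k, v in groups.items()}

if __name__ == "__main__":
    hits = select(LOG_LINES, "src:10.1.0.0/16 dp:not80")
    print(count_per(hits, "src", "dp", unique=True))  # {'10.1.2.3': 2, '10.1.9.9': 1}
```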
- In --gnuplot mode, added the ability to specify the view coordinates
for 3D graph viewing with --gnuplot-view.
- Added the Storable-2.16 module along with the --use-store-file argument
so that in --gnuplot mode the Gnuplot data can be stored on disk and
retrieved quickly. This eliminates a large performance bottleneck when
Gnuplot configuration directives are tweaked while the same graph is
generated multiple times.
- Added --gnuplot-template so that a template file can be used for all
Gnuplot directives (usually psad creates the .gnu file based on the
--gnuplot command line arguments).
- Added --gnuplot-grayscale to generate graphs without the default red
color for graph points.
- Bugfix for regular expressions not being imported correctly from
within the --CSV-fields argument.
- Added --analysis-fields so the iptables log messages that are parsed in
-A mode can be restricted to those that meet certain criteria. For
example, to restrict the analyze mode to process packets with a source
address of 192.168.10.1, use this command:
psad -A --analysis-fields "src:192.168.10.1"
- Added --plot-separator to allow the format of plot data (either in
--gnuplot or --CSV modes) to be influenced by the user.
- Added the ability to configure the syslog facility and priority via
the psad.conf file (see the SYSLOG_FACILITY and SYSLOG_PRIORITY
- Updated psad.spec file to respect the %_initrddir RPM macro.
Key fingerprint = 53EA 13EA 472E 3771 894F AC69 95D8 5D6B A742 839F