IPTables logs script analyser (iptLogAnalyser). Latest version: iptLogAnalyser-0.3.tar.bz2 (13.2 kB)

Files in OldFiles:
Name                  Modified     Size
sample_report2        2002-11-08   2.4 kB
sample_report1        2002-11-08   4.4 kB
firelog.pl            2002-11-08   8.1 kB
firelog.cron.weekly   2002-11-08   209 Bytes
firelog.cron.daily    2002-11-08   436 Bytes
README                2002-11-08   3.9 kB
COPYING               2002-11-08   18.1 kB
BUGS                  2002-11-08   86 Bytes
AUTHORS               2002-11-08   51 Bytes
Totals: 9 items, 37.6 kB

#-------------------------#
#        History          #
#-------------------------#

One day I was bored by the awful lines of the iptables LOG target. So I looked
for a tool that displayed a convenient report about their contents. I couldn't find
one that suited my needs, so I decided to write one.
First of all I thought of writing it in C, but I realized that would be horrible to do.
As I didn't know anything about Perl, except that it was powerful in dealing with text,
I decided to learn this wonderful language and write my project with it. I learned
Perl in about one week (not all of Perl, just the parts used in this script) and
that's the result.


#-------------------------#
# Description / Audience  #
#-------------------------#

Firelog is a tool for analysing iptables logs (the long, ugly lines produced by the
-j LOG target). It produces a small report in a file which you can mail to whoever
you want. Its main audience is therefore system administrators (even if there are
better tools for the job), but also people who simply want to see what happened on
the wire during their holidays.
In addition, since it uses only basic Perl concepts, it can serve as training by example
for people who want to learn Perl.

Knowledge of iptables is required not only for using this script but also for
understanding its goals.

The main trick is a line count which lets you look only at the last n lines of
your logs. With the -t switch you specify the file in which the number of lines
treated by the last run is saved (default value ./number).

Suppose your iptables log has 5 lines (5 entries generated by the LOG target, each
of which is one very long line). You first create a number file containing 0, since
you have never analysed this log file. Then you call firelog (not forgetting the
-t switch): it produces a report and writes 5 to the number file.
A few days later, 3 new entries have been appended to the same log file. You call
firelog again and it only reports on the last 3 lines, because it reads the number
file and knows that the previous run treated 5 lines. Note that the count is a position
in the file, not a timestamp: if the log is rotated or truncated without the number
file being reset to 0, the next run will skip lines or report nothing at all.
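As an added example (not firelog's own code, which is in Perl), here is the same number-file mechanism in Python: a parser for LOG target lines, a run that reports only on the lines appended since the previous run, the reset done by the weekly job, and a guard for the case the README leaves to the operator, a log that was rotated without the number file being reset. The prefixes DROP_IN and DROP_FWD, the interface names, the addresses and the log lines themselves are constructed for the example and are not taken from firelog's firewall script or sample reports.

```python
import os, re, tempfile
from collections import Counter
from pathlib import Path

# Description per --log-prefix, like firelog's fill_infos section (prefixes are assumptions).
PREFIX_INFO = {
    "DROP_IN": "packet to the firewall itself with no matching ACCEPT rule",
    "DROP_FWD": "packet from the LAN refused by the forwarding policy",
}

# One LOG line: syslog header, "kernel:", optional "[uptime]", the prefix, then key=value
# fields from IN= on.  The prefix is \S* on purpose: a prefix containing a space does not
# parse, which is why the README requires prefixes without spaces.
LOG_RE = re.compile(r"kernel:\s+(?:\[\s*[\d.]+\]\s+)?(?P<prefix>\S*)\s*IN=(?P<fields>.*)$")
FIELD_RE = re.compile(r"(\w+)=(\S*)")

# Constructed /var/log/kernel excerpt: 5 lines on day 1, 3 appended on day 2 (one with a
# broken prefix containing a space), then 1 line after the weekly log rotation.
SAMPLE_LOG = """\
Nov  8 10:01:02 gw kernel: DROP_IN IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.2 LEN=60 TTL=51 ID=31337 DF PROTO=TCP SPT=44321 DPT=22 SYN URGP=0
Nov  8 10:01:05 gw kernel: eth0: link up
Nov  8 10:02:17 gw kernel: DROP_IN IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.2 LEN=60 TTL=51 ID=31338 DF PROTO=TCP SPT=44322 DPT=23 SYN URGP=0
Nov  8 10:03:40 gw kernel: DROP_FWD IN=eth1 OUT=eth0 SRC=192.168.1.20 DST=203.0.113.9 LEN=78 TTL=63 PROTO=UDP SPT=137 DPT=137 LEN=58
Nov  8 10:04:01 gw kernel: DROP_IN IN=eth0 OUT= SRC=198.51.100.77 DST=198.51.100.2 LEN=84 TTL=64 ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=1234 SEQ=1
"""
EXTRA_LOG = """\
Nov  9 03:12:44 gw kernel: DROP_IN IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.2 LEN=60 TTL=51 ID=4000 DF PROTO=TCP SPT=50001 DPT=22 SYN URGP=0
Nov  9 03:13:02 gw kernel: DROP IN IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.2 LEN=60 TTL=51 ID=4001 DF PROTO=TCP SPT=50002 DPT=22 SYN URGP=0
Nov  9 03:13:30 gw kernel: DROP_IN IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.2 LEN=60 TTL=51 ID=4002 DF PROTO=TCP SPT=50003 DPT=22 SYN URGP=0
"""
ROTATED_LOG = "Nov 10 00:00:07 gw kernel: DROP_IN IN=eth0 OUT= SRC=203.0.113.9 DST=198.51.100.2 LEN=60 TTL=51 ID=1 DF PROTO=TCP SPT=60000 DPT=80 SYN URGP=0\n"


def parse_log_line(line):
    """Return the prefix and key=value fields of one LOG line, or None if it does not parse."""
    m = LOG_RE.search(line)
    if not m:
        return None
    rec = {"prefix": m.group("prefix") or "(none)"}
    for key, value in FIELD_RE.findall("IN=" + m.group("fields")):
        rec.setdefault(key, value)  # keep the first ID=/LEN= when a field repeats (ICMP, UDP)
    return rec


def read_number(number_path):
    """Lines already reported by the previous run; a missing or damaged number file counts as 0."""
    try:
        return int(Path(number_path).read_text().strip() or 0)
    except (FileNotFoundError, ValueError):
        return 0


def analyse(log_path, number_path):
    """Report on the lines appended since the last run, then record the new line count."""
    lines = Path(log_path).read_text().splitlines()
    done = read_number(number_path)
    if done > len(lines):
        # Log rotated or truncated but the number file was not reset to 0:
        # start from the beginning instead of silently reporting nothing.
        done = 0
    report = {"lines_total": len(lines), "lines_new": len(lines) - done, "unparsed": 0,
              "by_prefix": Counter(), "by_src": Counter(), "by_dpt": Counter()}
    for line in lines[done:]:
        if " IN=" not in line:  # not a LOG target line (the README's "grep DROP_" step)
            continue
        rec = parse_log_line(line)
        if rec is None:
            report["unparsed"] += 1
            continue
        report["by_prefix"][rec["prefix"]] += 1
        report["by_src"][rec.get("SRC", "?")] += 1
        report["by_dpt"][(rec.get("PROTO", "?"), rec.get("DPT", "-"))] += 1
    Path(number_path).write_text(f"{len(lines)}\n")
    return report


def weekly_reset(number_path):  # the weekly cron step: log saved and emptied, count from 0
    Path(number_path).write_text("0\n")


def format_report(report):
    """The mailable summary: counts per prefix (with its description), per port, per source."""
    out = [f"{report['lines_new']} new lines ({report['lines_total']} in file), "
           f"{report['unparsed']} LOG lines not parsed (prefix with spaces?)"]
    for prefix, n in report["by_prefix"].most_common():
        out.append(f"{n:5d}  {prefix:<9} {PREFIX_INFO.get(prefix, '(no description)')}")
    for (proto, dpt), n in report["by_dpt"].most_common():
        out.append(f"{n:5d}  {proto}/{dpt}")
    for src, n in report["by_src"].most_common():
        out.append(f"{n:5d}  from {src}")
    return "\n".join(out)


def run_demo():
    """The README's scenario on the constructed log; returns the three reports and the final count."""
    with tempfile.TemporaryDirectory() as d:
        log, number = os.path.join(d, "kernel"), os.path.join(d, "number")
        Path(number).write_text("0\n")               # a fresh number file containing 0
        Path(log).write_text(SAMPLE_LOG)
        first = analyse(log, number)                 # day 1: all 5 lines, number file becomes 5
        Path(log).write_text(SAMPLE_LOG + EXTRA_LOG)
        second = analyse(log, number)                # day 2: only the 3 appended lines
        Path(log).write_text(ROTATED_LOG)            # log saved and emptied, number file still 8
        third = analyse(log, number)                 # the guard in analyse() restarts at line 0
        weekly_reset(number)
        return first, second, third, read_number(number)


if __name__ == "__main__":
    print("\n\n".join(format_report(r) for r in run_demo()[:3]))
```

Run it directly to see the three reports. On a real machine you would point analyse() at the file produced by grep DROP_ (or at /var/log/kernel itself, since non-LOG lines are skipped) and mail the output of format_report(); the second report shows the one line whose prefix contains a space being counted as unparsed rather than silently dropped, and the third shows why the weekly job must write 0 to the number file.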

#-------------------------#
#     Using firelog       #
#-------------------------#

This section contains a complete example of using firelog in real life. It is exactly
how I use firelog.

My logs are saved weekly by a cron script. These logs include the /var/log/kernel file,
which contains, among many other things, the iptables logs. I want a daily report on
these logs, but only about what occurred since the last report: I don't want a huge report
at the end of each week! So I did the following:

1. Write a suitable iptables script. It should contain whatever rules you want (an example,
the firewall script, is given with this release). All your LOG target rules (-j LOG) should
have a prefix (--log-prefix option), and that prefix must not contain any spaces.
In addition you need a way to obtain a file with only the iptables logs: in my case all the
prefixes begin with "DROP_", so a simple grep DROP_ does the job.

2. Enter a description for each prefix in the fill_infos section of firelog.pl. This isn't
strictly required, but it is very useful when you no longer remember which packets a prefix matches.

3. Customise your startup scripts so that the firewall is switched on at boot time. This isn't
specific to firelog, but if you use a firewall it should be running all the time.

4. Choose a number file and write "0" in it.

5. Write suitable cron.daily and cron.weekly scripts. Daily, you call firelog giving it the
number file, the input file and the output file. Weekly, you save your syslog and then write
"0" in the number file, so that the count matches the new, empty log. Examples
(firelog.cron.daily and firelog.cron.weekly) are provided with this release.

That's all.

bubu.

Source: README, updated 2002-11-08