Use afterglow to visualize iptables logs on CentOS, RHEL, Fedora

Overview

Earlier I wrote an article on setting up psad and argo firewall; this one is about using afterglow to visualize the iptables logs that psad is already monitoring. There are many reasons to do this. I did it for fun, but it also presents the log information in a much cleaner and more readable way than raw log lines.


Graphviz and the Text::CSV Perl module are the prerequisites. Most current Linux distributions ship with Perl preinstalled; if yours does not, install Perl as well.


# yum install perl
# wget http://search.cpan.org/CPAN/authors/id/E/ER/ERANGEL/Text-CSV-0.5.tar.gz
# tar zxvf Text-CSV-0.5.tar.gz
# cd Text-CSV-0.5
# perl Makefile.PL
# make
# make install

Install graphviz, then download the latest version of afterglow and untar it.

# yum install graphviz
# wget -O afterglow-1.6.2.tar.gz "http://sourceforge.net/projects/afterglow/files/latest/download?source=files"
# tar zxvf afterglow-1.6.2.tar.gz

If you followed my previous post on setting up psad and argo, you already have psad installed; if not, set it up first. Afterglow reads its input from CSV, so the firewall log has to be converted to CSV format, which psad can do directly.


# psad --CSV --CSV-fields "src dst dp sp" --CSV-max 1000 -m /var/log/firewall.log | perl /opt/afterglow/src/perl/graph/afterglow.pl -c /opt/afterglow/src/perl/parsers/color.properties | neato -Tjpg -o iptable_graph03.jpg

The command is fairly self-explanatory: psad is run with the --CSV flag to emit CSV output, --CSV-fields selects the columns (source IP, destination IP, destination port, source port), --CSV-max 1000 caps the number of entries, and -m names the log file to read. That output is piped into the afterglow Perl script together with the color.properties file, and the resulting graph description is piped to the neato utility from the graphviz package, which renders it as a JPEG.

The color.properties file can be edited to create an image with colors of your choice.
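To make the afterglow step less of a black box, here is an added example (written for this page, not afterglow's own code) that does in Python what the pipeline above does with afterglow.pl: it takes psad-style CSV rows in the "src dst dp sp" order, collapses repeated hits into weighted edges, applies a simple colour rule standing in for color.properties, and emits Graphviz DOT that neato can render. The sample CSV rows are constructed, and the colour rule (RFC 1918 sources green, everything else red, destinations blue) and the decision to merge destination IP and port into one node are assumptions of this example, not afterglow's own configuration syntax.

```python
"""Convert psad CSV (src,dst,dp,sp) into Graphviz DOT, afterglow-style.

Added example for this page; the colour rule and node layout are this
script's own choices, not afterglow's color.properties format.
"""
import csv
import ipaddress
from collections import Counter
from io import StringIO

# Constructed sample output of: psad --CSV --CSV-fields "src dst dp sp"
SAMPLE_CSV = """\
203.0.113.5,192.0.2.10,22,51234
203.0.113.5,192.0.2.10,22,51235
198.51.100.7,192.0.2.10,443,40001
10.0.0.4,192.0.2.10,3306,50011
203.0.113.5,192.0.2.11,22,51236
"""

# Assumed colour rule: internal (RFC 1918) sources green, external sources red.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def node_color(ip):
    """Return the fill colour for a source node under the assumed rule."""
    addr = ipaddress.ip_address(ip)
    return "green" if any(addr in net for net in RFC1918) else "red"


def parse_csv(text):
    """Parse src,dst,dp,sp rows; malformed rows are skipped rather than fatal."""
    rows = []
    for rec in csv.reader(StringIO(text)):
        if len(rec) != 4:
            continue
        src, dst, dp, sp = (f.strip() for f in rec)
        try:
            ipaddress.ip_address(src)
            ipaddress.ip_address(dst)
            rows.append((src, dst, int(dp), int(sp)))
        except ValueError:
            continue
    return rows


def build_edges(rows):
    """Count src -> dst:dport hits so repeated probes become one heavier edge.

    Afterglow draws the CSV columns as separate nodes; merging dst and dport
    into a single node is a simplification chosen for this example.
    """
    return Counter((src, f"{dst}:{dp}") for src, dst, dp, _ in rows)


def to_dot(rows):
    """Emit a DOT digraph: coloured source nodes, boxed dst:port nodes, weighted edges."""
    edges = build_edges(rows)
    lines = ["digraph firewall {", "  node [style=filled];"]
    for s in sorted({s for s, _ in edges}):
        lines.append(f'  "{s}" [fillcolor={node_color(s)}];')
    for t in sorted({t for _, t in edges}):
        lines.append(f'  "{t}" [fillcolor=lightblue, shape=box];')
    for (s, t), n in sorted(edges.items()):
        # Edge thickness grows with hit count, so repeat offenders stand out.
        lines.append(f'  "{s}" -> "{t}" [label="{n}", penwidth={1 + n}];')
    lines.append("}")
    return "\n".join(lines)


if __name__ == "__main__":
    # Pipe the output into: neato -Tjpg -o iptable_graph.jpg
    print(to_dot(parse_csv(SAMPLE_CSV)))
```

Run it and pipe stdout into `neato -Tjpg -o iptable_graph.jpg` to get the same kind of picture the afterglow pipeline produces; with real data, replace SAMPLE_CSV by reading psad's CSV output from stdin. The malformed-row handling matters in practice because psad's CSV output can contain partial lines at the --CSV-max cutoff.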

Sample image from my logs:
[Image: iptable_graph03.jpg, the graph produced by the command above]

Cheers!!!