or Create a profile

Home Suggestions

dd--wrt klogd firewall rules

sigals's Avatar

sigals

11 Nov, 2018 07:20 AM

I made this, it works on my dd-wrt router you could tweak the regex pretty easily for different log formats though.

{
    "firewall": {
        "display": "firewall #1",
        "path": "/opt/var/log/messages",
        "format": {
            "multiline": "Error",
            "regex": "|(.{3}) ([0-9]{1,2}) ([0-9]{1,2}):([0-9]{1,2}):([0-9]{1,2}) (DD-WRT) (kernel:) (DROP) (IN=vlan2) (OUT=) (MAC=)(([0-9a-f]{2}[:])+([0-9a-f]{2})) (SRC=)((([0-9]{1,3}[.]))+[0-9]{1,3}) (DST=)((([0-9]{1,3}[.]))+[0-9]{1,3}) (.*) (PROTO=)([A-Z]{3}) (SPT=)([0-9]{1,8}) (DPT=)([0-9]{1,8}) (.*)|",
            "match": {
                "Date": [1, " ", 2, " ", 3, ":", 4, ":", 5],
                "Status": 8,
                "Interface": 9,
                "MAC": 12,
                "SRC": 16,
                "DST": 20,
                "Protocol": 25,
                "Source Port": 27,
                "Destination Port": 29,
                "Message": [23, 30]
            },
            "types": {
                "Date": "date:M d H:i:s \/100",
                "Status": "txt",
                "Interface": "txt",
                "MAC": "txt",
                "SRC": "ip:geo",
                "DST": "txt",
                "Protocol": "txt",
                "Source Port": "port",
                "Destination Port": "port",
                "Message": "txt"
            }
        }
    }
}

It matches the following log format:

Nov 11 02:56:15 DD-WRT kernel: DROP IN=vlan2 OUT= MAC=10:bf:48:e6:b3:a3:28:8a:1c:ea:af:40:08:00:45:00:00:28 SRC=92.24.227.58 DST=127.0.0.1 LEN=40 TOS=0x00 PREC=0x00 TTL=248 ID=59184 DF PROTO=TCP SPT=36165 DPT=23 SEQ=3870276455 ACK=0 WINDOW=14600 RES=0x00 SYN URGP=0 
Nov 11 02:56:15 DD-WRT kernel: DROP IN=vlan2 OUT= MAC=10:bf:48:e6:b3:a3:28:8a:1c:ea:af:40:08:00:45:00:00:1c SRC=85.233.65.144 DST=127.0.0.1 LEN=28 TOS=0x00 PREC=0x00 TTL=232 ID=25958 PROTO=ICMP TYPE=8 CODE=0 ID=59598 SEQ=16529

Looks pretty sweet too.

Reply to this discussion

Internal reply

Formatting help / Preview (switch to plain text) No formatting (switch to Markdown)

Attaching KB article:

»

Already uploaded files

  • 2018-11-11_07_18_16-Pimp_my_Log__firewall__1_.png 82.6 KB

Attached Files

You can attach files up to 10MB

If you don't have an account yet, we need to confirm you're human and not a machine trying to post spam.

  • New Issue

  • Conversation Started

    A conversation has been started with the Pimp my Log staff to resolve this discussion.

  • Close the discussion

Private Permissions

This discussion is private. Only you and Pimp my Log support staff can see and reply to it.

Public Permissions

This discussion is public. Everyone can see and reply to it.

Keyboard shortcuts

Generic

? Show this help
ESC Blurs the current field

Comment Form

r Focus the comment reply box
^ + ↩ Submit the comment

You can use Command ⌘ instead of Control ^ on Mac

Recent Discussions

12 Jan, 2025 06:43 AM rotated gzipped files
22 May, 2024 05:04 PM Help you obtain Microsoft prize(capital, iPhone, etc.) to grow your business
02 Nov, 2023 10:57 AM Use this A.I. Tool to Generate Immediate Content
08 Oct, 2023 05:28 PM Helps you maximize your website revenue in 5 minutes
12 Aug, 2023 09:23 AM The *top secret* AI traffic hack

Recent Articles

Joomla
Docker Syslog server
MySQL
PHP installations with Suhosin extension and exotic ini settings
Signification of fields in an export