Feature Request: CSV Log Export and Excluding IPs from Logs

It would be great for us users who proactively parse firewall logs to have a CSV output feature to limit the post-processing time it takes.

Second, my firewall log is littered with “scanners” and “project” hits, and I would like to be able to blacklist them with a check box or button to exclude them from the firewall logs and charts. I think this amounts to a DDoS attack IMHO, because there are so many from Shodan, Censys, and others; I have no recourse but to ignore them and get them out of the logs to reduce noise …

Thanks for a great project,
Gavin

Hi Gavin,

As an idea, maybe this one →

awk '/kernel:|IN=/' /var/log/messages | tr -s " " | tr ' ' ',' | sed 's/.$//'

OK, let's leave only the same seconds out of the listing, tested with

$ awk '/kernel:|IN=/' /var/log/messages | tr -s " " | tr ' ' ',' | sed 's/.$//' | uniq | wc -l
83961

and

$ awk '/kernel:|IN=/' /var/log/messages | tr -s " " | tr ' ' ',' | sed 's/.$//' | wc -l       
83977

As an idea?

Best,

Erik

2 Likes

Or, if you want to time-sort them with e.g. yesterday and pipe it to a file

grep -h "$(date --date="yesterday" +'%b %e')" /var/log/messages | grep -E 'kernel:|IN=' | tr -s " " | tr ' ' ',' | sed 's/.$//' | uniq > /tmp/fwlogs_csv

A fcron job should be OK in that manner… I am not sure how you want to export it.

As another one.

Best,

Erik

2 Likes
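A standalone alternative to the awk/tr pipelines in Erik's posts, added here as an example; it is not from the original thread and not part of the project. Instead of turning every space into a comma it parses the netfilter LOG KEY=VALUE fields into named CSV columns, and it drops source addresses found in an exclude list (single addresses or CIDR ranges), which is the scanner-noise filter Gavin asks for. It assumes the classic syslog line layout "Mon DD HH:MM:SS host kernel: <prefix> IN=... SRC=..." and the iptables/ip6tables LOG format; the script name fwlog2csv.py, the exclude-list format and the sample lines are all assumptions made for the example.

```python
#!/usr/bin/env python3
"""fwlog2csv.py: netfilter LOG lines from syslog -> CSV, minus excluded SRC addresses.

Assumptions (not confirmed by the thread): classic syslog layout
"Mon DD HH:MM:SS host kernel: [prefix] IN=... OUT=... SRC=... DST=...";
a line is a firewall event only if it has "kernel:" and a KEY=VALUE block
starting at IN=; the exclude list holds addresses or CIDRs, one per line,
with "#" starting a comment.
"""
import csv
import io
import ipaddress
import re
import sys

# Columns emitted, in this order; keys absent from a line become empty cells.
COLUMNS = ["timestamp", "host", "prefix", "IN", "OUT", "MAC",
           "SRC", "DST", "PROTO", "SPT", "DPT", "LEN", "TTL"]

# "Mon DD HH:MM:SS host kernel: rest" -- the day is space padded ("Mar  3"), hence \s+.
_SYSLOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) kernel: (?P<rest>.*)$")
# Start of the KEY=VALUE block; anchored so a prefix like "CHAIN=x" is not mistaken for it.
_IN_RE = re.compile(r"(?:^|\s)IN=")
_KV_RE = re.compile(r"(?P<key>[A-Z]+)=(?P<val>\S*)")
# Optional kernel uptime stamp "[ 1234.567]" that some systems print before the LOG prefix.
_UPTIME_RE = re.compile(r"^\[\s*\d+\.\d+\]\s*")


def parse_line(line):
    """Return a dict of fields for a firewall LOG line, or None for any other line."""
    m = _SYSLOG_RE.match(line.rstrip("\n"))
    if not m:
        return None
    rest = m.group("rest")
    start = _IN_RE.search(rest)
    if not start:
        return None  # a kernel message, but not a netfilter LOG line
    prefix = _UPTIME_RE.sub("", rest[:start.start()].strip())
    fields = {"timestamp": m.group("ts"), "host": m.group("host"), "prefix": prefix}
    for kv in _KV_RE.finditer(rest[start.start():]):
        # UDP/ICMP lines repeat LEN for the inner header; keep the first (IP total length).
        fields.setdefault(kv.group("key"), kv.group("val"))
    return fields


def load_exclude_list(text):
    """Parse an exclude list (addresses or CIDRs, one per line) into network objects."""
    nets = []
    for raw in text.splitlines():
        entry = raw.split("#", 1)[0].strip()
        if entry:
            nets.append(ipaddress.ip_network(entry, strict=False))
    return nets


def is_excluded(src, nets):
    """True if src is an address inside any excluded network (v4/v6 mismatches never match)."""
    try:
        addr = ipaddress.ip_address(src)
    except ValueError:
        return False  # malformed or missing SRC: keep the line rather than crash
    return any(addr in net for net in nets)


def fwlog_to_csv(lines, exclude_nets=()):
    """Convert an iterable of raw log lines to CSV text with a header, skipping excluded SRCs."""
    out = io.StringIO()
    writer = csv.DictWriter(out, fieldnames=COLUMNS, extrasaction="ignore", lineterminator="\n")
    writer.writeheader()
    for line in lines:
        rec = parse_line(line)
        if rec is None or is_excluded(rec.get("SRC", ""), exclude_nets):
            continue
        writer.writerow(rec)
    return out.getvalue()


# Constructed sample input in the assumed format (not real log data; documentation address ranges).
SAMPLE_LOG = "\n".join([
    "Mar  3 10:15:01 fw kernel: DROP_INPUT IN=red0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 "
    "SRC=198.51.100.9 DST=203.0.113.2 LEN=44 TOS=0x00 PREC=0x00 TTL=54 ID=1234 PROTO=TCP SPT=43210 DPT=22 "
    "WINDOW=1024 RES=0x00 SYN URGP=0 ",
    "Mar  3 10:15:02 fw kernel: DROP_INPUT IN=red0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 "
    "SRC=192.0.2.77 DST=203.0.113.2 LEN=40 TOS=0x00 PREC=0x00 TTL=240 ID=54321 PROTO=TCP SPT=51000 DPT=3389 "
    "WINDOW=1024 RES=0x00 SYN URGP=0 ",
    "Mar  3 10:15:03 fw kernel: red0: link is up",
    "Mar  3 10:15:04 fw sshd[1]: Accepted publickey for admin from 10.0.0.5 port 5555",
    "Mar  3 10:15:05 fw kernel: [ 1234.567] FORWARD IN=green0 OUT=red0 SRC=10.0.0.5 DST=203.0.113.53 "
    "LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=1 DF PROTO=UDP SPT=40000 DPT=53 LEN=40 ",
    "Mar  3 10:15:06 fw kernel: DROP_INPUT IN=red0 OUT= SRC=2001:db8:1::9 DST=2001:db8:2::1 "
    "LEN=80 TC=0 HOPLIMIT=55 FLOWLBL=0 PROTO=TCP SPT=6000 DPT=443 WINDOW=1024 RES=0x00 SYN URGP=0 ",
])


def main(argv):
    """Usage: grep kernel: /var/log/messages | fwlog2csv.py [exclude-list-file] > fw.csv"""
    nets = []
    if len(argv) > 1:
        with open(argv[1], encoding="utf-8") as fh:
            nets = load_exclude_list(fh.read())
    sys.stdout.write(fwlog_to_csv(sys.stdin, nets))


if __name__ == "__main__":
    main(sys.argv)
```

Because the CSV has a stable header, the output loads directly into a spreadsheet or pandas without the post-processing the column-less tr output needs, and the exclude list can carry whole scanner ranges rather than one address per line; dropping the lines at export time also keeps the raw /var/log/messages untouched, so nothing is lost if an "excluded" source later turns out to matter.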