This is the mail archive of the systemtap@sourceware.org mailing list for the systemtap project.



Re: monitor changes to iptables


On 10/11/2017 12:47 AM, Daniel Doron wrote:
> Hi William,
> Thanks for the suggestion. Correct me if I am wrong but:
> 1. auditctl does not provide a real-time / online logging facility
> 2. I would have to parse its logs to get the info I want
> 3. Does it also use kprobes to get the info? I'll need to strace it to
> see how it works...
> 
> I was thinking maybe monitor the ip_tables module directly, but I will
> need to figure out the relevant functions...

Hi Daniel,

The auditctl suggestion was a quick off-the-top-of-the-head thought about some place that would have that information.  There is a timestamp in the audit log information, so if one knows when the problem occurs it should be possible to identify the events in the audit log happening around that time.

It would be useful to describe the problem that is being investigated.  That background would give some context to steer the discussion towards approaches that would best solve the problem.

-Will
> 
> 
> 
> On Tue, Oct 10, 2017 at 11:17 PM, William Cohen <wcohen@redhat.com> wrote:
>> On 10/10/2017 10:49 AM, Daniel Doron wrote:
>>> Hi,
>>>
>>> I am trying to figure out a way to monitor and log changes to iptables
>>> (netfilter). Any ideas would be appreciated...
>>>
>>> Thanks.
>>> Daniel.
>>>
>>
>> Hi Daniel,
>>
>> Would you need to use systemtap for this or would using auditctl as mentioned in the following be sufficient?
>>
>> https://unix.stackexchange.com/questions/206891/audit-on-changes-to-the-running-iptables-configuration
>>
>>
>> -Will
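
Added example, not part of the thread or of systemtap: one way to do the timestamp correlation described in the reply above, by grouping audit records that share an event id and keeping netfilter configuration events near a known incident time. It assumes the audit log contains NETFILTER_CFG records; the log lines are constructed samples and the function names are hypothetical.

```python
import re
from collections import defaultdict

# Constructed sample lines in the Linux audit log format (not from the thread).
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1507706100.101:870): arch=c000003e syscall=59 success=yes exit=0 pid=2001 uid=1000 comm="ls" exe="/usr/bin/ls"
type=NETFILTER_CFG msg=audit(1507707000.412:881): table=filter family=2 entries=4
type=SYSCALL msg=audit(1507707000.412:881): arch=c000003e syscall=54 success=yes exit=0 pid=2310 uid=0 comm="iptables" exe="/usr/sbin/iptables"
type=NETFILTER_CFG msg=audit(1507710600.007:902): table=nat family=2 entries=6
type=SYSCALL msg=audit(1507710600.007:902): arch=c000003e syscall=54 success=yes exit=0 pid=2544 uid=0 comm="iptables-restor" exe="/usr/sbin/iptables-restore"
"""

HEADER = re.compile(r'^type=(\S+) msg=audit\((\d+\.\d+):(\d+)\): ?(.*)$')
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_events(text):
    """Group records by (timestamp, serial); records of one event share that id."""
    events = defaultdict(dict)
    for line in text.splitlines():
        m = HEADER.match(line.strip())
        if not m:
            continue  # skip anything that is not an audit record
        rtype, ts, serial, body = m.groups()
        fields = {k: v.strip('"') for k, v in FIELD.findall(body)}
        events[(float(ts), int(serial))][rtype] = fields
    return events

def netfilter_changes(text, incident_ts, window=300):
    """Return netfilter config events within +/- window seconds of incident_ts."""
    hits = []
    for (ts, serial), recs in sorted(parse_events(text).items()):
        if "NETFILTER_CFG" not in recs or abs(ts - incident_ts) > window:
            continue
        # The SYSCALL record of the same event names the process that made the change.
        cfg, sc = recs["NETFILTER_CFG"], recs.get("SYSCALL", {})
        hits.append({"ts": ts, "serial": serial, "table": cfg.get("table"),
                     "entries": cfg.get("entries"), "exe": sc.get("exe"),
                     "pid": sc.get("pid"), "uid": sc.get("uid")})
    return hits

if __name__ == "__main__":
    # Incident time is a constructed value one minute after the first change.
    for hit in netfilter_changes(SAMPLE_LOG, incident_ts=1507707060):
        print(hit)
```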

