Excuse me. Let's say / suppose that this topic was never there and never existed.
Because I have spent too much time on this topic, and there are no results.
Surely you have more interesting and important classes than my problems. I have.
I apologize for the problem.
In this topic I stated that it does not make sense. viewtopic.php?p=2016062#p2016062
But I had a very strong desire to try.
Only I will write why.
Maybe this knowledge will be useful to someone.
1. Creating a separate file /var/log/iptables.log for iptables only is impossible.
Maybe it's possible for a programmer, I don't know.
Because iptables events are located in kern.warning
So it collects messages from iptables and other stuff in one place.
I tried redirecting kern.warning to the /var/log/iptables.log file in /etc/rsyslog.d/50-default.conf
A. https://www.networkinghowtos.com/howto/ ... -log-file/
And it works, but it is nonsense to have kernel messages in two separate files: syslog
And this name "iptables.log" is misleading when it also includes other messages.
2. What came to my mind?
Sometimes I only listen to music over the internet.
If the script did not detect a new connection for a long time,
it could track the opening of the file /var/log/iptables.log. This is a way to use fewer resources.
My idea is probably stupid or underdeveloped, because creating a timer for each destination IP connection can use up my computer's resources even more.
Why not log all connections without complications and filter the log file itself afterwards?
The contents of the iptables log are of no value to me. Especially in the past tense.
The only important thing is whether there is a new connection at a certain moment.
- I can do this with inotify to detect changes in iptables.log
- Or with comm to compare the old and new output of lsof
When the connection is still on, you can check more, for example:
- Application name ( lsof -Pi )
- PID number of this app ( lsof -Pi )
- From where this app is running ( you can search for this in pstree -pt )
- What files it opens ( ps aux | grep name_of_process )
You don't need to collect all your apps' data now.
For example, you can collect only time, application name and number of connections.
( You can collect more information. )
If you notice too frequent internet connections, or an unnecessary connection,
then you can build a trap for the given name of the application
( I mean the script will then collect more information when it detects a new connection with the specified name )
and the script will save what it found to logs for you.
Later, in your free time, you can read the event logs.
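An added example (not from the post) of the comm-on-lsof approach described above, in POSIX shell: it diffs two snapshots of `lsof -Pni` output, logs only time, application name, PID and the number of new connections, and, when the assumed TRAP_APP variable names an app, also saves that app's process tree with pstree. The two lsof snapshots are constructed samples, not real captures.

```shell
# Constructed samples in the format of `lsof -Pni` (hypothetical, not real captures).
OLD_SNAPSHOT='COMMAND   PID USER  FD  TYPE DEVICE SIZE/OFF NODE NAME
rhythmbox 2210 alice 31u IPv4  44201      0t0  TCP 192.168.1.10:50120->203.0.113.7:443 (ESTABLISHED)
firefox   3001 alice 88u IPv4  44390      0t0  TCP 192.168.1.10:50202->198.51.100.20:443 (ESTABLISHED)
avahi      901 avahi 12u IPv4  20110      0t0  UDP *:5353'
NEW_SNAPSHOT='COMMAND   PID USER  FD  TYPE DEVICE SIZE/OFF NODE NAME
rhythmbox 2210 alice 31u IPv4  44201      0t0  TCP 192.168.1.10:50120->203.0.113.7:443 (ESTABLISHED)
firefox   3001 alice 88u IPv4  44390      0t0  TCP 192.168.1.10:50202->198.51.100.20:443 (ESTABLISHED)
firefox   3001 alice 91u IPv4  44512      0t0  TCP 192.168.1.10:50310->203.0.113.99:80 (ESTABLISHED)
firefox   3001 alice 92u IPv4  44513      0t0  TCP 192.168.1.10:50311->203.0.113.99:443 (ESTABLISHED)
updater   4100 alice 12u IPv4  44600      0t0  TCP 192.168.1.10:50400->192.0.2.5:443 (SYN_SENT)
avahi      901 avahi 12u IPv4  20110      0t0  UDP *:5353'

# Reduce lsof output to sorted "command pid remote_endpoint" lines; the header and
# listening sockets (no "->") are dropped so comm only compares outbound connections.
normalize() {
    awk 'NR > 1 && $9 ~ /->/ { split($9, ep, "->"); print $1, $2, ep[2] }' | sort -u
}

# Lines present in the new snapshot but absent from the old one (comm -13).
new_connections() {
    old_f=$(mktemp) && new_f=$(mktemp) || return 1
    printf '%s\n' "$1" | normalize > "$old_f"
    printf '%s\n' "$2" | normalize > "$new_f"
    comm -13 "$old_f" "$new_f"
    rm -f "$old_f" "$new_f"
}

# Keep only the small record the post suggests: app, PID and number of new connections.
summarize() {
    awk '{ n[$1 " " $2]++ } END { for (k in n) print k, n[k] }' | sort
}

# Poll loop: diff each lsof snapshot against the previous one and append findings to the
# log. TRAP_APP (assumed variable) makes the script also save that app's process tree.
watch_connections() {
    log=${1:-$HOME/newconn.log}; interval=${2:-10}
    prev=$(lsof -Pni)
    while sleep "$interval"; do
        cur=$(lsof -Pni)
        new=$(new_connections "$prev" "$cur")
        [ -n "$new" ] && printf '%s\n' "$new" | summarize |
            while read -r app pid count; do
                printf '%s %s pid=%s new_connections=%s\n' \
                    "$(date '+%F %T')" "$app" "$pid" "$count" >> "$log"
                if [ -n "$TRAP_APP" ] && [ "$app" = "$TRAP_APP" ]; then
                    pstree -ps "$pid" >> "$log" 2>/dev/null   # where the app was started from
                fi
            done
        prev=$cur
    done
}
```

Start the monitor with `watch_connections ~/newconn.log 10` (or `TRAP_APP=firefox watch_connections` to also record that app's process tree); the loop itself is not started here so the helper functions can be tried on the samples first.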