Log network activity in ubuntu server

monitoring, networking

I administer an Ubuntu Server exposed to the internet and have the need to monitor and keep track of all the network activity in a manner that allows me to analyze it afterwards.

I already tried some tools, such as tshark or tcpdump, which give me too much detail, vnstat, which does not give me the detail I want (it shows only the bandwidth), and tcptrack, which is OK as a real time monitoring tool but gives me no logging option for further analysis.

What I have in mind is something between tcptrack and vnstat:

A daemon which logs every connection and, when needed, provides me with a comprehensive report showing IPs, ports and timestamps of every established connection, and every connection attempt (so, it should also show the SYN packets of the connections dropped by iptables).
Ideally (this is just a bonus point :), it would store information into some SQL database, such as MySQL or PostgreSQL, which would allow me to execute arbitrary select statements in order to obtain custom reports (for example, monitor all the activity coming from a single IP, or extract a list of all IPs using a specific service).

I must say that I already tried combining some tools, like logging with tcpdump and then showing the results using tcptrack, but it didn't work as expected.

So, is there any tool close to this "idea"?

Best Answer

I think the easiest method to achieve what you want here will be the use of iptables along with logging to either the LOG or ULOG targets.

This will leave you with the following type of log information:

Aug 13 14:42:07 srv1 IN=eth0 OUT= MAC=00:0c:29:8c:2b:6c:00:d0:02:eb:e8:0a:08:00 SRC=75.125.70.194 DST=XXX.XXX.XXX.XXX LEN=40 TOS=00 PREC=0x00 TTL=54 ID=9566 PROTO=TCP SPT=57144 DPT=445 SEQ=2770468863 ACK=0 WINDOW=512 SYN URGP=0

Aug 13 14:45:29 srv1 IN=eth0 OUT= MAC=00:0c:29:8c:2b:6c:00:d0:02:eb:e8:0a:08:00 SRC=75.125.70.194 DST=XXX.XXX.XXX.XXX LEN=40 TOS=00 PREC=0x00 TTL=55 ID=13702 PROTO=TCP SPT=58528 DPT=445 SEQ=1217789951 ACK=0 WINDOW=512 SYN URGP=0

You'll then be able to use standard tools such as awk or grep to pull data from this when you want to see what's going on on this system.

Two rules such as these should log any "NEW" connections that are either incoming or outgoing. These will prefix the rules so that they're easier to spot:

iptables -I INPUT -m state --state NEW -j LOG --log-prefix "New Connection: "
iptables -I OUTPUT -m state --state NEW -j LOG --log-prefix "New Connection: "

Resulting in log entries like this:

[ 2134.566659] New Connection: IN= OUT=wlan0 SRC=192.168.178.229 DST=192.168.178.21 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=65094 DF PROTO=UDP SPT=55717 DPT=53 LEN=40
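The asker's bonus point (loading the connection log into an SQL database so arbitrary SELECTs can answer "everything from this IP" or "who hit this port") can be built directly on the LOG output above. The following is an added example, not code from the question or the answer: it parses the KEY=value fields of LOG-target lines (both the syslog-prefixed and the dmesg-prefixed form shown) into SQLite and runs one such report. The sample lines are constructed; the masked DST is replaced by a documentation address, and the "New Connection: " prefix is the one set by the two rules above.

```python
import re
import sqlite3

# Constructed sample in iptables LOG format (syslog- and dmesg-prefixed); DST is a documentation address.
SAMPLE_LOG = """\
Aug 13 14:42:07 srv1 kernel: New Connection: IN=eth0 OUT= MAC=00:0c:29:8c:2b:6c:00:d0:02:eb:e8:0a:08:00 SRC=75.125.70.194 DST=198.51.100.10 LEN=40 TOS=00 PREC=0x00 TTL=54 ID=9566 PROTO=TCP SPT=57144 DPT=445 SEQ=2770468863 ACK=0 WINDOW=512 SYN URGP=0
Aug 13 14:45:29 srv1 kernel: New Connection: IN=eth0 OUT= MAC=00:0c:29:8c:2b:6c:00:d0:02:eb:e8:0a:08:00 SRC=75.125.70.194 DST=198.51.100.10 LEN=40 TOS=00 PREC=0x00 TTL=55 ID=13702 PROTO=TCP SPT=58528 DPT=445 SEQ=1217789951 ACK=0 WINDOW=512 SYN URGP=0
[ 2134.566659] New Connection: IN= OUT=wlan0 SRC=192.168.178.229 DST=192.168.178.21 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=65094 DF PROTO=UDP SPT=55717 DPT=53 LEN=40
Aug 13 14:46:00 srv1 kernel: eth0: link becomes ready
"""

KV_RE = re.compile(r"\b([A-Z]+)=(\S*)")          # KEY=value tokens written by the LOG target
TS_RE = re.compile(r"^(?:(\w{3} +\d{1,2} \d\d:\d\d:\d\d)|\[\s*([\d.]+)\])")  # syslog or dmesg stamp
TCP_FLAGS = {"SYN", "ACK", "FIN", "RST", "PSH", "URG"}  # flags appear as bare words, e.g. "SYN"

def parse_line(line):
    """Return a dict for one LOG-target line, or None if it carries no SRC/DST fields."""
    fields = dict(KV_RE.findall(line))       # a repeated key (UDP's second LEN) keeps the last value
    if "SRC" not in fields or "DST" not in fields:
        return None
    m = TS_RE.match(line)
    port = lambda k: int(fields[k]) if fields.get(k, "").isdigit() else None  # ICMP has no ports
    return {
        "ts": (m.group(1) or m.group(2)) if m else "",
        "direction": "in" if fields.get("IN") else "out",  # empty IN= means the packet left via OUT=
        "src": fields["SRC"], "dst": fields["DST"], "proto": fields.get("PROTO", ""),
        "spt": port("SPT"), "dpt": port("DPT"),
        "flags": " ".join(sorted(TCP_FLAGS & set(line.split()))),  # "ACK=0" is a field, not a flag
    }

def load(lines, conn):
    """Insert every parsable line into conn_log; returns the number of rows inserted."""
    conn.execute("CREATE TABLE IF NOT EXISTS conn_log (ts TEXT, direction TEXT, "
                 "src TEXT, dst TEXT, proto TEXT, spt INTEGER, dpt INTEGER, flags TEXT)")
    rows = [r for r in map(parse_line, lines) if r]
    conn.executemany("INSERT INTO conn_log VALUES "
                     "(:ts,:direction,:src,:dst,:proto,:spt,:dpt,:flags)", rows)
    conn.commit()
    return len(rows)

def inbound_syns_by_source(conn):
    """Inbound TCP connection attempts grouped by source IP and destination port, busiest first."""
    return conn.execute(
        "SELECT src, dpt, COUNT(*) FROM conn_log WHERE direction='in' AND proto='TCP' "
        "AND flags LIKE '%SYN%' GROUP BY src, dpt ORDER BY 3 DESC").fetchall()

def demo():
    conn = sqlite3.connect(":memory:")   # point this at a file to keep history across runs
    return load(SAMPLE_LOG.splitlines(), conn), inbound_syns_by_source(conn)
```

Feed it `journalctl -k` or `/var/log/kern.log` line by line and the same table answers both of the asker's reports with plain SQL.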
