
Easy viewing of the D-Link DFL-860E firewall syslog with a PHP script

The event log viewer in the web interface of D-Link DFL firewalls has several drawbacks:
- a large stream of events overflows the displayed log, so usually only a short period can be viewed (a few days, more often just one);
- to view the log you have to log in to the router's web panel (login and password), open the status section and select the log. Without access to the web panel (i.e. without being the device administrator) the log cannot be viewed at all, and sometimes you need to let someone view the logs without giving them the device password;
- the log is split into small pages, and when it is large, paging through them is tiresome.

A DFL can send its log to a syslog server that writes it to a file, but reading that file afterwards is inconvenient because of its size and the lack of a usable search.

If you have a web server that can run PHP scripts, you can view the log with a small script:

```php
<?php
$starttime = microtime(true);
$start = 0;
// defaults for the request parameters
$ndstatus = "all";
$ndsearchred = "";
$ndqueueid = "";
################## #SETTINGS
// path to the syslog file written by the syslog server
$default_log = "/mnt/WD1600BEVT/SYSLOG/syslog-dfl.log";
// maximum number of categories shown on one page
$default_limit = 200;
#END SETTINGS ##################
if(isset($_GET["limit"])) $end = (int)$_GET["limit"]; else $end = $default_limit;
if(isset($_GET["logfilename"])) $logfilename = $_GET["logfilename"]; else $logfilename = $default_log;
if(isset($_GET["queue"])) $ndqueueid = $_GET["queue"];
if(isset($_GET["ndsearchred"])) $ndsearchred = $_GET["ndsearchred"];
if(isset($_GET["status"])) $ndstatus = $_GET["status"];
// stop reading the file as soon as enough categories were collected,
// unless a text search is active (then the whole period has to be scanned)
$readlimit = false;
if($ndstatus!=="errors" && $ndsearchred=="") $readlimit = true;
$first = true;
// default period: today, from midnight until now
$monthfrom = date("m"); $monthto = date("m");
$dayfrom = date("d"); $dayto = date("d");
$ndtimefrom = mktime(0,0,0);
$ndtimeto = time();
// month of the period
if(isset($_GET["monthfrom"])) $monthfrom = $_GET["monthfrom"];
if(isset($_GET["monthto"])) $monthto = $_GET["monthto"];
// day of the period
if(isset($_GET["dayfrom"])) $dayfrom = $_GET["dayfrom"];
if(isset($_GET["dayto"])) $dayto = $_GET["dayto"];
// period boundaries as unix time: an hour was given -> that hour, otherwise the whole "to" day
if(isset($_GET["timefrom"]) && strlen($_GET["timefrom"])>0) {
    $ndtimefrom = mktime((int)$_GET["timefrom"],0,0,(int)$monthfrom,(int)$dayfrom);
}
if(isset($_GET["timeto"]) && strlen($_GET["timeto"])>0) {
    $ndtimeto = mktime((int)$_GET["timeto"],0,0,(int)$monthto,(int)$dayto);
} elseif(isset($_GET["monthto"]) && strlen($_GET["monthto"])>0) {
    $ndtimeto = mktime(23,59,59,(int)$monthto,(int)$dayto);
}
?>
<html>
<head>
<script>function open_win1(){var myWin=window.open("help.txt","Window","scrollbars=yes, resizable=yes,width=1360, height=655")}</script>
<script>function open_win2(){var myWin=window.open("NetDefendOS_2.27.03_Log_Reference_Guide.pdf","Window","scrollbars=yes, resizable=yes,width=1360, height=655")}</script>
<meta http-equiv="content-type" content="text/html; charset=utf-8" />
<title>syslog D-Link DFL-860e</title>
<style>
body, td { font-family:Tahoma,Verdana,Sans serif; font-size:13px; }
.queue { border:1px #ccc solid; margin:5px; padding:5px; }
small { color:#999; }
a.email:link, a.email:visited { cursor:pointer; border-bottom:1px #000 dotted; text-decoration:none; color:#000; }
</style>
</head>
<body>
<form name="filterform">
<table border="0" cellpadding="5" cellspacing="5">
<tr>
<td colspan="2"><a name="begin"></a><h3>syslog D-Link DFL-860e</h3></td>
</tr>
<tr>
<td width="200px">Path to the syslog file:<br/><small>full path to the log file</small></td>
<td><input type="text" name="logfilename" value="<?= htmlspecialchars($logfilename) ?>" size="12" /></td>
</tr>
<tr>
<td width="200px">Category (QUEUEID):<br/><small>empty = all categories.<br/>CONN PPTP ALG ...</small></td>
<td>
<input type="text" name="queue" value="<?= htmlspecialchars($ndqueueid) ?>" size="12" />
<input type="button" title="6 (CONN) State engine, /" value="CONN" OnClick="document.filterform.queue.value='CONN'" />
<input type="button" title="27 (PPTP) PPTP-" value="PPTP" OnClick="document.filterform.queue.value='PPTP'" />
<input type="button" title="2 (ALG) Application Layer Gateways" value="ALG" OnClick="document.filterform.queue.value='ALG'" />
<input type="button" title="32 (SYSTEM) : , .." value="SYSTEM" OnClick="document.filterform.queue.value='SYSTEM'" />
<input type="button" title="42 (IGMP) IGMP" value="IGMP" OnClick="document.filterform.queue.value='IGMP'" />
<input type="button" title="33 (TCP_FLAG) , TCP" value="TCP_FLAG" OnClick="document.filterform.queue.value='TCP_FLAG'" />
<input type="button" title="9 (DHCPSERVER) DHCP-" value="DHCPSERVER" OnClick="document.filterform.queue.value='DHCPSERVER'" />
<input type="button" title="3 (ARP) ARP" value="ARP" OnClick="document.filterform.queue.value='ARP'" />
<input type="button" title="49 (SESMGR)" value="SESMGR" OnClick="document.filterform.queue.value='SESMGR'" />
<input type="button" title="34 (TCP_OPT) , TCP" value="TCP_OPT" OnClick="document.filterform.queue.value='TCP_OPT'" />
<input type="button" title="60 (RULE) ," value="RULE" OnClick="document.filterform.queue.value='RULE'" />
<input type="button" title="70 (IP_PROTO) IP-" value="IP_PROTO" OnClick="document.filterform.queue.value='IP_PROTO'" />
<input type="button" title="18 (IPSEC) IPsec (VPN)" value="IPSEC" OnClick="document.filterform.queue.value='IPSEC'" />
<input type="button" title="37 (USERAUTH) (, RADIUS)" value="USERAUTH" OnClick="document.filterform.queue.value='USERAUTH'" />
<input type="button" title="35 (TIMESYNC)" value="TIMESYNC" OnClick="document.filterform.queue.value='TIMESYNC'" />
<input type="button" title="25 (PPP) PPP-" value="PPP" OnClick="document.filterform.queue.value='PPP'" />
<input type="button" title="31 (SNMP) SNMP" value="SNMP" OnClick="document.filterform.queue.value='SNMP'" />
<input type="button" title="41 (RFO) Route fail over" value="RFO" OnClick="document.filterform.queue.value='RFO'" />
</td>
</tr>
<tr>
<td>Day / month (from - to):<br/><small>day month</small></td>
<td>
<input type="text" name="dayfrom" value="<?= htmlspecialchars($dayfrom) ?>" size="3" />
<input type="text" name="monthfrom" value="<?= htmlspecialchars($monthfrom) ?>" size="3" /> -
<input type="text" name="dayto" value="<?= htmlspecialchars($dayto) ?>" size="3" />
<input type="text" name="monthto" value="<?= htmlspecialchars($monthto) ?>" size="3" />
</td>
</tr>
<tr>
<td>Hour (from - to):<br/><small>00-24</small></td>
<td>
<input type="text" name="timefrom" value="<?php if(!isset($_GET["timefrom"])){echo "00";}else{echo htmlspecialchars($_GET["timefrom"]);} ?>" size="3" /> -
<input type="text" name="timeto" value="<?php if(isset($_GET["timeto"])) echo htmlspecialchars($_GET["timeto"]); ?>" size="3" />
</td>
</tr>
<tr>
<td>Text to search for:<br/><small>highlighted in the output</small></td>
<td><input type="text" name="ndsearchred" value="<?= htmlspecialchars($ndsearchred) ?>" size="12" /></td>
</tr>
<tr>
<td>Maximum number of categories:</td>
<td><input type="text" name="limit" value="<?php echo (int)$end; ?>" size="4" /></td>
</tr>
<tr>
<td colspan="2">
<input type="submit" value="Show" />
<input type="button" value="Reset" OnClick="window.location.href='index.php'" />
<input type="button" value="Help" onclick="open_win1()">
<input type="button" value="NetDefendOS_2.27.03_Log_Reference_Guide.pdf" onclick="open_win2()">
</td>
</tr>
</table>
</form>
<?php
if($ndtimefrom>$ndtimeto){die("Error: Invalid time period");}
$filearray = @file($logfilename);
if(!$filearray){die("Error: Can't open file. Check permissions.");}
// walk the file from the newest line to the oldest
krsort($filearray); reset($filearray);
$array = array();
// the category name comes from the request and is used inside a regex, so quote it
$queuepattern = preg_quote($ndqueueid);
// group the lines by category (QUEUEID)
foreach($filearray as $string) {
    // every line has the form "... : QUEUEID: message"
    $regexp = "'.+: ([0-9_A-Z]*): (.+)$'";
    // only lines whose QUEUEID starts with the requested category
    if(strlen($ndqueueid)>0){$regexp = "'^(.+): (".$queuepattern."[0-9_A-Z]*): (.+)$'";}
    if(preg_match($regexp,$string)) {
        // "Mon DD HH:MM:SS" at the start of the line
        $time = trim(preg_replace("'^(\w*)\s*(\d*) (\d\d:\d\d:\d\d).+$'","$1 $2 $3",$string));
        $unixtime = strtotime($time);
        // older than the period start: the file is read backwards, so nothing more to do
        if($unixtime<$ndtimefrom)break;
        // newer than the period end: skip
        if($unixtime>$ndtimeto)continue;
        $queueid = trim(preg_replace("'^(.+): ([0-9_A-Z]*): (.+)$'","$2",$string));
        $mess = htmlspecialchars(preg_replace("'(.+)($queueid):(.+)'","$3",$string));
        if(!isset($array["$queueid"]["message"])) $array["$queueid"]["message"] = "";
        $array["$queueid"]["time"] = $unixtime;
        $array["$queueid"]["message"] = $time.$mess."<br/>".$array["$queueid"]["message"];
        // remember the newest and the oldest timestamp shown
        if($first==true){$endperiod = $unixtime; $first=false;}
        $startperiod = $unixtime;
        // stop once enough categories were collected
        if($readlimit){if(count($array)>=$end){break;}}
    }
}
// nothing matched the period / category
if(count($array)==0){die("No records found in the log for this period and category.");}
// categories with the newest records first
uasort($array, function($a, $b) { return $b["time"] - $a["time"]; });
reset($array);
// summary
echo "<b>Categories found: ".count($array)."</b><br/>";
echo "<b>Display limit: ".$end."</b><br/>";
printf("<b>Log file size: %.2f Kb</b><br/>",filesize($logfilename)/1024);
echo "<b>Period: ".date("dM H:i",$startperiod)." - ".date("dM H:i",$endperiod)."</b><br/>";
// print the categories
foreach($array as $k => $sarray) {
    $process = "Category:";
    // text search: skip categories without the text, highlight it in the others
    // (messages are already HTML-escaped, so the escaped form of the text is searched)
    if(strlen($ndsearchred)>0) {
        $needle = htmlspecialchars($ndsearchred);
        if(stripos($array[$k]["message"],$needle)===false){continue;}
        else $array[$k]["message"] = str_ireplace($needle,"<font color=\"#DB8040\">$needle</font>",$array[$k]["message"]);
    }
    // colour the most useful fields
    $array[$k]["message"] = preg_replace("'srcip='","<font color=\"green\">srcip=</font>",$array[$k]["message"]);
    $array[$k]["message"] = preg_replace("'destip'","<font color=\"green\">destip</font>",$array[$k]["message"]);
    $array[$k]["message"] = preg_replace("'srcport='","<font color=\"green\">srcport=</font>",$array[$k]["message"]);
    $array[$k]["message"] = preg_replace("'destport='","<font color=\"green\">destport=</font>",$array[$k]["message"]);
    $array[$k]["message"] = preg_replace("'action=reject'","<font color=\"#DBBE00\">action=reject</font>",$array[$k]["message"]);
    $array[$k]["message"] = preg_replace("'user='","<font color=\"blue\">user=</font>",$array[$k]["message"]);
    $array[$k]["message"] = preg_replace("'remotegw='","<font color=\"blue\">remotegw=</font>",$array[$k]["message"]);
    $array[$k]["message"] = preg_replace("'uptime='","<font color=\"green\">uptime=</font>",$array[$k]["message"]);
    $start++;
    echo "<div class=\"queue\"><b>$process ".$k." </b><br/>\n";
    // newest timestamp of the category, then its messages
    echo $array[$k]["time"]."<br/>".$array[$k]["message"]."<br/>\n";
    echo "</div>";
    if($start>=$end){break;}
}
printf("<script>document.title='Time %.2f s'</script>",microtime(true)-$starttime);
?>
</body>
</html>
```


This script was based on kirsenn.ru/postfix-log-parser-php and reworked for the syslog file produced by the D-Link DFL-860E. In the script's settings you specify the path to the syslog file and the limit on the maximum number of categories shown on screen. When running the script you can specify the path (not necessary if it is set in the settings) and choose which category to show (by default all categories are shown); you can also select the date and time range within the log and a text to search for (it will be highlighted in red in the output).
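Note that the script takes the log file path from a URL parameter and echoes search text back into the page, so anyone who can open it can read any file the web server user can open. As an added example (not part of the original article or its script), here is a hardened core for the same job: the path is confined to one directory, line parsing and grouping are separate functions, and output is HTML-escaped before highlighting. LOG_DIR, resolveLogPath, parseDflLine and groupByQueue are my names, and the sample lines are constructed to match the "Mon DD HH:MM:SS host EFW: QUEUEID: text" layout the script's regexes expect.

```php
<?php
// Added example, not part of the original article. Assumed names: LOG_DIR,
// resolveLogPath(), parseDflLine(), groupByQueue(). Sample lines below are constructed.
const LOG_DIR = '/mnt/WD1600BEVT/SYSLOG';

// Map ?logfilename= onto a file inside LOG_DIR only: drop any directory part and
// require the resolved path to stay under LOG_DIR (null = refuse).
function resolveLogPath(string $requested): ?string {
    $base = realpath(LOG_DIR);
    $real = realpath(LOG_DIR . '/' . basename($requested));
    if ($base === false || $real === false || strpos($real, $base . '/') !== 0) {
        return null;
    }
    return $real;
}

// Split one syslog line into timestamp, unix time, QUEUEID and message.
function parseDflLine(string $line): ?array {
    $re = '/^(\w{3}) +(\d{1,2}) (\d\d:\d\d:\d\d) .+?: ([0-9_A-Z]+): (.+)$/';
    if (!preg_match($re, rtrim($line), $m)) {
        return null;
    }
    $time = "$m[1] $m[2] $m[3]";
    return ['time' => $time, 'unixtime' => strtotime($time),
            'queue' => $m[4], 'message' => $m[5]];
}

// Group lines by QUEUEID (prefix match, like the CONN/PPTP/... buttons) and optionally
// keep only lines containing $needle. Text is escaped before the highlight markup is
// added, so neither log content nor the search text can inject HTML into the page.
function groupByQueue(array $lines, string $queue = '', string $needle = ''): array {
    $groups = [];
    $hl = htmlspecialchars($needle, ENT_QUOTES, 'UTF-8');
    foreach ($lines as $line) {
        $p = parseDflLine($line);
        if ($p === null || ($queue !== '' && strpos($p['queue'], $queue) !== 0)) continue;
        // stripos() returns 0 for a hit at offset 0, so compare with false, not with "!"
        if ($needle !== '' && stripos($p['message'], $needle) === false) continue;
        $html = htmlspecialchars($p['time'] . ' ' . $p['message'], ENT_QUOTES, 'UTF-8');
        if ($needle !== '') $html = str_ireplace($hl, "<mark>$hl</mark>", $html);
        $groups[$p['queue']][] = $html;
    }
    return $groups;
}

$sample = [  // constructed lines, not real firewall output
    "Mar 14 10:21:07 dfl EFW: CONN: prio=1 id=00600001 rev=1 event=conn_open action=open srcip=192.168.1.10 destip=203.0.113.5",
    "Mar 14 10:21:09 dfl EFW: RULE: prio=2 id=06000051 rev=1 event=ruleset_drop_packet action=drop srcip=198.51.100.7",
    "this line does not have the expected layout",
];
print_r(array_map('count', groupByQueue($sample, '', 'srcip')));  // CONN => 1, RULE => 1
```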

In the directory where the script itself is located, you can put a help.txt file (it gives a hint on the categories):

```text
1 () ,
2 (ALG) Application Layer Gateways
3 (ARP) ARP
4 (BIGPOND) BigPond
5 (BUFFERS) ,
6 (CONN) State engine,, /
7 (DHCP) DHCP-
8 (DHCPRELAY) DHCP relayer
9 (DHCPSERVER) DHCP-
10 () /
11 ()
12 (HA) High Availability
13 (IDP) /
14 (IDP) IDP
15 (IP_) , - / IP-
16 (IP_) , IP-
17 (IP_OPT) , IP-
18 (IPSEC) IPsec (VPN)
19 (IP_) IP-
20 (FRAG)
21 (FWD) ,
22 (GRE) GRE
23 (NETCON) Netcon ( -)
24 (OSPF) OSPF
25 (PPP) PPP-
26 (PPPOE) PPPoE-
27 (PPTP) PPTP-
28 (L2TP) L2TP-
29 (SLB) SLB
30 (SMTPLOG) SMTPLOG
31 (SNMP) SNMP
32 (SYSTEM) : , ..
33 (TCP_FLAG) , TCP
34 (TCP_OPT) , TCP
35 (TIMESYNC)
36 () : , ..
37 (USERAUTH) (, RADIUS)
38 (ZONEDEFENSE) ZoneDefense
39 (IFACEMON)
40 (HWM)
41 (RFO) Route fail over
42 (IGMP) IGMP
44 (TRANSPARENCY) , Transparent Mode
46 (BLACKLIST)
47 (SSHD) SSH-
48 (REASSEMBLY) ,
49 (SESMGR)
50 (AVUPDATE)
51 (AVSE)
52 (VFS) VFS
53 (THRESHOLD)
56 (NATPOOL) , NAT
58 (ANTIVIRUS) ,
59 (ANTISPAM) ,
60 (RULE) ,
70 (IP_PROTO) IP-
```


Also, I put the NetDefendOS_2.27.03_Log_Reference_Guide.pdf file (a full, detailed description of all categories) there; it can be downloaded from the D-Link FTP at ftp.dlink.ru/pub/FireWall, so that you can quickly look up a hint if something in the log is unclear.

This script runs on the lighttpd web server on FreeBSD 9.2.0.1 (nas4free). To get the log from the DFL into a file, you need to configure the syslog server to receive messages from the DFL and write them to a file. For FreeBSD, how to do this is described here: niknav.ru/?p=266
Unfortunately, I did not find the newsyslog daemon in nas4free, so I clear the bloated log manually (although my log file is only about 4 MB for a couple of weeks, since I turned off the output of some unnecessary events in the DFL log).
Tested on a DFL-860E with Russian firmware 2.27.06.10. I think the script will also work on other DFL series devices; you just need to add (change) the search categories here:

```html
<input type="text" name="queue" value="<?= htmlspecialchars($ndqueueid) ?>" size="12" />
<input type="button" title="6 (CONN) State engine, /" value="CONN" OnClick="document.filterform.queue.value='CONN'" />
```


The log output looks approximately like the following (on a 1920x1080 monitor there are almost no line wraps and viewing is more comfortable; at lower resolutions you need to reduce the font size so that lines do not wrap and are easier to read):

[screenshot of the script's log output]

I hope this script will help DFL owners view and analyze the logs from their device. Good luck!

Source: https://habr.com/ru/post/219795/
