This is a simple perl script which reads ulog-acctd's logfile and
outputs data readable by mrtg.

I'm using it to graph data coming in, out and through my routerbox.
You can easily adjust it to account the traffic from/to specific ports
or whatever you like.

The script can only deal with the standard accounting format: 
accounting format="%h\t%t\t%p\t%s\t%S\t%d\t%D\t%P\t%b\t\"%i\"\t\"%o\"\t\"%f\"\n"

My router box has two interfaces: eth0, which is connected to my
cablemodem and eth1, which is connected to my internal network. My
router also acts as a server running multiple services which are
accessed from both the internet and my internal network.

I want to graph the traffic from the internet to my server and back,
the traffic from my internal net to my server and back, and the
traffic which is forwarded through my router. I also graph the packets
dropped by the firewall.

In order to accomplish this, you'll first have to insert the
appropriate rules into your firewall. In the rules below $IPTABLES is
the iptables binary and $iface is the internal interface (eth1 in the
setup above). The FORWARD rule matches no interface, so the single
FORWARD prefix collects forwarded traffic in both directions:


   $IPTABLES -I INPUT -i eth0 -j ULOG --ulog-nlgroup 1 --ulog-cprange 48 \
   	--ulog-qthreshold 50 --ulog-prefix "EXT_IN"
   
   $IPTABLES -I OUTPUT -o eth0 -j ULOG --ulog-nlgroup 1 --ulog-cprange 48 \
   	--ulog-qthreshold 50 --ulog-prefix "EXT_OUT"

   $IPTABLES -I INPUT -i $iface -j ULOG --ulog-nlgroup 1 --ulog-cprange 48 \
   	--ulog-qthreshold 50 --ulog-prefix "INT_IN"
   
   $IPTABLES -I OUTPUT -o $iface -j ULOG --ulog-nlgroup 1 --ulog-cprange 48 \
   	--ulog-qthreshold 50 --ulog-prefix "INT_OUT"
   
   $IPTABLES -I FORWARD -j ULOG --ulog-nlgroup 1 --ulog-cprange 48 \
   	--ulog-qthreshold 50 --ulog-prefix "FORWARD"
   
   $IPTABLES -N ldrop
   $IPTABLES -I ldrop -j ULOG --ulog-nlgroup 1 --ulog-cprange 48 \
   	--ulog-qthreshold 50 --ulog-prefix "DROP"
   $IPTABLES -A ldrop -m limit --limit 6/m \
   	-j LOG --log-level info --log-prefix "PKT DROP "
   $IPTABLES -A ldrop -j DROP


This also creates a new chain called 'ldrop' for logging and dropping
packets. Simply replace all your DROP targets with ldrop and the packets
will be logged by both syslog and ulog-acctd. Two things to keep in
mind: the limit match only rate-limits the syslog LOG rule, so the
ULOG accounting of dropped packets stays complete; and because ULOG is
a non-terminating target inserted at the head of INPUT, OUTPUT and
FORWARD, a packet that is dropped further down those chains has
already been counted under EXT_IN, INT_IN etc. as well as under DROP.
The DROP graph is therefore not subtracted from the others.

The ulog-acctd logfiles will have to be rotated every 5 minutes in
order to satisfy mrtg, which expects to be fed data in that interval.
I'm using the shellscript do_mrtg.sh to rotate the logs and run mrtg.
The script is run by cron every 5 minutes:

   */5 * * * *     /usr/local/bin/do_mrtg.sh

Please note that old logs are overwritten and their data is lost.
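As an added example (not the Perl script distributed with this README),
here is a script that reads one rotated ulog-acctd logfile in the
accounting format quoted above, sums the bytes per --ulog-prefix and
prints the four lines MRTG expects from an external program. The
script name, the logfile path and the sample records are constructed;
the column positions follow the format string above, and the last
quoted column is assumed to be the ulog prefix (%f).

```perl
#!/usr/bin/perl
# ulog2mrtg.pl - added example, not the script distributed with this README.
#
# Reads one ulog-acctd logfile written with the standard accounting format
#   %h\t%t\t%p\t%s\t%S\t%d\t%D\t%P\t%b\t"%i"\t"%o"\t"%f"
# sums the byte counts per --ulog-prefix, and prints the four lines MRTG
# expects from an external program: in value, out value, uptime, name.
#
# Usage: ulog2mrtg.pl LOGFILE IN_PREFIX [OUT_PREFIX]
#        ulog2mrtg.pl            (no arguments: runs on built-in sample data)
#
# Assumptions: fields are tab separated, column 8 is %P (packets), column 9
# is %b (bytes) and the last, quoted column is %f (the ulog prefix).
use strict;
use warnings;

# Parse one accounting record. Returns (prefix, packets, bytes), or an empty
# list for a line that does not have the twelve expected columns.
sub parse_line {
    my ($line) = @_;
    chomp $line;
    my @f = split /\t/, $line, -1;          # -1 keeps trailing empty fields
    return () unless @f == 12;
    my ($packets, $bytes, $prefix) = @f[7, 8, 11];
    return () unless $packets =~ /^\d+$/ && $bytes =~ /^\d+$/;
    $prefix =~ s/^"(.*)"$/$1/;               # strip the quotes the format adds
    return ($prefix, $packets, $bytes);
}

# Sum packets and bytes per prefix over a filehandle. Malformed lines are
# skipped rather than aborting the run, so one bad record cannot blank a
# whole 5-minute sample.
sub sum_by_prefix {
    my ($fh) = @_;
    my %total;
    while (my $line = <$fh>) {
        my ($prefix, $packets, $bytes) = parse_line($line) or next;
        $total{$prefix}{packets} += $packets;
        $total{$prefix}{bytes}   += $bytes;
    }
    return \%total;
}

# Build MRTG's four-line reply. A missing prefix counts as zero bytes so a
# quiet interval still yields a valid sample instead of an empty graph.
sub mrtg_output {
    my ($total, $in_prefix, $out_prefix) = @_;
    my $in  = $total->{$in_prefix} ? $total->{$in_prefix}{bytes} : 0;
    my $out = defined $out_prefix && $total->{$out_prefix}
            ? $total->{$out_prefix}{bytes} : 0;
    my $name = defined $out_prefix ? "$in_prefix/$out_prefix" : $in_prefix;
    return "$in\n$out\n\n$name\n";            # uptime line left empty
}

# Constructed sample records (not real traffic) in the accounting format,
# used when no logfile is given on the command line.
my $sample = join '', map { join("\t", @$_) . "\n" } (
    [1063200000, 1063200290,  6, '203.0.113.5',  34567, '192.0.2.1',     80, 12,  9876, '"eth0"', '""',     '"EXT_IN"'],
    [1063200001, 1063200291,  6, '192.0.2.1',       80, '203.0.113.5', 34567, 10, 54321, '""',     '"eth0"', '"EXT_OUT"'],
    [1063200002, 1063200292, 17, '10.0.0.7',      5353, '10.0.0.1',       53,  3,   210, '"eth1"', '""',     '"INT_IN"'],
    [1063200003, 1063200293,  6, '10.0.0.7',     40000, '198.51.100.9',  443, 40,  3100, '"eth1"', '"eth0"', '"FORWARD"'],
    [1063200004, 1063200294,  6, '203.0.113.77',  6000, '192.0.2.1',      22,  2,   120, '"eth0"', '""',     '"DROP"'],
    [1063200005, 1063200295,  6, '203.0.113.77',  6000, '192.0.2.1',      22,  1,    60, '"eth0"', '""',     '"EXT_IN"'],
);

my ($logfile, $in_prefix, $out_prefix) = @ARGV;
my $fh;
if (defined $logfile) {
    die "usage: $0 LOGFILE IN_PREFIX [OUT_PREFIX]\n" unless defined $in_prefix;
    open $fh, '<', $logfile or die "cannot open $logfile: $!\n";
} else {
    ($in_prefix, $out_prefix) = ('EXT_IN', 'EXT_OUT');
    open $fh, '<', \$sample or die "cannot open sample data: $!\n";
}
my $total = sum_by_prefix($fh);
close $fh;
print mrtg_output($total, $in_prefix, $out_prefix);
```

In mrtg.cfg the script is called like any external program, for
instance Target[ext]: `/usr/local/bin/ulog2mrtg.pl /var/log/ulog-acctd/account.log.0 EXT_IN EXT_OUT`
(the paths are assumptions). Because each value is the byte total of
one rotated 5-minute interval rather than a running counter, the
target also needs Options[ext]: gauge; without it MRTG treats the
resetting value as a counter and graphs nonsense. For FORWARD or DROP
pass a single prefix and the out value is reported as zero.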

That should be all. Happy logging!

These scripts are written by Erik Hensema <erik@hensema.net> and
donated to the public domain.
