iftop: how to log network connections for troubleshooting
In the previous article I gave a short review of the iftop command. This article shows how to use it to write its output in a log format suitable for processing by monitoring tools, so that you can create alerts or reports based on it.
Let's create a file named iftoplog.sh
touch iftoplog.sh
Write the following pipeline to the file and save it:
iftop -n -P -t -s1 -L1000 2> /dev/null | grep -i '=>\|<=' | tr -s " " | paste -d ' ' - - | cut -d " " -f5,10 | tr -d "[]" | awk -v hostname="$(hostname -f)" '{print hostname,$2,$1}' | sort -n | ts '%Y-%m-%dT%H:%M:%S' | tr -s " "
Give the file execute rights:
sudo chmod +x ./iftoplog.sh
Move it into /bin so it is found on the PATH:
sudo mv ./iftoplog.sh /bin
Install the ts command. The script needs it, and it was not installed on my Ubuntu system; to install it:
sudo apt-get -y install moreutils
Testing the script
Running the script manually should produce output like this; make sure you run it as root or with sudo:
# iftoplog.sh
2020-01-12T15:35:07 nostromo 2a02:587:e3e:d700:cc8a:4e6f:447d::55554 114Kb 2001:648:2000:de::211:http 3,25Mb
2020-01-12T15:35:07 nostromo 2a02:587:e3e:d700:cc8a:4e6f:447d::56818 288b 2a00:1450:4001:816::200e:https 288b
- 1st column is the timestamp
- 2nd column is our server name
- 3rd column is the local ip address/port
- 4th column is the upload speed from our server
- 5th column is the remote ip address/port
- 6th column is the download speed from the remote ip address/port
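As an added example (not part of the original article), here is a small Python script that processes these log lines the way a monitoring job would: it converts iftop's rate strings to bits per second, splits address from port on the last colon so IPv6 endpoints survive, totals the download rate per remote address and flags any connection above a threshold. The sample log is constructed from the two lines above plus one made-up IPv4 line, and treating the K/M/G suffixes as 1024-based multiples is an assumption.

```python
import re
from collections import defaultdict

# Constructed sample of iftoplog.sh output: the two lines shown above plus one made-up IPv4 line.
SAMPLE_LOG = """\
2020-01-12T15:35:07 nostromo 2a02:587:e3e:d700:cc8a:4e6f:447d::55554 114Kb 2001:648:2000:de::211:http 3,25Mb
2020-01-12T15:35:07 nostromo 2a02:587:e3e:d700:cc8a:4e6f:447d::56818 288b 2a00:1450:4001:816::200e:https 288b
2020-01-12T15:36:07 nostromo 192.168.1.10:22 1,20Mb 203.0.113.7:51234 512b
"""

# iftop prints bit rates with b/Kb/Mb/Gb suffixes; this example assumes 1024-based multiples.
UNIT = {"b": 1, "Kb": 1024, "Mb": 1024 ** 2, "Gb": 1024 ** 3}
RATE_RE = re.compile(r"^(\d+(?:[.,]\d+)?)([KMG]?b)$")

def parse_rate(text):
    """'3,25Mb' -> 3407872.0 bits/s; a locale comma is accepted as the decimal separator."""
    m = RATE_RE.match(text)
    if not m:
        raise ValueError(f"unrecognised rate: {text!r}")
    number, unit = m.groups()
    return float(number.replace(",", ".")) * UNIT[unit]

def split_endpoint(text):
    """Split 'addr:port' on the last colon so IPv6 addresses stay intact."""
    addr, _, port = text.rpartition(":")
    return addr, port

def parse_line(line):
    # One log line -> dict with the six columns described above, rates in bits/s.
    ts, host, local, up, remote, down = line.split()
    laddr, lport = split_endpoint(local)
    raddr, rport = split_endpoint(remote)
    return {"ts": ts, "host": host, "local": laddr, "lport": lport, "up_bps": parse_rate(up),
            "remote": raddr, "rport": rport, "down_bps": parse_rate(down)}

def summarize(log_text, alert_bps):
    """Return (download bits/s totalled per remote address, records exceeding alert_bps)."""
    per_remote, alerts = defaultdict(float), []
    for line in filter(str.strip, log_text.splitlines()):  # skip blank lines
        rec = parse_line(line)
        per_remote[rec["remote"]] += rec["down_bps"]
        if max(rec["up_bps"], rec["down_bps"]) > alert_bps:
            alerts.append(rec)
    return dict(per_remote), alerts

if __name__ == "__main__":
    totals, alerts = summarize(SAMPLE_LOG, alert_bps=1024 ** 2)  # flag anything above 1 Mb/s
    for addr, bps in sorted(totals.items(), key=lambda kv: -kv[1]):
        print(f"{addr:32} {bps / 1024:10.1f} Kb/s down")
    for rec in alerts:
        print("ALERT", rec["ts"], rec["local"], "<->", f"{rec['remote']}:{rec['rport']}")
```

Point it at /var/log/connections_iftop.log from the cron job below to get a per-remote report and a list of connections worth a closer look.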
Now we can create a cron job that runs every <n> minutes and appends the output to a file for further processing. The line below uses the /etc/crontab or /etc/cron.d format, which includes a user field:
* * * * * root /bin/iftoplog.sh >> /var/log/connections_iftop.log
Some things to note here:
- There is no logrotate mechanism here, so if you don't create one you might face a disk space issue in the long term
- this cron job runs every minute; adjust it to your needs