[Shorewall-users] Log parsers that work with shorewall ?

Leslie Hazelton seawolf at attglobal.net
Fri Dec 19 11:15:46 PST 2003

Axel Westerhold wrote:

>On Thu, 2003-12-18 at 02:39, Leslie Hazelton wrote:
>>I would like to have a good log parser for my shorewall firewall. 
>>Specifically, I want detailed reports on iptables blocked packets, 
>>including date and time. I saw the list in (FAQ-6a) and got a copy of 
>>logwatch because Tom said it was the one he chose.
-- snip --
Hi there,

>the last time I had to deal with this for a customer I decided to use
>ulog and mysql. It is fast, easy enough to install and there are various
>ways to get an idea where, when and why packets got dropped/rejected. I
>think it is a really flexible solution.
>Axel Westerhold
>DTS Systeme GmbH
>Shorewall-users mailing list
>Post: Shorewall-users at lists.shorewall.net
>Subscribe/Unsubscribe: https://lists.shorewall.net/mailman/listinfo/shorewall-users
>Support: http://www.shorewall.net/support.htm
>FAQ: http://www.shorewall.net/FAQ.htm

There was another suggestion in addition to this one, for "fwanalog".


I appreciate the suggestions, but both tools look like much more than I 
want/need.  My requirement was driven by responses from various 
"abuse at nnn.sites "  which refused to look into problems without an 
inline ASCII report which included source IP, port, date and time.  The 
tool I was using did not produce such a report.

For my small site, 6 systems with no external visible servers, I decided 
to hack a version of the logwatch "kernel" service to produce just the 
following report which should satisfy this requirement.


   From: cable-66-206-233-167.kapuskasing.dyn.personainc.net ( ( - 1 packet
     To: h-67-101-158-188.NYCMNY83.dynamic.covad.net ( ( - 1 packet
         Service: 27347 (tcp/27347) (Dec 18 19:36:01 chainlink kernel: Shorewall:net2all:DROP:,ppp0,none) - 1 packet

   From: - 3 packets
     To: h-67-101-158-188.NYCMNY83.dynamic.covad.net ( ( - 3 packets
         Service: 36330 (tcp/36330) (Dec 18 04:16:27 chainlink kernel: Shorewall:newnotsyn:DROP:,ppp0,none) - 1 packet
         Service: 36331 (tcp/36331) (Dec 18 04:16:27 chainlink kernel: Shorewall:newnotsyn:DROP:,ppp0,none) - 1 packet
         Service: 36332 (tcp/36332) (Dec 18 04:16:27 chainlink kernel: Shorewall:newnotsyn:DROP:,ppp0,none) - 1 packet

Thanks again for the suggestions.


Les Hazelton
--- Registered Linux user # 272996 ---

More information about the Shorewall-users mailing list