[Shorewall-users] Log parsers that work with shorewall ?
seawolf at attglobal.net
Fri Dec 19 11:15:46 PST 2003
Axel Westerhold wrote:
>On Thu, 2003-12-18 at 02:39, Leslie Hazelton wrote:
>>I would like to have a good log parser for my shorewall firewall.
>>Specifically, I want detailed reports on iptables blocked packets,
>>including date and time. I saw the list in (FAQ-6a) and got a copy of
>>logwatch because Tom said it was the one he chose.
-- snip --
>the last time I had to deal with this for a customer I decided to use
>ulog and mysql. It is fast, easy enough to install and there are various
>ways to get an idea where, when and why packets got dropped/rejected. I
>think it is a really flexible solution.
>DTS Systeme GmbH
There was another suggestion in addition to this one, for "fwanalog".
I appreciate the suggestions, but both tools look like much more than I
want/need. My requirement was driven by responses from various
"abuse at nnn.sites" which refused to look into problems without an
inline ASCII report which included source IP, port, date and time. The
tool I was using did not produce such a report.
For my small site, 6 systems with no external visible servers, I decided
to hack a version of the logwatch "kernel" service to produce just the
following report which should satisfy this requirement.
From: cable-66-206-233-167.kapuskasing.dyn.personainc.net (22.214.171.124) (126.96.36.199) - 1 packet
   To: h-67-101-158-188.NYCMNY83.dynamic.covad.net (188.8.131.52) (184.108.40.206) - 1 packet
      Service: 27347 (tcp/27347) (Dec 18 19:36:01 chainlink kernel: Shorewall:net2all:DROP:,ppp0,none) - 1 packet
From: 220.127.116.11 - 3 packets
   To: h-67-101-158-188.NYCMNY83.dynamic.covad.net (18.104.22.168) (22.214.171.124) - 3 packets
      Service: 36330 (tcp/36330) (Dec 18 04:16:27 chainlink kernel: Shorewall:newnotsyn:DROP:,ppp0,none) - 1 packet
      Service: 36331 (tcp/36331) (Dec 18 04:16:27 chainlink kernel: Shorewall:newnotsyn:DROP:,ppp0,none) - 1 packet
      Service: 36332 (tcp/36332) (Dec 18 04:16:27 chainlink kernel: Shorewall:newnotsyn:DROP:,ppp0,none) - 1 packet
Thanks again for the suggestions.
--- Registered Linux user # 272996 ---
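An added example, not the poster's logwatch hack nor any Shorewall code, showing the same idea in Python: parse the netfilter LOG lines Shorewall writes to the kernel log, keep only DROP/REJECT entries, and render the From/To/Service report with the date, time, source IP and port that an abuse desk asks for. The log lines, the hostname "chainlink" and the addresses are constructed; the ICMP line shows how a packet without a port is reported.

```python
import re
from collections import defaultdict
# Constructed sample of the netfilter LOG lines Shorewall writes (RFC 5737 addresses); last line is unrelated noise.
SAMPLE_LOG = """\
Dec 18 19:36:01 chainlink kernel: Shorewall:net2all:DROP:IN=ppp0 OUT= SRC=192.0.2.10 DST=198.51.100.7 LEN=48 TTL=113 ID=1 DF PROTO=TCP SPT=3456 DPT=27347 WINDOW=16384 SYN URGP=0
Dec 18 04:16:27 chainlink kernel: Shorewall:newnotsyn:DROP:IN=ppp0 OUT= SRC=192.0.2.99 DST=198.51.100.7 LEN=40 TTL=50 ID=2 PROTO=TCP SPT=80 DPT=36330 WINDOW=0 ACK URGP=0
Dec 18 04:16:27 chainlink kernel: Shorewall:newnotsyn:DROP:IN=ppp0 OUT= SRC=192.0.2.99 DST=198.51.100.7 LEN=40 TTL=50 ID=3 PROTO=TCP SPT=80 DPT=36331 WINDOW=0 ACK URGP=0
Dec 18 04:16:28 chainlink kernel: Shorewall:net2all:DROP:IN=ppp0 OUT= SRC=192.0.2.10 DST=198.51.100.7 LEN=84 TTL=64 ID=5 PROTO=ICMP TYPE=8 CODE=0
Dec 18 04:16:29 chainlink kernel: martian source 10.0.0.1 from 192.0.2.5, on dev eth0
"""
LINE_RE = re.compile(r"^(?P<when>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) kernel: "
                     r"Shorewall:(?P<chain>[^:]+):(?P<action>[^:]+):(?P<rest>.*)$")

def parse_line(line):
    """Return the fields an abuse desk asks for, or None for lines Shorewall did not log."""
    m = LINE_RE.match(line)
    if not m:
        return None
    # the rest is KEY=VALUE pairs mixed with bare flags (DF, SYN, ACK); keep only the pairs
    kv = dict(tok.split("=", 1) for tok in m["rest"].split() if "=" in tok)
    proto = kv.get("PROTO", "?").lower()
    # TCP/UDP carry a destination port; ICMP carries TYPE/CODE instead
    service = f"{kv['DPT']} ({proto}/{kv['DPT']})" if "DPT" in kv else f"{proto} type {kv.get('TYPE', '?')}"
    stamp = f"{m['when']} {m['host']} kernel: Shorewall:{m['chain']}:{m['action']}:,{kv.get('IN') or 'none'},{kv.get('OUT') or 'none'}"
    return {"action": m["action"], "src": kv.get("SRC"), "dst": kv.get("DST"),
            "service": service, "stamp": stamp}

def build_report(text):
    """Nest dropped/rejected packets as src -> dst -> service -> [count, first log stamp]."""
    tree = defaultdict(lambda: defaultdict(dict))
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["action"] not in ("DROP", "REJECT"):
            continue  # ACCEPT logs and unrelated kernel messages are not part of the complaint
        entry = tree[rec["src"]][rec["dst"]].setdefault(rec["service"], [0, rec["stamp"]])
        entry[0] += 1
    return tree

def packets(n):
    return f"{n} packet" + ("" if n == 1 else "s")
def render(tree):
    """Produce the indented From/To/Service text in the style of the logwatch kernel report."""
    lines = []
    for src, dsts in tree.items():
        lines.append(f"From: {src} - {packets(sum(c for s in dsts.values() for c, _ in s.values()))}")
        for dst, svcs in dsts.items():
            lines.append(f"   To: {dst} - {packets(sum(c for c, _ in svcs.values()))}")
            for svc, (count, stamp) in svcs.items():
                lines.append(f"      Service: {svc} ({stamp}) - {packets(count)}")
    return "\n".join(lines)
```

`print(render(build_report(SAMPLE_LOG)))` gives the report; pointing `build_report` at the text of /var/log/messages (or wherever syslog sends kernel output) produces the same report for a real day's log.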