Hi all,

I personally feel the need for a few subcommands (parameters?) of 'shorewall hits', for instance restricting the scope of the search to a certain date (or a range of them), or filtering events.

The main purpose of the feature would be to unclutter the output of the command when the log files span a long period, or are dense with hits.

- date:

I was thinking of something like 'shorewall hits NUMBER', where 'number' is the number of days to consider, starting from the current date.

The very minimum would be something like 'shorewall hits today', simply showing the hits for the day.

- events:

by relevance (say loglevel, as defined in shorewall.conf)
by type: f.i. 'badpkt', or 'rfc1918', or what else.
by ????: other criteria

What do you think, would this be useful to anybody else?

Thanks,
Corrado
At 7/3/2003 09:45 +0200, C. Cau wrote:

> I personally feel the need for a few subcommands (parameters?) of 'shorewall
> hits', for instance restricting the scope of the search to a certain date (or
> range of), or filtering events.

"shorewall hits today" would be useful, I think. However, this is still something that is manually run, and you are always going to miss data (do you check this at 11:59pm?). For instance, I usually don't get Saturday data on hits because the logs rotate while I'm sleeping.

Of much, MUCH greater interest to me would be the automatic generation of a "shorewall hits" report at specific intervals, or immediately before the logs are rotated. The email address to which reports should be sent, and the frequency of these reports (daily, weekly, when-logs-rotate) could be variables set in shorewall.conf. This automatic report would save me from one more SSH login to the server, and keep me better informed.

Such a regular report should also be easier to implement than creating new commands or parameters to "shorewall hits", I think...

-- 
Rodolfo J. Paiz
rpaiz@simpaticus.com
On Thu, 03 Jul 2003 02:02:39 -0600, Rodolfo J. Paiz <rpaiz@simpaticus.com> wrote:

> At 7/3/2003 09:45 +0200, C. Cau wrote:
>
> Of much, MUCH greater interest to me would be the automatic generation of
> a "shorewall hits" report at specific intervals, or immediately before
> the logs are rotated. The email address to which reports should be sent,
> and the frequency of these reports (daily, weekly, when-logs-rotate)
> could be variables set in shorewall.conf. This automatic report would
> save me from one more SSH login to the server, and keep me better
> informed.
>
> Such a regular report should also be easier to implement than creating
> new commands or parameters to "shorewall hits", I think...
>

All of what you are asking can be done today with simple cron jobs.

-Tom
-- 
Tom Eastep        \ Shorewall - iptables made easy
Shoreline,         \ http://www.shorewall.net
Washington, USA    \ teastep@shorewall.net
On Thu, 3 Jul 2003 09:45:10 +0200, C. Cau <ccau@itsyn.it> wrote:

> Hi all,
>
> I personally feel the need for a few subcommands (parameters?) of
> 'shorewall hits', for instance restricting the scope of the search to a
> certain date (or range of), or filtering events.
>
> The main purpose of the feature would be to unclutter the output of the
> command when the log files span over a long period, or are dense of hits.
>
> - date:
>
> I was thinking to something like 'shorewall hits NUMBER', where 'number'
> is the number of days to consider, starting from the current date.
>
> The very minimum would be something like 'shorewall hits today', simply
> showing the hits for the day.
>
> - events:
>
> by relevance (say loglevel, as defined in shorewall.conf)
> by type: f.i. 'badpkt', or 'rfc1918', or what else.
> by ????: other criteria
>
>
> What do you think, would this be useful to anybody else?
>

Folks:

a) I have no interest in writing log parsers (the 'hits' command was written by Alex Polishchuk).

b) The date-based reporting being requested would be much better done in Perl than in Bourne Shell (which is what Shorewall 1.4 is written in).

I personally would much rather leave log reporting to those products that are targeted at that area (FAQ 6a) rather than adding more log reporting capabilities to Shorewall.

-Tom
-- 
Tom Eastep        \ Shorewall - iptables made easy
Shoreline,         \ http://www.shorewall.net
Washington, USA    \ teastep@shorewall.net
On Thu July 3 2003 17:11, Tom Eastep wrote:

> Folks:

That meaning I'm not alone?

> a) I have no interest in writing log parsers (the 'hits' command was
> written by Alex Polishchuk).

Neither do I: there's already plenty of these, some of which are very good. On the other hand, I didn't even think YOU should do it; you already have too much to do. It's a personal itch of mine, and I can scratch it (if there's general consensus that such a feature would be useful to anyone else).

> I personally would much rather leave log reporting to those products that
> are targeted at that area (FAQ 6a) rather than adding more log reporting
> capabilities to Shorewall.

Sorry, I think my point was not clear: the main idea was about _narrowing_ the scope (and output) of 'shorewall hits', since it already exists, w/o resorting to a 3rd party application for log parsing. This is what I meant when proposing the 'today' parameter; the rest (dates, events) is absolutely optional for me, but I thought that a more generic approach could extend the interested audience.

Corrado
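The thread asks for two things: a 'shorewall hits today' style day filter (Corrado's proposal) and a cron-driven report mailed out before the logs rotate (Rodolfo's request, which Tom says plain cron jobs already cover). The script below is an added example written for this page, not Shorewall's own code or its 'hits' implementation. It assumes the syslog lines Shorewall's logging rules produce carry a "Shorewall:<chain>:<disposition>:" prefix followed by the netfilter fields (SRC=, DST=, DPT= and so on); the log file it reads is a constructed sample embedded in the script, and the IP addresses in it are documentation ranges. Because syslog dates carry no year, the day filter takes either the word "today" or an explicit syslog date prefix such as "Jul  3".

```shell
#!/bin/sh
# Added example, not Shorewall's code: a day-scoped "hits" report that a
# cron job can pipe into mail(1), covering both the 'today' filter and the
# scheduled-report idea from the thread. Log format is an assumption:
# "Shorewall:<chain>:<disposition>:" then netfilter fields. The log below
# is constructed sample data, not a real capture.

SAMPLE_LOG=$(mktemp)
trap 'rm -f "$SAMPLE_LOG"' EXIT
cat > "$SAMPLE_LOG" <<'EOF'
Jul  2 23:58:01 fw kernel: Shorewall:net2all:DROP:IN=eth0 OUT= SRC=203.0.113.9 DST=198.51.100.2 PROTO=TCP SPT=41234 DPT=22
Jul  3 00:01:12 fw kernel: Shorewall:net2all:DROP:IN=eth0 OUT= SRC=203.0.113.9 DST=198.51.100.2 PROTO=TCP SPT=41235 DPT=22
Jul  3 08:15:44 fw kernel: Shorewall:rfc1918:DROP:IN=eth0 OUT= SRC=10.0.0.5 DST=198.51.100.2 PROTO=UDP SPT=137 DPT=137
Jul  3 09:30:00 fw kernel: Shorewall:net2all:DROP:IN=eth0 OUT= SRC=192.0.2.77 DST=198.51.100.2 PROTO=TCP SPT=5555 DPT=22
Jul  3 09:31:00 fw cron[123]: (root) CMD (run-parts /etc/cron.hourly)
Jul  3 14:02:19 fw kernel: Shorewall:net2all:DROP:IN=eth0 OUT= SRC=203.0.113.9 DST=198.51.100.2 PROTO=TCP SPT=41300 DPT=23
EOF

# day_prefix WORD: "today" becomes the syslog date prefix for the current
# day (e.g. "Jul  3", %e pads the day with a space); anything else is
# passed through so an explicit day can be named.
day_prefix() {
    if [ "$1" = today ]; then date '+%b %e'; else printf '%s\n' "$1"; fi
}

# hits_for_day LOG DAY: only the Shorewall lines logged on that day.
# Non-firewall syslog lines (cron, etc.) on the same day are skipped.
hits_for_day() {
    grep -E "^$(day_prefix "$2") .* Shorewall:" "$1" || true
}

# count_hits LOG DAY: number of hits that day ("0" when there are none).
count_hits() {
    hits_for_day "$1" "$2" | wc -l | tr -d ' '
}

# hits_by_chain LOG DAY: "count chain disposition", busiest first.
hits_by_chain() {
    hits_for_day "$1" "$2" \
      | sed -n 's/.*Shorewall:\([^:]*\):\([^:]*\):.*/\1 \2/p' \
      | sort | uniq -c | sort -rn | awk '{print $1, $2, $3}'
}

# top_sources LOG DAY: "count SRC", busiest source first.
top_sources() {
    hits_for_day "$1" "$2" \
      | sed -n 's/.*SRC=\([^ ]*\).*/\1/p' \
      | sort | uniq -c | sort -rn | awk '{print $1, $2}'
}

# report LOG DAY: the text a scheduled job would mail out. A crontab entry
# just before a midnight logrotate might read (paths are assumptions):
#   59 23 * * * /usr/local/bin/hits-report.sh /var/log/messages today | mail -s "firewall hits" root
report() {
    echo "Shorewall hits for $(day_prefix "$2"): $(count_hits "$1" "$2")"
    echo "By chain/disposition:"
    hits_by_chain "$1" "$2"
    echo "Top sources:"
    top_sources "$1" "$2"
}

# Stand-alone run against the constructed log; with a real log you would
# call: report /var/log/messages today
report "$SAMPLE_LOG" 'Jul  3'
```

The day filter is deliberately a literal syslog prefix rather than a computed range: 'shorewall hits NUMBER' (last N days) would need date arithmetic that differs between GNU and BSD date, which is the kind of work Tom suggests belongs in Perl or a dedicated log analyser rather than in the Bourne shell CLI.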