Axel Westerhold wrote:
>On Thu, 2003-12-18 at 02:39, Leslie Hazelton wrote:
>
>
>>I would like to have a good log parser for my shorewall firewall.
>>Specifically, I want detailed reports on iptables blocked packets,
>>including date and time. I saw the list in (FAQ-6a) and got a copy of
>>logwatch because Tom said it was the one he chose.
>>
>>
-- snip --
>Hi there,
>the last time I had to deal with this for a customer I decided to use
>ulog and mysql. It is fast, easy enough to install and there are various
>ways to get an idea where, when and why packets got dropped/rejected. I
>think it is a really flexible solution.
>
>Axel Westerhold
>DTS Systeme GmbH
>
>_______________________________________________
>Shorewall-users mailing list
>Post: Shorewall-users@lists.shorewall.net
>Subscribe/Unsubscribe:
>https://lists.shorewall.net/mailman/listinfo/shorewall-users
>Support: http://www.shorewall.net/support.htm
>FAQ: http://www.shorewall.net/FAQ.htm
>
>
>
There was another suggestion in addition to this one, for "fwanalog".
http://tud.at/programm/fwanalog/
http://freshmeat.net/projects/fwanalog/
I appreciate the suggestions, but both tools look like much more than I
want/need. My requirement was driven by responses from various
"abuse@nnn.sites" which refused to look into problems without an
inline ASCII report which included source IP, port, date and time. The
tool I was using did not produce such a report.
For my small site, 6 systems with no external visible servers, I decided
to hack a version of the logwatch "kernel" service to produce just the
following report which should satisfy this requirement.
----------------------------
From: cable-66-206-233-167.kapuskasing.dyn.personainc.net (66.206.233.167)
(66.206.233.167) - 1 packet
To: h-67-101-158-188.NYCMNY83.dynamic.covad.net (67.101.158.188)
(67.101.158.188) - 1 packet
Service: 27347 (tcp/27347) (Dec 18 19:36:01 chainlink kernel:
Shorewall:net2all:DROP:,ppp0,none) - 1 packet
From: 66.218.141.25 - 3 packets
To: h-67-101-158-188.NYCMNY83.dynamic.covad.net (67.101.158.188)
(67.101.158.188) - 3 packets
Service: 36330 (tcp/36330) (Dec 18 04:16:27 chainlink kernel:
Shorewall:newnotsyn:DROP:,ppp0,none) - 1 packet
Service: 36331 (tcp/36331) (Dec 18 04:16:27 chainlink kernel:
Shorewall:newnotsyn:DROP:,ppp0,none) - 1 packet
Service: 36332 (tcp/36332) (Dec 18 04:16:27 chainlink kernel:
Shorewall:newnotsyn:DROP:,ppp0,none) - 1 packet
-----------------
Thanks again for the suggestions.
--
Les Hazelton
--- Registered Linux user # 272996 ---
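For anyone who would rather not patch logwatch, here is an added example (not Les's logwatch hack and not part of the Shorewall project) of the same idea in Python: read Shorewall's kernel log lines, which use the standard netfilter LOG format with the "Shorewall:chain:action:" prefix, and aggregate them into the source / destination / service / timestamp layout an abuse desk asks for. The log lines embedded below are constructed for the example; the report prints bare IP addresses rather than doing the reverse lookups shown in the report above, so it runs offline. Lines that are not Shorewall entries (for example the kernel's "martian source" messages) are counted and skipped rather than breaking the report. The optional "[12345.678]" printk timestamp is tolerated for newer kernels; that is an assumption about your syslog format, not something the post mentions.

```python
import re
from collections import defaultdict

# Constructed sample input (not from the original post): syslog lines in the
# netfilter LOG format carrying Shorewall's "chain:action:" prefix, plus one
# unrelated kernel message that a parser must not choke on.
SAMPLE_LOG = """\
Dec 18 19:36:01 chainlink kernel: Shorewall:net2all:DROP:IN=ppp0 OUT= SRC=66.206.233.167 DST=67.101.158.188 LEN=48 TOS=0x00 PREC=0x00 TTL=113 ID=56247 DF PROTO=TCP SPT=3456 DPT=27347 WINDOW=16384 RES=0x00 SYN URGP=0
Dec 18 04:16:27 chainlink kernel: Shorewall:newnotsyn:DROP:IN=ppp0 OUT= SRC=66.218.141.25 DST=67.101.158.188 LEN=40 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=80 DPT=36330 WINDOW=0 RES=0x00 ACK RST URGP=0
Dec 18 04:16:27 chainlink kernel: Shorewall:newnotsyn:DROP:IN=ppp0 OUT= SRC=66.218.141.25 DST=67.101.158.188 LEN=40 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=80 DPT=36331 WINDOW=0 RES=0x00 ACK RST URGP=0
Dec 18 04:16:27 chainlink kernel: Shorewall:newnotsyn:DROP:IN=ppp0 OUT= SRC=66.218.141.25 DST=67.101.158.188 LEN=40 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=80 DPT=36332 WINDOW=0 RES=0x00 ACK RST URGP=0
Dec 18 04:16:29 chainlink kernel: Shorewall:net2all:DROP:IN=ppp0 OUT= SRC=66.218.141.25 DST=67.101.158.188 LEN=84 TOS=0x00 PREC=0x00 TTL=52 ID=1 PROTO=ICMP TYPE=8 CODE=0 ID=1234 SEQ=1
Dec 18 04:16:30 chainlink kernel: martian source 10.0.0.1 from 192.168.1.1, on dev ppp0
"""

# syslog timestamp, host, "kernel:", an optional printk "[secs.usecs]" (assumed
# tolerance for newer kernels), then Shorewall's chain:action: prefix and the
# KEY=VALUE fields netfilter's LOG target writes.
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) kernel: "
    r"(?:\[\s*\d+\.\d+\] )?Shorewall:(?P<chain>[^:]+):(?P<action>[^:]+):(?P<rest>.*)$"
)


def parse_line(line):
    """Return a dict for one Shorewall log entry, or None for any other kernel line."""
    m = LINE_RE.match(line.rstrip("\n"))
    if not m:
        return None
    kv = {}
    for tok in m.group("rest").split():
        if "=" in tok:                 # bare flags like DF, SYN, ACK carry no value and are skipped
            k, v = tok.split("=", 1)   # "OUT=" yields an empty string for an outbound interface
            kv.setdefault(k, v)        # keep the first ID= (IP header), not the ICMP echo ID
    proto = kv.get("PROTO", "?").lower()
    if "DPT" in kv:
        service = kv["DPT"]            # TCP/UDP destination port
    elif proto == "icmp" and "TYPE" in kv:
        service = "type " + kv["TYPE"] # ICMP has no port; report the message type instead
    else:
        service = "-"
    return {
        "ts": m.group("ts"), "host": m.group("host"),
        "chain": m.group("chain"), "action": m.group("action"),
        "in": kv.get("IN", "") or "none", "out": kv.get("OUT", "") or "none",
        "src": kv.get("SRC", "?"), "dst": kv.get("DST", "?"),
        "proto": proto, "service": service,
    }


def build_report(lines):
    """Aggregate entries as src -> dst -> (proto, service) -> {count, first entry}.

    Returns the nested dict and the number of non-Shorewall lines skipped."""
    report = defaultdict(lambda: defaultdict(dict))
    skipped = 0
    for line in lines:
        entry = parse_line(line)
        if entry is None:
            skipped += 1
            continue
        slot = report[entry["src"]][entry["dst"]].setdefault(
            (entry["proto"], entry["service"]), {"count": 0, "first": entry})
        slot["count"] += 1             # the first occurrence supplies the timestamp shown
    return report, skipped


def _packets(n):
    return f"{n} packet" if n == 1 else f"{n} packets"


def format_report(report):
    """Render the aggregate as the inline ASCII text an abuse desk can read."""
    out = []
    for src, dsts in sorted(report.items()):
        out.append(f"From: {src} - {_packets(sum(s['count'] for d in dsts.values() for s in d.values()))}")
        for dst, services in sorted(dsts.items()):
            out.append(f"  To: {dst} - {_packets(sum(s['count'] for s in services.values()))}")
            for (proto, service), s in sorted(services.items()):
                f = s["first"]
                out.append(f"    Service: {service} ({proto}/{service}) "
                           f"({f['ts']} {f['host']} kernel: Shorewall:{f['chain']}:{f['action']}: "
                           f"in={f['in']} out={f['out']}) - {_packets(s['count'])}")
    return "\n".join(out)


if __name__ == "__main__":
    rep, skipped = build_report(SAMPLE_LOG.splitlines())
    print(format_report(rep))
    print(f"({skipped} non-Shorewall kernel line(s) ignored)")
```

To run it against a real system, replace `SAMPLE_LOG.splitlines()` with the lines of the file your syslog writes kernel messages to (commonly /var/log/messages or /var/log/kern.log, depending on the distribution), and keep the hostnames out unless the abuse desk specifically wants them, since reverse lookups are slow and the IP address is what they correlate on.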