Shorewall users - Dec 2003 - Log parsers that work with shorewall ?

I would like to have a good log parser for my shorewall firewall. 
Specifically, I want detailed reports on iptables blocked packets, 
including date and time. I saw the list in (FAQ-6a) and got a copy of 
logwatch because Tom said it was the one he chose.

I find that the kernel service provides a limited summary of dropped 
packets, but not in a format I can use.  Being somewhat lazy, I was 
wondering if anyone else is using logwatch and has made such 
modifications they would be willing to share.

I scanned the shorewall documentation and user guides looking for a page 
like the one where Tom shares his personal shorewall configuration but 
found nothing relating to logwatch. I also scanned google and the 
logwatch mailing list archive with the same results.

--- 
Les Hazelton
--- Registered Linux user # 272996 ---

On Thu, 2003-12-18 at 02:39, Leslie Hazelton wrote:
> I would like to have a good log parser for my shorewall firewall. 
> Specifically, I want detailed reports on iptables blocked packets, 
> including date and time. I saw the list in (FAQ-6a) and got a copy of 
> logwatch because Tom said it was the one he chose.
> 
> I find that the kernel service provides a limited summary of dropped 
> packets, but not in a format I can use.  Being somewhat lazy, I was 
> wondering if anyone else is using logwatch and has made such 
> modifications they would be willing to share.
> 
> I scanned the shorewall documentation and user guides looking for a page 
> like the one where Tom shares his personal shorewall configuration but 
> found nothing relating to logwatch. I also scanned google and the 
> logwatch mailing list archive with the same results.
> 
> --- 
> Les Hazelton
> --- Registered Linux user # 272996 ---
> 
Hi there,

the last time I had to deal with this for a customer I decided to use
ulog and mysql. It is fast, easy enough to install and there are various
ways to get an idea where, when and why packets got dropped/rejected. I
think it is a really flexible solution.

Axel Westerhold
DTS Systeme GmbH

Axel Westerhold wrote:
>On Thu, 2003-12-18 at 02:39, Leslie Hazelton wrote:
>  
>
>>I would like to have a good log parser for my shorewall firewall. 
>>Specifically, I want detailed reports on iptables blocked packets, 
>>including date and time. I saw the list in (FAQ-6a) and got a copy of 
>>logwatch because Tom said it was the one he chose.
>>    
>>
-- snip --
Hi there,
>the last time I had to deal with this for a customer I decided to use
>ulog and mysql. It is fast, easy enough to install and there are various
>ways to get an idea where, when and why packets got dropped/rejected. I
>think it is a really flexible solution.
>
>Axel Westerhold
>DTS Systeme GmbH
>
>_______________________________________________
>Shorewall-users mailing list
>Post: Shorewall-users@lists.shorewall.net
>Subscribe/Unsubscribe:
https://lists.shorewall.net/mailman/listinfo/shorewall-users
>Support: http://www.shorewall.net/support.htm
>FAQ: http://www.shorewall.net/FAQ.htm
>
>  
>
There was another suggestion in addition to this one, for "fwanalog".

http://tud.at/programm/fwanalog/
http://freshmeat.net/projects/fwanalog/

I appreciate the suggestions, but both tools look like much more than I 
want/need.  My requirement was driven by responses from various 
"abuse@nnn.sites "  which refused to look into problems without an 
inline ASCII report which included source IP, port, date and time.  The 
tool I was using did not produce such a report.

For my small site, 6 systems with no external visible servers, I decided 
to hack a version of the logwatch "kernel" service to produce just the
following report which should satisfy this requirement.

----------------------------

   From: cable-66-206-233-167.kapuskasing.dyn.personainc.net (66.206.233.167)
(66.206.233.167) - 1 packet
     To: h-67-101-158-188.NYCMNY83.dynamic.covad.net (67.101.158.188)
(67.101.158.188) - 1 packet
         Service: 27347 (tcp/27347) (Dec 18 19:36:01 chainlink kernel:
Shorewall:net2all:DROP:,ppp0,none) - 1 packet

   From: 66.218.141.25 - 3 packets
     To: h-67-101-158-188.NYCMNY83.dynamic.covad.net (67.101.158.188)
(67.101.158.188) - 3 packets
         Service: 36330 (tcp/36330) (Dec 18 04:16:27 chainlink kernel:
Shorewall:newnotsyn:DROP:,ppp0,none) - 1 packet
         Service: 36331 (tcp/36331) (Dec 18 04:16:27 chainlink kernel:
Shorewall:newnotsyn:DROP:,ppp0,none) - 1 packet
         Service: 36332 (tcp/36332) (Dec 18 04:16:27 chainlink kernel:
Shorewall:newnotsyn:DROP:,ppp0,none) - 1 packet
-----------------

Thanks again for the suggestions.

-- 

Les Hazelton
--- Registered Linux user # 272996 ---