HowtoForge Forums | HowtoForge - Linux Howtos and Tutorials

need some help configuring fwlogwatch (http://www.howtoforge.com/forums/showthread.php?t=56660)

Ovidiu 23rd March 2012 11:19

need some help configuring fwlogwatch
 
The project is located here: http://fwlogwatch.inside-security.de/

I installed the Debian version via apt-get. The firewall logs are written by apf-firewall.

After checking out every option in its config file, this is a sample report I am getting, but I really only want a summary and I can't seem to get it right. I.e. look at the first entries: they look identical. I'd love to get those summarized.

I can post my config file here if needed.

Code:

fwlogwatch summary

Generated Friday March 23 10:13:28 CET 2012 by root.
1775 (and 137 older than 86400 seconds) of 39649 entries in 2 input files are packet logs, 1775 have unique characteristics.
First packet log entry: Mar 22 10:18:14, last: Jan 01 01:00:00.

All entries were logged by the same host: "h1870666".
All entries have the same target: "-".
Only the top 50 entries are shown.
#        chain        interface        proto        source        hostname        destination        hostname        port        service        opts
1        [81018.503995] ** SDROP **                tcp        85.214.229.212        h1870666.stratoserver.net        31.184.242.127        -        80        www        SYN
1        [81021.536094] ** SDROP **                tcp        85.214.229.212        h1870666.stratoserver.net        31.184.242.127        -        80        www        SYN
1        [81047.626337] ** SDROP **                tcp        85.214.229.212        h1870666.stratoserver.net        31.184.242.127        -        80        www        SYN
1        [81050.660093] ** SDROP **                tcp        85.214.229.212        h1870666.stratoserver.net        31.184.242.127        -        80        www        SYN
1        [81134.093213] ** SDROP **                tcp        85.214.229.212        h1870666.stratoserver.net        31.184.242.127        -        80        www        SYN
1        [81137.124093] ** SDROP **                tcp        85.214.229.212        h1870666.stratoserver.net        31.184.242.127        -        80        www        SYN
1        [81524.648020] ** IN_TCP DROP **        eth0        tcp        74.118.195.188        tibiaredbot.com.br        85.214.229.212        h1870666.stratoserver.net        8752        -        sa----
1        [81895.986463] ** IDENT **        eth0        tcp        196.41.124.211        cpanel.cybersmart.co.za        85.214.229.212        h1870666.stratoserver.net        113        auth        SYN
1        [82011.656911] ** SDROP **                tcp        85.214.229.212        h1870666.stratoserver.net        31.184.242.127        -        80        www        SYN
1        [82014.688094] ** SDROP **                tcp        85.214.229.212        h1870666.stratoserver.net        31.184.242.127        -        80        www        SYN
1        [82213.123923] ** SDROP **                tcp        85.214.229.212        h1870666.stratoserver.net        31.184.242.127        -        80        www        SYN
1        [82216.156096] ** SDROP **                tcp        85.214.229.212        h1870666.stratoserver.net        31.184.242.127        -        80        www        SYN


Ovidiu 23rd March 2012 11:30

One step ahead right now: managed a little bit of summarization but not quite there. Have a look. Why wouldn't the first two and the second two lines be combined?


Quote:

fwlogwatch summary

Generated Friday March 23 11:27:55 CET 2012 by root.
2286 (and 196 older than 86400 seconds) of 42358 entries in 2 input files are packet logs, 2272 have unique characteristics.
First packet log entry: Mar 22 11:31:00, last: Mar 23 09:06:46.

All entries were logged by the same host: "h1870666".
All entries have the same target: "-".
Only the top 50 entries are shown.
# chain interface source hostname destination hostname
3 [122722.930349] ** IN_TCP DROP ** eth0 221.192.199.49 - 85.214.229.212 h1870666.stratoserver.net
3 [136088.195078] ** IN_TCP DROP ** eth0 221.192.199.49 - 85.214.229.212 h1870666.stratoserver.net
3 [152954.629189] ** IN_TCP DROP ** eth0 58.218.199.227 - 85.214.229.212 h1870666.stratoserver.net
2 [90808.046695] ** IN_TCP DROP ** eth0 58.218.199.227 - 85.214.229.212 h1870666.stratoserver.net
2 [93661.021160] ** IN_TCP DROP ** eth0 221.192.199.49 - 85.214.229.212 h1870666.stratoserver.net
2 [100365.631003] ** IN_TCP DROP ** eth0 221.192.199.49 - 85.214.229.212 h1870666.stratoserver.net
2 [101198.482939] ** IN_TCP DROP ** eth0 58.218.199.227 - 85.214.229.212 h1870666.stratoserver.net
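In both reports the only visible difference between the rows one would expect to be merged is the kernel's printk timestamp (e.g. "[81018.503995]"), which fwlogwatch shows inside the chain column and which changes on every line. The following Python script is an added example, not part of this thread or of fwlogwatch itself: it re-aggregates rows copied from the first report after discarding that bracketed prefix, assuming the report's columns are tab-separated in the order of its header line.

```python
import re
from collections import Counter

# Constructed sample: rows taken from the first fwlogwatch report above,
# tab-separated in header order (count, chain, interface, proto, source,
# hostname, destination, hostname, port, service, opts). The SDROP rows
# have an empty interface field.
SAMPLE_ROWS = """\
1\t[81018.503995] ** SDROP **\t\ttcp\t85.214.229.212\th1870666.stratoserver.net\t31.184.242.127\t-\t80\twww\tSYN
1\t[81021.536094] ** SDROP **\t\ttcp\t85.214.229.212\th1870666.stratoserver.net\t31.184.242.127\t-\t80\twww\tSYN
1\t[81524.648020] ** IN_TCP DROP **\teth0\ttcp\t74.118.195.188\ttibiaredbot.com.br\t85.214.229.212\th1870666.stratoserver.net\t8752\t-\tsa----
1\t[82011.656911] ** SDROP **\t\ttcp\t85.214.229.212\th1870666.stratoserver.net\t31.184.242.127\t-\t80\twww\tSYN
"""

# Kernel printk timestamp such as "[81018.503995] " at the start of the
# log prefix; it differs for every logged packet.
PRINTK_TS = re.compile(r"^\[\s*\d+\.\d+\]\s*")


def strip_printk_timestamp(chain):
    """Return the chain/log-prefix text without the leading kernel timestamp."""
    return PRINTK_TS.sub("", chain)


def aggregate(rows_text):
    """Sum row counts over every column except the varying timestamp."""
    totals = Counter()
    for line in rows_text.splitlines():
        if not line.strip():
            continue
        fields = line.split("\t")
        count, chain, rest = int(fields[0]), fields[1], fields[2:]
        key = (strip_printk_timestamp(chain), *rest)
        totals[key] += count
    return totals


def summarize(rows_text):
    """Aggregated rows as (count, chain, interface, proto, ...), highest count first."""
    rows = ((n, *key) for key, n in aggregate(rows_text).items())
    return sorted(rows, key=lambda r: -r[0])


if __name__ == "__main__":
    for row in summarize(SAMPLE_ROWS):
        print("\t".join(str(f) for f in row))
```

Applying the same stripping to the raw log lines before fwlogwatch reads them would let its own aggregation collapse these rows.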

