need some help configuring fwlogwatch

[Ovidiu]

the project is located here: http://fwlogwatch.inside-security.de/

and I installed the Debian version via apt-get. The firewall logs are written by apf-firewall.

After checking out every option in its config file this is a sample report I am getting but I really only want a summary but I can't seem to get it right. I.e. look at the first entries, they look identical. I'd love to get those summarized.

I can post my config file here if needed.

Code:

fwlogwatch summary

Generated Friday March 23 10:13:28 CET 2012 by root. 
1775 (and 137 older than 86400 seconds) of 39649 entries in 2 input files are packet logs, 1775 have unique characteristics. 
First packet log entry: Mar 22 10:18:14, last: Jan 01 01:00:00. 

All entries were logged by the same host: "h1870666". 
All entries have the same target: "-". 
Only the top 50 entries are shown.
#	chain	interface	proto	source	hostname	destination	hostname	port	service	opts
1	[81018.503995] ** SDROP **		tcp	85.214.229.212	h1870666.stratoserver.net	31.184.242.127	-	80	www	SYN
1	[81021.536094] ** SDROP **		tcp	85.214.229.212	h1870666.stratoserver.net	31.184.242.127	-	80	www	SYN
1	[81047.626337] ** SDROP **		tcp	85.214.229.212	h1870666.stratoserver.net	31.184.242.127	-	80	www	SYN
1	[81050.660093] ** SDROP **		tcp	85.214.229.212	h1870666.stratoserver.net	31.184.242.127	-	80	www	SYN
1	[81134.093213] ** SDROP **		tcp	85.214.229.212	h1870666.stratoserver.net	31.184.242.127	-	80	www	SYN
1	[81137.124093] ** SDROP **		tcp	85.214.229.212	h1870666.stratoserver.net	31.184.242.127	-	80	www	SYN
1	[81524.648020] ** IN_TCP DROP **	eth0	tcp	74.118.195.188	tibiaredbot.com.br	85.214.229.212	h1870666.stratoserver.net	8752	-	sa----
1	[81895.986463] ** IDENT **	eth0	tcp	196.41.124.211	cpanel.cybersmart.co.za	85.214.229.212	h1870666.stratoserver.net	113	auth	SYN
1	[82011.656911] ** SDROP **		tcp	85.214.229.212	h1870666.stratoserver.net	31.184.242.127	-	80	www	SYN
1	[82014.688094] ** SDROP **		tcp	85.214.229.212	h1870666.stratoserver.net	31.184.242.127	-	80	www	SYN
1	[82213.123923] ** SDROP **		tcp	85.214.229.212	h1870666.stratoserver.net	31.184.242.127	-	80	www	SYN
1	[82216.156096] ** SDROP **		tcp	85.214.229.212	h1870666.stratoserver.net	31.184.242.127	-	80	www	SYN

[Ovidiu]

one step ahead right now, managed a little bit of summarization but not quite there. have a look. Why wouldn't the first two and the second two lines be combined?

Quote:

fwlogwatch summary

Generated Friday March 23 11:27:55 CET 2012 by root.
2286 (and 196 older than 86400 seconds) of 42358 entries in 2 input files are packet logs, 2272 have unique characteristics.
First packet log entry: Mar 22 11:31:00, last: Mar 23 09:06:46.

All entries were logged by the same host: "h1870666".
All entries have the same target: "-".
Only the top 50 entries are shown.
# chain interface source hostname destination hostname
3 [122722.930349] ** IN_TCP DROP ** eth0 221.192.199.49 - 85.214.229.212 h1870666.stratoserver.net
3 [136088.195078] ** IN_TCP DROP ** eth0 221.192.199.49 - 85.214.229.212 h1870666.stratoserver.net
3 [152954.629189] ** IN_TCP DROP ** eth0 58.218.199.227 - 85.214.229.212 h1870666.stratoserver.net
2 [90808.046695] ** IN_TCP DROP ** eth0 58.218.199.227 - 85.214.229.212 h1870666.stratoserver.net
2 [93661.021160] ** IN_TCP DROP ** eth0 221.192.199.49 - 85.214.229.212 h1870666.stratoserver.net
2 [100365.631003] ** IN_TCP DROP ** eth0 221.192.199.49 - 85.214.229.212 h1870666.stratoserver.net
2 [101198.482939] ** IN_TCP DROP ** eth0 58.218.199.227 - 85.214.229.212 h1870666.stratoserver.net