
Re: IPtables log summary?



On Thu, Apr 25, 2002 at 10:38:43AM -0500, Kenneth Pronovici wrote:
> I use logcheck right now to analyze my logs on an hourly basis.  As it
> turns out, the iptables entries (about denied connections, etc.) are
> most of what's in the logcheck emails.  This is a little tiring because
> a lot of the time, I don't do anything based on these entries.  I know
> I sometimes miss other entries in the middle of a pile of iptables
> entries, too.
> 
> What I'd like to do is filter these iptables entries out of the logcheck
> emails (which is easy), but I don't want to lose the information
> entirely.  What I want is a daily summary of iptables problems, i.e.
> number of denied connections, list of the hosts that were disallowed,
> list of the closed ports that were hit, etc., etc.  If I see something
> disturbing, I'll go back and look at the logs for specifics.
> 
> Can anyone suggest an existing package that does this?  Anyone out there
> written a home-grown script that sounds like this?  

I've not used it, but in looking for another package (!) I found fwlogwatch:

Description: Firewall log analyzer
 fwlogwatch produces ipchains, netfilter/iptables, ipfilter, Cisco IOS and
 Cisco PIX log summary reports in text and HTML form and has a lot of
 options to find and display relevant patterns in connection attempts. With
 the data found it can also generate customizable incident reports from a
 template and send them to abuse contacts at offending sites or CERT
 coordination centers. Finally, it can also run as a daemon and report
 anomalies or start countermeasures.

might be worth looking at?

Gareth
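
As an added example (not fwlogwatch, and not code from either poster), here is a small home-grown script of the kind asked for above: it reads a day's syslog, keeps only the netfilter LOG-target entries, and prints the denied-packet count, the source hosts and the destination ports hit. It assumes the rules were logged with a `DROP:` log prefix; the log lines below are constructed samples, and the hypothetical host and addresses are not from the original post.

```python
"""Daily summary of iptables LOG entries: total count, source hosts, ports hit."""
import re
import sys
from collections import Counter

# Constructed sample syslog excerpt; the KEY=VALUE fields are the ones the
# netfilter LOG target writes. Line 4 is non-firewall noise and must be skipped.
SAMPLE_LOG = """\
Apr 25 03:12:01 gw kernel: DROP: IN=eth0 OUT= SRC=198.51.100.7 DST=203.0.113.2 LEN=40 TTL=52 ID=0 PROTO=TCP SPT=3422 DPT=22 SYN
Apr 25 03:12:05 gw kernel: DROP: IN=eth0 OUT= SRC=198.51.100.7 DST=203.0.113.2 LEN=40 TTL=52 ID=0 PROTO=TCP SPT=3423 DPT=23 SYN
Apr 25 04:40:19 gw kernel: DROP: IN=eth0 OUT= SRC=192.0.2.44 DST=203.0.113.2 LEN=78 TTL=118 ID=9 PROTO=UDP SPT=1034 DPT=137
Apr 25 05:01:33 gw sshd[812]: Accepted publickey for alice from 203.0.113.9 port 51042
Apr 25 06:17:42 gw kernel: DROP: IN=eth0 OUT= SRC=192.0.2.44 DST=203.0.113.2 LEN=40 TTL=118 ID=10 PROTO=TCP SPT=1055 DPT=22 SYN
"""

FIELD_RE = re.compile(r"\b([A-Z]+)=(\S*)")  # matches SRC=..., DPT=..., also OUT= (empty)

def is_firewall_line(line):
    """Only kernel lines carrying the LOG target's SRC=/DST= fields count."""
    return " kernel: " in line and " SRC=" in line and " DST=" in line

def parse_line(line):
    """Return the KEY=VALUE fields of one LOG-target line as a dict."""
    return dict(FIELD_RE.findall(line))

def summarize(text):
    """Aggregate denied packets by source host and by (proto, dest port)."""
    hosts, ports, total = Counter(), Counter(), 0
    for line in text.splitlines():
        if not is_firewall_line(line):
            continue  # entries from other daemons stay out of the summary
        f = parse_line(line)
        total += 1
        hosts[f.get("SRC", "?")] += 1
        ports[(f.get("PROTO", "?"), f.get("DPT", "-"))] += 1
    return {"total": total, "hosts": hosts, "ports": ports}

def report(summary):
    """Render the summary as the plain-text block a daily mail would carry."""
    out = ["Denied packets: %d" % summary["total"], "", "Source hosts:"]
    for host, n in summary["hosts"].most_common():
        out.append("  %-18s %5d" % (host, n))
    out += ["", "Destination ports hit:"]
    for (proto, port), n in summary["ports"].most_common():
        out.append("  %s/%-6s %5d" % (proto, port, n))
    return "\n".join(out)

if __name__ == "__main__":
    # Pipe yesterday's syslog in; with no input the constructed sample is used.
    data = SAMPLE_LOG if sys.stdin.isatty() else sys.stdin.read()
    print(report(summarize(data)))
```

Run it from a daily cron job with the firewall lines filtered out of logcheck, and the per-host counts make a port sweep stand out even when each individual entry would have been ignored.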

