You are able to install it directly on the firewall and have it look into your "live" logs (/var/log/messages, /var/log/warn, etc.), then scp the HTML output across to your Apache box for easy viewing. Alternatively, you could install it on your Apache box and export your logs from the FW to the Apache box with logrotate. Once imported, you would run fwlogwatch on those logs to create the HTML.

Either way is good, depending on whether you are looking for an end-of-day total of events or an "as-live" update to the HTML. I personally use both methods in different organisations. One updates every 15 minutes, with snort_stat.pl doing an "as-events-happen" update from a swatch script. I also have several unconnected FW boxes doing a midnight fwlogwatch process and then sending via scp with private/public keys to a centralised Apache server.

Hope it all goes well and cuts down on your "tail -f" when complete.

Richard.

On Saturday 07 December 2002 18:07, Olafur Gardarsson wrote:
Thanks Richard and others that responded to my question. I downloaded the program and will be installing it as soon as I can. I have pureftp and apache on a box in my DMZ, should I install the program there or on the FW box?
Kind regards,
Oli
-----Original Message-----
From: Richard King [mailto:rking@generationtechnology.co.uk]
Sent: 6 December 2002 19:42
To: suse-security@suse.com
Subject: Re: [suse-security] Analyzing FW logs
It's still especially good with iptables, as I posted yesterday, as opposed to ipchains. The iptables rules can pick up far more flags than ipchains sets, and can record more chains than just the ipchains targets of deny or reject. On the whole, I believe you should really run it in conjunction with snort and snort_stat.pl to put your snort results into HTML; then you can really see what's been trying to get in and out of your network through a browser. At least one of the Top Level Domains uses this technique.
All the best.
On Friday 06 December 2002 17:43, Ed Coates wrote:
Quoting Olafur Gardarsson <oli@itn.is>:
To those who have some experience in working with/analyzing firewall logs: are there any software packages out there you can recommend?
Regards,
Oli
--
Check the headers for your unsubscription address
For additional commands, e-mail: suse-security-help@suse.com
Security-related bug reports go to security@suse.de, not here
fwlogwatch is an excellent tool for analyzing firewall logs from either ipchains or iptables. It will also spit out HTML format files to view on a web page.
Ed
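As an added example for the thread above (not fwlogwatch's own code, and not posted by anyone in the thread), here is a small Python summariser that does in miniature what fwlogwatch does: it parses iptables and ipchains kernel log lines out of /var/log/messages, counts them per chain, source, destination, protocol and destination port, and writes an HTML table that can be copied to the Apache box the way Richard describes. The sample log lines, addresses, interface and host names are constructed for the example. It also shows one check worth having in any such script: the match is anchored on the syslog "kernel:" tag, so a line that a local user writes with logger(1) and that merely contains firewall-looking text is not counted as a firewall event.

```python
#!/usr/bin/env python3
"""Summarise iptables (netfilter) and ipchains kernel log lines from
/var/log/messages into an HTML report, in the spirit of fwlogwatch.

Added illustration for the suse-security thread; not fwlogwatch's code.
SAMPLE_LOG below is constructed for the example."""
import re
from collections import Counter
from html import escape

# Anchor on the syslog header and the "kernel:" tag so that a line an
# unprivileged user injects with logger(1) (tag "logger:", body copied
# from a real firewall line) is not counted as a firewall event.
SYSLOG_HDR = r"^[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d \S+ kernel: "

# netfilter LOG target: optional --log-prefix, then IN= OUT= ... SRC= DST= ... PROTO=
IPTABLES_RE = re.compile(
    SYSLOG_HDR + r"(?P<prefix>.*?)IN=(?P<iface>\S*) OUT=\S* .*?"
    r"SRC=(?P<src>\S+) DST=(?P<dst>\S+) .*?PROTO=(?P<proto>\S+)(?P<rest>.*)$"
)
# ipchains -l: "Packet log: <chain> <target> <iface> PROTO=<n> src:spt dst:dpt ..."
IPCHAINS_RE = re.compile(
    SYSLOG_HDR + r"Packet log: (?P<chain>\S+) (?P<target>\S+) (?P<iface>\S+) "
    r"PROTO=(?P<proto>\d+) (?P<src>[\d.]+):(?P<spt>\d+) (?P<dst>[\d.]+):(?P<dpt>\d+)"
    r"(?P<rest>.*)$"
)
PORT_RE = re.compile(r"SPT=\d+ DPT=(?P<dpt>\d+)")
FLAG_RE = re.compile(r"\b(SYN|ACK|FIN|RST|PSH|URG)\b")  # "URGP=0" does not match URG
PROTO_NAMES = {"1": "ICMP", "6": "TCP", "17": "UDP"}    # ipchains logs protocol numbers


def parse_line(line):
    """Return one event dict for a firewall log line, or None for anything else."""
    m = IPTABLES_RE.match(line)
    if m:
        ports = PORT_RE.search(m.group("rest"))
        return {
            "chain": m.group("prefix").strip(" :") or "(no prefix)",
            "iface": m.group("iface") or "-",
            "src": m.group("src"),
            "dst": m.group("dst"),
            "proto": m.group("proto"),
            "dpt": ports.group("dpt") if ports else "-",
            "flags": " ".join(FLAG_RE.findall(m.group("rest"))) or "-",
        }
    m = IPCHAINS_RE.match(line)
    if m:
        return {
            "chain": m.group("chain") + " " + m.group("target"),
            "iface": m.group("iface"),
            "src": m.group("src"),
            "dst": m.group("dst"),
            "proto": PROTO_NAMES.get(m.group("proto"), m.group("proto")),
            "dpt": m.group("dpt"),
            "flags": " ".join(FLAG_RE.findall(m.group("rest"))) or "-",
        }
    return None


def summarise(lines):
    """Parse the lines and count events per (chain, src, dst, proto, dpt)."""
    events = [e for e in map(parse_line, lines) if e]
    counts = Counter((e["chain"], e["src"], e["dst"], e["proto"], e["dpt"]) for e in events)
    return events, counts


def render_html(counts, title="Firewall log summary"):
    """Render the counts as an HTML table. Every field is escaped: log prefixes
    and (if you add reverse lookups) host names are attacker-influenced text."""
    head = ("<tr><th>count</th><th>chain</th><th>source</th>"
            "<th>destination</th><th>proto</th><th>dport</th></tr>")
    rows = "".join(
        "<tr>" + "".join(f"<td>{escape(str(c))}</td>" for c in (n, *key)) + "</tr>"
        for key, n in counts.most_common()
    )
    return (f"<html><head><title>{escape(title)}</title></head><body>"
            f"<h1>{escape(title)}</h1><table>{head}{rows}</table></body></html>")


MAC = "00:11:22:33:44:55:66:77:88:99:aa:bb:08:00"
SAMPLE_LOG = [  # constructed sample lines (hosts "fw"/"oldfw", documentation addresses)
    f"Dec  7 18:07:01 fw kernel: FW-DROP: IN=eth0 OUT= MAC={MAC} SRC=198.51.100.23 DST=203.0.113.5 LEN=60 TOS=0x00 PREC=0x00 TTL=48 ID=0 DF PROTO=TCP SPT=40123 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0",
    f"Dec  7 18:07:02 fw kernel: FW-DROP: IN=eth0 OUT= MAC={MAC} SRC=198.51.100.23 DST=203.0.113.5 LEN=60 TOS=0x00 PREC=0x00 TTL=48 ID=0 DF PROTO=TCP SPT=40124 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0",
    f"Dec  7 18:07:03 fw kernel: FW-DROP: IN=eth0 OUT= MAC={MAC} SRC=198.51.100.23 DST=203.0.113.5 LEN=60 TOS=0x00 PREC=0x00 TTL=48 ID=0 DF PROTO=TCP SPT=40125 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0",
    f"Dec  7 18:07:04 fw kernel: FW-DROP: IN=eth0 OUT= MAC={MAC} SRC=192.0.2.77 DST=203.0.113.5 LEN=78 TOS=0x00 PREC=0x00 TTL=128 ID=12 PROTO=UDP SPT=1026 DPT=137 LEN=58",
    f"Dec  7 18:07:05 fw kernel: FW-REJECT: IN=eth0 OUT= MAC={MAC} SRC=192.0.2.77 DST=203.0.113.5 LEN=84 TOS=0x00 PREC=0x00 TTL=128 ID=13 PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=1",
    "Dec  7 18:07:06 fw sshd[1234]: Accepted publickey for richard from 10.0.0.5 port 50000 ssh2",
    "Dec  7 18:07:07 oldfw kernel: Packet log: input DENY eth0 PROTO=6 198.51.100.23:40126 203.0.113.9:23 L=60 S=0x00 I=0 F=0x4000 T=48 SYN (#4)",
]


def main():
    events, counts = summarise(SAMPLE_LOG)
    with open("fwsummary.html", "w") as out:   # this file is what you scp to the web box
        out.write(render_html(counts))
    print(f"{len(events)} firewall events, {len(counts)} distinct flows")


if __name__ == "__main__":
    main()
```

Run it from cron on the firewall against the rotated log (or, as the thread suggests, on the Apache box after logrotate has shipped the log over) and copy fwsummary.html with scp and a key pair. The web box then serves a static file only; nothing on it has to execute or interpret log data, and because every cell passes through html.escape, a hostile --log-prefix or reverse-DNS name cannot inject markup into the page you view in the browser.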