RE: [suse-security] susefirewall2 logfile entry
hi
From: Wolfgang Schaefer [mailto:wolfgang@schaefers-hope.de]
how can I change the logfile entries to the old style? For 3 months I have had SuSE 8 and SuSEfirewall2 in use. All works fine, but the style of the logfile entries is not the same as with SuSEfirewall"1"!!
SuSEfirewall1 used ipchains and susefirewall2 uses iptables. I don't think that the log format can be changed.
but, why is there a parameter FW_LOG="..."?? the logfile is very confusing, how can I make it easier to understand?
has nobody ever read the firewall log! strange! or does nobody use SuSEfirewall2?
well, I don't think it's a matter of not using SuSEfirewall2 or not reading the logs, but of accepting the new iptables log format :-) there is the parameter FW_LOG, which uses iptables logging options like --log-level etc. If you want to adapt your log format, read 'man iptables' and search for LOG to get an overview of the available log options and pick those you need. regards, stefan
13.06.2002 10:53:21, Peter van den Heuvel
> how can I change the logfile entries to the old style? For 3 months I have had SuSE 8 and SuSEfirewall2 in use. All works fine, but the style of the logfile entries is not the same as with SuSEfirewall"1"!!
> SuSEfirewall1 used ipchains and susefirewall2 uses iptables. I don't think that the log format can be changed.
> well, I don't think it's a matter of not using SuSEfirewall2 or not reading the logs, but of accepting the new iptables log format :-)
1) Nice about the new format is that it is more formal and thus easier to process automatically. 2) Less nice (to my strained eye :>) is that the entries tend to align less than the IPCHAINS log, thus making it harder to quickly scan large amounts of log. I still did not find any tool I trust to find every thinkable anomaly (be it user inconvenience, attempts at hacking or rule weaknesses).
That said, I would combine 1) and 2) to write a small (probably awk, less than 10% of perl package size) program that parses the log, presents it more humanely in a temp file and lets me have a ball at it with vim. Not least because I tend to make the volume more manageable by deleting stuff I consider no-problem (like right now port 1433 = M$ SqlServer or port 80).
No, I did not write that script (yet). Am too busy going through those lousy IPTABLES logs ;^)
Peter
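A sketch of the awk filter Peter describes, added here as an example that is not from the thread or from SuSEfirewall2: it parses the KEY=value fields of iptables LOG lines into aligned columns and drops the destination ports the reader considers noise. The log lines, host name and "SuSE-FW-..." prefix are constructed for the example.

```sh
#!/bin/sh
# Constructed sample of iptables LOG target lines as syslog writes them to
# /var/log/messages (host, addresses and the "SuSE-FW-..." prefix are made up).
SAMPLE_LOG='Jun 13 10:53:21 fw kernel: SuSE-FW-DROP-DEFAULT IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.0.2.10 DST=192.0.2.1 LEN=48 TOS=0x00 PREC=0x00 TTL=114 ID=1234 DF PROTO=TCP SPT=3412 DPT=1433 WINDOW=16384 RES=0x00 SYN URGP=0
Jun 13 10:53:40 fw kernel: SuSE-FW-DROP-DEFAULT IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.0.2.11 DST=192.0.2.1 LEN=48 TOS=0x00 PREC=0x00 TTL=110 ID=2345 DF PROTO=TCP SPT=1025 DPT=80 WINDOW=65535 RES=0x00 SYN URGP=0
Jun 13 10:54:00 fw kernel: eth0: link up
Jun 13 10:54:05 fw kernel: SuSE-FW-DROP-DEFAULT IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=198.51.100.7 DST=192.0.2.1 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=3456 DF PROTO=TCP SPT=51234 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
Jun 13 10:54:09 fw kernel: SuSE-FW-DROP-DEFAULT IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.0.2.12 DST=192.0.2.255 LEN=78 TOS=0x00 PREC=0x00 TTL=128 ID=4567 PROTO=UDP SPT=137 DPT=137 LEN=58'

# Reads LOG lines on stdin and prints one aligned row per logged packet.
# $1 is an optional comma-separated list of destination ports to drop as noise.
iptables_log_summary() {
    awk -v skip="${1:-}" '
    BEGIN {
        n = split(skip, s, ",")
        for (i = 1; i <= n; i++) if (s[i] != "") noise[s[i]] = 1
        printf "%-22s %-5s %-4s %-15s %-15s %5s %5s %s\n",
               "TAG", "IFACE", "PROT", "SRC", "DST", "SPT", "DPT", "FLAGS"
    }
    /kernel:.* IN=/ {
        split("", f); flags = ""; tag = "-"
        for (i = 1; i <= NF; i++) {
            if ($i == "kernel:" && i < NF && $(i + 1) !~ /=/) tag = $(i + 1)  # log prefix
            else if ($i ~ /^[A-Z]+=/) {                                       # KEY=value
                eq = index($i, "=")
                f[substr($i, 1, eq - 1)] = substr($i, eq + 1)
            } else if ($i ~ /^(DF|SYN|ACK|FIN|RST|PSH|URG)$/)                 # bare flags
                flags = flags $i " "
        }
        if (f["DPT"] in noise) next
        printf "%-22s %-5s %-4s %-15s %-15s %5s %5s %s\n", tag, f["IN"], f["PROTO"],
               f["SRC"], f["DST"], (f["SPT"] == "" ? "-" : f["SPT"]),
               (f["DPT"] == "" ? "-" : f["DPT"]), flags
    }'
}

# Usage as Peter describes: filter the noise, then read the result in an editor.
#   iptables_log_summary "1433,80" < /var/log/messages > /tmp/fwlog.txt
printf '%s\n' "$SAMPLE_LOG" | iptables_log_summary "1433,80"
```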
hi to all I have annoyed, ...now I have found what I am looking for! http://loggrep.sourceforge.net/ http://hr.uoregon.edu/davidrl/iptables.html I haven't tested the tools yet, but I will do this tonight!
participants (3): Peer Stefan, Peter van den Heuvel, Wolfgang Schaefer