13.06.2002 10:53:21, Peter van den Heuvel
how can i change the logfile entry's to the old style? since 3 month i have suse8 and susefirewall2 in use. all works fine, but the style of the logfile entry's is not the same like susefirewall"1" !! SuSEfirewall1 used ipchains and susefirewall2 uses iptables. I don't think that the log format can be changed. well, i don't think it's a matter of not using suse-firewall2 or not reading the logs but accepting the new iptables log-format :-)
1) Nice about the new format is that is is more formal and thus easier to process automatically. 2) Less nice (to my strained eye :>) is that the entries tend to align less than the IPCHAINS log. Thus making it harder to quick scan large amounts of log. I still did not find any tool I trust to find every anomaly (be it user inconvenience, attempts at hacking or rule weaknesses) thinkable.
That said I would combine 1) and 2) to write a small (probably awk, less than 10% of perl package size) program that parses the log, present it more humainly in a temp file and let me have a ball at it with vim. Not less because I tend to make the volume more manageble by deleting stuff I consider no-problem (like right now port 1433 = M$ SqlServer or port 80).
No, I did not write that script (yet). Am too busy going though those louzy IPTABLES logs ;^)
Peter
hi to all i have nerved, ...now i have found what i am looking for! http://loggrep.sourceforge.net/ http://hr.uoregon.edu/davidrl/iptables.html i haven't tested the tools allready, but i will do this tonight!