[Dshield] Shorewall log parser?

Wayne Larmon wlarmon at dshield.org
Thu Nov 14 17:22:12 GMT 2002


> Errata: I just saw what I wrote below - I have a natural gift for
> writing wrong paths - it's obviously not /etc/messages but
> /var/log/messages.
>
> BTW (and this is more or less off-topic), I get such log entries both in
> messages and in syslog. Should I expect them to be different? Is one
> recommended for parsing over the other? Or should I somehow merge them
> prior to parsing?

I'm not sure what Shorewall is doing.  In the versions of Linux that I'm
familiar with, everything goes to /var/log/messages.  There is no "syslog"
file.  It is up to you to add extra criteria to /etc/syslog.conf to direct
certain log lines to go to other log files.  Did Shorewall do something like
this?  To direct the iptables log lines to a different log file, in addition
to going to /var/log/messages?

If they did do this, and the log lines are going to both /var/log/messages
and to a syslog file, then you only want to process from one of them, so
that you aren't sending us duplicate log lines.

> Anyway, dshieldpy seems to be working, so I'll use that if you're going
> to tell me that line looks right (didn't want to start sending logs
> before making sure they're properly formatted). The last "2" on the
> second line in my previous line shouldn't be there - I accidentally
> copied the first character on the next line.

This looks correct:

2002-11-13 11:26:20 +02:00	59254230	12	200.31.37.65	2686	217.156.116.130	21	TCP	S

Send them in.

Wayne Larmon
DShield.org


>
> Wayne Larmon wrote:
>
> >>Yes, that's the first thing I tried - didn't work. The problem is I
> >>don't know what pure iptables logs look like. Here's what a Shorewall
> >>entry looks like in my /etc/messages (told you I'm a newbie - please let
> >>me know if I'm looking in the wrong place):
> >>
> >>Nov 10 02:34:39 bogdan kernel: Shorewall:net2all:DROP:IN=eth0 OUT=
> >>MAC=52:54:05:e5:67:42:00:02:44:4f:2b:9b:08:00 SRC=213.224.93.36
> >>DST=217.156.116.130 LEN=48 TOS=0x00 PREC=0x80 TTL=112 ID=34579 DF
> >>PROTO=TCP SPT=1334 DPT=3042 WINDOW=8192 RES=0x00 SYN URGP=0
> >>
> >>
> >
> >This is correct.  This is an iptables log line.  I just tried our Framework
> >iptables script on this line, and it converted it OK.
> >
> >http://www.dshield.org/framework.html
> >
> >If you are having configuration problems with this client, contact me off
> >list.
> >
> >Wayne Larmon
> >wlarmon at dshield.org
> >DShield.org
> >
> >
> >
> >>Wayne Larmon wrote:
> >>
> >>
> >>
> >>>>Hello everybody!
> >>>>
> >>>>I'm a newbie, so please don't flame if I happen to ask the wrong
> >>>>question - looked for an answer both on dshield's site and on Google and
> >>>>haven't found it...
> >>>>
> >>>>...And the question obviously is: is there any readily available
> >>>>Shorewall log parser for dshield?
> >>>>
> >>>>
> >>>>
> >>>>
> >>>http://www.shorewall.net/ says that it uses iptables.  Have you tried one of
> >>>our iptables scripts?
> >>>
> >>>http://www.dshield.org/framework.html
> >>>
> >>>or http://www.dshield.org/linux_clients.html#dshieldpy
> >>>
> >>>
> >>>Wayne Larmon
> >>>DShield.org
> >>>
> >>>
> >>>_______________________________________________
> >>>Dshield mailing list
> >>>Dshield at dshield.org
> >>>To change your subscription options (or unsubscribe), see:
> >>>http://www.dshield.org/mailman/listinfo/list
> >>
> >>
> >
>
>
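The conversion discussed in this thread, written out as an added example (it is not the DShield Framework or dshieldpy code, nor anything Wayne posted): it turns a kernel iptables/Shorewall line from syslog into a tab-separated record laid out like the sample line in the reply above (date and time with zone, user id, count, source, source port, destination, destination port, protocol, TCP flags). Assumptions that are mine, not the thread's: the year is supplied by the caller because syslog timestamps carry none; the count column is the number of identical lines merged; ICMP type and code are reported in the two port columns; TCP flags are the first letters of the flag words present. The sample lines are constructed, modelled on the Shorewall entry quoted below, and the user id is the one from the sample record. The last part shows the point about reading both /var/log/messages and a syslog file: the counts double, and only exact-duplicate removal (or reading one file) brings them back.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed sample log lines, modelled on the Shorewall/iptables entry quoted
# in this thread (same field layout; the ICMP kernel line and the sshd line are
# made up). MESSAGES stands in for /var/log/messages, SYSLOG for a second file
# that syslog.conf also sends the kernel lines to.
MESSAGES = [
    "Nov 10 02:34:39 bogdan kernel: Shorewall:net2all:DROP:IN=eth0 OUT= "
    "MAC=52:54:05:e5:67:42:00:02:44:4f:2b:9b:08:00 SRC=213.224.93.36 "
    "DST=217.156.116.130 LEN=48 TOS=0x00 PREC=0x80 TTL=112 ID=34579 DF "
    "PROTO=TCP SPT=1334 DPT=3042 WINDOW=8192 RES=0x00 SYN URGP=0",
    "Nov 10 02:35:01 bogdan sshd[812]: Accepted publickey for bogdan from 10.0.0.5",
    "Nov 10 02:36:12 bogdan kernel: Shorewall:net2all:DROP:IN=eth0 OUT= "
    "MAC=52:54:05:e5:67:42:00:02:44:4f:2b:9b:08:00 SRC=10.9.8.7 "
    "DST=217.156.116.130 LEN=84 TOS=0x00 PREC=0x00 TTL=50 ID=1 "
    "PROTO=ICMP TYPE=8 CODE=0 ID=512 SEQ=1",
]
SYSLOG = [MESSAGES[0], MESSAGES[2]]  # the same kernel lines, written a second time

# syslog timestamp, "kernel:", then an iptables payload (must contain IN=)
SYSLOG_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2})\s+(?P<day>\d{1,2}) (?P<time>\d\d:\d\d:\d\d) "
    r"(?P<host>\S+) kernel: (?P<rest>.*\bIN=.*)$")
KV_RE = re.compile(r"(\w+)=(\S*)")   # KEY=value tokens; bare tokens (DF, SYN) are skipped
TCP_FLAGS = ("SYN", "ACK", "FIN", "RST", "PSH", "URG")
MONTHS = {m: i for i, m in enumerate(
    "Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec".split(), start=1)}


def parse_iptables_line(line, year):
    """Return the fields of one kernel iptables log line, or None if it is not one.

    syslog timestamps carry no year, so the caller supplies it.
    """
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    rest = m.group("rest")
    kv = dict(KV_RE.findall(rest))
    if not {"SRC", "DST", "PROTO"} <= kv.keys():
        return None
    hh, mm, ss = (int(x) for x in m.group("time").split(":"))
    ts = datetime(year, MONTHS[m.group("mon")], int(m.group("day")), hh, mm, ss)
    proto = kv["PROTO"]
    if proto == "ICMP":
        # Assumption: ICMP type and code are reported in the two port columns.
        sport, dport = kv.get("TYPE", "0"), kv.get("CODE", "0")
    else:
        sport, dport = kv.get("SPT", "0"), kv.get("DPT", "0")
    tokens = set(rest.split())
    # Assumption: flags column is the first letter of each TCP flag word present.
    flags = "".join(f[0] for f in TCP_FLAGS if f in tokens) if proto == "TCP" else ""
    return {"ts": ts.strftime("%Y-%m-%d %H:%M:%S"), "src": kv["SRC"], "sport": sport,
            "dst": kv["DST"], "dport": dport, "proto": proto, "flags": flags}


def to_dshield_record(f, tz, userid, count=1):
    """Tab-separated record in the column order of the sample line in this reply."""
    return "\t".join([f"{f['ts']} {tz}", str(userid), str(count), f["src"], f["sport"],
                      f["dst"], f["dport"], f["proto"], f["flags"]])


def convert(lines, year, tz, userid):
    """Convert every iptables line; identical lines are merged into the count column."""
    counts, parsed = Counter(), {}
    for line in lines:
        fields = parse_iptables_line(line, year)
        if fields is not None:
            counts[line] += 1
            parsed[line] = fields
    return [to_dshield_record(parsed[line], tz, userid, n) for line, n in counts.items()]


def merge_sources(*sources):
    """Drop exact duplicates when the same kernel lines were written to two files.

    This also collapses two genuinely identical packets logged in the same second,
    which is why reading just one of the files is the safer choice.
    """
    return list(dict.fromkeys(line for src in sources for line in src))


if __name__ == "__main__":
    for rec in convert(MESSAGES, 2002, "+02:00", 59254230):
        print(rec)
    both = convert(MESSAGES + SYSLOG, 2002, "+02:00", 59254230)
    print("count when both files are read:", both[0].split("\t")[2])
    merged = convert(merge_sources(MESSAGES, SYSLOG), 2002, "+02:00", 59254230)
    print("count after de-duplication:", merged[0].split("\t")[2])
```

Run it as a script to see the two converted records, then the doubled count when both files are fed in and the count after de-duplication. The non-kernel sshd line is ignored by the regex rather than producing a half-filled record, which is the failure mode to watch for when a parser is pointed at a whole /var/log/messages.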
