In <[EMAIL PROTECTED]>, Jonas Lundberg
<[EMAIL PROTECTED]> writes:
> I've been trying to write a logformat string to analyze the output from our
> firewall, a Sonicwall. I'm getting nowhere. Maybe someone has already done
> this. The log looks like this:
>
> 03/28/2002 10:38:20.832 - TCP connection dropped -
> Source:195.58.198.99, 4410, WAN - Destination:123.456.789.012, 80, LAN -
> 'Web (HTTP)' - Rule 3
> 03/28/2002 10:39:40.224 - TCP connection dropped -
> Source:195.58.198.99, 1311, WAN - Destination:123.456.789.012, 80, LAN -
> 'Web (HTTP)' - Rule 6
>
> Every line starts with the date, there are also a couple of tabs in there.
> The most interesting would be to see how many source IPs there are for the
> past few days.
Probably the easiest way is to pipe the firewall log through a simple filter,
something like
#!/usr/bin/perl
use strict;
use warnings;

# Month number -> abbreviation, as used in the common log format timestamp
my %mon = (
    1  => 'Jan',
    2  => 'Feb',
    3  => 'Mar',
    4  => 'Apr',
    5  => 'May',
    6  => 'Jun',
    7  => 'Jul',
    8  => 'Aug',
    9  => 'Sep',
    10 => 'Oct',
    11 => 'Nov',
    12 => 'Dec',
);

while (<>) {
    # Pick out date, time, the Source: address and the rule number. \s+ between
    # date and time also copes with the tabs the firewall puts in its lines.
    # The pattern must stay on one line: a line break inside m!...! would have
    # to match a literal newline and nothing would ever match.
    if (m!^(\d\d)/(\d\d)/(\d\d\d\d)\s+(\d\d:\d\d:\d\d)\..*?Source:\s*(\d+\.\d+\.\d+\.\d+),.*Rule\s*(\d+)!) {
        # Emit a common-log-format line: the source IP takes the place of the
        # client host, the firewall timestamp the request time, and the rule
        # number becomes the "requested" URL, so analog can report on it.
        print "$5 - - [$2/$mon{$1+0}/$3:$4 -0000] \"GET /rule-$6 HTTP/1.0\"\n";
    }
}
If you are interested in additional information from the firewall log, you
could add that to the URL, for example
GET /rule-3/sourceport-4410/destination-123.456.789.012/
--
Klaus Johannes Rusch
[EMAIL PROTECTED]
http://www.atmedia.net/KlausRusch/
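As an added example (not part of the thread above, and not Klaus's or analog's code), here is the same idea in Python, which also answers the original question directly: it parses the Sonicwall "TCP connection dropped" lines into their fields, can emit the extended common-log-format line Klaus suggests (with the source port and destination folded into the URL), and counts how many times each source IP appears over the past few days. It assumes the line layout shown in the quoted post, with fields separated by " - " and possibly tabs; the sample log lines are constructed from the two quoted in the post plus two made-up entries using RFC 5737 documentation addresses, and the "200 -" status/bytes filler at the end of each output line is my addition so the line is a complete common-log-format record.

```python
"""Parse SonicWall 'TCP connection dropped' lines and summarise source IPs.

Added example, not from the original mailing-list thread. Assumes the field
layout shown in the quoted post; separators are ' - ' with optional tabs.
"""
import re
from collections import defaultdict
from datetime import date, timedelta

MONTHS = ['Jan', 'Feb', 'Mar', 'Apr', 'May', 'Jun',
          'Jul', 'Aug', 'Sep', 'Oct', 'Nov', 'Dec']

# Separators are ' - ' but the firewall also inserts tabs, so allow any
# whitespace run around each dash. Named groups keep the fields readable.
LINE_RE = re.compile(
    r'^(?P<mon>\d\d)/(?P<day>\d\d)/(?P<year>\d{4})\s+'
    r'(?P<time>\d\d:\d\d:\d\d)\.\d+\s*-\s*'
    r'(?P<event>[^-]+?)\s*-\s*'
    r'Source:\s*(?P<src>\d+\.\d+\.\d+\.\d+),\s*(?P<sport>\d+),\s*(?P<szone>\w+)\s*-\s*'
    r'Destination:\s*(?P<dst>\d+\.\d+\.\d+\.\d+),\s*(?P<dport>\d+),\s*(?P<dzone>\w+)\s*-\s*'
    r"'(?P<service>[^']*)'\s*-\s*Rule\s*(?P<rule>\d+)"
)

# Constructed sample: the two lines quoted in the post (tabs added where the
# poster says they occur) plus two invented entries; 192.0.2.7 and
# 198.51.100.3 are documentation addresses, not real hosts.
SAMPLE_LOG = [
    "03/28/2002 10:38:20.832 - TCP connection dropped -\tSource:195.58.198.99, 4410, WAN"
    " - Destination:123.456.789.012, 80, LAN -\t'Web (HTTP)' - Rule 3",
    "03/28/2002 10:39:40.224 - TCP connection dropped -\tSource:195.58.198.99, 1311, WAN"
    " - Destination:123.456.789.012, 80, LAN -\t'Web (HTTP)' - Rule 6",
    "03/29/2002 01:02:03.004 - TCP connection dropped -\tSource:192.0.2.7, 5555, WAN"
    " - Destination:123.456.789.012, 22, LAN -\t'SSH' - Rule 3",
    "03/20/2002 23:59:59.000 - TCP connection dropped - Source:198.51.100.3, 2020, WAN"
    " - Destination:123.456.789.012, 80, LAN - 'Web (HTTP)' - Rule 3",
    "this line is not a firewall event and must be skipped",
]


def parse_line(line):
    """Return a dict of fields for a matching line, or None for anything else."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec['date'] = date(int(rec['year']), int(rec['mon']), int(rec['day']))
    return rec


def to_clf(rec):
    """Render one parsed record as a common-log-format line for analog.

    The rule, source port and destination go into the URL path so analog's
    request report breaks the drops down by those values. '200 -' is filler
    for the status and byte-count fields a complete CLF line carries.
    """
    stamp = '%s/%s/%s:%s -0000' % (
        rec['day'], MONTHS[int(rec['mon']) - 1], rec['year'], rec['time'])
    path = '/rule-%s/sourceport-%s/destination-%s/' % (
        rec['rule'], rec['sport'], rec['dst'])
    return '%s - - [%s] "GET %s HTTP/1.0" 200 -' % (rec['src'], stamp, path)


def source_summary(lines, today, days=3):
    """Return {source_ip: number of dropped connections} for the last `days` days.

    Records dated today - days or later are counted; unparseable lines and
    older records are ignored.
    """
    cutoff = today - timedelta(days=days)
    hits = defaultdict(int)
    for line in lines:
        rec = parse_line(line)
        if rec is not None and rec['date'] >= cutoff:
            hits[rec['src']] += 1
    return dict(hits)


if __name__ == '__main__':
    for line in SAMPLE_LOG:
        rec = parse_line(line)
        if rec is not None:
            print(to_clf(rec))
    # Pretend "today" is the day after the newest sample entry.
    for src, n in sorted(source_summary(SAMPLE_LOG, date(2002, 3, 30)).items()):
        print('%-16s %d' % (src, n))
```

Feed a real export through `parse_line`/`to_clf` and write the result to a file for analog, or call `source_summary` with `date.today()` to get the distinct-source count the original poster was after; lines that fail to parse are dropped silently, so compare the count of parsed lines against the input line count if you want to notice a format change in the firewall's output.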