 
 From:  Bob McConnell <rmcconne at lightlink dot com>
 To:  Monowall User List <m0n0wall at lists dot m0n0 dot ch>
 Subject:  Re: [m0n0wall] Log file format
 Date:  Mon, 04 May 2009 00:37:09 -0400
Chad R. Larson wrote:
> Bob McConnell wrote:
>> I set up m0n0wall about two months ago, and configured it to forward
>> syslog to a server on my LAN. I now have seven weeks of log files that I
>> would like to examine. I have started sketching out some Perl scripts to
>> analyze them, but I cannot find any documentation on the format of those
>> lines. Did I miss it somewhere? What do the fields mean and what is the
>> full set of flag values that I need to look for?
> 
> The logs are in a format (syslog) in wide use, and there are already a
> bunch of programs that will reduce them to tables and graphs.
> 
> Look at webalizer, for example.

Hi Chad,

Syslog files are free form text beyond the first three fields, or five 
in the case of remote logging. Everything else is defined and formatted 
by the application that sends those entries. Take this line for example:

Mar 29 05:05:42 172.16.0.10 ipmon[91]: 05:05:42.226506 ex0 @0:17 b 
58.241.178.213,6000 -> 24.58.18.216,2967 PR tcp len 20 40 -S IN

The first section, "Mar 29 05:05:42 172.16.0.10 ipmon[91]: ", shows the 
server time stamp, firewall IP address, process name, user and level. 
This portion is dictated by syslog conventions.

The next field appears to be the local time stamp from m0n0wall and the 
second line starts off with the source IP and port followed by the 
destination IP and port.

But what is the rest of that entry and what other values might I see in 
each of these fields?

"ex0 @0:17 b" = ??

"PR tcp len 20 40 -S IN" = ??

My initial plan is to select only lines with "ipmon[91]:" saving only 
the month and day from that portion. Then I want to parse the rest to 
determine what addresses are attacking my firewall, how often they hit 
it and what ports they are trying to access. I also want to find out how 
long after I shut down ktorrent before I stopped getting hits on those 
ports.

I'll take a look at webalizer, but I don't see anything about m0n0wall 
in its list of known formats. Neither do any of the other log analyzers 
I have looked at.

Thanks,

Bob McConnell
N2SPP
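The parser below is an added example for the question above; it is not code from the thread, from m0n0wall or from IPFilter. It reads the remote-syslog prefix, then the ipmon body, as I understand IPFilter's ipmon output: the high-resolution local time, the interface ("ex0"), "@group:rule" (the rule group and rule number that matched), the action letter ("b" for block, "p" for pass, "n" for no match), source and destination "addr,port", "PR proto", "len" followed by the IP header length and the total packet length, the TCP flags with a leading "-" (so "-S" is a bare SYN; ICMP shows "icmp type/code" there instead), and finally "IN" or "OUT" for direction. That field layout and those letter meanings are my assumption, not something stated in the thread. The sample lines are the one from the mail (rejoined after wrapping) plus constructed lines using RFC 5737 test addresses; the summary counts what the post calls hits: blocked inbound packets per source address, per destination port and per day.

```python
"""Parse m0n0wall/IPFilter ipmon lines forwarded over syslog (added example).

The ipmon field layout and letter meanings below are my reading of IPFilter's
ipmon output and are assumptions, not facts taken from the mailing-list thread.
"""
import re
from collections import Counter

# Syslog prefix written by syslogd for a remote host:
#   "Mar 29 05:05:42 172.16.0.10 ipmon[91]: <message>"
SYSLOG_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2}) +(?P<day>\d{1,2}) (?P<time>\d\d:\d\d:\d\d) "
    r"(?P<host>\S+) (?P<prog>[^\s\[:]+)(?:\[(?P<pid>\d+)\])?: (?P<msg>.*)$"
)

# ipmon body, assumed layout:
#   <time.usec> <iface> @<group>:<rule> <action> <src>[,<sport>] -> <dst>[,<dport>]
#   PR <proto> len <iphdrlen> <pktlen> [-<tcpflags> | icmp <type>/<code>] IN|OUT [tail]
IPMON_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) (?P<iface>\S+) @(?P<group>\d+):(?P<rule>\d+) "
    r"(?P<action>\S+) "
    r"(?P<src>[0-9A-Fa-f.:]+?)(?:,(?P<sport>\d+))? -> "
    r"(?P<dst>[0-9A-Fa-f.:]+?)(?:,(?P<dport>\d+))? "
    r"PR (?P<proto>\S+) len (?P<hlen>\d+) (?P<plen>\d+)"
    r"(?: (?P<extra>.*?))? (?P<dir>IN|OUT)(?: (?P<tail>.*))?$"
)

# Assumed ipmon action letters; other letters exist and fall through as "unknown".
ACTIONS = {"p": "pass", "b": "block", "n": "nomatch"}
# Assumed TCP flag letters following the leading '-'.
TCP_FLAGS = {"S": "SYN", "A": "ACK", "P": "PSH", "F": "FIN", "U": "URG", "R": "RST"}


def tcp_flags(extra):
    """Decode the flag token, e.g. '-S' -> {'SYN'}, '-AP' -> {'ACK', 'PSH'}."""
    if not extra or not extra.startswith("-"):
        return set()
    return {TCP_FLAGS.get(c, c) for c in extra[1:]}


def parse_line(line):
    """Return a dict of fields for one forwarded ipmon line, or None when the
    line is from another program or its body does not fit the assumed layout."""
    m = SYSLOG_RE.match(line.rstrip("\n"))
    if not m or m.group("prog") != "ipmon":
        return None
    b = IPMON_RE.match(m.group("msg"))
    if not b:
        return None
    rec = {"mon": m.group("mon"), "day": int(m.group("day")), "fw": m.group("host")}
    rec.update(b.groupdict())
    for k in ("group", "rule", "sport", "dport", "hlen", "plen"):
        rec[k] = int(rec[k]) if rec[k] is not None else None
    rec["action_name"] = ACTIONS.get(rec["action"], "unknown")
    rec["tcp_flags"] = tcp_flags(rec["extra"]) if rec["proto"] == "tcp" else set()
    return rec


def blocked_inbound(records):
    """Blocked, inbound packets: the 'hits' on the firewall the post asks about."""
    return [r for r in records if r["action"] == "b" and r["dir"] == "IN"]


def summarize(lines):
    """Count blocked-inbound hits per source address, per (proto, dport), per day."""
    recs = [r for r in (parse_line(l) for l in lines) if r]
    hits = blocked_inbound(recs)
    by_src = Counter(r["src"] for r in hits)
    by_dport = Counter((r["proto"], r["dport"]) for r in hits)
    by_day = Counter((r["mon"], r["day"]) for r in hits)
    return by_src, by_dport, by_day


# Constructed sample input: the line quoted in the mail (rejoined after wrapping)
# plus made-up lines in the same layout using RFC 5737 test addresses.
SAMPLE = [
    "Mar 29 05:05:42 172.16.0.10 ipmon[91]: 05:05:42.226506 ex0 @0:17 b "
    "58.241.178.213,6000 -> 24.58.18.216,2967 PR tcp len 20 40 -S IN",
    "Mar 29 05:06:10 172.16.0.10 ipmon[91]: 05:06:10.001122 ex0 @0:17 b "
    "203.0.113.7,51234 -> 24.58.18.216,6881 PR tcp len 20 40 -S IN",
    "Mar 29 05:06:11 172.16.0.10 ipmon[91]: 05:06:11.334455 ex0 @0:17 b "
    "203.0.113.7,51235 -> 24.58.18.216,6881 PR udp len 20 47 IN",
    "Mar 30 01:00:00 172.16.0.10 ipmon[91]: 01:00:00.000001 ex0 @0:9 p "
    "24.58.18.216,44321 -> 198.51.100.2,80 PR tcp len 20 60 -S OUT",
    "Mar 30 01:00:01 172.16.0.10 ipmon[91]: 01:00:01.000002 ex0 @0:17 b "
    "198.51.100.9 -> 24.58.18.216 PR icmp len 20 84 icmp 8/0 IN",
    "Mar 30 01:00:02 172.16.0.10 sshd[123]: Accepted publickey for admin",
]

if __name__ == "__main__":
    by_src, by_dport, by_day = summarize(SAMPLE)
    for src, n in by_src.most_common():
        print(f"{n:6d}  {src}")
    for (proto, port), n in by_dport.most_common():
        print(f"{n:6d}  {proto}/{port}")
    for (mon, day), n in sorted(by_day.items()):
        print(f"{n:6d}  {mon} {day}")
```

To answer the ktorrent question, feed the real files through summarize() one day at a time and watch the count for the BitTorrent destination port fall off; lines whose body does not fit the assumed layout are dropped by parse_line(), so count how many return None before trusting the totals.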