Chad R. Larson wrote:
> Bob McConnell wrote:
>> I set up m0n0wall about two months ago, and configured it to forward
>> syslog to a server on my LAN. I now have seven weeks of log files that I
>> would like to examine. I have started sketching out some Perl scripts to
>> analyze them, but I cannot find any documentation on the format of those
>> lines. Did I miss it somewhere? What do the fields mean and what is the
>> full set of flag values that I need to look for?
> The logs are in a format (syslog) in wide use, and there are already a
> bunch of programs that will reduce them to tables and graphs.
> Look at webalizer, for example.
Syslog files are free-form text beyond the first three fields, or five
in the case of remote logging. Everything else is defined and formatted
by the application that sends those entries. Take this line for example:
Mar 29 05:05:42 172.16.0.10 ipmon: 05:05:42.226506 ex0 @0:17 b
18.104.22.168,6000 -> 22.214.171.124,2967 PR tcp len 20 40 -S IN
The first section, "Mar 29 05:05:42 172.16.0.10 ipmon: ", shows the
server time stamp, firewall IP address, process name, user and level.
This portion is dictated by syslog conventions.
The next field appears to be the local time stamp from m0n0wall and the
second line starts off with the source IP and port followed by the
destination IP and port.
But what is the rest of that entry and what other values might I see in
each of these fields?
"ex0 @0:17 b" = ??
"PR tcp len 20 40 -S IN" = ??
My initial plan is to select only lines with "ipmon:", saving only
the month and day from that portion. Then I want to parse the rest to
determine what addresses are attacking my firewall, how often they hit
it and what ports they are trying to access. I also want to find out how
long after I shut down ktorrent before I stopped getting hits on those
I'll take a look at webalizer, but I don't see anything about m0n0wall
in its list of known formats. Neither do any of the other log analyzers
I have looked at.
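The parsing plan sketched above, as an added example that is not part of this thread (Python rather than Perl, so that it can be checked here): it splits the syslog prefix from the ipmon record, reads the ipmon fields the way ipmon(8) documents them (interface, @group:rule, action code with b = block and p = pass, source and destination with optional port, PR protocol, len header-length packet-length, then the TCP flag string or ICMP type/code, and finally IN or OUT for direction), and counts blocked inbound packets per source address, per destination port and per day. The sample lines are constructed for the example (the first is the line quoted above, joined back onto one line as it is in the file; the rest use documentation addresses), and the ICMP and non-ipmon lines are there to show the two cases a simple "split on spaces" script trips over.

```python
"""Parse m0n0wall (ipfilter ipmon) entries forwarded over syslog and
summarise blocked inbound traffic. Added example, not m0n0wall's own code."""
import re
from collections import Counter

# Syslog prefix (server timestamp, sending host, process name), then the
# ipmon record. Ports are optional because ICMP entries carry none.
IPMON_RE = re.compile(
    r"^(?P<month>[A-Z][a-z]{2})\s+(?P<day>\d{1,2}) (?P<time>\d\d:\d\d:\d\d) "
    r"(?P<host>\S+) ipmon: "
    r"(?P<local_time>\d\d:\d\d:\d\d\.\d+) "
    r"(?P<iface>\S+) @(?P<group>\d+):(?P<rule>\d+) (?P<action>\S+) "
    r"(?P<src>[\d.]+)(?:,(?P<sport>\d+))? -> "
    r"(?P<dst>[\d.]+)(?:,(?P<dport>\d+))? "
    r"PR (?P<proto>\S+) len (?P<hdr_len>\d+) (?P<pkt_len>\d+)"
    r"(?P<rest>.*)$"
)

# Action codes as documented in ipmon(8); anything else is kept verbatim.
ACTIONS = {"b": "block", "p": "pass", "n": "nomatch", "S": "short", "L": "log"}

# Constructed sample input for this example (not real log data). The first
# line is the one quoted in the thread, joined back onto a single line.
SAMPLE_LINES = [
    "Mar 29 05:05:42 172.16.0.10 ipmon: 05:05:42.226506 ex0 @0:17 b "
    "18.104.22.168,6000 -> 22.214.171.124,2967 PR tcp len 20 40 -S IN",
    "Mar 29 05:05:43 172.16.0.10 ipmon: 05:05:43.101100 ex0 @0:17 b "
    "18.104.22.168,6001 -> 22.214.171.124,2967 PR tcp len 20 40 -S IN",
    "Mar 29 05:05:50 172.16.0.10 ipmon: 05:05:50.555000 ex0 @0:17 b "
    "203.0.113.7,44123 -> 22.214.171.124,22 PR tcp len 20 40 -S IN",
    # ICMP: no ports, and "icmp type/code" where TCP has its flag string
    "Mar 29 05:06:01 172.16.0.10 ipmon: 05:06:01.000100 ex0 @0:9 b "
    "203.0.113.7 -> 22.214.171.124 PR icmp len 20 84 icmp 8/0 IN",
    # Passed outbound packet: must not be counted as an attack
    "Mar 29 05:06:05 172.16.0.10 ipmon: 05:06:05.777000 ex0 @0:3 p "
    "172.16.0.10,51000 -> 198.51.100.2,80 PR tcp len 20 60 -S OUT",
    # Another daemon sharing the same syslog file: must be skipped
    "Mar 29 05:06:10 172.16.0.10 dhcpd: DHCPACK on 172.16.0.20 via sis0",
]


def parse_ipmon_line(line):
    """Return a dict of fields for an ipmon entry, or None for other lines."""
    m = IPMON_RE.match(line.rstrip("\n"))
    if not m:
        return None
    rec = m.groupdict()
    tail = rec.pop("rest").split()
    # The last token is the direction relative to the firewall; whatever
    # precedes it is protocol specific ("-S" TCP flags, "icmp 8/0", ...).
    rec["direction"] = tail.pop() if tail and tail[-1] in ("IN", "OUT") else None
    rec["flags"] = " ".join(tail)
    rec["action_name"] = ACTIONS.get(rec["action"], rec["action"])
    for key in ("sport", "dport", "group", "rule", "hdr_len", "pkt_len"):
        rec[key] = int(rec[key]) if rec[key] is not None else None
    return rec


def summarize(lines):
    """Count blocked inbound packets by source, by (proto, dport) and by day."""
    by_source, by_port, by_day = Counter(), Counter(), Counter()
    parsed = skipped = 0
    for line in lines:
        rec = parse_ipmon_line(line)
        if rec is None:
            skipped += 1
            continue
        parsed += 1
        if rec["action"] != "b" or rec["direction"] != "IN":
            continue
        by_source[rec["src"]] += 1
        by_day[f"{rec['month']} {rec['day']}"] += 1
        if rec["dport"] is not None:  # ICMP has no port to count
            by_port[(rec["proto"], rec["dport"])] += 1
    return {"parsed": parsed, "skipped": skipped, "by_source": by_source,
            "by_port": by_port, "by_day": by_day}


if __name__ == "__main__":
    summary = summarize(SAMPLE_LINES)
    print(f"ipmon lines: {summary['parsed']}, other lines: {summary['skipped']}")
    for src, n in summary["by_source"].most_common():
        print(f"{src:>16}  {n} blocked inbound")
    for (proto, port), n in summary["by_port"].most_common():
        print(f"{proto}/{port:<6} {n}")
```

To run it over the real archive, replace SAMPLE_LINES with the file handle (summarize accepts any iterable of lines) and watch the "skipped" count: if it is high, some lines did not match the layout above and should be inspected rather than silently dropped.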