 From:  Chet Harvey <chet at pittech dot com>
 To:  Pat Ellison <pat at zbit dot net>
 Cc:  m0n0wall at lists dot m0n0 dot ch
 Subject:  Re: [m0n0wall] M0N0Wall Syslog Client
 Date:  Thu, 19 Aug 2004 10:27:20 -0400
this could all be accomplished using syslog-ng (or syslog if you don't mind 
unencrypted UDP) to an ACID reporting server. I am not a fan of reinventing the 
wheel but I know you programming geeks love to play =)

Right now I have my m0n0's piping logs via encrypted stunnel using certs for 
auth then dumping to MySQL for reporting. 

Someday when I get the time I will put this all together to share. 

Chet Harvey
Pitbull Technologies <http://www.pittech.com/> 
Protecting your Digital Assets
703.407.7311


Quoting Pat Ellison <pat at zbit dot net>:

> I'm looking to write a killer .Net Syslog exclusive for M0N0Wall with
> formatted output
> for a realtime display. Maybe export to SQL, Alerts... etc all the goodies.
> I already have many IP projects that run 24/7 without fail on my Socket
> class so the
> Comm is already written and surely tested so writing this app will be almost
> trivial.
> 
> I also plan to post the source code so that others can make changes if they
> like.
> My goal is really to give me the same look as if this was just an extension
> of M0N0Wall
> except it is in real time and runs on a client. I desire to use the same
> great color scheme.
> 
> To do this I need help with a few items. Reading the raw logs there are a
> few items that I
> am not sure of in their meaning. Please help me with the description of
> these items.
> 
> Also if anybody would be gracious enough to send me any weird lines that
> they get that is
> out of the norm such as this one I came across.
> 
> 09:16:50.302903 rl0 @0:17 b 217.81.173.76 -> 9.3.18.20 PR icmp len 20 56
> icmp unreach/port for 9.3.18.20,13794 - 192.168.0.34,4675 PR udp len 20 61
> IN
> 
> 
> 09:26:54.775565 rl0 @0:15 b 68.248.200.13,63021 -> 9.3.18.20,13802 PR tcp
> len 20 40 -AR IN
> |-Time---------| IF  ?    ?   Src        , Port      Dest   , Port ?  Prot ?
> ?  ?  ?   ?
> 
> -S   ? Are these TCP packet flags?  Ack Syn etc?
> -AF  ?
> -AFP ?
> -AP  ?
> 
> 
> -Pat
> 
> 
> 09:24:41.188275 rl0 @0:17 b 66.132.253.215,3928 -> 69.33.178.214,1080 PR tcp
> len 20 48 -S IN
> 09:24:40.950029 rl0 @0:17 b 66.132.253.215,3913 -> 9.3.18.20,1080 PR tcp len
> 20 48 -S IN
> 09:24:38.009032 rl0 @0:17 b 66.132.253.215,3918 -> 69.33.178.211,1080 PR tcp
> len 20 48 -S IN
> 09:24:38.008883 rl0 @0:17 b 66.132.253.215,3913 -> 9.3.18.20,1080 PR tcp len
> 20 48 -S IN
> 09:24:34.239139 rl0 @0:17 b 69.42.65.104,52200 -> 9.3.18.20,113 PR tcp len
> 20 60 -S IN
> 09:23:29.132812 rl0 @0:15 b 82.120.24.40,3792 -> 192.2.3.4,4201 PR tcp len
> 20 40 -AF IN
> 09:22:53.943146 rl0 @0:17 b 202.105.21.247,1055 -> 69.33.178.212,1434 PR udp
> len 20 404 IN
> 09:22:38.114079 rl0 @0:15 b 82.120.24.40,3792 -> 192.2.3.4,4201 PR tcp len
> 20 40 -AF IN
> 09:22:12.159733 rl0 @0:15 b 82.120.24.40,3792 -> 192.2.3.4,4201 PR tcp len
> 20 40 -AF IN
> 09:21:15.131251 rl0 @0:17 b 69.42.65.104,46234 -> 9.3.18.20,113 PR tcp len
> 20 60 -S IN
> 09:20:54.143636 rl0 @0:17 b 69.42.65.104,46234 -> 9.3.18.20,113 PR tcp len
> 20 60 -S IN
> 09:16:50.302903 rl0 @0:17 b 217.81.173.76 -> 9.3.18.20 PR icmp len 20 56
> icmp unreach/port for 9.3.18.20,13794 - 192.168.0.34,4675 PR udp len 20 61
> IN
> 09:14:39.252967 rl1 @0:15 b 192.2.3.4,4201 -> 62.39.214.102,4227 PR tcp len
> 20 239 -AFP IN
> 09:14:31.523658 rl0 @0:15 b 62.39.214.102,4227 -> 192.2.3.4,4201 PR tcp len
> 20 108 -AFP IN
> 09:13:18.484451 rl0 @0:17 b 83.31.83.69,2214 -> 69.33.178.214,135 PR tcp len
> 20 48 -S IN
> 09:13:15.498901 rl0 @0:17 b 83.31.83.69,2214 -> 69.33.178.214,135 PR tcp len
> 20 48 -S IN
> 09:13:05.394718 rl0 @0:15 b 62.39.214.102,4227 -> 192.2.3.4,4201 PR tcp len
> 20 108 -AFP IN
> 09:13:03.226206 rl1 @0:15 b 192.2.3.4,4201 -> 62.39.214.102,4227 PR tcp len
> 20 239 -AFP IN
> 09:12:25.151444 rl1 @0:15 b 192.2.3.4,4201 -> 62.39.214.102,4227 PR tcp len
> 20 40 -AF IN
> 09:12:23.501803 rl0 @0:15 b 62.39.214.102,4227 -> 192.2.3.4,4201 PR tcp len
> 20 40 -AF IN
> 09:12:15.321926 rl1 @0:15 b 192.2.3.4,4201 -> 62.39.214.102,4227 PR tcp len
> 20 239 -AP IN
> 09:12:13.738375 rl0 @0:15 b 62.39.214.102,4227 -> 192.2.3.4,4201 PR tcp len
> 20 108 -AP IN
> 09:11:51.260291 rl1 @0:15 b 192.2.3.4,4201 -> 62.39.214.102,4227 PR tcp len
> 20 239 -AP IN
> 09:11:50.235581 rl0 @0:15 b 62.39.214.102,4227 -> 192.2.3.4,4201 PR tcp len
> 20 108 -AP IN
> 09:11:40.666172 rl0 @0:15 b 62.39.214.102,4227 -> 192.2.3.4,4201 PR tcp len
> 20 108 -AP IN
> 09:11:39.230193 rl1 @0:15 b 192.2.3.4,4201 -> 62.39.214.102,4227 PR tcp len
> 20 239 -AP IN
> 09:11:36.593161 rl0 @0:15 b 62.39.214.102,4227 -> 192.2.3.4,4201 PR tcp len
> 20 40 -A IN
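The log format Pat asks about, as an added example: this is editor's code, not from this thread, from Pat's .Net tool, or from m0n0wall itself. It parses ipmon-style IPFilter log lines like the ones quoted above. The field meanings it assumes follow ipmon's documented output: `@0:17` is rule group 0, rule 17; `b` means the packet was blocked (`p` passed); `len 20 48` is the IP header length followed by the total length; the trailing dash group is the TCP flag set (S=SYN, A=ACK, F=FIN, P=PSH, R=RST, U=URG), so `-AFP` is ACK+FIN+PSH and `-S` is a bare SYN; `IN`/`OUT` is the direction on the interface. The ICMP variant carries the original packet the error refers to after the `for`. The sample lines are copied from the message with the e-mail line wrapping undone; `summarize()` is a defender-side report the mail does not contain (blocked packets per service, bare SYNs per source).

```python
import re
from collections import Counter
from typing import Optional

# Editor's added example; not code from this thread, from Pat's .Net tool, or from m0n0wall.
# Parses IPFilter/ipmon-style log lines such as those quoted in the message above.
# Assumed layout (per ipmon's documented output):
#   <time> <iface> @<group>:<rule> <action> <src>[,<sport>] -> <dst>[,<dport>]
#     PR <proto> len <iphdrlen> <totallen> [-<tcpflags>] [icmp <type>/<code> for <orig pkt>] <IN|OUT>

TCP_FLAG_NAMES = {"S": "SYN", "A": "ACK", "F": "FIN", "P": "PSH", "R": "RST", "U": "URG"}
ACTION_NAMES = {"b": "block", "p": "pass", "S": "short", "n": "nomatch", "L": "log"}

LINE_RE = re.compile(
    r"^(?P<time>\d{2}:\d{2}:\d{2}\.\d+)\s+(?P<iface>\S+)\s+"
    r"@(?P<group>\d+):(?P<rule>\d+)\s+(?P<action>[bpSnL])\s+"
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3})(?:,(?P<sport>\d+))?\s+->\s+"
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3})(?:,(?P<dport>\d+))?\s+"
    r"PR\s+(?P<proto>\w+)\s+len\s+(?P<hlen>\d+)\s+(?P<tlen>\d+)"
    r"(?:\s+-(?P<flags>[SAFPRU]+))?"      # TCP flag letters, only present for tcp
    r"(?P<rest>.*?)\s*(?P<dir>IN|OUT)$"   # anything else (ICMP detail) up to the direction
)

# Original packet quoted inside an ICMP error, e.g.
# "icmp unreach/port for 9.3.18.20,13794 - 192.168.0.34,4675 PR udp len 20 61"
ICMP_RE = re.compile(
    r"^icmp\s+(?P<kind>\S+)\s+for\s+"
    r"(?P<osrc>[\d.]+),(?P<osport>\d+)\s+-\s+(?P<odst>[\d.]+),(?P<odport>\d+)"
    r"\s+PR\s+(?P<oproto>\w+)"
)


def decode_flags(flags: Optional[str]) -> list:
    """Expand the one-letter TCP flag string (e.g. 'AFP') into flag names."""
    return [TCP_FLAG_NAMES[c] for c in (flags or "")]


def parse_line(line: str) -> Optional[dict]:
    """Parse one ipmon-style log line into a dict; return None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = {
        "time": m["time"], "iface": m["iface"],
        "group": int(m["group"]), "rule": int(m["rule"]),
        "action": ACTION_NAMES[m["action"]],
        "src": m["src"], "sport": int(m["sport"]) if m["sport"] else None,
        "dst": m["dst"], "dport": int(m["dport"]) if m["dport"] else None,
        "proto": m["proto"],
        "ip_hdr_len": int(m["hlen"]), "total_len": int(m["tlen"]),
        "flags": decode_flags(m["flags"]),
        "direction": m["dir"],
        "icmp": None,
    }
    icmp = ICMP_RE.match(m["rest"].strip())
    if icmp:  # ICMP error: keep the embedded original packet as a nested record
        rec["icmp"] = {
            "kind": icmp["kind"],
            "orig_src": icmp["osrc"], "orig_sport": int(icmp["osport"]),
            "orig_dst": icmp["odst"], "orig_dport": int(icmp["odport"]),
            "orig_proto": icmp["oproto"],
        }
    return rec


def summarize(lines) -> dict:
    """Count blocked packets by (proto, dport) and blocked bare SYNs by source address."""
    by_service, syn_by_src = Counter(), Counter()
    for rec in filter(None, map(parse_line, lines)):
        if rec["action"] != "block":
            continue
        by_service[(rec["proto"], rec["dport"])] += 1
        if rec["flags"] == ["SYN"]:
            syn_by_src[rec["src"]] += 1
    return {"blocked_by_service": by_service, "blocked_syn_by_source": syn_by_src}


# Sample input: lines from the message above, with the e-mail line wrapping undone.
SAMPLE_LINES = [
    "09:24:41.188275 rl0 @0:17 b 66.132.253.215,3928 -> 69.33.178.214,1080 PR tcp len 20 48 -S IN",
    "09:24:40.950029 rl0 @0:17 b 66.132.253.215,3913 -> 9.3.18.20,1080 PR tcp len 20 48 -S IN",
    "09:24:34.239139 rl0 @0:17 b 69.42.65.104,52200 -> 9.3.18.20,113 PR tcp len 20 60 -S IN",
    "09:23:29.132812 rl0 @0:15 b 82.120.24.40,3792 -> 192.2.3.4,4201 PR tcp len 20 40 -AF IN",
    "09:22:53.943146 rl0 @0:17 b 202.105.21.247,1055 -> 69.33.178.212,1434 PR udp len 20 404 IN",
    "09:16:50.302903 rl0 @0:17 b 217.81.173.76 -> 9.3.18.20 PR icmp len 20 56 "
    "icmp unreach/port for 9.3.18.20,13794 - 192.168.0.34,4675 PR udp len 20 61 IN",
    "09:14:39.252967 rl1 @0:15 b 192.2.3.4,4201 -> 62.39.214.102,4227 PR tcp len 20 239 -AFP IN",
    "09:26:54.775565 rl0 @0:15 b 68.248.200.13,63021 -> 9.3.18.20,13802 PR tcp len 20 40 -AR IN",
]

if __name__ == "__main__":
    for rec in map(parse_line, SAMPLE_LINES):
        print(rec["time"], rec["action"], rec["proto"], rec["src"], "->", rec["dst"],
              rec["flags"], rec["icmp"] or "")
    print(summarize(SAMPLE_LINES))
```

Each parsed record is a flat dict, so it drops straight into a SQL insert or a live display like the one Pat describes; the regex rejects anything that does not match the full layout, which is the safer default when log lines can be wrapped or truncated in transit.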