True, but it's not real time. I was using Kiwi and the lack of formatting was making me have to concentrate hard to see what was happening. Color coding would be the greatest.

BTW.. give me the CREATE TABLE T-SQL statement for your SQL logs, and then if we use the same format you would be able to use this out of the box if you like it..

-Pat

My primary goal is formatted, realtime Syslog viewing.

-----Original Message-----
From: Chet Harvey [mailto:chet at pittech dot com]
Sent: Thursday, August 19, 2004 10:27 AM
To: Pat Ellison
Cc: m0n0wall at lists dot m0n0 dot ch
Subject: Re: [m0n0wall] M0N0Wall Syslog Client

This could all be accomplished using syslog-ng (or syslog if you don't mind unencrypted UDP) to an ACID reporting server. I am not a fan of reinventing the wheel, but I know you programming geeks love to play =)

Right now I have my m0n0's piping logs via encrypted stunnel using certs for auth, then dumping to mySQL for reporting. Someday when I get the time I will put this all together to share.

Chet Harvey
Pitbull Technologies <http://www.pittech.com/>
Protecting your Digital Assets
703.407.7311

Quoting Pat Ellison <pat at zbit dot net>:

> I'm looking to write a killer .Net Syslog client exclusively for M0N0Wall with
> formatted output for a realtime display. Maybe export to SQL, alerts... etc., all the goodies.
> I already have many IP projects that run 24/7 without fail on my Socket class, so the
> comm is already written and surely tested, so writing this app will be almost trivial.
>
> I also plan to post the source code so that others can make changes if they like.
> My goal is really to give me the same look as if this was just an extension of M0N0Wall,
> except it is in real time and runs on a client. I desire to use the same great color scheme.
>
> To do this I need help with a few items. Reading the raw logs there are a few items that I
> am not sure of in their meaning.. Please help me with the description of these items.
>
> Also if anybody would be gracious enough to send me any weird lines that they get that are
> out of the norm, such as this one I came across:
>
> 09:16:50.302903 rl0 @0:17 b 217.81.173.76 -> 9.3.18.20 PR icmp len 20 56 icmp unreach/port for 9.3.18.20,13794 - 192.168.0.34,4675 PR udp len 20 61 IN
>
>
> 09:26:54.775565 rl0 @0:15 b 68.248.200.13,63021 -> 9.3.18.20,13802 PR tcp len 20 40 -AR IN
> |-Time---------|IF  ?     ? Src , Port             Dest , Port     ?  Prot ?  ?  ?  ?   ?
>
> -S ? Are these TCP packet flags? Ack, Syn etc.?
> -AF ?
> -AFP ?
> -AP ?
>
>
> -Pat
>
>
> 09:24:41.188275 rl0 @0:17 b 66.132.253.215,3928 -> 69.33.178.214,1080 PR tcp len 20 48 -S IN
> 09:24:40.950029 rl0 @0:17 b 66.132.253.215,3913 -> 9.3.18.20,1080 PR tcp len 20 48 -S IN
> 09:24:38.009032 rl0 @0:17 b 66.132.253.215,3918 -> 69.33.178.211,1080 PR tcp len 20 48 -S IN
> 09:24:38.008883 rl0 @0:17 b 66.132.253.215,3913 -> 9.3.18.20,1080 PR tcp len 20 48 -S IN
> 09:24:34.239139 rl0 @0:17 b 69.42.65.104,52200 -> 9.3.18.20,113 PR tcp len 20 60 -S IN
> 09:23:29.132812 rl0 @0:15 b 82.120.24.40,3792 -> 192.2.3.4,4201 PR tcp len 20 40 -AF IN
> 09:22:53.943146 rl0 @0:17 b 202.105.21.247,1055 -> 69.33.178.212,1434 PR udp len 20 404 IN
> 09:22:38.114079 rl0 @0:15 b 82.120.24.40,3792 -> 192.2.3.4,4201 PR tcp len 20 40 -AF IN
> 09:22:12.159733 rl0 @0:15 b 82.120.24.40,3792 -> 192.2.3.4,4201 PR tcp len 20 40 -AF IN
> 09:21:15.131251 rl0 @0:17 b 69.42.65.104,46234 -> 9.3.18.20,113 PR tcp len 20 60 -S IN
> 09:20:54.143636 rl0 @0:17 b 69.42.65.104,46234 -> 9.3.18.20,113 PR tcp len 20 60 -S IN
> 09:16:50.302903 rl0 @0:17 b 217.81.173.76 -> 9.3.18.20 PR icmp len 20 56 icmp unreach/port for 9.3.18.20,13794 - 192.168.0.34,4675 PR udp len 20 61 IN
> 09:14:39.252967 rl1 @0:15 b 192.2.3.4,4201 -> 62.39.214.102,4227 PR tcp len 20 239 -AFP IN
> 09:14:31.523658 rl0 @0:15 b 62.39.214.102,4227 -> 192.2.3.4,4201 PR tcp len 20 108 -AFP IN
> 09:13:18.484451 rl0 @0:17 b 83.31.83.69,2214 -> 69.33.178.214,135 PR tcp len 20 48 -S IN
> 09:13:15.498901 rl0 @0:17 b 83.31.83.69,2214 -> 69.33.178.214,135 PR tcp len 20 48 -S IN
> 09:13:05.394718 rl0 @0:15 b 62.39.214.102,4227 -> 192.2.3.4,4201 PR tcp len 20 108 -AFP IN
> 09:13:03.226206 rl1 @0:15 b 192.2.3.4,4201 -> 62.39.214.102,4227 PR tcp len 20 239 -AFP IN
> 09:12:25.151444 rl1 @0:15 b 192.2.3.4,4201 -> 62.39.214.102,4227 PR tcp len 20 40 -AF IN
> 09:12:23.501803 rl0 @0:15 b 62.39.214.102,4227 -> 192.2.3.4,4201 PR tcp len 20 40 -AF IN
> 09:12:15.321926 rl1 @0:15 b 192.2.3.4,4201 -> 62.39.214.102,4227 PR tcp len 20 239 -AP IN
> 09:12:13.738375 rl0 @0:15 b 62.39.214.102,4227 -> 192.2.3.4,4201 PR tcp len 20 108 -AP IN
> 09:11:51.260291 rl1 @0:15 b 192.2.3.4,4201 -> 62.39.214.102,4227 PR tcp len 20 239 -AP IN
> 09:11:50.235581 rl0 @0:15 b 62.39.214.102,4227 -> 192.2.3.4,4201 PR tcp len 20 108 -AP IN
> 09:11:40.666172 rl0 @0:15 b 62.39.214.102,4227 -> 192.2.3.4,4201 PR tcp len 20 108 -AP IN
> 09:11:39.230193 rl1 @0:15 b 192.2.3.4,4201 -> 62.39.214.102,4227 PR tcp len 20 239 -AP IN
> 09:11:36.593161 rl0 @0:15 b 62.39.214.102,4227 -> 192.2.3.4,4201 PR tcp len 20 40 -A IN
>
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: m0n0wall dash unsubscribe at lists dot m0n0 dot ch
> For additional commands, e-mail: m0n0wall dash help at lists dot m0n0 dot ch
>
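The log lines Pat is asking about are ipmon (IPFilter) packet-log records as m0n0wall forwards them over syslog: time, interface, @group:rule, action letter (b = block), source and destination with optional ,port, PR protocol, len IP-header-length total-length, a trailer that is either TCP flag letters (S=SYN, A=ACK, F=FIN, P=PSH, R=RST, U=URG) or, for ICMP errors, the quoted inner packet, and finally IN or OUT. The parser below turns such lines into records, renders them on one line the way a realtime viewer would, keeps unparsable lines aside for review instead of dropping them, and counts blocked inbound SYN-only packets per source, which is the shape of the port-1080 probing visible in the thread. This is an added example, not code from the thread, from Pat's .Net client or from m0n0wall; it assumes the syslog header has already been stripped (as in the quoted lines), and the function and field names are mine. The sample lines are copied from the thread, plus one constructed malformed line.

```python
"""Parser for the ipmon packet lines that m0n0wall ships to syslog.  Added example, not
the thread's or m0n0wall's code.  Layout expected (as in the quoted lines):
TIME IFACE @GROUP:RULE ACTION SRC[,SPORT] -> DST[,DPORT] PR PROTO len HLEN PLEN [TRAILER] IN|OUT
with TRAILER "-FLAGS" for TCP, or "icmp KIND for ISRC,ISPORT - IDST,IDPORT PR PROTO len .." for ICMP."""
import re
from collections import Counter
from dataclasses import dataclass
from typing import List, Optional, Tuple

TCP_FLAG_NAMES = {"S": "SYN", "A": "ACK", "F": "FIN", "P": "PSH", "R": "RST", "U": "URG"}
ACTION_NAMES = {"b": "block", "p": "pass", "S": "short", "n": "nomatch", "L": "log"}  # only "b" occurs in the thread
LINE_RE = re.compile(
    r"^(?P<time>\d\d:\d\d:\d\d\.\d+)\s+(?P<iface>\S+)\s+@(?P<group>\d+):(?P<rule>\d+)\s+(?P<action>\S)\s+"
    r"(?P<src>[\d.]+)(?:,(?P<sport>\d+))?\s+->\s+(?P<dst>[\d.]+)(?:,(?P<dport>\d+))?\s+"
    r"PR\s+(?P<proto>\w+)\s+len\s+(?P<hlen>\d+)\s+(?P<plen>\d+)(?P<rest>.*?)\s+(?P<direction>IN|OUT)\s*$")
FLAGS_RE = re.compile(r"^-(?P<flags>[A-Z]+)$")
ICMP_RE = re.compile(r"^icmp\s+(?P<kind>\S+)\s+for\s+(?P<isrc>[\d.]+)(?:,(?P<isport>\d+))?\s+-\s+"
                     r"(?P<idst>[\d.]+)(?:,(?P<idport>\d+))?\s+PR\s+(?P<iproto>\w+)")

@dataclass
class LogRecord:
    time: str
    iface: str
    group: int
    rule: int
    action: str                         # "block", "pass", ...; raw letter if unknown
    src: str
    sport: Optional[int]
    dst: str
    dport: Optional[int]
    proto: str
    hlen: int                           # IP header length
    plen: int                           # total packet length
    direction: str                      # "IN" or "OUT"
    tcp_flags: Tuple[str, ...] = ()     # decoded flag letters, e.g. ("ACK", "FIN", "PSH")
    icmp_kind: Optional[str] = None     # e.g. "unreach/port"
    icmp_inner: Optional[str] = None    # the packet the ICMP error quotes

def parse_line(line: str) -> Optional[LogRecord]:
    """Return a LogRecord, or None for anything that is not a well-formed packet line."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    g = m.groupdict()
    rest, flags, icmp_kind, icmp_inner = g["rest"].strip(), (), None, None
    if rest:
        fm, im = FLAGS_RE.match(rest), ICMP_RE.match(rest)
        if fm:
            flags = tuple(TCP_FLAG_NAMES.get(c, c) for c in fm.group("flags"))  # unknown letters pass through
        elif im:
            icmp_kind = im.group("kind")
            icmp_inner = "%s:%s -> %s:%s/%s" % (im.group("isrc"), im.group("isport") or "-",
                                                im.group("idst"), im.group("idport") or "-", im.group("iproto"))
        else:
            return None  # unknown trailer: do not guess, hand the line to a human
    port = lambda s: None if s is None else int(s)
    return LogRecord(time=g["time"], iface=g["iface"], group=int(g["group"]), rule=int(g["rule"]),
                     action=ACTION_NAMES.get(g["action"], g["action"]), src=g["src"], sport=port(g["sport"]),
                     dst=g["dst"], dport=port(g["dport"]), proto=g["proto"], hlen=int(g["hlen"]),
                     plen=int(g["plen"]), direction=g["direction"], tcp_flags=flags,
                     icmp_kind=icmp_kind, icmp_inner=icmp_inner)

def parse_all(lines: List[str]) -> Tuple[List[LogRecord], List[str]]:
    """Parse every non-empty line; unparsable ones come back separately instead of being dropped."""
    records, rejected = [], []
    for line in (l for l in lines if l.strip()):
        rec = parse_line(line)
        if rec is None:
            rejected.append(line)
        else:
            records.append(rec)
    return records, rejected

def format_record(r: LogRecord) -> str:
    """One-line rendering for a realtime viewer (a colour scheme would key off action/proto)."""
    ep = lambda a, p: a if p is None else "%s:%d" % (a, p)
    extra = " [%s]" % "+".join(r.tcp_flags) if r.tcp_flags else (
        " icmp %s (for %s)" % (r.icmp_kind, r.icmp_inner) if r.icmp_kind else "")
    return "%s %s %s @%d:%d %s %s %s -> %s%s" % (r.time, r.direction, r.iface, r.group, r.rule, r.action,
                                                 r.proto, ep(r.src, r.sport), ep(r.dst, r.dport), extra)

def syn_scan_sources(records: List[LogRecord], min_hits: int = 2) -> dict:
    """Blocked inbound TCP packets carrying only SYN, counted per source address: the shape of a
    port scan or worm probe.  Returns {src: count} for sources seen at least min_hits times."""
    hits = Counter(r.src for r in records if r.action == "block" and r.direction == "IN"
                   and r.proto == "tcp" and r.tcp_flags == ("SYN",))
    return {src: n for src, n in hits.most_common() if n >= min_hits}

# Lines copied from the thread above, plus one constructed malformed line at the end.
SAMPLE_LINES = [
    "09:16:50.302903 rl0 @0:17 b 217.81.173.76 -> 9.3.18.20 PR icmp len 20 56 icmp unreach/port for 9.3.18.20,13794 - 192.168.0.34,4675 PR udp len 20 61 IN",
    "09:24:41.188275 rl0 @0:17 b 66.132.253.215,3928 -> 69.33.178.214,1080 PR tcp len 20 48 -S IN",
    "09:24:40.950029 rl0 @0:17 b 66.132.253.215,3913 -> 9.3.18.20,1080 PR tcp len 20 48 -S IN",
    "09:24:38.009032 rl0 @0:17 b 66.132.253.215,3918 -> 69.33.178.211,1080 PR tcp len 20 48 -S IN",
    "09:22:53.943146 rl0 @0:17 b 202.105.21.247,1055 -> 69.33.178.212,1434 PR udp len 20 404 IN",
    "09:14:39.252967 rl1 @0:15 b 192.2.3.4,4201 -> 62.39.214.102,4227 PR tcp len 20 239 -AFP IN",
    "09:30:00.000000 rl0 @0:17 b garbage IN",  # constructed: not an ipmon line, must be rejected
]

if __name__ == "__main__":
    recs, bad = parse_all(SAMPLE_LINES)
    print("\n".join(format_record(r) for r in recs))
    print("rejected:", bad, "SYN-only sources:", syn_scan_sources(recs))
```

Two design points worth noting for a viewer that stores into SQL: the parser refuses lines with an unrecognised trailer rather than storing half a record, so the "weird lines" Pat asks for end up in the rejected list where they can be inspected, and the ICMP record keeps the quoted inner packet (here a UDP datagram from a LAN host) separately from the outer ICMP endpoints, since the outer source is the router that sent the error, not the host being talked to.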