LinuxQuestions.org
Linux - Software This forum is for Software issues.
08-31-2004, 05:50 AM   #1
Electronkz (Member, Distribution: Fedora)

how to use fwlogwatch?


I am trying to use fwlogwatch to see my firewall logs. I STFW and LinuxQuestions, but still I can't find an answer to my problem: how do I read the logs using fwlogwatch?
I found this thread: http://www.linuxquestions.org/questi...hreadid=169186
but there is no answer to it:

I have tried:
1) fwlogwatch
2) fwlogwatch > log.html
3) fwlogwatch -v -n -N -b -t -e -z -w -o fwlog.html -R
4) fwlogwatch #after I edited /etc/fwlogwatch.config

1), 2) and 4) display the same thing:
Code:
[root@localhost doc]# fwlogwatch
fwlogwatch summary
Generated Tuesday August 31 02:35:58 UYT 2004 by root.
0 of 518 entries in the file "/var/log/messages" are packet logs, 0 have unique characteristics.
No valid time entries found.
All entries were logged by the same host: "".
All entries are from the same chain: "".
All entries have the same target: "".
All entries are from the same interface: "".
3) displays:
Code:
[root@localhost electronkz]# fwlogwatch -v -n -N -b -t -e -z -w -o fwlog.html -R
Opening configuration file '/etc/fwlogwatch.config'
Closing '/etc/fwlogwatch.config'
which is why in number 4) I edited the config file, to see if I could make it work.

As you can see, I have never used this program, so most probably it is a dumb thing that I am missing or doing wrong, but I will really appreciate it if anyone could help me out with this. I have spent like 5 hours on this; I checked the mailing list of fwlogwatch, but I can't find anything related to my problem. As I said, I am trying to read my logs in HTML, and I would also like to know how to make fwlogwatch work in realtime response.
Thanks in advance,

09-02-2004, 07:39 AM   #2
Electronkz (Original Poster)
Well, I got it to work.
Finally, after a lot of research, I kind of understand how to use it.
First, edit your firewall script; if you are using rc.firewall (like me), search for a variable named LOGGING="no" and change it to yes.
I don't know why it comes as no by default.
Then, edit /etc/syslog.conf
and add this line:
# Log all firewall messages to /var/log/firewall
kern.info /var/log/firewall

Note: the file firewall doesn't exist, you have to create it, read below.
Then, go to /var/log/firewall
and type this: touch /var/log/firewall
===============================
OK, now let's get fwlogwatch working.
First, I recommend that you "man fwlogwatch".
In case you have already read it, or you're just too lazy:
Edit: /etc/fwlogwatch.config

These are some extracts of my fwlogwatch.config file to use as an example:
Note: what I didn't post here I just didn't edit.


Code:
### Global options ###
# Use 'verbose' if you want extra information and log messages.
# Use it twice for even more info. fwlogwatch is quiet by default.
# Command line option: -v[v]
#
verbose = yes
verbose = yes
# Specify the input file(s) if you don't want to use the default. Use one line
# for each file. Compressed files (gzip) are supported. You can use '-' for
# standard input (stdin).  In realtime response mode the daemon needs the
# absolute path to the file.
# Command line option: [file(s)]
#
input = /var/log/firewall

# The following six options define which criteria will be considered when
# comparing logged packets. You can turn off the source or destination IP
# address distinction ('src_ip'/'dst_ip') or activate the protocol, source
# and destination port and TCP option distinction
# ('protocol'/'src_port'/'dst_port'/'tcp_opts').
# Command line options: -S / -D / -p / -s / -d / -y
#
src_ip = on
dst_ip = on
protocol = on
src_port = on
dst_port = on
tcp_opts = on

# With the following four options you can customize the colors of the HTML
# output (summary and realtime response status page), use the RGB value
# with '#' or directly one of the 16 basic HTML color names (aqua black
# blue fuchsia gray green lime maroon navy olive purple red silver teal
# white yellow).
#
textcolor = white
bgcolor = black
rowcolor1 = #555555
rowcolor2 = #333333

### Log summary mode ###
# Use 'data_amount' if you want so see the sum of total packet lengths for
# each entry (this obviously only works with log formats that contain this
# information).
# Command line option: -b
#
data_amount = yes

# Use 'start_times' and/or 'end_times' if you want to see the timestamp
# of the first and/or last logged packet of each entry. Use 'duration' to
# also show the time between the first and last packet.
# Command line options: -t / -e / -z
#
start_times = yes
end_times = yes
duration = yes

# Use 'html' to enable HTML output.
# Command line option: -w
#
Now you should test fwlogwatch: edit fwlogwatch.config again, and where it says output file = <enter here your testlog.txt>.
Note this is just for testing; you can comment it back after the test finishes (or leave it like that, it is up to you).
Now run fwlogwatch and check the testlog.txt you created; you should see some logs of your firewall. If not, then something is wrong, check it.
Great, you have fwlogwatch working.
=======================
Create a cron job for fwlogwatch, and send the output as an email to you.
As root, type crontab -e #you will add all your cron tasks here
(in FC2, it uses vi as the text editor; vi is great)
In case you don't know how to use vi: press "i" (insert) to start writing, now add this line:
#!/bin/bash
10 3 * * * fwlogwatch -U "fwlogwatch Report" -T youremail@server.com
Press "ESC" and ZZ to save and exit.
This will run fwlogwatch every day at 03:10 and send an email of the report to your email account.

Done!
Recommendations:
You should use chkrootkit to search for rootkits on your Linux box: http://www.chkrootkit.org/
This will help you interpret what you are reading, and also to know if you are being attacked, or whatever.

Well, that is pretty much it!
Hope it will help you; if you have any problem or suggestion, just post.

Regards,
|||Electronkz|||
Linux Registered User #344616
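Added example, not from the post or from fwlogwatch itself: a small Python summariser that mimics what fwlogwatch does with the input file above. It parses the key=value fields a netfilter LOG rule writes through kern.info, groups packets by the same distinction criteria the config enables (src_ip, dst_ip, protocol, src_port, dst_port; tcp_opts is left out), and reports how many entries were packet logs at all, which is the "0 of 518 entries ... are packet logs" situation from the first post when the input is plain /var/log/messages. The log lines are constructed sample data.

```python
import re
from collections import Counter

# Fields that a netfilter LOG rule writes via kern.info. The syslog prefix
# (date, host, "kernel:") is ignored; only the packet fields matter.
_FIELD = re.compile(r'\b(IN|OUT|SRC|DST|PROTO|SPT|DPT)=(\S*)')

# Constructed sample of /var/log/firewall: three packet logs plus one
# unrelated kernel message that fwlogwatch would not count as a packet log.
SAMPLE_LOG = """\
Aug 31 02:10:01 localhost kernel: IN=eth0 OUT= SRC=198.51.100.7 DST=203.0.113.5 PROTO=TCP SPT=4321 DPT=22
Aug 31 02:10:02 localhost kernel: eth0: link up
Aug 31 02:10:03 localhost kernel: IN=eth0 OUT= SRC=198.51.100.7 DST=203.0.113.5 PROTO=TCP SPT=4322 DPT=22
Aug 31 02:10:04 localhost kernel: IN=eth0 OUT= SRC=198.51.100.9 DST=203.0.113.5 PROTO=UDP SPT=53 DPT=53
"""

# fwlogwatch.config criteria names mapped to the log field each one compares.
CRITERIA = {'src_ip': 'SRC', 'dst_ip': 'DST', 'protocol': 'PROTO',
            'src_port': 'SPT', 'dst_port': 'DPT'}

def parse_packet(line):
    """Return the packet fields of a netfilter log line, or None if the line is not a packet log."""
    fields = dict(_FIELD.findall(line))
    if 'SRC' not in fields or 'DST' not in fields:
        return None
    return fields

def summarize(text, enabled=('src_ip', 'dst_ip', 'protocol', 'src_port', 'dst_port')):
    """Count packet logs and group them by the enabled criteria, like fwlogwatch's summary.

    Turning a criterion off (e.g. src_port) merges entries that differ only in that field,
    which is what the 'src_port = on/off' switches in the config control.
    """
    total = packets = 0
    groups = Counter()
    for line in text.splitlines():
        if not line.strip():
            continue
        total += 1
        fields = parse_packet(line)
        if fields is None:
            continue  # counted as an entry, but not as a packet log
        packets += 1
        key = tuple(fields.get(CRITERIA[c], '') for c in enabled)
        groups[key] += 1
    return {'total': total, 'packets': packets, 'unique': len(groups), 'groups': groups}
```

Running summarize on a file with no netfilter lines gives packets == 0 while total stays positive, which is exactly the symptom the first post hit before routing kern.info to its own file.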
All times are GMT -5. The time now is 11:38 PM.