Ascend Archive

(ASCEND) Secure Access Firewall syslog parser (Perl 5)



After getting the Secure Access Firewall, and configuring syslog logging,
I was forever doing DNS matches and greps of /etc/services to determine
the src/dest IPs and ports.  I decided I would write (as most good sysadmins
do) a Perl script to handle the parsing of this.  It's available for use,
freely (provided credit is given where due).  

	ftp://ftp.icus.com/pub/SAF/fwlog-1.3.tar.gz

Grab the gzip'd tar file, ungzip, untar, and read the README.  Edit the
Makefile for the appropriate locations to be installed and type: "make"

Constructive criticism and suggestions/additions are welcome, e-mail them
back to me at:  <lenny@icus.com>

Here's a little detail on its usage:

fwlog:
	Parse Ascend's secure access firewall syslog messages, and print 
	more readable entries (with DNS and expanded port names if possible)

(c)1998 Lenny Tropiano <lenny@icus.com>, version 1.3

This was inspired by having a hard time parsing the SAF logs.  You should
be able to just type "make" (as root) and it will install the appropriate
pieces (modify Makefile for correct paths).

ASCENDLOG=/var/log/ascend.log		(change in Makefile for logfile name)

Report bugs/suggestions/updates to <lenny@icus.com>, Lenny Tropiano

===============================================================================

Usage: fwlog [-cbnhtv] [-S ip[/bits]] [-D ip[/bits]] [-p port[/proto]] [-f log]
	IP notation(s):
		ip[/bits] i.e. bits=/24
		ip[:mask] i.e. mask=255.255.255.0
		xx.xx.xx.xx	(assume /32)
		xx.xx.xx	(assume /24)
		xx.xx		(assume /16)
		xx		(assume /8)

Flags:

-c:	continuous examination of the log file (e.g. tail -f)
-b:	only show blocked firewall entries
-n:	only show non-blocked firewall entries
-h:	the usage (help)
-t:	only display today's entries (based on date ran)
-v:	display verbose header info
-S:	display matches based on Source IP (and/or optional network)
-D:	display matches based on Destination IP (and/or optional network)
-p:	display matches based on port (with optional protocol)
-f:	specify another log filename


Examples:

$ fwlog
	(display all the entries, decoding DNS and service/port)

$ fwlog -S 206.225.37.0/29 -bvt
	(display all today's entries for the ICUS.COM netblock, 
	 decoding DNS and service/port, display verbose header)

$ fwlog -p 110/tcp -f /var/log/firewall.log
	(display only those tcp/pop3 entries found in /var/log/firewall.log)

$ fwlog -D 192.168 -v
	(display blocked entries from the 192.168.xx.xx/16 netblock)

$ fwlog -D 192.48.96.9 -p 21/tcp -nv
	(display all ftp entries from ftp.uu.net that were not blocked)


-- 
| Lenny Tropiano           ICUS Software Systems             lenny@icus.com |
+-------------------- URL:  http://www.icus.com/~lenny/ --------------------+
++ Ascend Users Mailing List ++
To unsubscribe:	send unsubscribe to ascend-users-request@bungi.com
To get FAQ'd:	<http://www.nealis.net/ascend/faq>
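The IP notation and filter flags described in the post (ip/bits, ip:mask, partial dotted quads that assume /8, /16, /24 or /32, plus -S/-D/-p/-b/-n/-t), implemented as an added Python example. This is not the fwlog script itself, which is Perl and is not reproduced in the post. The log line layout, the sample entries and the small service table below are constructed for the example and are NOT the real Ascend SAF syslog format, which the post does not show; DNS decoding is left out so the example runs offline.

```python
import ipaddress
import re
from datetime import date

# Constructed sample entries.  The layout is invented for this example and is
# NOT the real SAF syslog format; adapt LINE_RE to whatever your firewall emits.
SAMPLE_LOG = """\
Jan 12 09:15:02 saf1 fw: block tcp 203.0.113.7:3456 -> 206.225.37.5:110
Jan 12 09:15:09 saf1 fw: pass tcp 206.225.37.2:1025 -> 192.48.96.9:21
Jan 12 09:16:44 saf1 fw: block udp 198.51.100.20:53 -> 192.168.4.7:1028
Jan 13 00:02:11 saf1 fw: pass tcp 203.0.113.7:3457 -> 206.225.37.5:25
"""

LINE_RE = re.compile(
    r"^(?P<mon>\w{3}) +(?P<day>\d{1,2}) (?P<time>\S+) \S+ fw: "
    r"(?P<action>block|pass) (?P<proto>tcp|udp) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)$"
)

# Tiny constructed stand-in for the /etc/services lookup fwlog does.
SERVICES = {("tcp", 21): "ftp", ("tcp", 25): "smtp",
            ("tcp", 110): "pop3", ("udp", 53): "domain"}


def parse_netblock(spec):
    """Parse the fwlog-style notation: ip/bits, ip:mask, or a partial
    dotted quad where xx -> /8, xx.xx -> /16, xx.xx.xx -> /24, full -> /32."""
    if "/" in spec:
        ip, mask = spec.split("/", 1)
        mask = int(mask)
    elif ":" in spec:
        ip, mask = spec.split(":", 1)          # dotted netmask, e.g. 255.255.255.0
    else:
        ip, mask = spec, None
    octets = ip.split(".")
    if not 1 <= len(octets) <= 4:
        raise ValueError(f"bad address: {spec!r}")
    if mask is None:
        mask = 8 * len(octets)                 # prefix implied by octet count
    octets += ["0"] * (4 - len(octets))        # pad missing octets with zeros
    # strict=False: a host address with a shorter mask is normalised to its network
    return ipaddress.IPv4Network((".".join(octets), mask), strict=False)


def parse_port(spec):
    """'110/tcp' -> (110, 'tcp'); '110' -> (110, None) meaning any protocol."""
    port, _, proto = spec.partition("/")
    return int(port), (proto or None)


def parse_line(line):
    """Turn one (constructed-format) log line into a dict, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    return {"mon": d["mon"], "day": int(d["day"]), "time": d["time"],
            "blocked": d["action"] == "block", "proto": d["proto"],
            "src": ipaddress.IPv4Address(d["src"]), "sport": int(d["sport"]),
            "dst": ipaddress.IPv4Address(d["dst"]), "dport": int(d["dport"])}


def port_matches(entry, port_spec):
    """-p semantics assumed here: the port may appear on either side of the connection."""
    port, proto = parse_port(port_spec)
    if proto and entry["proto"] != proto:
        return False
    return port in (entry["sport"], entry["dport"])


def filter_entries(lines, src=None, dst=None, port=None,
                   blocked_only=False, unblocked_only=False, today=None):
    """Apply the -S/-D/-p/-b/-n/-t filters; today is a (month, day) tuple like ('Jan', 12)."""
    src_net = parse_netblock(src) if src else None
    dst_net = parse_netblock(dst) if dst else None
    out = []
    for line in lines:
        e = parse_line(line)
        if e is None:
            continue                            # skip lines that are not firewall entries
        if src_net and e["src"] not in src_net:
            continue
        if dst_net and e["dst"] not in dst_net:
            continue
        if port and not port_matches(e, port):
            continue
        if blocked_only and not e["blocked"]:
            continue
        if unblocked_only and e["blocked"]:
            continue
        if today and (e["mon"], e["day"]) != today:
            continue
        out.append(e)
    return out


def decode(e):
    """Render an entry with ports expanded to service names where the table knows them."""
    def svc(port):
        return SERVICES.get((e["proto"], port), str(port))
    action = "BLOCK" if e["blocked"] else "pass "
    return (f'{e["mon"]} {e["day"]} {e["time"]} {action} {e["proto"]} '
            f'{e["src"]}:{svc(e["sport"])} -> {e["dst"]}:{svc(e["dport"])}')


if __name__ == "__main__":
    today = (date.today().strftime("%b"), date.today().day)   # how -t would pick "today"
    # Equivalent of: fwlog -D 206.225.37.0/29 -b
    for e in filter_entries(SAMPLE_LOG.splitlines(), dst="206.225.37.0/29", blocked_only=True):
        print(decode(e))
```

The octet-count rule is the part worth checking before trusting a filter: "192.168" becomes 192.168.0.0/16, while "192.168.1.1" is a single host, so a typo that drops an octet silently widens the match. A real implementation would replace the constructed SERVICES table with getservbyport or /etc/services and add the reverse-DNS step the post describes.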