MAN page from Mandrake 9.X fwlogwatch-0.9-1mdk.i586.rpm


Section: Maintenance Commands (8)
Updated: 25 July 2002


NAME
fwlogwatch - a firewall log analyzer, report generator and realtime response agent




DESCRIPTION
fwlogwatch produces Linux ipchains, Linux netfilter/iptables, Solaris/BSD/Irix/HP-UX ipfilter, Cisco IOS, Cisco PIX, NetScreen, Windows XP firewall, Elsa Lancom router and Snort IDS log summary reports in plain text and HTML form and has a lot of options to analyze and display relevant patterns. It can produce customizable incident reports and send them to abuse contacts at offending sites or CERTs. Finally, it can also run as a daemon (with web interface) doing realtime log monitoring and reporting anomalies or starting attack countermeasures.



GENERAL OPTIONS
These options are independent from the main modes of operation.
Show the available options.
-L file
Show the time of the first and the last log entry in the input file, which can be a compressed or plain log file. Summary mode shows the time of the first and last packet log entry; this log times mode shows the time of the first and last entry overall.
Show version and copyright information and the options used to compile fwlogwatch.


GLOBAL OPTIONS
The global options for all modes are:
-c config
Use the alternate configuration file config instead of the default configuration file /etc/fwlogwatch.config (which does not need to exist). Only options not specified in the file can be overridden by command line options.
Do not differentiate destination IP addresses. Useful for finding scans in whole subnets.
Differentiate destination ports.
-f file
Specify an input file (defaults to /var/log/messages). Relevant entries are automatically detected, so combined log files (e.g. from a log host) are no problem. Compressed files are supported (except in realtime response mode). The '-' sign may be used for reading from standard input (stdin). In realtime response mode the file needs to be specified with its full path since the daemon is rooted in /.
-M number
If you only want to see a fixed maximum number of entries (e.g. the "top 20"), this option will trim the output for you.
-m count
When analyzing large amounts of data you usually aren't interested in entries that have a small count. You can hide entries below a certain threshold with this option.
Enable service lookups. Port numbers will be looked up in /etc/services.
Enable DNS lookups. Host names will be resolved (reverse and forward lookup, with a warning if they don't match). This makes summary generation very slow if a lot of different hosts appear in the log file. Resolved host names are cached.
-O order
This is the sort order of the summary and packet cache. Since entries often are equal in certain fields you can sort by several fields one after another (the sort algorithm is stable, so equal entries will remain sorted in the order they were sorted before). The sort string can be composed of up to 11 fields of the form ab, where a is the sort criterion: c count, t start time, e end time, z duration, n target name, p protocol, b byte count (sum of total packet lengths), S source host, s source port, D destination host and d destination port; b is the direction: a ascending and d descending. Sorting is done in the order specified, so the last option is the primary criterion. The default in summary mode is tacd (start with the highest count; if two counts match, list the one earlier in time first), of which ta is built in, so if you specify an empty sort string or everything else is equal, entries will be sorted ascending by time. The realtime response mode default is cd (ta is not built in).
-P format
Only use certain parsers, where the log format can be one or a combination of: i ipchains, n netfilter, f ipfilter, c Cisco IOS, p Cisco PIX, e NetScreen, w Windows XP, l Elsa Lancom and s Snort. The default is to use all parsers except the ones for NetScreen, Windows XP, Elsa Lancom and Snort logs.
Differentiate protocols. This is activated automatically if you differentiate source and/or destination ports.
Differentiate source ports.
Be verbose. You can specify it twice for more information. In very verbose mode, while parsing the log file you will see "." for relevant packet filter log entries, "r" for 'last message repeated' entries concerning packet filter logs, "o" for packet filter log entries that are too old and "_" for entries that are not packet filter logs.
Differentiate TCP options. All packets with a SYN are listed separately; other TCP flags are shown in full format if they are available (ipchains does not log them, netfilter and ipfilter do, Cisco IOS doesn't even log SYNs).
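The two global behaviours above that are easiest to get wrong are the aggregation key (which fields a summary row is keyed on, so that dropping the destination IP merges a whole subnet scan into one row) and the -O sort string (a chain of stable sorts in which the last pair is the primary key, with ta built in for summary mode). The following Python is an added example, not fwlogwatch's own code: it models both on a constructed set of packet log entries and also implements the -m and -M trimming. The entry layout, the field names and all addresses are assumptions of the example.

```python
# Added example, not fwlogwatch's own code: models how summary mode keys
# entries on the differentiated fields and how an -O sort string is applied.
# Entry layout and all values below are constructed sample data.
ENTRIES = [
    # (start_time, target, proto, src, sport, dst, dport, bytes)
    (100, "DROP", "tcp", "10.0.0.5", 4001, "192.168.1.10", 22, 60),
    (101, "DROP", "tcp", "10.0.0.5", 4002, "192.168.1.11", 22, 60),
    (102, "DROP", "tcp", "10.0.0.5", 4003, "192.168.1.12", 22, 60),
    (105, "DROP", "udp", "10.0.0.9", 5000, "192.168.1.10", 53, 80),
    (110, "DROP", "tcp", "10.0.0.7", 4100, "192.168.1.10", 80, 52),
    (111, "DROP", "tcp", "10.0.0.7", 4101, "192.168.1.10", 80, 52),
]

# -O criterion letters from the man page mapped to row fields.
FIELD = {"c": "count", "t": "start", "e": "end", "z": "duration", "n": "target",
         "p": "proto", "b": "bytes", "S": "src", "s": "sport", "D": "dst", "d": "dport"}


def summarize(entries, dst_ip=True, dst_port=False, src_port=False, proto=False):
    """Aggregate entries into summary rows keyed on the differentiated fields.
    dst_ip=False models -D (merge all destinations, exposing subnet scans);
    differentiating a port implies differentiating the protocol, as the page says."""
    proto = proto or dst_port or src_port
    rows = {}
    for t, target, pr, src, sp, dst, dp, size in entries:
        key = (target, src, pr if proto else None, sp if src_port else None,
               dst if dst_ip else None, dp if dst_port else None)
        row = rows.setdefault(key, {
            "count": 0, "start": t, "end": t, "bytes": 0, "target": target,
            "src": src, "proto": key[2], "sport": key[3], "dst": key[4], "dport": key[5]})
        row["count"] += 1
        row["start"] = min(row["start"], t)
        row["end"] = max(row["end"], t)
        row["bytes"] += size
    for row in rows.values():
        row["duration"] = row["end"] - row["start"]
    return list(rows.values())


def sort_summary(rows, order="", builtin="ta"):
    """Apply an -O string as a chain of stable sorts, one per 'ab' pair, so the
    LAST pair becomes the primary key. Summary mode prepends the built-in 'ta';
    pass builtin='' for realtime response mode, whose default is plain 'cd'."""
    if len(order) % 2 or len(order) > 22:          # at most 11 criterion/direction pairs
        raise ValueError(f"bad sort string: {order!r}")
    spec = builtin + order
    result = list(rows)
    for i in range(0, len(spec), 2):
        crit, direction = spec[i], spec[i + 1]
        if crit not in FIELD or direction not in "ad":
            raise ValueError(f"bad sort pair: {crit}{direction}")
        name = FIELD[crit]
        # None (undifferentiated field) sorts first; the tuple keeps comparisons type-safe.
        result.sort(key=lambda r: (r[name] is not None, r[name] if r[name] is not None else 0),
                    reverse=(direction == "d"))
    return result


def trim(rows, min_count=1, max_entries=None):
    """-m hides rows below a count threshold; -M keeps only the top entries."""
    kept = [r for r in rows if r["count"] >= min_count]
    return kept if max_entries is None else kept[:max_entries]


if __name__ == "__main__":
    for label, kwargs in (("per destination", {}), ("-D merged", {"dst_ip": False})):
        print(label)
        for r in trim(sort_summary(summarize(ENTRIES, **kwargs), "cd"), max_entries=3):
            print(f"  {r['count']:>3} {r['src']:<10} -> {r['dst'] or '*'}")
```

With destinations differentiated, the three single-packet probes from 10.0.0.5 stay three separate rows and the top entry is the two-packet source 10.0.0.7; with the -D behaviour the probes merge into one row of count 3 and the scan rises to the top, which is exactly why the page recommends it for finding scans in whole subnets.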


LOG SUMMARY MODE OPTIONS
These are additional options that are only available in log summary mode:
Show the amount of data in bytes this entry represents; this is the sum of total packet lengths of packets matching this rule (obviously only available for log formats that contain this information).
Show the timestamp of the last packet logged. End times are only available if there is more than one packet log entry with unique characteristics.
-l time
Process recent events only. See TIME FORMAT below for the time options.
-o file
Specify an output file.
Do not differentiate source IP addresses.
Show the timestamp of the first packet logged.
Look up information about the source addresses in the whois database. This is slow; please don't stress the registry with too many queries.
Produce output in HTML format.
Show the time interval between start and end time of packet log entries. This is only available if there is more than one packet log entry with unique characteristics.


INTERACTIVE REPORT MODE
The interactive report mode is a summary mode extension with the following additional options:
-i count
Enter interactive report mode. count is the minimum number of log entries you want to start reporting at. A summary of the corresponding entries will be shown and a report generated for each one. The more of the options above you use, the more fields of the report will be filled in.
-F email
This is the address the email containing the report will be sent from.
-T email
This is the email address of the abuse contact or CERT the report will be sent to. When used in log summary mode the summary will be sent to this address.
-C email
These email recipients will get a carbon copy of the report (e.g. for your archives).
-I file
Template file for the report (defaults to /etc/fwlogwatch.template).


REALTIME RESPONSE MODE
Enter realtime response mode. This means: detach and run as a daemon until the TERM signal (kill) is received. The HUP signal forces a reload of the configuration file; the USR1 signal forces fwlogwatch to reopen and read the input file from the beginning (useful e.g. for log rotation). All output can be followed in the system log.
-a count
Alert threshold. Notify or start countermeasures if this limit is reached. Defaults to 5.
-l time
Forget events that happened this long ago (defaults to 1 day). See TIME FORMAT below for the time options.
-k IP/net
This option defines a host or network in CIDR notation that will never be blocked or have other actions taken against it. To specify more than one, use the -k parameter again for each IP address or network you want to add.
The notification script is invoked when the threshold is reached. A few examples of possible notifications are included in fwlw_notify; you can add your own as you see fit.
The response script is invoked when the threshold is reached. Using the example script fwlw_respond, this will block the attacking host with a new firewall rule. A new chain for fwlogwatch actions is inserted in the input chain and block rules are added as needed. The chain and its content are removed if fwlogwatch is terminated normally. The example scripts contain actions for ipchains and netfilter; you can modify them or add others as you like.
Activate the internal web server to monitor the current status of the program. Use the configuration file to change its options. The default user name is admin and the default password is fwlogwat (since DES can only encrypt 8 characters). By default it listens on port 888 and only allows connections from localhost.


TIME FORMAT
Time is specified as nx, where n is a natural number and x is one of the following: s for seconds (this is the default), m for minutes, h for hours, d for days, w for weeks, M for months and y for years.
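The time format above is what the -l option of realtime response mode consumes, and together with -a and -k it defines the daemon's decision logic: count relevant entries per source, forget those older than the window, and act when the threshold is reached unless the source is on the known-host list. The following Python is an added example, not fwlogwatch's own code, that implements that bookkeeping on constructed input and only records the decision it would hand to the notification or response script; it does not touch any firewall. The class and function names, the sample addresses, and the 30-day month and 365-day year used for the M and y units (which the page does not define) are assumptions of the example.

```python
# Added example, not fwlogwatch's own code: the nx time format from the man
# page and the realtime-response bookkeeping it feeds (-a threshold, -l forget
# window, -k known hosts). Decisions are recorded; no firewall is touched.
import ipaddress
import re
from collections import defaultdict, deque

# Seconds per unit; s is the default when the unit is omitted. The page does
# not define the length of a month or year, so 30 and 365 days are assumptions.
UNITS = {"s": 1, "m": 60, "h": 3600, "d": 86400, "w": 7 * 86400,
         "M": 30 * 86400, "y": 365 * 86400}


def parse_time(spec):
    """Parse 'nx' (n natural number, x a unit letter, default s) into seconds."""
    m = re.fullmatch(r"(\d+)([smhdwMy]?)", spec)
    if not m:
        raise ValueError(f"bad time specification: {spec!r}")
    return int(m.group(1)) * UNITS[m.group(2) or "s"]


class Responder:
    """Per-source event counter with a sliding forget window and a known-host
    exclusion list, mirroring the -a/-l/-k options in realtime response mode."""

    def __init__(self, threshold=5, forget="1d", known=()):
        self.threshold = threshold
        self.window = parse_time(forget)
        self.known = [ipaddress.ip_network(n, strict=False) for n in known]
        self.events = defaultdict(deque)   # src -> timestamps inside the window
        self.alerted = set()
        self.blocked = set()
        self.actions = []                  # (decision, src, timestamp)

    def is_known(self, src):
        addr = ipaddress.ip_address(src)
        return any(addr in net for net in self.known)

    def feed(self, ts, src):
        """Record one relevant log entry; return the decision taken, if any."""
        q = self.events[src]
        q.append(ts)
        while ts - q[0] > self.window:     # forget events older than -l
            q.popleft()
        if len(q) < self.threshold or src in self.alerted:
            return None
        self.alerted.add(src)
        if self.is_known(src):             # -k: never block or act against
            decision = "ignore-known"
        else:
            self.blocked.add(src)          # where the response script would fire
            decision = "block"
        self.actions.append((decision, src, ts))
        return decision


# Constructed sample: (timestamp, source) pairs, sorted as a daemon would see them.
SAMPLE = sorted(
    [(t, "10.0.0.5") for t in range(5)]                 # 5 hits in 5 seconds
    + [(10 + t, "192.168.1.50") for t in range(6)]      # busy, but on the known net
    + [(t * 8 * 3600, "10.0.0.7") for t in range(5)]    # 5 hits spread over 32 hours
)


def run(sample=SAMPLE, threshold=5, forget="1d", known=("192.168.1.0/24",)):
    """Replay a sample through a Responder and return it for inspection."""
    r = Responder(threshold, forget, known)
    for ts, src in sample:
        r.feed(ts, src)
    return r


if __name__ == "__main__":
    for decision, src, ts in run().actions:
        print(f"t={ts:>6} {decision:<13} {src}")
```

Two things the replay makes visible: the slow source 10.0.0.7 never reaches the threshold with the default one-day window because its oldest hits are forgotten before the fifth arrives (widen the window to 2d and it is blocked), and the source inside the known network hits the threshold but is never blocked, which is the -k guarantee the page describes.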


FILES
/etc/fwlogwatch.config
Default configuration file.
/etc/fwlogwatch.template
Default template for incident reports.
/var/log/messages
Default input log file.
Default PID file generated by the daemon in realtime response mode if configured to do so.


CONFIGURATION FILE
The following features are only available in the configuration file and not on the command line; they are presented and explained in more detail in the sample configuration file.
Selection and exclusion
Specific hosts, ports, chains and branches (targets) to be summarized can be selected or excluded.
HTML colors and stylesheet
The colors of the HTML output and status page can be customized, and an external cascading stylesheet can be referenced.
Realtime response options
Verification of ipchains rules, PID file handling, the user fwlogwatch should run as, the location of the notification and response scripts, which interfaces the web interface listens on, which host can connect, the port used, the refresh interval of the status page and the admin name and password can be configured.


SECURITY
Since fwlogwatch is a security tool, special care was taken to make it secure. You can and should run it with user permissions for most functions; you can make it setgid to a group that /var/log/messages belongs to if all you need is to be able to read this file. Only the realtime response mode with activated ipchains rule analysis needs superuser permissions, but you might also need them to write the PID file, for actions in the response script and for binding the default status port. However, you can configure fwlogwatch to drop root privileges as soon as possible after allocating these resources (the notification and response scripts will still be executed with user privileges and log rotation might not work).


AUTHOR
Boris Wesslowski <Wesslowski@CERT.Uni-Stuttgart.DE>, RUS-CERT



