What is your firewall log telling you - responses

Published: 2010-03-05
Last Updated: 2010-03-05 21:10:47 UTC
by Kyle Haugsness (Version: 1)
2 comment(s)

Responses to our earlier diary entries regarding firewall log parsing (story1 and story2) have been trickling in. 

Reader Matthias has some small awk/shell scripts for parsing iptables log files that he shared here: http://sister-shadow.de/hotlink/isc/log-scripts.tar.gz

And reader Christian recommends using Prelude LML (log monitor lackey): http://www.prelude-technologies.com/en/welcome/index.html

Update #1: An anonymous reader also suggests http://www.loganalysis.org/ .

-Kyle Haugsness

Keywords: firewall log
2 comment(s)


I use FWAnalog http://tud.at/programm/fwanalog/
Its a branch off Analog for system log Analysis.

Though there is some stuff missing like Destination Port stats...this gives me a visual of whats going on.

Checking out some of the suggestions above definitely.

Another really nifty trick is to exclude (grep -v) your permit/deny entries in the logs and the remaining logs can show some interesting info. In the case of an ASA, exclude built/teardowns/accept/denies, shows interfaces going up/down, inspection proxy exceptions, among other things. A very useful search..

Diary Archives