Re: log_analysis configuration
On Tue, Oct 15, 2002 at 02:37:19PM -0700, Anne Carasik wrote:
> Hi Mathias,
>
> Thanks that's helpful if I'm working on ONE machine. The problem
> is I can't get this working for our loghost which gets all the
> files.
>
> All I get is this:
>
> Other hosts syslogging to us:
> 290374 host1.example.edu
> 283974 host2.example.edu
> 289307 host3.example.edu
>
> And so on.. no matter what I put in the config file :(
>
> -Anne
>

Sorry, I think I didn't make myself clear about the commandline. You
need to tell log_analysis which rule to use. For example I want log
files iptables.0, iptables.1, being analysed, I type

log_analysis -a iptables

Mathias

>
> Mathias Palm grabbed a keyboard and typed...
> > On Thu, Oct 10, 2002 at 09:15:12AM -0700, Anne Carasik wrote:
> > > Hi Mathias,
> >
> > Hi Anne,
> >
> > I send this one to the list again, I hope this is ok.
> >
> > >
> > > Actually, it is a good start. The developer sent me a tutorial,
> > > and I'm going to help him work on it for the clueless folks like
> > > me :)
> > >
> > > > config_version 0.38
> > >
> > > Good, we're using the same version (I'm not surprised since
> > > Debian hasn't upgraded this yet).
> > >
> > > > add arr log_type_list=
> > > > iptables
> > > >
> > > > add arr log_type_list=
> > > > iptables
> > >
> > > Ok, what is "add arr log_type_list" and why do you have this twice?
> > >
> >
> > This is just a name for a new type of log-files where all the
> > definitions to follow apply.
> >
> > I am sure the doubling is by accident. As I said, I got a config
> > somewhere else and rewrote it according to my needs.
> >
> > > > add arr iptables_filenames=
> > > > iptables
> > >
> > > Ok, so that's the filename you're reading from, right?
> > >
> >
> > It is the root of the logfiles the log_type "iptables" applies to.
> > This rule actually reads iptables.0 ... or iptables.1.gz (when called
> > with argument -a)
> >
> > You need to read about "perl regular expressions" (man perlre or heaps
> > of other sources about regular expressions) to understand the following
> > and write your own configs. I am no expert in regexps and am sure you
> > could write better ones. Regexps being a powerful tool it is worthwhile
> > to learn about them, so you won't waste your time.
> >
> > > > set var iptables_date_pattern=^((?:Jan|Feb|Mar|Apr|May|Jun|Jul|Aug|Sep|Oct|Nov|Dec)+\s+\d{1,2})\s+\d+\:\d+\:\d+\s+
> > >
> >
> > Translated this means:
> >
> > the brackets are just groupings
> >
> > - ^ Match the beginning of the line
> > - ?: some switch I can't remember why I put it there
> > - Jan|Feb|Mar... matches Jan or Feb or Mar or ...
> > - + match at least one time
> > - \s match a whitespace (space, tab or similar)
> > - \d{1,2} match one or two digits
> > - \: match a : (: is a special character and needs to be escaped)
> >
> > hence it matches a string like
> >
> > Oct 9 17:34:27
> >
> > at the beginning of the line.
> >
> > >
> > > Ok, quick question:
> > >
> > > What does +\s +\d do? I take it +d is an integer and +s is a string?
> > >
> >
> > see the above
> >
> > > > set var iptables_date_format=%b %e
> > >
> > > Not sure what %b and %e give you.
> >
> > read man strftime. I am not sure what it really does.
> >
> > > > logtype: iptables
> > > > pattern: tungurahua kernel: CHAIN INPUT.*SRC=($ip_pat).*DST=($ip_pat).*PROTO=(.*)
> > >
> > > I take *'s work like they do in the shell?
> > >
> >
> > The . matches any character and the * matches the preceding
> > character 0 or more times. I am not sure if the "preceding character" is
> > the dot or the character replacing the dot.
> >
> > > > use_sprintf
> > > > format: "%-3s packet from %-15s to %-15s" , $3, $1, $2
> > >
> > > I have simple "format:" sections like:
> > > format: STMP from $1 to $2
> > >
> > > What does use_sprintf buy you?
> >
> > I actually don't know, I guess sprintf sounded just familiar (knowing C
> > quite well), so I didn't search for anything else
> >
> > > > pattern: tungurahua kernel: CHAIN OUTPUT.*SRC=($ip_pat).*DST=($ip_pat).*PROTO=(.*)
> > >
> > > Do the periods (.) give you anything if they aren't escaped with a \?
> > >
> >
> > see before.
> >
> > Alright, hope this answers some of your questions. Good luck and thanks
> > for writing the tutorial. I'd be interested in it and would be glad if
> > you could notify me where to find it.
> >
> > Mathias
>
> --
> .-"".__."``".            Anne Carasik, System Administrator
> .-.--. _...' (/) (/) ``' gator at cacr dot caltech dot edu
> (O/ O) \-' ` -="""=.',   Center for Advanced Computing Research
> ~`~~
Re: log_analysis configuration
Hi Mathias,

Thanks that's helpful if I'm working on ONE machine. The problem
is I can't get this working for our loghost which gets all the
files.

All I get is this:

Other hosts syslogging to us:
290374 host1.example.edu
283974 host2.example.edu
289307 host3.example.edu

And so on.. no matter what I put in the config file :(

-Anne

Mathias Palm grabbed a keyboard and typed...
> On Thu, Oct 10, 2002 at 09:15:12AM -0700, Anne Carasik wrote:
> > Hi Mathias,
>
> Hi Anne,
>
> I send this one to the list again, I hope this is ok.
>
> >
> > Actually, it is a good start. The developer sent me a tutorial,
> > and I'm going to help him work on it for the clueless folks like
> > me :)
> >
> > > config_version 0.38
> >
> > Good, we're using the same version (I'm not surprised since
> > Debian hasn't upgraded this yet).
> >
> > > add arr log_type_list=
> > > iptables
> > >
> > > add arr log_type_list=
> > > iptables
> >
> > Ok, what is "add arr log_type_list" and why do you have this twice?
> >
>
> This is just a name for a new type of log-files where all the
> definitions to follow apply.
>
> I am sure the doubling is by accident. As I said, I got a config
> somewhere else and rewrote it according to my needs.
>
> > > add arr iptables_filenames=
> > > iptables
> >
> > Ok, so that's the filename you're reading from, right?
> >
>
> It is the root of the logfiles the log_type "iptables" applies to.
> This rule actually reads iptables.0 ... or iptables.1.gz (when called
> with argument -a)
>
> You need to read about "perl regular expressions" (man perlre or heaps
> of other sources about regular expressions) to understand the following
> and write your own configs. I am no expert in regexps and am sure you
> could write better ones. Regexps being a powerful tool it is worthwhile
> to learn about them, so you won't waste your time.
>
> > > set var iptables_date_pattern=^((?:Jan|Feb|Mar|Apr|May|Jun|Jul|Aug|Sep|Oct|Nov|Dec)+\s+\d{1,2})\s+\d+\:\d+\:\d+\s+
> >
>
> Translated this means:
>
> the brackets are just groupings
>
> - ^ Match the beginning of the line
> - ?: some switch I can't remember why I put it there
> - Jan|Feb|Mar... matches Jan or Feb or Mar or ...
> - + match at least one time
> - \s match a whitespace (space, tab or similar)
> - \d{1,2} match one or two digits
> - \: match a : (: is a special character and needs to be escaped)
>
> hence it matches a string like
>
> Oct 9 17:34:27
>
> at the beginning of the line.
>
> >
> > Ok, quick question:
> >
> > What does +\s +\d do? I take it +d is an integer and +s is a string?
> >
>
> see the above
>
> > > set var iptables_date_format=%b %e
> >
> > Not sure what %b and %e give you.
>
> read man strftime. I am not sure what it really does.
>
> > > logtype: iptables
> > > pattern: tungurahua kernel: CHAIN INPUT.*SRC=($ip_pat).*DST=($ip_pat).*PROTO=(.*)
> >
> > I take *'s work like they do in the shell?
> >
>
> The . matches any character and the * matches the preceding
> character 0 or more times. I am not sure if the "preceding character" is
> the dot or the character replacing the dot.
>
> > > use_sprintf
> > > format: "%-3s packet from %-15s to %-15s" , $3, $1, $2
> >
> > I have simple "format:" sections like:
> > format: STMP from $1 to $2
> >
> > What does use_sprintf buy you?
>
> I actually don't know, I guess sprintf sounded just familiar (knowing C
> quite well), so I didn't search for anything else
>
> > > pattern: tungurahua kernel: CHAIN OUTPUT.*SRC=($ip_pat).*DST=($ip_pat).*PROTO=(.*)
> >
> > Do the periods (.) give you anything if they aren't escaped with a \?
> >
>
> see before.
>
> Alright, hope this answers some of your questions. Good luck and thanks
> for writing the tutorial. I'd be interested in it and would be glad if
> you could notify me where to find it.
>
> Mathias

--
.-"".__."``".            Anne Carasik, System Administrator
.-.--. _...' (/) (/) ``' gator at cacr dot caltech dot edu
(O/ O) \-' ` -="""=.',   Center for Advanced Computing Research
~`~~
Re: log_analysis configuration
On Thu, Oct 10, 2002 at 09:15:12AM -0700, Anne Carasik wrote:
> Hi Mathias,

Hi Anne,

I send this one to the list again, I hope this is ok.

>
> Actually, it is a good start. The developer sent me a tutorial,
> and I'm going to help him work on it for the clueless folks like
> me :)
>
> > config_version 0.38
>
> Good, we're using the same version (I'm not surprised since
> Debian hasn't upgraded this yet).
>
> > add arr log_type_list=
> > iptables
> >
> > add arr log_type_list=
> > iptables
>
> Ok, what is "add arr log_type_list" and why do you have this twice?
>

This is just a name for a new type of log-files where all the
definitions to follow apply.

I am sure the doubling is by accident. As I said, I got a config
somewhere else and rewrote it according to my needs.

> > add arr iptables_filenames=
> > iptables
>
> Ok, so that's the filename you're reading from, right?
>

It is the root of the logfiles the log_type "iptables" applies to.
This rule actually reads iptables.0 ... or iptables.1.gz (when called
with argument -a)

You need to read about "perl regular expressions" (man perlre or heaps
of other sources about regular expressions) to understand the following
and write your own configs. I am no expert in regexps and am sure you
could write better ones. Regexps being a powerful tool it is worthwhile
to learn about them, so you won't waste your time.

> > set var iptables_date_pattern=^((?:Jan|Feb|Mar|Apr|May|Jun|Jul|Aug|Sep|Oct|Nov|Dec)+\s+\d{1,2})\s+\d+\:\d+\:\d+\s+
>

Translated this means:

the brackets are just groupings

- ^ Match the beginning of the line
- ?: some switch I can't remember why I put it there
- Jan|Feb|Mar... matches Jan or Feb or Mar or ...
- + match at least one time
- \s match a whitespace (space, tab or similar)
- \d{1,2} match one or two digits
- \: match a : (: is a special character and needs to be escaped)

hence it matches a string like

Oct 9 17:34:27

at the beginning of the line.

>
> Ok, quick question:
>
> What does +\s +\d do? I take it +d is an integer and +s is a string?
>

see the above

> > set var iptables_date_format=%b %e
>
> Not sure what %b and %e give you.

read man strftime. I am not sure what it really does.

> > logtype: iptables
> > pattern: tungurahua kernel: CHAIN INPUT.*SRC=($ip_pat).*DST=($ip_pat).*PROTO=(.*)
>
> I take *'s work like they do in the shell?
>

The . matches any character and the * matches the preceding
character 0 or more times. I am not sure if the "preceding character" is
the dot or the character replacing the dot.

> > use_sprintf
> > format: "%-3s packet from %-15s to %-15s" , $3, $1, $2
>
> I have simple "format:" sections like:
> format: STMP from $1 to $2
>
> What does use_sprintf buy you?

I actually don't know, I guess sprintf sounded just familiar (knowing C
quite well), so I didn't search for anything else

> > pattern: tungurahua kernel: CHAIN OUTPUT.*SRC=($ip_pat).*DST=($ip_pat).*PROTO=(.*)
>
> Do the periods (.) give you anything if they aren't escaped with a \?
>

see before.

Alright, hope this answers some of your questions. Good luck and thanks
for writing the tutorial. I'd be interested in it and would be glad if
you could notify me where to find it.

Mathias
Re: log_analysis configuration
Anne Carasik wrote:
> Hi all,
>
> I have something I've been trying to do with quite some
> time--the joys of log parsing.
>
> I have installed log_analysis, and it seems to be the
> best tool to do the job. However, the man pages are
> very difficult to read, and there are not any clear
> examples of how to use this that I can find.
>
> Does anyone have any configurations that work well with
> log_analysis or have any tips on getting it to filter
> SSH, sudo, etc..?
>

Hi Anne,

I did write some configuration files and know what you are talking
about. I send you the whole config, which is partly the default, partly
my own. It is not very helpful indeed but might provide a starting
point.

Good luck, here is the config

config_version 0.38

add arr log_type_list=
iptables

add arr log_type_list=
iptables

add arr iptables_filenames=
iptables

set var iptables_date_pattern=^((?:Jan|Feb|Mar|Apr|May|Jun|Jul|Aug|Sep|Oct|Nov|Dec)+\s+\d{1,2})\s+\d+\:\d+\:\d+\s+
set var iptables_date_format=%b %e

logtype: iptables
pattern: tungurahua kernel: CHAIN INPUT.*SRC=($ip_pat).*DST=($ip_pat).*PROTO=(.*)
use_sprintf
format: "%-3s packet from %-15s to %-15s" , $3, $1, $2
dest: denied input from

pattern: tungurahua kernel: CHAIN OUTPUT.*SRC=($ip_pat).*DST=($ip_pat).*PROTO=(.*)
use_sprintf
format: "%-3s packet from %-15s to %-15s" , $3, $1, $2
dest: denied output to

pattern: tungurahua kernel: CHAIN FORWARD.*SRC=($ip_pat).*DST=($ip_pat).*PROTO=(.*)
use_sprintf
format: "%-3s packet from %-15s to %-15s" , $3, $1, $2
dest: denied forward

set arr priority_categories=

Mathias

> TIA,
>
> -Anne
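The config above, together with Mathias's walk-through of iptables_date_pattern and the chain patterns in his Oct 10 reply further up the thread, can be exercised outside log_analysis. The Python below is an added example, not code from log_analysis or from anyone in this thread: it applies the same date regex, the same three chain patterns and the same sprintf format string to a handful of constructed syslog lines. Python's re module accepts every construct these Perl patterns use, so the behaviour is the same. Two things are assumptions: $ip_pat is a log_analysis variable the thread never spells out, so a plain dotted-quad regex stands in for it, and the sample lines (the second host, addresses, ports) are made up. Running it makes two properties of the posted patterns visible. They hard-code "tungurahua kernel:", so an identical iptables line recorded by any other host falls through unmatched, which matters as soon as the same config is pointed at a central loghost. And the trailing PROTO=(.*) is the unescaped-period question in practice: . is any character and * repeats it, so the group swallows the rest of the line and the %-3s column receives "TCP SPT=4321 DPT=22" rather than "TCP"; parse_event takes that sub-pattern as a parameter so the result can be compared with (\S+), which stops at the next blank.

```python
import re

# Added example (not from the log_analysis project or the thread's authors):
# re-implements, with Python's re module, what the posted iptables config
# makes log_analysis do: strip the syslog date with iptables_date_pattern,
# match the three chain patterns, and render each hit through the sprintf
# format string. Perl and Python agree on every regex construct used here.

# Date pattern exactly as in the config, with the mail wrap joined.
DATE_PATTERN = re.compile(
    r"^((?:Jan|Feb|Mar|Apr|May|Jun|Jul|Aug|Sep|Oct|Nov|Dec)+\s+\d{1,2})"
    r"\s+\d+\:\d+\:\d+\s+"
)

# $ip_pat is a log_analysis built-in the thread never defines; this
# dotted-quad regex is an assumption standing in for it.
IP_PAT = r"(?:\d{1,3}\.){3}\d{1,3}"

# use_sprintf / format: "%-3s packet from %-15s to %-15s", $3, $1, $2
FORMAT = "%-3s packet from %-15s to %-15s"

# Constructed sample syslog lines. "tungurahua" is the firewall host named
# in the posted config; the other host, addresses and ports are made up.
SAMPLE_LINES = [
    "Oct  9 17:34:27 tungurahua kernel: CHAIN INPUT IN=eth0 OUT= "
    "SRC=192.0.2.10 DST=198.51.100.5 LEN=60 PROTO=TCP SPT=4321 DPT=22",
    "Oct  9 17:35:01 tungurahua kernel: CHAIN OUTPUT IN= OUT=eth0 "
    "SRC=198.51.100.5 DST=192.0.2.20 LEN=84 PROTO=ICMP TYPE=8",
    "Oct  9 17:35:44 tungurahua kernel: CHAIN FORWARD IN=eth1 OUT=eth0 "
    "SRC=10.0.0.7 DST=203.0.113.9 LEN=48 PROTO=UDP SPT=53 DPT=53",
    # Same event shape, but from another host as seen on a central loghost:
    # the patterns hard-code "tungurahua kernel:", so this never matches.
    "Oct  9 17:36:12 host1.example.edu kernel: CHAIN INPUT IN=eth0 OUT= "
    "SRC=192.0.2.99 DST=198.51.100.1 LEN=40 PROTO=TCP SPT=1 DPT=80",
    # Not an iptables line at all.
    "Oct  9 17:36:30 tungurahua sshd[1234]: Accepted publickey for anne "
    "from 192.0.2.10 port 4321 ssh2",
]


def split_date(line):
    """Return (date_text, remainder) as iptables_date_pattern sees it, or None.

    Group 1 of the pattern is the "Oct  9" part; the time and the trailing
    whitespace are consumed but not captured, so the remainder starts at
    the hostname.
    """
    m = DATE_PATTERN.match(line)
    if m is None:
        return None
    return m.group(1), line[m.end():]


def parse_event(remainder, proto_group=r"(.*)"):
    r"""Apply the three chain patterns from the config to a date-stripped line.

    proto_group is the sub-pattern after PROTO=. The config uses (.*), which
    runs to the end of the line; pass r"(\S+)" to stop at the next blank.
    """
    for chain in ("INPUT", "OUTPUT", "FORWARD"):
        rx = re.compile(
            rf"tungurahua kernel: CHAIN {chain}.*SRC=({IP_PAT})"
            rf".*DST=({IP_PAT}).*PROTO={proto_group}"
        )
        m = rx.search(remainder)
        if m:
            src, dst, proto = m.groups()  # $1, $2, $3 in the config
            return {"chain": chain, "src": src, "dst": dst, "proto": proto}
    return None


def format_event(event):
    """Render a match the way use_sprintf with the config's format does."""
    return FORMAT % (event["proto"], event["src"], event["dst"])


def analyse(lines, proto_group=r"(.*)"):
    """Group formatted hits per chain, like the config's three dest: buckets."""
    report = {"INPUT": [], "OUTPUT": [], "FORWARD": [], "unmatched": []}
    for line in lines:
        parsed = split_date(line)
        event = parse_event(parsed[1], proto_group) if parsed else None
        if event is None:
            report["unmatched"].append(line)
        else:
            report[event["chain"]].append(format_event(event))
    return report


if __name__ == "__main__":
    for label, group in (("config's PROTO=(.*)", r"(.*)"),
                         ("tightened PROTO=(\\S+)", r"(\S+)")):
        print(f"--- {label}")
        for chain, hits in analyse(SAMPLE_LINES, group).items():
            for hit in hits:
                print(f"{chain:9} {hit}")
```

With the config's own (.*) the first column of every report line is the whole tail of the message; with (\S+) it is just TCP, UDP or ICMP, which is what the %-3s width was evidently sized for. The host1.example.edu line lands in "unmatched" in both runs.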