Firewall Wizards mailing list archives

RE: parsing logs ultra-fast inline


From: "Paul Melson" <pmelson () gmail com>
Date: Thu, 9 Feb 2006 13:26:15 -0500

-----Original Message-----
Subject: Re: [fw-wiz] parsing logs ultra-fast inline

Second question: Hasn't anyone else ever written these scripts? You would
think they'd be pretty widely available - especially for things like a PIX
or 2600 or AIX. I mean, yes they're site specific but if you know all of the
errors/messages a PIX can provide (someone said 26k or so?) then the "meat"
of a script could be generic enough...the most common messages aren't likely
to differ by much from site to site...place your IPs/whatever in and
run... or start to run...??

If by anyone, you mean anyone with some perl/shell knowledge and a PIX, then
yes, anyone can and has written them.  Even me, and my code sucks.

http://honor.icsalabs.com/pipermail/firewall-wizards/2003-October/015488.html
http://honor.icsalabs.com/pipermail/firewall-wizards/2003-October/015503.html
http://www.loganalysis.org/sections/parsing/application-specific/index.html

With regard to AIX, sure there are.  But generally Unix syslog, as opposed
to syslog from a router or firewall, contains messages from lots of
different pieces of software (i.e. Postfix vs. Sendmail, vsftpd vs. wu-ftpd,
vixie vs. anacron, etc.) so you will spend a little time putting things
together.  But for security purposes, you can put together a quick list of
things to grep for off the top of your head (or in this case my head, but
you can take credit for it off list).

root
connect
login
accept
fail
refuse
restart

PaulM
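The keyword list above is the whole technique: a single case-insensitive grep over syslog for the words that tend to appear in security-relevant events. The script below is an added example, not Paul's code or anything from the linked threads. The eight log lines are constructed, the hostnames and addresses are documentation placeholders, and the keyword histogram is an addition to show how noisy a word like "root" is on a box that runs cron jobs as root.

```shell
#!/bin/sh
# Added example: grep a Unix syslog extract for the keyword list from the post.
# SAMPLE_LOG is constructed; in practice you would read /var/log/messages,
# /var/log/secure or the syslog feed from the PIX/router instead.

SAMPLE_LOG='Feb  9 13:01:02 host sshd[1234]: Accepted password for root from 192.0.2.10 port 51234 ssh2
Feb  9 13:01:05 host sshd[1240]: Failed password for invalid user admin from 198.51.100.7 port 40011 ssh2
Feb  9 13:02:00 host postfix/smtpd[2201]: connect from unknown[203.0.113.5]
Feb  9 13:02:30 host cron[99]: (root) CMD (run-parts /etc/cron.hourly)
Feb  9 13:03:00 host vsftpd: restarting
Feb  9 13:03:10 host kernel: usb 1-1: new high-speed USB device
Feb  9 13:04:00 host login[300]: pam_unix(login:session): session opened for user alice
Feb  9 13:05:00 host ntpd[120]: synchronized to 192.0.2.1'

# The post's keyword list as one alternation. grep -i makes "Failed",
# "Accepted" and "restarting" all match their lowercase stems.
KEYWORDS='root|connect|login|accept|fail|refuse|restart'

# Print every line on stdin that contains at least one keyword.
grep_security_lines() {
    grep -iE "$KEYWORDS"
}

# Count the hits in the constructed sample (6 of the 8 lines match).
count_sample_hits() {
    printf '%s\n' "$SAMPLE_LOG" | grep_security_lines | wc -l | tr -d ' '
}

# Show which keyword fired how often, most frequent first. A word that
# dominates the histogram (here "root", because of cron) is the first
# candidate for an exclusion pattern when the list gets too noisy.
keyword_histogram() {
    printf '%s\n' "$SAMPLE_LOG" \
        | grep -ioE "$KEYWORDS" \
        | tr '[:upper:]' '[:lower:]' \
        | sort | uniq -c | sort -rn
}

# Stand-alone run: matching lines, then the per-keyword counts.
printf '%s\n' "$SAMPLE_LOG" | grep_security_lines
echo '--- keyword histogram ---'
keyword_histogram
```

Pipe a real log into `grep_security_lines` (for example `tail -f /var/log/messages | grep_security_lines`) to use it inline; the histogram is what you look at before deciding which of the seven words deserves a `grep -v` to cut routine noise such as hourly cron runs.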


_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
