Netgate Discussion Forum

Daily firewall reports

    rhouston
    last edited by Jul 26, 2010, 9:54 PM

    Hello everyone,

    I am replacing a set of Linux-based firewalls with PF boxes and can do most everything I need to with the PF boxes save a few.

    The big one right now is I need to be able to produce a daily list of firewall activity such as dropped/rejected packets per interface as well as a statistical breakdown of packets per interface. Management has gotten used to a daily emailed Logwatch report, so reproducing that or something similar would be great. A package would be totally awesome of course, :)

    Does anyone have any thoughts on that or experience setting Logwatch up? I have tried to do the remote syslog thing but no tool I used seemed to work well with the log output.

    Thanks for any help in advance!

    Rich

      jimp Rebel Alliance Developer Netgate
      last edited by Jul 27, 2010, 12:53 PM

      There's an open ticket to do something like this, but it will have to wait until after 2.0 is released.

      I have some ideas on what to do, but no code yet.

      What kind of statistics are you used to seeing? Do you have a sample report? (with anything identifying removed, of course)

        rhouston
        last edited by Jul 27, 2010, 9:20 PM

        Thanks for the reply!

        Here are some samples from the report management is used to seeing:

        Listed by source hosts:
        Accepted 45 packets on interface eth1
          From XXX.XXX.XXX.XXX - 1 packet to udp(123)
          From XXX.XXX.XXX.XXX - 70 packets to udp(53,123) tcp(22)
          From XXX.XXX.XXX.XXX - 168 packets to udp(123)
          From XXX.XXX.XXX.XXX - 25 packets to udp(123)

        Listed by source hosts:
        Dropped 105 packets on interface eth0
          From X.X.X.X - 1 packet to udp(5060)
          From X.X.X.X - 1 packet to udp(5060)
          From X.X.X.X - 16 packets to tcp(18490)
          From X.X.X.X - 2 packets to tcp(445)
          From X.X.X.X - 1 packet to udp(1434)
          From X.X.X.X - 1 packet to udp(1434)
          From X.X.X.X - 1 packet to tcp(3306)

        Listed by source hosts:
        Logged 1181 packets on interface eth1
          From XXX.XXX.XXX.XXX - 98 packets to tcp(80)
          From XXX.XXX.XXX.XXX - 255 packets to tcp(80)
          From XXX.XXX.XXX.XXX - 21 packets to tcp(80)
          From XXX.XXX.XXX.XXX - 34 packets to tcp(80)
          From XXX.XXX.XXX.XXX - 36 packets to tcp(80)
          From XXX.XXX.XXX.XXX - 30 packets to tcp(80)

        Listed by source hosts:
        Rejected 12 packets on interface eth0
          From XXX.XXX.XXX.XXX - 1 packet to udp(123)
          From XXX.XXX.XXX.XXX - 1 packet to tcp(22)
          From XXX.XXX.XXX.XXX - 1 packet to udp(43361)
          From XXX.XXX.XXX.XXX - 1 packet to tcp(2967)
          From XXX.XXX.XXX.XXX - 1 packet to tcp(22)
          From XXX.XXX.XXX.XXX - 3 packets to tcp(30978)

        Listed by source hosts:
        Rejected 855 packets on interface eth1
          From XXX.XXX.XXX.6 - 15 packets to tcp(443)
          From XXX.XXX.XXX.58 - 3 packets to icmp(8)
          From XXX.XXX.XXX.59 - 15 packets to tcp(443)
          From XXX.XXX.XXX.61 - 120 packets to tcp(443)
          From XXX.XXX.XXX.67 - 15 packets to tcp(443)
          From XXX.XXX.XXX.70 - 50 packets to tcp(443,1935)
          From XXX.XXX.XXX.71 - 60 packets to tcp(443,1935)

        Hope this helps.

        Any idea when we will see 2.0? I have been loving 1.2.3 and love the new stuff in 2.0, especially the key management for OpenVPN.

        Thanks again!!

        Rich
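
An added example, not part of the original thread: one way to reproduce the Logwatch-style "Listed by source hosts" report shown above from firewall log records. The one-record-per-line input (action, interface, source, protocol, destination port or ICMP type) is an assumed format for illustration, not pfSense's raw filter log format, and the addresses are constructed samples.

```python
from collections import defaultdict

# Constructed sample input (assumed format, one logged packet per line):
#   action interface source protocol destination-port (ICMP: type)
SAMPLE = """\
Accepted eth1 192.0.2.10 udp 53
Accepted eth1 192.0.2.10 udp 123
Accepted eth1 192.0.2.10 tcp 22
Dropped eth0 198.51.100.7 udp 5060
Dropped eth0 198.51.100.9 tcp 445
Dropped eth0 198.51.100.9 tcp 445
Rejected eth1 192.0.2.58 icmp 8
garbage line
"""

def summarize(lines):
    """Group records as {(action, iface): {src: [count, {proto: ports}]}}."""
    groups = defaultdict(lambda: defaultdict(lambda: [0, defaultdict(set)]))
    for line in lines:
        fields = line.split()
        if len(fields) != 5 or not fields[4].isdigit():
            continue  # skip malformed lines instead of aborting the report
        action, iface, src, proto, port = fields
        entry = groups[(action, iface)][src]
        entry[0] += 1
        entry[1][proto.lower()].add(int(port))
    return groups

def packets(n):
    return f"{n} packet" if n == 1 else f"{n} packets"

def render(groups):
    """Format the groups in the layout of the sample report."""
    out = []
    for (action, iface), hosts in sorted(groups.items()):
        total = sum(count for count, _ in hosts.values())
        out += ["Listed by source hosts:",
                f"{action} {packets(total)} on interface {iface}"]
        for src, (count, protos) in sorted(hosts.items()):
            # udp before tcp, ports ascending, as in the sample report
            dests = " ".join(
                f"{proto}({','.join(map(str, sorted(ports)))})"
                for proto, ports in sorted(protos.items(), reverse=True))
            out.append(f"  From {src} - {packets(count)} to {dests}")
        out.append("")
    return "\n".join(out)

if __name__ == "__main__":
    print(render(summarize(SAMPLE.splitlines())))
```

Fed from a daily cron job, the rendered text can be mailed as the report body; a front-end that converts the firewall's actual log lines into this record format is still needed.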