Re: Firewall log analysis

From: Brad (wouldn'
Date: 06/12/04

  • Next message: Alec: "Re: Passing DHCP through a Hotbrick"
    Date: Sat, 12 Jun 2004 04:11:39 GMT

    While it doesn't offer all the features you ask for, you can get some
    nice log analysis in linklogger. (


    On Sat, 12 Jun 2004 12:06:02 +1000, JC <>

    >I have a Sonicwall firewall which sends me a log each morning via email. I paste the log into Excel, save it then sort on source URL. An example
    >of log entries showing the important parts is below:-
    > Date & Time Result Source URL
    >2004/06/11 09:07:15.224 UDP packet dropped - Source:, 5984, WAN
    >2004/06/11 09:39:36.496 ICMP packet dropped - Source:, 8, WAN
    >2004/06/11 10:27:02.544 UDP packet dropped - Source:, 31916, WAN
    >2004/06/11 10:28:08.304 TCP connection dropped - Source:, 1511, WAN
    >I get 80-100 entries per day, which isn't many I know, but over a month this adds up to about 2,500+ entries which take a while to go through. What
    >I am looking for is patterns of probes which I then report to abuse@x.y.z asking for the probes to be stopped. To get to the abuse@x.y.z address I
    >look up the details on Doing this multiple times each day can be tedious and it is not immediately obvious that, for example,
    >source URLs 66.139.x.y and 69.44.x.y are all connected to the same ISP.
    >How do you deal with the firewall logs?
    >What would be useful would be a program that will read the log file, preferably in XLS format, and spit out a summary along the lines of ISP Name,
    >Abuse email address, Source URL, Date & Time sorted on ISP name, Source URL and Date & Time if multiple entries are detected. Does such a program

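The summary tool JC describes (read the dropped-packet lines, group them by source address, attach the ISP and abuse contact, and sort by ISP, source and time) can be sketched in a few dozen lines of Python. The script below is an added example and is not code from either poster or from linklogger. It assumes the Sonicwall line format shown in the quoted post with the source address present after `Source:` (the archive has the addresses stripped), uses constructed sample lines with documentation-range addresses, and replaces the manual whois lookup with a hand-maintained prefix table, since the real lookup cannot run offline; the prefixes, ISP names and abuse addresses in that table are placeholders.

```python
import re
from collections import defaultdict
from datetime import datetime
from ipaddress import ip_address, ip_network

# Constructed sample lines in the shape JC describes. The addresses are made up
# (RFC 5737 documentation ranges); the original post has them stripped.
SAMPLE_LOG = """\
2004/06/11 09:07:15.224 UDP packet dropped - Source:203.0.113.7, 5984, WAN
2004/06/11 09:39:36.496 ICMP packet dropped - Source:198.51.100.23, 8, WAN
2004/06/11 10:27:02.544 UDP packet dropped - Source:203.0.113.7, 31916, WAN
2004/06/11 10:28:08.304 TCP connection dropped - Source:203.0.113.99, 1511, WAN
2004/06/11 11:02:44.001 TCP connection dropped - Source:198.51.100.23, 135, WAN
this line is not a log entry
"""

# Assumed line layout: timestamp, result text, " - Source:<ip>, <port>, <iface>".
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}\.\d{3}) "
    r"(?P<result>.+?) - Source:(?P<ip>[\d.]+), (?P<port>\d+), (?P<iface>\w+)$"
)

# Stand-in for the whois lookup JC does by hand: prefixes already looked up,
# mapped to (ISP name, abuse contact). Networks and contacts are placeholders.
KNOWN_PREFIXES = {
    ip_network("203.0.113.0/24"): ("ExampleNet", "abuse@examplenet.invalid"),
    ip_network("198.51.100.0/24"): ("OtherISP", "abuse@otherisp.invalid"),
}


def parse_line(line):
    """Return a dict for one Sonicwall-style line, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%Y/%m/%d %H:%M:%S.%f")
    rec["port"] = int(rec["port"])
    return rec


def lookup_isp(ip):
    """Map an address to (isp, abuse_contact) via the prefix table; UNKNOWN otherwise."""
    addr = ip_address(ip)
    for net, info in KNOWN_PREFIXES.items():
        if addr in net:
            return info
    return ("UNKNOWN", "")


def summarize(text, min_hits=2):
    """Group dropped packets by source IP, keep sources seen at least min_hits
    times (a single drop is noise, repeats are a probe pattern), attach the ISP
    and return rows sorted by ISP name, source IP and first-seen time."""
    by_ip = defaultdict(list)
    for line in text.splitlines():
        rec = parse_line(line)
        if rec:
            by_ip[rec["ip"]].append(rec)
    rows = []
    for ip, recs in by_ip.items():
        if len(recs) < min_hits:
            continue
        isp, abuse = lookup_isp(ip)
        recs.sort(key=lambda r: r["ts"])
        rows.append({
            "isp": isp, "abuse": abuse, "ip": ip,
            "first": recs[0]["ts"], "last": recs[-1]["ts"],
            "hits": len(recs),
            "ports": sorted({r["port"] for r in recs}),
        })
    rows.sort(key=lambda r: (r["isp"], ip_address(r["ip"]), r["first"]))
    return rows


if __name__ == "__main__":
    for r in summarize(SAMPLE_LOG):
        print(f"{r['isp']:<12} {r['abuse']:<28} {r['ip']:<16} {r['hits']:>3} hits  "
              f"{r['first']:%Y/%m/%d %H:%M}..{r['last']:%H:%M}  ports {r['ports']}")
```

Lines that do not match the expected layout are skipped rather than crashing the run, which matters when the log has been through a mail client and Excel. Grouping by address rather than by line is what makes the "same ISP" pattern visible: once two addresses resolve to the same prefix-table entry they sort next to each other, so the abuse report covers the whole set in one message.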