Log Analysis and alerting

From: Subba Rao (sailorn@attglobal.net)
Date: 03/22/02


Hi

I am trying to set up a realtime alert system for our firewall. The
firewall logs everything, so we have to process the logs twice
to separate the serious alerts. At the final stage there is still
redundant information.

For example, we want to monitor FTP, TELNET and IIS Webserver
access attempts. For each protocol, there are several entries
from the same host from different ports. My goal is to capture the
first attempt (ignore the rest) and send an alert.

What I am not able to do is to write the first attempt to a
separate log file. I plan to use swatch on this separate log
file to send the email alert. I am trying the following shell
script to capture the first alert:

root@log:/firewall/logs # tail -f fw1.log | awk -f alert.awk > email.log

The alert.awk script is as follows:

/IIS/ {
     # Field 3 is the alert name; the field two from the end is
     # "srcip:srcport", so split on ":" and keep only the source IP
     current = $3                 # not used below; the key is $3 itself
     split($(NF-2), tmp, ":")
     srcip = tmp[1]

     # Print only when this alert's last-seen source differs from the
     # current one, then remember it (one IP per alert, not per host)
     if ( attacks[$3] != srcip ) {
          print $0                # was "$_": an uninitialized awk variable, so $_ is just $0
          attacks[$3] = srcip
     }
}

Why does the awk script not write to the email.log?

This is a very critical network. So, any help appreciated.

Thank you in advance.

--
Subba Rao
sailorn@attglobal.net
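As an added, runnable example (not the poster's script, and not an answer from the thread), the pipeline below shows two changes that a practitioner would make to the posted alert.awk: the dedup key is the alert plus the source IP, so a second host hitting IIS does not make the first host alert again when it comes back from another port, and awk calls fflush() after every print, because when awk's stdout is redirected to a file it is block-buffered and a `tail -f` pipeline never exits, so without the flush nothing reaches email.log until the buffer fills. It assumes the poster's field layout (alert name in $3, "srcip:srcport" in $(NF-2)); the sample log lines are constructed for the demo and are not real firewall output.

```shell
#!/bin/sh
# Added example, not the poster's script. It assumes the poster's field
# layout: the alert name in $3 and "srcip:srcport" in $(NF-2).

# Constructed sample log lines in that layout (not real firewall output).
# The same host hits IIS from three ports and FTP once, a second host
# hits IIS, and one unrelated SMTP line should never match.
sample_log() {
  cat <<'EOF'
08:05:57 deny IIS tcp 10.1.2.3:4001 192.0.2.10:80 in
08:05:58 deny IIS tcp 10.1.2.3:4002 192.0.2.10:80 in
08:05:58 deny FTP tcp 10.1.2.3:4003 192.0.2.10:21 in
08:05:59 deny IIS tcp 198.51.100.7:1025 192.0.2.10:80 in
08:06:00 deny IIS tcp 10.1.2.3:4004 192.0.2.10:80 in
08:06:01 deny SMTP tcp 203.0.113.5:2000 192.0.2.10:25 in
EOF
}

# Reads log lines on stdin and prints the first line seen for each
# (alert, source IP) pair. Differences from the posted alert.awk:
#  1. the key is alert + source IP, so 10.1.2.3 hitting IIS again after
#     198.51.100.7 does not produce a second alert;
#  2. fflush() after each print, because awk's stdout is block-buffered
#     when redirected to a file and a tail -f pipeline never exits, so
#     without it nothing reaches the output file until the buffer fills.
dedup_alerts() {
  awk '
  /IIS|FTP|TELNET/ {
      alert = $3
      split($(NF-2), tmp, ":")
      srcip = tmp[1]
      key = alert SUBSEP srcip
      if (!(key in seen)) {
          seen[key] = 1
          print $0
          fflush()
      }
  }'
}

# Number of alert lines produced for the constructed sample.
count_alerts() {
  sample_log | dedup_alerts | awk 'END { print NR }'
}

# Stand-alone demo: prints 3 lines (IIS and FTP from 10.1.2.3, IIS from
# 198.51.100.7); the :4004 retry and the SMTP line are dropped.
sample_log | dedup_alerts
# Real use, with swatch watching email.log:
#   tail -f fw1.log | dedup_alerts >> email.log
```

The `seen` array grows for the life of the process, which is what "first attempt only" asks for; if the alert file is meant to re-arm after some time, the awk process has to be restarted (or the entry aged out), since awk has no timer of its own.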
