Re: Log Analysis and alerting
From: Dan Mercer (damercer@mmm.com) Date: 03/22/02
- Next message: Security Alert: "Sec, Vulnerability in VVOS Web proxy"
- Previous message: Subba Rao: "Re: Log Analysis and alerting"
- In reply to: Subba Rao: "Log Analysis and alerting"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
From: damercer@mmm.com (Dan Mercer) Date: 22 Mar 2002 17:07:22 GMT
In article <3c9b2ee1_1@news1.prserv.net>,
"Subba Rao" <sailorn@attglobal.net> writes:
> Hi
>
> I am trying setup a realtime alert system for our firewall. The
> firewall logs everything, so we have to process the logs twice
> to separate the serious alerts. At the final stage there is still
> redundant information.
>
> For example, we want to monitor FTP, TELNET and IIS Webserver
> access attempts. For each protocol, there are several entries
> from the same host from different ports. My goal is to capture the
> first attempt (ignore the rest) and send an alert.
>
> What I am not able to do is to write the first attempt to a
> separate log file. I plan to use swatch on this separate log
> file to send the email alert. I am trying the following shell
> script to capture the first alert:
>
> root@log:/firewall/logs # tail -f fw1.log | awk -f alert.awk > email.log
>
> The alert.awk script is as follows:
>
> /IIS/ {
>     #Get the current alert and current source IP address
>     current = $3
>     split($(NF-2),tmp,":")
>     srcip = tmp[1]
>
>     if ( attacks[$3] != srcip ) {
>         print $_
>         attacks[$3] = srcip
>     }
> }
>
> Why does the awk script not write to the email.log?
Awk is writing to email.log, it just hasn't flushed the data
there yet. On Linux it won't until it has accumulated 4096
bytes, then it will just write the first 4096 bytes until the
next 4096 bytes are accumulated. By now you know that print $_
is incorrect. What you need to do is do the redirection within
the script:
# cat alert.awk
/IIS/ {
    #Get the current alert and current source IP address
    current = $3
    split($(NF-2),tmp,":")
    srcip = tmp[1]
    if ( attacks[$3] != srcip ) {
        print >> "email.log"
        close("email.log")
        attacks[$3] = srcip
    }
}
# tail -f fw1.log | awk -f alert.awk
> This is a very critical network. So, any help appreciated.
>
> Thank you in advance.
>
> --
> Subba Rao
> sailorn@attglobal.net
>

--
Dan Mercer
damercer@mmm.com

Opinions expressed herein are my own and may not represent those of my employer.
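The filter below is an added example, not code from either poster. It takes the per-line flush approach from the reply above (`print >> file` followed by `close(file)`, so every alert reaches the file before swatch looks at it) and keys the "first attempt" state on the pair of alert name and source IP rather than on the alert name alone, so a second host probing the same service is still reported and the first host is not re-reported when the two alternate. The log layout in `sample_log` (alert name in field 3, `src:port` in `$(NF-2)`) is constructed for this example and only assumed to match the thread's `fw1.log`; the names `sample_log` and `first_attempts` are mine.

```shell
#!/bin/sh
# Added example (not from the original thread): report only the first
# firewall log line seen for each (alert name, source IP) pair and flush
# each alert to the output file immediately.

# Constructed sample lines. Field layout is an assumption chosen so that
# $3 is the alert name and $(NF-2) is "src:port", as in the poster's script.
sample_log() {
    cat <<'EOF'
Mar 22 IIS deny tcp 10.0.0.5:4431 -> 192.0.2.10:80
Mar 22 IIS deny tcp 10.0.0.5:4432 -> 192.0.2.10:80
Mar 22 IIS deny tcp 10.0.0.9:1025 -> 192.0.2.10:80
Mar 22 FTP deny tcp 10.0.0.5:2000 -> 192.0.2.10:21
Mar 22 IIS deny tcp 10.0.0.5:4433 -> 192.0.2.10:80
EOF
}

# first_attempts OUTFILE
# Reads log lines on stdin; appends the first line per (alert, source IP)
# to OUTFILE, closing the file after every write so nothing sits in a
# stdio buffer while `tail -f | awk` is running.
first_attempts() {
    out=$1
    awk -v out="$out" '
    $3 ~ /^(IIS|FTP|TELNET)$/ {
        alert = $3
        split($(NF-2), tmp, ":")
        srcip = tmp[1]
        key = alert SUBSEP srcip          # one state entry per alert+source
        if (!(key in seen)) {
            seen[key] = 1
            print >> out                  # whole line, appended to OUTFILE
            close(out)                    # forces the write out right now
        }
    }'
}

# Stand-alone demo over the constructed lines.
demo_out=$(mktemp)
sample_log | first_attempts "$demo_out"
cat "$demo_out"
rm -f "$demo_out"
```

In production the call is `tail -f fw1.log | first_attempts email.log`, exactly as in the thread; because the script appends, start with an empty `email.log` or let swatch handle the history. On gawk and mawk, `fflush(out)` after the `print` avoids reopening the file on every alert, but `close()` is the portable choice and is what the reply relies on.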