"Taylor Robison" <trobisat_private> wrote:

> I am trying to understand some iptables logs and am a little confused by
> the content.
>
> I'm afraid it is not obvious to me WHY a log message is significant.

You have to set iptables to log in the first place, so YOU have to determine the significance. One of the choices is what/whether to log particular items, how much to log, etc.

> From the log statement, I can't take a look at it and instantly see
> whether I should be worried or not. There is nothing that jumps out at
> me to tell me that the message was logged because a jerk spoofed his
> IP...or sent nasty headers.

That will depend on the rule you created. If you create one to detect spoofing, that's what you'll get. More on how to differentiate below...

> Things I would like to be able to determine are:
> was the packet dropped, accepted or denied?
> what rule was violated?
> what about the connection caused the rule to be violated?

Give some thought about the iptables rules you're setting up, and use the features (man iptables) provided for this sort of thing. In particular, the --log-prefix option looks promising:

  --log-prefix prefix
    Prefix log messages with the specified prefix; up to 29 letters long, and useful for distinguishing messages in the logs.

> Perhaps the answer is that I should use a commercial firewall if I want
> that kind of information? I find that answer unpleasant and hope it's
> not the case.

It sounds (to me) like you need two things:

1. Rules defined to log only "interesting" traffic, and options to distinguish among different types of "interesting" traffic.

2. A good reporting tool to analyze and summarize log entries in a meaningful manner (assuming you're not monitoring in real-time for this exercise). There are several summary programs, or you can roll your own (perl comes to mind). syslog entries can be tedious to pore through if you just look at them in sequence.

I'm looking for the 'perfect' reporting tool myself, and thus my subscription to this list! (Any pointers appreciated)

3. (with apologies to Monty Python) Possibly syslog-ng to help log different categories of events to different log files (optional and arguable).

> I suppose there is an M out there I should be RTFing....perhaps someone
> would be kind enough to point me in the right direction?

man iptables :)

- Bob (new to the list)

_______________________________________________
LogAnalysis mailing list
LogAnalysisat_private
http://lists.shmoo.com/mailman/listinfo/loganalysis
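The two halves of the reply above (tagging log lines with --log-prefix so the reason is visible, and a home-grown summarizer instead of reading syslog in sequence) as one added worked example; this is not code from the original thread or from the iptables project. The rule set is hypothetical (interface eth0, 192.168.1.0/24 as the internal network, FW-* prefixes chosen here) and is only defined, not applied, because it needs root and iptables; the syslog lines it is run over are constructed to match the kernel LOG target's field format. Because LOG is a non-terminating target, each LOG rule is paired with a matching DROP rule, and the prefix names the action so "was it dropped?" can be read off the log line itself.

```shell
#!/bin/sh
# Added example: distinct --log-prefix per drop reason, plus an awk summarizer.

# Hypothetical rule set (assumed interface/network; not executed by default).
apply_rules() {
    # Packets arriving on the outside interface that claim an inside source.
    iptables -A INPUT -i eth0 -s 192.168.1.0/24 -j LOG --log-prefix "FW-SPOOF-DROP: "
    iptables -A INPUT -i eth0 -s 192.168.1.0/24 -j DROP
    # TCP segments with no flags set at all (a "null" packet).
    iptables -A INPUT -p tcp --tcp-flags ALL NONE -j LOG --log-prefix "FW-BADFLAGS-DROP: "
    iptables -A INPUT -p tcp --tcp-flags ALL NONE -j DROP
    # Everything else the policy refuses.
    iptables -A INPUT -j LOG --log-prefix "FW-DEFAULT-DROP: "
    iptables -A INPUT -j DROP
}

# Constructed sample syslog lines in the kernel LOG target's format.
SAMPLE_LOG='Aug 14 06:01:02 gw kernel: FW-SPOOF-DROP: IN=eth0 OUT= SRC=192.168.1.5 DST=10.0.0.1 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=1 DF PROTO=TCP SPT=1234 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
Aug 14 06:01:05 gw kernel: FW-DEFAULT-DROP: IN=eth0 OUT= SRC=203.0.113.9 DST=10.0.0.1 LEN=40 TOS=0x00 PREC=0x00 TTL=50 ID=2 PROTO=TCP SPT=6000 DPT=135 WINDOW=1024 RES=0x00 SYN URGP=0
Aug 14 06:01:07 gw kernel: FW-BADFLAGS-DROP: IN=eth0 OUT= SRC=203.0.113.9 DST=10.0.0.1 LEN=40 TOS=0x00 PREC=0x00 TTL=50 ID=3 PROTO=TCP SPT=6001 DPT=80 WINDOW=1024 RES=0x00 URGP=0
Aug 14 06:01:09 gw kernel: FW-SPOOF-DROP: IN=eth0 OUT= SRC=192.168.1.7 DST=10.0.0.1 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=4 DF PROTO=UDP SPT=53 DPT=53 LEN=40
Aug 14 06:01:11 gw kernel: FW-DEFAULT-DROP: IN=eth0 OUT= SRC=203.0.113.9 DST=10.0.0.1 LEN=40 TOS=0x00 PREC=0x00 TTL=50 ID=5 PROTO=TCP SPT=6002 DPT=135 WINDOW=1024 RES=0x00 SYN URGP=0
Aug 14 06:01:13 gw kernel: FW-DEFAULT-DROP: IN=eth0 OUT= SRC=198.51.100.4 DST=10.0.0.1 LEN=40 TOS=0x00 PREC=0x00 TTL=50 ID=6 PROTO=TCP SPT=6003 DPT=22 WINDOW=1024 RES=0x00 SYN URGP=0'

# Count log lines per prefix. Arg 1: log file. Prints "<prefix> <count>", sorted by prefix.
summarize_by_prefix() {
    awk '{
        for (i = 1; i <= NF; i++)
            if ($i ~ /^FW-.*:$/) { sub(/:$/, "", $i); n[$i]++; break }
    } END { for (p in n) print p, n[p] }' "$1" | sort
}

# For one prefix, group by source and proto/dport. Args: prefix, log file.
# Prints "<src> <proto>/<dport> <count>", highest count first.
detail_for_prefix() {
    prefix="$1"; file="$2"
    awk -v p="$prefix:" '$0 ~ p {
        src = ""; dpt = ""; proto = ""
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^SRC=/) src = substr($i, 5)
            else if ($i ~ /^DPT=/) dpt = substr($i, 5)
            else if ($i ~ /^PROTO=/) proto = substr($i, 7)
        }
        n[src " " proto "/" dpt]++
    } END { for (k in n) print k, n[k] }' "$file" | sort -k3,3nr -k1,1
}

main() {
    tmp=$(mktemp)
    printf '%s\n' "$SAMPLE_LOG" > "$tmp"
    echo "== drops by reason =="
    summarize_by_prefix "$tmp"
    echo "== FW-SPOOF-DROP detail (src proto/dport count) =="
    detail_for_prefix FW-SPOOF-DROP "$tmp"
    rm -f "$tmp"
}

main
```

Point the two functions at /var/log/messages (or wherever klogd/syslog writes kernel messages) instead of the temp file to use them on a real box; the prefix is the only thing that ties a line back to the rule that produced it, so keep prefixes unique per LOG rule and under the 29-character limit the man page states.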
This archive was generated by hypermail 2b30 : Thu Aug 14 2003 - 06:09:16 PDT