[logs] firewall reporting method

From: shawn reed (shwn_rd@private)
Date: Tue Sep 21 2004 - 06:03:56 PDT

>From the information I've gathered in this mailing list, I've put together a plan for reporting on firewall logs. Thank you for your contributions. The "[logs] most popular reports...?" thread was especially useful. I have summarized my method below for feedback, flaws, suggestions, etc.
1. Export daily logs from firewall to reporting machine

2. Extract "date, time, action, src, dst, dst_port, src_port" fields from log and dump into mysql database.

3. Run the following monthly reports by using queries from the database (dump data from mysql and manually create  graphs etc. in Excel)
 -  plot of incoming activity by day
 -  pie chart showing incoming services (ie. http, smtp, etc.)
 -  list of top incoming destinations
 -  list of top probed ports and their associated vulnerabilities (packets dropped at firewall)
 -  list of top probed servers
 -  pie chart of outgoing services
 -  Top 5 outgoing connections (ie. most occurances where src, dst, dst_port are the same)

The report is produced monthly and mainly intened for high-level profile of traffic through the firewall.

Do you Yahoo!?
Yahoo! Mail - 50x more storage than other providers!

LogAnalysis mailing list

This archive was generated by hypermail 2.1.3 : Tue Sep 21 2004 - 06:58:50 PDT