Indeed, I came across my error in using the '-n' option after trying to debug the application myself. No it's not the default.:) It was then that I noticed that the perl regexp is assuming a numeric IP and port.
I corrected the problem, and have basically started from scratch now.
Also, I run a fairly high volume network, and newsyslog was swapping out the logs every hour on me :) So I increased the count so I have a full 24 hours of logs stored. After that I run out of drive space :(
My problem now seems to be that the reporting generated is very inconsistent, and seems to produce many errors when analog parses the log files. In fact, it only seems to parse out 2 minutes worth of logging information.
Also, I'm not sure what the time zone setting is supposed to be. This is an output from my NetBSD machine:
# date +%z
# date +%Z
But I assume that the string CDT is useless to the program. So I set the timezone option to what appears on my Linux box with the date +%z function "-0500".
Is this what you intended? There must be a better way to automatically set this at execute time.
And why on earth am I only getting 2 minutes of log files parsed????
Thanks for the reply!!!
>Date: Sat, 11 Aug 2001 09:23:50 +0200
>From: =?iso-8859-1?Q?Bal=E1zs_B=E1r=E1ny?= <balazs~AT~tud.at>
>Subject: Re: [fwAnalog] NetBSD
>* Steve Witucke <steve~AT~iosys.net> [2001-08-08 04:19]:
>> Aug 7 20:35:11 wormhole ipmon: 20:35:06.266243 2x rtk1
>> ~AT~138:1 b xxx.xxx.xxx.xxx,www -> xxx.xxx.xxx.xxx,16793 PR tcp len 20 56325
>> -A 194209914 3141330721 17339 IN
>The only relevant difference to an OpenBSD log I see is the ",www" port.
>Everything else (ipf, ipchains, iptables) logs the port number numerically.
>So the regexps assume that port numbers are \d+ (numeric).
>There are two options:
>- Don't call ipmon with "-n"
>- Change the '?(\d*)'-s in line 279 (under 7 and 9) of fwanalog.sh to
> '?(\w*)' so fwanalog accepts letters on this position.
>I think the first way is better as Analog does a better job resolving IP
>addresses and port numbers (using the nmap config) than your kernel.
>(Resolving IPs shouldn't be the job of a firewall, anyway.)
>What is the default setting on NetBSD? -n or not?
>This was the only problem I've found, aside from that, the OpenBSD parser
>Please delete everything from the $outdir before you try it again, and make
>sure that you only give ipflogs to fwanalog which were created without "-n".
>I hope this helps
This archive was generated by hypermail 2.1.3 : Mon Jul 29 2002 - 22:22:04 CEST