[fwAnalog] fwanalog fills my partition :: analog.err is over 4gb in size

From: Gian G. Spicuzza <gianspi~AT~gsent.org>
Date: Thu Nov 24 2005 - 04:12:39 CET


Hello. My /var partition is 5GB. I setup a server and installed fwanalog and had it parse my firewall logs every 5 hours. It worked great, but in 2 days flat my partition was filled up. analog.err was over 4GB in size. Did I make a mistake in my config? Thank you for any help. Here is my config file:  

#!/bin/sh

###########################################################################

#

# User-changeable options for fwanalog.sh

#

# $Id: fwanalog.opts.linux24,v 1.17 2003/11/25 17:11:31 bb Exp $

#

###########################################################################

outdir="/var/www/htdocs/firewall"

# The directory where the output goes to, without / at the end. You need
write

# permissions, of course, and should secure this directory with permissions,

# minefields, guard dogs etc. It will be created if you don`t have it yet.

logformat="iptables"

# What log format your firewall writes.

# Currently available options:

# iptables Linux 2.4 iptables (probably in
/var/log/messages)

# ipchains Linux 2.2 ipchains (probably in
/var/log/messages)

# ipf BSD/Solaris ipfilter (probably in
/var/log/ipflog)

# openbsd this was the same as ipf until OpenBSD 2.9; this
also

# seems to work on NetBSD

# freebsd FreeBSD`s output format (probably in
/var/log/ipflog)

# solarisipf Solaris 8.0 Intel ipf 3.4.20 (using ipmon -sn &)

# pf_30 OpenBSD 3.0 pf binary log format

# fwanalog *must* run on OpenBSD 3.0
for this to work

# (because of the special tcpdump of
OpenBSD)

# zynos ZyNOS (ZyXEL, Netgear) logfile

# pix Cisco Pix (tested with version 6.22/IOS)

# watchguard Watchguard Firebox

# fw1 Checkpoint Firewall-One (not fw-1 NG!)

# Feel free to program a parser for your firewall if it is not supported.

# See the comments in iptables() and ipf()

#

# The officially maintained formats are pf_30 and iptables.

inputfiles_mask="messages*" # The name of your logfiles, with a wildcard if you want

inputfiles_dir="/var/log" # The directory where your logfiles are in,

                                                        # e.g.
/var/log

inputfiles_mtime="31" # How old the logfiles can be

# You can change this to your log rotate interval + 1 day (so you never miss
a logfile entry)

inputfiles=`find $inputfiles_dir -maxdepth 1 -name "$inputfiles_mask" -mtime -$inputfiles_mtime | sort -r`

# This should find the names of the logfiles you want to parse

# It MUST return the names in reverse order (chronologically) or you

# will have LOTS of duplicate lines in your log.

onehost=false

# Available options: false true dynip

# Default: false

# Set to true if this firewall runs on one machine only and you want to see

# the source hosts (not the protected target hosts) in the Blocked Packet

# Report. This is suggested if you protect one server, but loses information

# if you protect a network.

# Set to "dynip" if your firewall has a dynamic IP address.

# After changing onehost, you must delete everything in $outdir!

sep_hosts=true

# Set to true if you want fwanalog to create a separate, additional report
for

# each attacking host IP.

# WARNING: this can run for hours using 100 % CPU and consume lots of hard

# disk space (up to 25 kB per host) so you can easily fill up your server if

# too many packets from different hosts were blocked.

# Also, this makes only limited sense with onehost mode set to true.

# If you set this option after having used fwanalog, some hosts won`t be

# linked in the report. You can create a report for a host with the

# "-a <IP-address>" command line option.

sep_packets=true

# Like sep_hosts, but for blocked packets.

# The corresponding command line option is "-p <packet>"

# Program invocations - add path if needed

analog="analog"

# Full pathname if you need, or "nice analog" if you want to de-priorize it

date="date" # should be GNU date or one which can print the timezone.

                                # see "timezone" below

grep="grep" # should be GNU grep

egrep="egrep" # should be GNU egrep

zegrep="zegrep" # this is just a shellscript on most systems. If you don`t

                                # have it, copy it from another
Unix-lookalike.

gzcat="zcat" # needed only on OpenBSD 3.x

sed="sed"

perl="perl"

tcpdump="tcpdump" # needed only on OpenBSD 3.x

timezone=`$date +%z`

# Which timezone the server is in. Correct if the server fwanalog runs on

# is not in the timezone the firewall is in.

# The %z option of date is supported on GNU/Linux and OpenBSD,

# but apparently NOT on FreeBSD so you will have to insert your

# timezone difference (e.g. -0500) yourself or use GNU date.


   

Thank you,  

Gian G. Spicuzza Received on Thu Nov 24 04:12:33 2005

This archive was generated by hypermail 2.1.8 : Thu Nov 24 2005 - 04:42:04 CET