I would suggest you check the content of your error log for a clue.
Hello. My /var partition is 5GB. I set up a server and installed fwanalog and had it parse my firewall logs every 5 hours. It worked great, but in 2 days flat my partition was filled up. analog.err was over 4GB in size. Did I make a mistake in my config? Thank you for any help. Here is my config file:
#!/bin/sh
###########################################################################
#
# User-changeable options for fwanalog.sh
#
# $Id: fwanalog.opts.linux24,v 1.17 2003/11/25 17:11:31 bb Exp $
#
###########################################################################
outdir="/var/www/htdocs/firewall"
# The directory where the output goes to, without / at the end. You need write
# permissions, of course, and should secure this directory with permissions,
# minefields, guard dogs etc. It will be created if you don't have it yet.
logformat="iptables"
# What log format your firewall writes.
# Currently available options:
# iptables Linux 2.4 iptables (probably in /var/log/messages)
# ipchains Linux 2.2 ipchains (probably in /var/log/messages)
# ipf BSD/Solaris ipfilter (probably in /var/log/ipflog)
# openbsd this was the same as ipf until OpenBSD 2.9; this also
# seems to work on NetBSD
# freebsd FreeBSD's output format (probably in /var/log/ipflog)
# solarisipf Solaris 8.0 Intel ipf 3.4.20 (using ipmon -sn &)
# pf_30 OpenBSD 3.0 pf binary log format
# fwanalog *must* run on OpenBSD 3.0 for this to work
# (because of the special tcpdump of OpenBSD)
# zynos ZyNOS (ZyXEL, Netgear) logfile
# pix Cisco Pix (tested with version 6.22/IOS)
# watchguard Watchguard Firebox
# fw1 Checkpoint Firewall-One (not fw-1 NG!)
# Feel free to program a parser for your firewall if it is not supported.
# See the comments in iptables() and ipf()
#
# The officially maintained formats are pf_30 and iptables.
inputfiles_mask="messages*"
# The name of your logfiles, with a wildcard if you want
inputfiles_dir="/var/log"
# The directory where your logfiles are in,
# e.g. /var/log
inputfiles_mtime="31"
# How old the logfiles can be
onehost=false
# Available options: false true dynip
# Default: false
# Set to true if this firewall runs on one machine only and you want to see
# the source hosts (not the protected target hosts) in the Blocked Packet
# Report. This is suggested if you protect one server, but loses information
# if you protect a network.
# Set to "dynip" if your firewall has a dynamic IP address.
# After changing onehost, you must delete everything in $outdir!
sep_hosts=true
# Set to true if you want fwanalog to create a separate, additional report for
# each attacking host IP.
# WARNING: this can run for hours using 100 % CPU and consume lots of hard
# disk space (up to 25 kB per host) so you can easily fill up your server if
# too many packets from different hosts were blocked.
# Also, this makes only limited sense with onehost mode set to true.
# If you set this option after having used fwanalog, some hosts won't be
# linked in the report. You can create a report for a host with the
# "-a <IP-address>" command line option.
sep_packets=true
# Like sep_hosts, but for blocked packets.
# The corresponding command line option is "-p <packet>"
# Program invocations - add path if needed
analog="analog"
# Full pathname if you need, or "nice analog" if you want to de-priorize it
date="date"
# should be GNU date or one which can print the timezone.
# see "timezone" below
grep="grep"
# should be GNU grep
egrep="egrep"
# should be GNU egrep
zegrep="zegrep"
# this is just a shellscript on most systems. If you don't
# have it, copy it from another Unix-lookalike.
gzcat="zcat"
# needed only on OpenBSD 3.x
sed="sed"
timezone=`$date +%z`
# Which timezone the server is in. Correct if the server fwanalog runs on
# is not in the timezone the firewall is in.
# The %z option of date is supported on GNU/Linux and OpenBSD,
# but apparently NOT on FreeBSD so you will have to insert your
# timezone difference (e.g. -0500) yourself or use GNU date.

Thank you, Gian G. Spicuzza
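The post's own config has both sep_hosts and sep_packets enabled, which its comments warn can fill the disk, and an analog.err of several gigabytes sitting on the same 5GB /var. The wrapper below is an added example, not part of the original post and not fwanalog's own code: it is meant to replace the bare fwanalog.sh call in the cron job, rotates analog.err once it grows past a cap, and refuses to start a run when the filesystem is already nearly full. The error-log path, the fwanalog.sh path and both thresholds are assumptions; adjust them to the installation.

```shell
#!/bin/sh
# Added guard wrapper for the fwanalog cron job (example code, not fwanalog's).
# Assumed locations and thresholds; override via the environment.
ERRLOG="${ERRLOG:-/var/www/htdocs/firewall/analog.err}"   # assumed analog.err path
FWANALOG="${FWANALOG:-/usr/local/bin/fwanalog.sh}"        # assumed fwanalog.sh path
MAX_ERR_KB="${MAX_ERR_KB:-10240}"   # rotate the error log once it passes 10 MB
MAX_USED_PCT="${MAX_USED_PCT:-80}"  # do not start a run when the fs is this full

# Percentage of the filesystem holding $1 that is in use (POSIX df -P output).
fs_used_pct() {
    df -P "$1" | awk 'NR == 2 { sub("%", "", $5); print $5 }'
}

# Size of file $1 in kB; 0 when the file does not exist.
file_kb() {
    [ -f "$1" ] || { echo 0; return; }
    du -k "$1" | awk '{ print $1 }'
}

# Decision helper: prints "run" when used% ($1) is below the limit ($2), else "skip".
should_run() {
    [ "$1" -lt "$2" ] && echo run || echo skip
}

# Keep one previous copy of the error log and start a fresh, empty one when
# it is larger than $2 kB. Prints "rotated" or "kept".
rotate_if_large() {
    if [ "$(file_kb "$1")" -gt "$2" ]; then
        mv -f "$1" "$1.1" && : > "$1"
        echo rotated
    else
        echo kept
    fi
}

main() {
    dir=$(dirname "$ERRLOG")
    used=$(fs_used_pct "$dir")
    if [ "$(should_run "$used" "$MAX_USED_PCT")" = skip ]; then
        echo "fwanalog guard: $dir is ${used}% full, skipping this run" >&2
        exit 1
    fi
    rotate_if_large "$ERRLOG" "$MAX_ERR_KB" >/dev/null
    exec "$FWANALOG" "$@"
}

# Only hand over to fwanalog when invoked as the guard script itself.
case "${0##*/}" in
    fwanalog_guard*) main "$@" ;;
esac
```

Save it as fwanalog_guard.sh and point the cron entry at it instead of fwanalog.sh; a skipped run leaves a line in the cron mail rather than a full partition.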
This archive was generated by hypermail 2.1.8 : Mon Jan 23 2006 - 15:22:06 CET