[fwAnalog] Support for new watchguard log format

From: David Hope <dave~AT~davehope.co.uk>
Date: Mon Mar 19 2007 - 15:56:25 CET


Hello all,

Quick query. Has anyone written a filter for the new WatchGuard (v7) log formats? If not, here's some info on the new format:

All logs start with:

<?xml version="1.0" encoding="UTF-8"?>
<WGLog source="WFS">
<FWConfig d="2007-02-21T16:17:04" orig="192.168.0.1" sn="707602971257B"
tz=""/>

There seem to be two types of log entry:

<FWStatus d="2007-02-21T16:17:04" orig="192.168.0.1" proc_id="kernel[0]"
disp="deny" policy="default" src_ip="192.168.0.96" dst_ip="192.168.1.82" pr="TCP" src_port="139" dst_port="4631" src_intf="eth1" dir="out" wgt="2009" tcp_flags="ACK" pckt_len="48" ttl="127" ip_hdr_len="20"/>

<FWDeny d="2007-02-21T16:17:04" orig="192.168.0.1" policy="tcp" src_ip="192.168.0.96" dst_ip="192.168.1.82" pr="TCP" src_port="139" dst_port="4631" type="PcktFltr" dir="out" wgt="168" why="Denied_Service"/>

Log files then end with:

</WGLog>

So it looks like they're valid XML files, with fairly self-explanatory keys and values. I've taken a brief look over fwanalog.sh, in particular watchguard(). Is there any basic documentation out there that explains what the regexps in the function are for? I'd be happy to write support for the new-ish format if someone doesn't mind helping me along the way.

Unless of course, someone has already added support for the new format :)

Thanks,

Dave

Received on Mon Mar 19 15:56:27 2007
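A small parser for the v7 format described in the post, added here as an example; it is not code from the post, from WatchGuard, or from fwanalog. The element names and attributes (FWConfig, FWStatus, FWDeny, d, disp, src_ip, why and so on) are exactly those quoted above. Everything else is assumed: the sample document is constructed from the quoted elements plus one invented FWStatus with disp="allow", and treating an FWStatus with disp="deny" as a deny is a reading of the sample, not documented behaviour.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the FWConfig, FWStatus and FWDeny elements quoted in
# the post, plus one FWStatus with disp="allow" (invented, to show that
# allowed traffic is filtered out). It is not a real capture. The closing
# </WGLog> is left off on purpose, as in a log that is still being written,
# and one attribute value is wrapped over two lines, as mail clients do.
SAMPLE_LOG = """<?xml version="1.0" encoding="UTF-8"?>
<WGLog source="WFS">
<FWConfig d="2007-02-21T16:17:04" orig="192.168.0.1" sn="707602971257B" tz=""/>
<FWStatus d="2007-02-21T16:17:04" orig="192.168.0.1" proc_id="kernel[0]"
disp="deny" policy="default" src_ip="192.168.0.96" dst_ip="192.168.1.82" pr="TCP" src_port="139" dst_port="4631" src_intf="eth1" dir="out" wgt="2009" tcp_flags="ACK" pckt_len="48" ttl="127" ip_hdr_len="20"/>
<FWStatus d="2007-02-21T16:17:05" orig="192.168.0.1" proc_id="kernel[0]"
disp="allow" policy="http" src_ip="192.168.0.50" dst_ip="10.0.0.1" pr="TCP" src_port="40000" dst_port="80" src_intf="eth1" dir="out" wgt="10"/>
<FWDeny d="2007-02-21T16:17:04" orig="192.168.0.1" policy="tcp" src_ip="
192.168.0.96" dst_ip="192.168.1.82" pr="TCP" src_port="139" dst_port="4631" type="PcktFltr" dir="out" wgt="168" why="Denied_Service"/>
"""

# Attributes kept for each deny record (names as they appear in the log).
FIELDS = ("d", "orig", "policy", "src_ip", "dst_ip", "pr",
          "src_port", "dst_port", "dir")


def parse_wglog(text):
    """Return the deny records of a WGLog document as a list of dicts.

    FWDeny elements are always denies. FWStatus elements are taken as denies
    only when disp="deny"; that reading of disp is an assumption based on the
    sample, not documented behaviour. A file still being written lacks the
    closing </WGLog>, so one is appended before parsing. Attribute values are
    whitespace-normalised so a value wrapped over two lines still matches.
    """
    doc = text.strip()
    if not doc.endswith("</WGLog>"):
        doc += "\n</WGLog>"
    root = ET.fromstring(doc.encode("utf-8"))
    records = []
    for el in root:
        if el.tag == "FWDeny":
            why = el.get("why", "")
        elif el.tag == "FWStatus" and el.get("disp") == "deny":
            why = "disp=deny"
        else:
            continue  # FWConfig, allowed traffic, anything unknown
        rec = {k: " ".join(el.get(k, "").split()) for k in FIELDS}
        rec["type"] = el.tag
        rec["why"] = why
        records.append(rec)
    return records


def format_record(rec):
    """One line per deny: date, time, protocol, src, dst, reason.

    An illustrative normalised form, not fwanalog's own output format.
    """
    date, _, time = rec["d"].partition("T")
    return (f'{date} {time} deny {rec["pr"]} '
            f'{rec["src_ip"]}:{rec["src_port"]} -> '
            f'{rec["dst_ip"]}:{rec["dst_port"]} {rec["type"]}/{rec["why"]}')


if __name__ == "__main__":
    for rec in parse_wglog(SAMPLE_LOG):
        print(format_record(rec))
```

Two practical points for anyone writing the real filter. First, a proper XML parser only works on a well-formed document, so a file the firewall is still appending to (no closing </WGLog>) has to be completed or read element by element; fwanalog's existing watchguard() function works line by line with regexps, which copes with partial files and pipes but has to be kept in step with every attribute the format adds. Second, the file is written by the firewall itself, not by the hosts it logs, and Python's expat-based parser does not fetch external entities, so ElementTree is acceptable here; for XML of unknown origin, use a hardened parser such as defusedxml instead.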

This archive was generated by hypermail 2.1.8 : Thu Apr 26 2007 - 00:22:03 CEST