Hello all,
Quick query. Has anyone written a filter for the new WatchGuard (v7) log formats? If not, here's some info on the new format:
All logs start with:
<?xml version="1.0" encoding="UTF-8"?>
<WGLog source="WFS">
<FWConfig d="2007-02-21T16:17:04" orig="192.168.0.1" sn="707602971257B" tz=""/>
There seem to be two types of log entry:
<FWStatus d="2007-02-21T16:17:04" orig="192.168.0.1" proc_id="kernel[0]"
disp="deny" policy="default" src_ip="192.168.0.96" dst_ip="192.168.1.82"
pr="TCP" src_port="139" dst_port="4631" src_intf="eth1" dir="out" wgt="2009"
tcp_flags="ACK" pckt_len="48" ttl="127" ip_hdr_len="20"/>
<FWDeny d="2007-02-21T16:17:04" orig="192.168.0.1" policy="tcp" src_ip="192.168.0.96"
dst_ip="192.168.1.82" pr="TCP" src_port="139" dst_port="4631" type="PcktFltr"
dir="out" wgt="168" why="Denied_Service"/>
Log files then end with:
</WGLog>
So it looks like they're valid XML files, with fairly self-explanatory keys and values. I've taken a brief look over fwanalog.sh, in particular watchguard(). Is there any basic documentation out there that explains what the regexps in the function are for? I'd be happy to write support for the new-ish format if someone doesn't mind helping me along the way.
Unless of course, someone has already added support for the new format :)
Thanks,
Dave
Received on Mon Mar 19 15:56:27 2007
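Added example, not part of the post or of fwanalog: a small Python parser for the v7 format described above, using only the element and attribute names quoted in the message. It flattens FWStatus and FWDeny entries into records (FWConfig is skipped), treats an FWDeny element as a deny even though it carries no disp= attribute, and tolerates a log that is still being written (no closing </WGLog> yet). The sample log embedded in it is constructed from the quoted entries; the meaning of fields the post does not explain (wgt, type) is left alone, and the field names chosen for the records are this example's own.

```python
"""Parse WatchGuard Firebox System (WFS) v7 XML logs into flat records.

Added example, not fwanalog code. Element and attribute names come from the
entries quoted in the post; record field names are this example's own choice.
"""
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from typing import Iterator, List, Optional, Tuple

# Constructed sample: the three element kinds quoted in the post, values as
# quoted, wrapped in the WGLog root the post says every file starts with.
SAMPLE_LOG = """<?xml version="1.0" encoding="UTF-8"?>
<WGLog source="WFS">
<FWConfig d="2007-02-21T16:17:04" orig="192.168.0.1" sn="707602971257B" tz=""/>
<FWStatus d="2007-02-21T16:17:04" orig="192.168.0.1" proc_id="kernel[0]" disp="deny" policy="default" src_ip="192.168.0.96" dst_ip="192.168.1.82" pr="TCP" src_port="139" dst_port="4631" src_intf="eth1" dir="out" wgt="2009" tcp_flags="ACK" pckt_len="48" ttl="127" ip_hdr_len="20"/>
<FWDeny d="2007-02-21T16:17:04" orig="192.168.0.1" policy="tcp" src_ip="192.168.0.96" dst_ip="192.168.1.82" pr="TCP" src_port="139" dst_port="4631" type="PcktFltr" dir="out" wgt="168" why="Denied_Service"/>
</WGLog>
"""


@dataclass
class FWEvent:
    kind: str              # element name: FWStatus or FWDeny
    when: str              # d= attribute, local time (FWConfig shows tz="")
    firewall: str          # orig= : address of the Firebox that logged it
    disposition: str       # disp= on FWStatus; "deny" implied by FWDeny
    policy: str
    proto: str             # pr=
    src_ip: str
    src_port: Optional[int]
    dst_ip: str
    dst_port: Optional[int]
    direction: str         # dir=
    reason: Optional[str]  # why= (FWDeny only)


def _port(value: Optional[str]) -> Optional[int]:
    """Ports are quoted as strings; ICMP entries may have none."""
    return int(value) if value is not None and value.isdigit() else None


def parse_wglog(text: str) -> Iterator[FWEvent]:
    """Yield one FWEvent per FWStatus/FWDeny element; skip FWConfig."""
    if "</WGLog>" not in text:
        # A log still being written has the opening tag but not the close;
        # supply it so the file parses as a whole document.
        text = text.rstrip() + "\n</WGLog>\n"
    root = ET.fromstring(text)
    if root.tag != "WGLog":
        raise ValueError(f"not a WGLog document: <{root.tag}>")
    for el in root:
        if el.tag not in ("FWStatus", "FWDeny"):
            continue
        a = el.attrib
        # FWDeny carries no disp= attribute: the element name is the verdict.
        disp = a.get("disp", "deny" if el.tag == "FWDeny" else "unknown")
        yield FWEvent(
            kind=el.tag, when=a.get("d", ""), firewall=a.get("orig", ""),
            disposition=disp, policy=a.get("policy", ""), proto=a.get("pr", ""),
            src_ip=a.get("src_ip", ""), src_port=_port(a.get("src_port")),
            dst_ip=a.get("dst_ip", ""), dst_port=_port(a.get("dst_port")),
            direction=a.get("dir", ""), reason=a.get("why"),
        )


def denied_flows(text: str) -> List[Tuple[str, str, str, Optional[int]]]:
    """Unique (src_ip, dst_ip, proto, dst_port) tuples for denied packets, in log order."""
    seen: List[Tuple[str, str, str, Optional[int]]] = []
    for ev in parse_wglog(text):
        if ev.disposition != "deny":
            continue
        key = (ev.src_ip, ev.dst_ip, ev.proto, ev.dst_port)
        if key not in seen:
            seen.append(key)
    return seen


if __name__ == "__main__":
    for ev in parse_wglog(SAMPLE_LOG):
        print(f"{ev.when} {ev.kind:8} {ev.disposition:5} {ev.proto} "
              f"{ev.src_ip}:{ev.src_port} -> {ev.dst_ip}:{ev.dst_port} "
              f"{ev.direction} policy={ev.policy} why={ev.reason}")
    print(denied_flows(SAMPLE_LOG))
```

Note that the same packet shows up twice in the sample, once as FWStatus with disp="deny" and once as FWDeny with a why=; denied_flows() collapses the pair so a report does not double-count it.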
This archive was generated by hypermail 2.1.8 : Thu Apr 26 2007 - 00:22:03 CEST