Tuesday, July 08, 2008

Script that parses FW logs?

What I'm trying to do now is create a script that will parse FW logs daily and break down how many entries each IP generated.

I want to do this first as a quick command, then leverage BASH scripting to automate this.

What I used in http://slackfiles.blogspot.com/2007/12/modsecurity-again.html apparently isn't working when trying to parse the firewall logs. I don't get it, but then again, I'm tired. I'll try again tomorrow.

The new logs look like the line below (they now land in /var/log/syslog instead of /var/log/messages, as on my old setup):

Jul 8 22:55:19 starchild kernel: BLOCKED: IN=eth0 OUT= MAC=fe:fd:40:3e:e7:dc:00:0c:db:fc:8b:59:08:00 SRC=64.47.32.59 DST=64.62.231.220 LEN=48 TOS=0x00 PREC=0x00 TTL=249 ID=39747 DF PROTO=TCP SPT=3405 DPT=445 WINDOW=16384 RES=0x00 SYN URGP=0


I may need to leverage Awk (I was close to doing this before I upgraded the server from v9.0 to v12.0).
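The per-IP breakdown the post describes, as an added example (not the blog author's script): awk pulls the SRC= field out of each BLOCKED line by name rather than by column, so it keeps working when fields like OUT= are empty or MAC= is absent, and an optional day argument restricts the count to one day's entries. The sample log is constructed for this example; note that real syslog pads single-digit days with two spaces ("Jul  8"), which the date filter allows for.

```shell
#!/bin/sh
# Added example: count firewall log entries per source IP.
# Assumes iptables LOG lines with the "BLOCKED:" prefix shown in the post,
# written to syslog. SAMPLE_LOG is constructed for this example.

SAMPLE_LOG='Jul  7 23:59:58 starchild kernel: BLOCKED: IN=eth0 OUT= MAC=fe:fd:40:3e:e7:dc:00:0c:db:fc:8b:59:08:00 SRC=64.47.32.59 DST=64.62.231.220 LEN=48 TOS=0x00 PREC=0x00 TTL=249 ID=39740 DF PROTO=TCP SPT=3390 DPT=445 WINDOW=16384 RES=0x00 SYN URGP=0
Jul  8 22:55:19 starchild kernel: BLOCKED: IN=eth0 OUT= MAC=fe:fd:40:3e:e7:dc:00:0c:db:fc:8b:59:08:00 SRC=64.47.32.59 DST=64.62.231.220 LEN=48 TOS=0x00 PREC=0x00 TTL=249 ID=39747 DF PROTO=TCP SPT=3405 DPT=445 WINDOW=16384 RES=0x00 SYN URGP=0
Jul  8 22:55:20 starchild kernel: BLOCKED: IN=eth0 OUT= MAC=fe:fd:40:3e:e7:dc:00:0c:db:fc:8b:59:08:00 SRC=64.47.32.59 DST=64.62.231.220 LEN=48 TOS=0x00 PREC=0x00 TTL=249 ID=39748 DF PROTO=TCP SPT=3406 DPT=139 WINDOW=16384 RES=0x00 SYN URGP=0
Jul  8 22:56:00 starchild kernel: eth0: link is up
Jul  8 22:57:41 starchild kernel: BLOCKED: IN=eth0 OUT= MAC=fe:fd:40:3e:e7:dc:00:0c:db:fc:8b:59:08:00 SRC=10.0.0.5 DST=64.62.231.220 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=1 DF PROTO=UDP SPT=5353 DPT=5353 LEN=40
Jul  8 23:01:02 starchild kernel: BLOCKED: IN=eth0 OUT= MAC=fe:fd:40:3e:e7:dc:00:0c:db:fc:8b:59:08:00 SRC=64.47.32.59 DST=64.62.231.220 LEN=48 TOS=0x00 PREC=0x00 TTL=249 ID=39801 DF PROTO=TCP SPT=3499 DPT=1433 WINDOW=16384 RES=0x00 SYN URGP=0'

# count_by_src [DAY]
#   Reads syslog lines on stdin and prints "count ip", busiest source first.
#   DAY (optional), e.g. "Jul 8" or the output of `date +'%b %e'`, limits the
#   count to that day's lines; any run of spaces in DAY matches one or more
#   spaces so that syslog's padded day-of-month ("Jul  8") still matches.
count_by_src() {
    day_re=""
    if [ -n "$1" ]; then
        day_re="^$(printf '%s' "$1" | sed 's/ \{1,\}/ +/') "
    fi
    awk -v day_re="$day_re" '
        # Skip lines outside the requested day (when one was given).
        day_re != "" && $0 !~ day_re { next }
        # Only count firewall LOG entries, not other kernel messages.
        /kernel: BLOCKED:/ {
            for (i = 1; i <= NF; i++)
                if ($i ~ /^SRC=/) { sub(/^SRC=/, "", $i); n[$i]++ }
        }
        END { for (ip in n) print n[ip], ip }
    ' | sort -k1,1nr -k2,2
}

# Stand-alone demo on the constructed sample: all days, then July 8 only.
printf '%s\n' "$SAMPLE_LOG" | count_by_src
echo "--- Jul 8 only ---"
printf '%s\n' "$SAMPLE_LOG" | count_by_src "Jul 8"
```

For the daily cron job the same function runs as `count_by_src "$(date +'%b %e')" < /var/log/syslog`. Two caveats when reading the numbers: SRC is whatever the sender put in the IP header, so counts attribute packets to an address, not necessarily to its owner, and if syslog is collapsing repeats into "last message repeated N times" the totals will be low.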

Stay tuned!