Next: Setting Up a Printer Up: System Log Configuration Previous: System Log Configuration

System Log Filtering

When the firewall boots, it starts a program called logwatch, which continuously monitors the system log and takes actions according to the log messages it encounters. The behaviour of logwatch is defined by a set of `log filters', each of which pairs a pattern (with optional repeat-count and time-of-day conditions) with one or more actions. Log filters are set up in the Log Filters Setup Screen (Figure 4.55).

Figure 4.55: The Log Filter Setup Screen [screenshot: lfltsetup.ps]

The fields in this screen are:

Pattern
The pattern to look for in the log messages. The patterns are UNIX-style regular expressions. Use the command `man regexp' for help on regular expressions if you are unfamiliar with them.

Occurring more than
These fields let you enter a repeat count and a time interval. The action is taken only when more than this number of matching messages occurs within the specified interval, so a single stray message does not trigger it.

Between
You can restrict a log filter to a particular time range if desired, by entering the start time and end time in these two fields. The start and end times are expressed in `HH:MM' format; you cannot use named time classes.

Kilobytes in and out greater than
This applies only to the log messages produced when a connection is closed, which report the amount of data transferred in each direction. The `in' and `out' values of such a message are added together, and the action is taken only if the total exceeds the number of kilobytes specified here.

Echo
Whether matching messages should be echoed to the system console, and, if so, what screen attributes should be used.

Beeps
Whether matching messages should cause the firewall to beep the speaker, and how many beeps should be issued.

Print
Whether matching messages should be echoed to the printer, if one is configured.

Mail
Whether matching messages should be mailed to the address specified in the Set Up System Logging Screen.

Shut Down Interface
Whether a matching message should cause the external interface of the firewall to be disabled.

Send Message
Whether a matching message should be sent to your pager or GSM cellular phone using the configured message service.

Shut Down Firewall
Whether a matching message should cause the firewall to shut itself down.

Add Packet Filter
Whether a matching message should cause a new IP packet filter to be added to the set of custom packet filters, blocking further access from the offending host. Note that packet filters do not affect the transparent gateway, so this is only useful if the log message is produced by a firewall component other than transparent gatewaying. Because the blocked address is taken from the log message itself, any party that can provoke a matching message can cause the address appearing in it to be blocked; choose the pattern and the repeat count so that a legitimate host (for example, a shared address behind which one user mistypes a password) is not locked out by a few stray messages.

IP Field Number
When adding a packet filter, the firewall extracts the IP address of the offending host from one of the fields of the log message. This setting determines which field is used. Each whitespace-separated character sequence in the log message is a separate field, and fields are numbered from 1 starting at the beginning of the message.

Custom Script
This can be used to add your own custom actions. You can write your own UNIX shell scripts to handle a log message match; the script is invoked with the log message, quoted as a single argument, as its last argument.

As an example of how log messages are split into fields for reference by the IP Field Number when adding packet filters, consider the following log message (shown here wrapped onto two lines):

    May  7 14:52:48 citadel logwww[3902]: http: Denied gram@gram/192.168.1.2
        the use of the http service: User authentication callback failed

The first nine fields are:

    Field  Text
      1    May
      2    7
      3    14:52:48
      4    citadel
      5    logwww[3902]:
      6    http:
      7    Denied
      8    gram@gram/192.168.1.2
      9    the

For such a message, the `IP Field Number' would be 8: the offending host's address is part of the `user@host/address' text in that field, and it is that address which the new packet filter blocks.
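To make the matching rules concrete (the Pattern, Occurring more than, Between and IP Field Number settings above, and the field splitting just shown), the following is an added Python example written for this page; it is not logwatch's own code, and its behaviour is a reconstruction of the rules as described here. Two details the page does not specify are assumptions of the example and are marked as such in the code: matches are counted per filter rather than per host, and the count restarts once the filter has fired. The sample log lines are constructed in the syslog layout shown above, with the year (which syslog timestamps omit) assumed to be 2004.

```python
import re
from collections import deque
from datetime import datetime, timedelta

# Constructed sample log in the layout shown above (not taken from a real
# firewall). Syslog timestamps carry no year; 2004 is assumed when parsing.
SAMPLE_LOG = """\
May  7 14:52:48 citadel logwww[3902]: http: Denied gram@gram/192.168.1.2 the use of the http service: User authentication callback failed
May  7 14:53:02 citadel logwww[3902]: http: Denied gram@gram/192.168.1.2 the use of the http service: User authentication callback failed
May  7 14:53:40 citadel logwww[3903]: http: Denied gram@gram/192.168.1.2 the use of the http service: User authentication callback failed
May  7 14:55:10 citadel logwww[3904]: http: Denied bob@wks7/10.0.0.5 the use of the http service: User authentication callback failed
May  7 23:10:00 citadel logwww[3905]: http: Denied gram@gram/192.168.1.2 the use of the http service: User authentication callback failed
"""

IPV4_RE = re.compile(r"(?<![\d.])(?:\d{1,3}\.){3}\d{1,3}(?![\d.])")


def fields(message):
    """Whitespace-separated fields; fields()[0] is field 1 in the numbering
    used by the IP Field Number setting."""
    return message.split()


def ip_from_field(message, field_number):
    """Return the IPv4 address inside the given 1-based field, or None.
    The field may wrap the address in other text ('gram@gram/192.168.1.2'),
    so the address is searched for within the field rather than matched whole."""
    parts = fields(message)
    if not 1 <= field_number <= len(parts):
        return None
    m = IPV4_RE.search(parts[field_number - 1])
    return m.group(0) if m else None


def message_time(message, year=2004):
    """Parse the syslog timestamp in fields 1-3 (assumed year supplied)."""
    p = fields(message)
    return datetime.strptime("%d %s %s %s" % (year, p[0], p[1], p[2]),
                             "%Y %b %d %H:%M:%S")


def _hhmm(text):
    hours, minutes = text.split(":")      # 'HH:MM' as entered on the screen
    return int(hours) * 60 + int(minutes)


class LogFilter:
    """One Log Filter Setup Screen row, reduced to its matching rules.
    Assumptions of this example: matches are counted per filter (not per
    host) and the count restarts after the filter fires."""

    def __init__(self, pattern, more_than=0, interval_seconds=0,
                 between=None, ip_field=None):
        self.pattern = re.compile(pattern)
        self.more_than = more_than
        self.interval = timedelta(seconds=interval_seconds)
        self.between = tuple(_hhmm(t) for t in between) if between else None
        self.ip_field = ip_field
        self._hits = deque()       # timestamps of matches inside the interval

    def _in_window(self, when):
        if self.between is None:
            return True
        start, end = self.between
        now = when.hour * 60 + when.minute
        if start <= end:
            return start <= now <= end
        return now >= start or now <= end      # window wraps past midnight

    def feed(self, message):
        """Examine one log message; return (fired, ip_of_offending_host)."""
        if not self.pattern.search(message):
            return False, None
        when = message_time(message)
        if not self._in_window(when):
            return False, None
        self._hits.append(when)
        while self._hits and when - self._hits[0] > self.interval:
            self._hits.popleft()               # older than the interval
        if len(self._hits) <= self.more_than:  # need MORE than the count
            return False, None
        self._hits.clear()
        ip = ip_from_field(message, self.ip_field) if self.ip_field else None
        return True, ip


def run(log_filter, log_text):
    """Feed a whole log through one filter; return the IPs it fired on."""
    fired = []
    for line in log_text.splitlines():
        triggered, ip = log_filter.feed(line)
        if triggered:
            fired.append(ip)
    return fired


if __name__ == "__main__":
    # More than two failed HTTP authentications within five minutes, during
    # working hours, would add a packet filter against the host in field 8.
    f = LogFilter(r"http: Denied .* User authentication callback failed",
                  more_than=2, interval_seconds=300,
                  between=("08:00", "18:00"), ip_field=8)
    for ip in run(f, SAMPLE_LOG):
        print("add packet filter blocking", ip)
```

Run on the constructed log, the example fires once, on the third failure from 192.168.1.2 at 14:53:40; the single failure from 10.0.0.5 never reaches the count, and the 23:10 message falls outside the Between window. Because the count is kept per filter, a burst of failures from several different hosts would still fire the filter against whichever host produced the message that crossed the threshold, which is one reason to keep the pattern specific.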

The following functions are available from this screen:

F1
Discard the changes and return to the Setup Screen
F2
Show the previous page of log filter entries
F3
Show the next page of log filter entries
F4
Clear all entries and restore the defaults
F5
Insert an entry at the current row
F6
Delete the entry at the current row
F7
View help
F8
Record the changes and return to the Setup Screen

Setting up good log filters takes time and experience. You need to become familiar with the format of the system log messages generated by the various components of the firewall before you can use log filters effectively. For this reason, the screen lets you load a default set of log filters by pressing F4. This default set only echoes messages to the console, using different screen attributes for the different types of message; it is adequate for most purposes.

If you add your own filters, do so with care, especially if the action is to shut down the firewall. Never specify this action for a log message that will be generated again after a reboot, or the firewall will simply shut down and reboot continuously. If this does happen, you will have to boot the firewall into single-user mode (by specifying `-s' at the boot prompt), fix the problem that is causing the log message, or remove the filter, and then complete the boot process.

The firewall includes a script, `/usr/local/bin/popup', which sends a NetBIOS WinPopup message to a specified host using the Samba client. This can be a very useful choice for a custom action. For example, if you have a Microsoft Windows host with the NetBIOS name `NTserver', you can have the log message pop up on that machine's display by entering `popup' as the custom action after specifying `NTserver' as the Popup Host in the Log Setup Screen.


Copyright © 2004, CEQURUX Technologies