The number of system log messages generated by a busy firewall can be prohibitively large. The firewall provides some facilities to assist in gathering information from the system log files. These are accessible from the System Log Facilities Screen (Figure 5.1).
This screen has a number of subscreens for performing different actions upon the system log, namely:
You can optionally specify a start and end date and time range to constrain the actions to a range of log messages. By default these will be set to the current day. You can enter a range on this screen, and the values entered will be carried over to the various subscreens; however, you can also modify the dates and times in the subscreens, so you need not necessarily do it in this screen.
Pressing F1 will bring up the View Logs Screen (Figure 5.2). Apart from a date and time range, this screen lets you enter a string of characters to further constrain the set of messages; only messages containing the string will be displayed. Pressing F1 (Create) will result in the log messages being displayed on the screen, at which point you can choose to print or mail the results if you wish.
You can also enter a file name, in which case the results will be saved to this file in addition to being displayed on the screen.
F2 brings up the Log Reports Screen (Figure 5.3). This screen lets you specify the type of report you want produced, as well as how the information should be sorted. You can also constrain the information by specifying up to four strings which must match specified attributes, such as the user, the service, the destination host, and so on (the attribute to be matched is set by modifying the toggle field to the left of each string). Substring matching is used for these constraints. Some of these constraints only make sense in the context of specific report types; for example, if you specify an FTP file constraint, then this only affects an FTP summary report. You can also enter a file name, in which case the results will be saved to this file in addition to being displayed on the screen.
F3 brings up the Log Message Graphs Screen (Figure 5.4). This screen lets you generate a scatter plot of log message incidences, or a line graph depicting the number of log messages that occurred in each time period. The latter can be collated and plotted by time of day, day of week, or day of year. Day of year is usually the most sensible choice, unless the date/time range falls within a single day, in which case time of day collation will give a more detailed view. You can also restrict the log messages that are graphed by entering a string which must be matched. Log message incidence scatter plots are particularly useful for detecting time ranges during which a large amount of logging took place. You can use this to isolate portions of the system log which may require further inspection (for example, a burst of log messages containing the string 'Denied' may indicate a time period during which an attempt at breaking in to the firewall occurred).
You can also enter a file name in which case the results will be saved to this file in addition to being displayed on the screen.
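The three operations the Log Message Graphs Screen performs on the system log (restricting messages to a date/time range and a match string, collating counts by time of day, day of week or day of year, and spotting dense bands of activity) can be reproduced in a few lines of Python. The script below is an added example and is not code from the firewall or its report program; the log lines it reads are constructed in a generic "date time source: text" layout, not the firewall's own format, and the function names are the example's own.

```python
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample log lines in a generic "YYYY-MM-DD HH:MM:SS source: text" layout.
# This is NOT the firewall's own log format; it stands in for the system log here.
SAMPLE_LOG = """\
2024-03-04 09:15:02 ftp-gw: connection from 10.0.0.5 accepted
2024-03-04 09:15:09 http-gw: connection from 10.0.0.7 accepted
2024-03-04 22:41:10 http-gw: Denied connection from 192.0.2.9
2024-03-04 22:41:11 http-gw: Denied connection from 192.0.2.9
2024-03-04 22:41:12 http-gw: Denied connection from 192.0.2.9
2024-03-04 22:41:14 http-gw: Denied connection from 192.0.2.9
2024-03-05 08:02:31 ftp-gw: connection from 10.0.0.5 accepted
2024-03-05 22:41:50 telnet-gw: Denied connection from 192.0.2.9
2024-03-06 13:00:00 kernel: system rebooted
"""

TIME_FORMAT = "%Y-%m-%d %H:%M:%S"


def parse_log(text):
    """Turn raw log text into a list of (timestamp, message) tuples."""
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        stamp, message = line[:19], line[20:]
        entries.append((datetime.strptime(stamp, TIME_FORMAT), message))
    return entries


def select(entries, start=None, end=None, match=None):
    """Apply the same constraints the screen offers: start, end and a match string.
    start/end are 'YYYY-MM-DD HH:MM:SS' strings (inclusive); match is a plain substring."""
    lo = datetime.strptime(start, TIME_FORMAT) if start else None
    hi = datetime.strptime(end, TIME_FORMAT) if end else None
    kept = []
    for stamp, message in entries:
        if lo and stamp < lo:
            continue
        if hi and stamp > hi:
            continue
        if match and match not in message:
            continue
        kept.append((stamp, message))
    return kept


def collate(entries, mode):
    """Count messages per bucket. mode is 'time_of_day' (hour 0-23),
    'day_of_week' (Monday..Sunday) or 'day_of_year' (calendar date)."""
    keys = {
        "time_of_day": lambda t: t.hour,
        "day_of_week": lambda t: t.strftime("%A"),
        "day_of_year": lambda t: t.date().isoformat(),
    }
    if mode not in keys:
        raise ValueError("unknown collation mode: %r" % mode)
    return dict(Counter(keys[mode](stamp) for stamp, _ in entries))


def find_bursts(entries, window_seconds, threshold):
    """Return (start, count) for every cluster of at least `threshold` messages
    that fall within `window_seconds` of the cluster's first message. This is the
    textual equivalent of spotting a dense band on the scatter plot."""
    times = sorted(stamp for stamp, _ in entries)
    window = timedelta(seconds=window_seconds)
    bursts = []
    i = 0
    while i < len(times):
        j = i
        while j + 1 < len(times) and times[j + 1] - times[i] < window:
            j += 1
        count = j - i + 1
        if count >= threshold:
            bursts.append((times[i], count))
            i = j + 1  # skip past the cluster just reported
        else:
            i += 1
    return bursts


if __name__ == "__main__":
    entries = parse_log(SAMPLE_LOG)
    denied = select(entries, match="Denied")
    print("Denied messages per day:", collate(denied, "day_of_year"))
    for start, count in find_bursts(denied, window_seconds=60, threshold=3):
        print("burst of %d Denied messages starting %s" % (count, start))
```

Run against the constructed sample, the 'Denied' filter and day-of-year collation show four denials on 4 March and one on 5 March, and the burst finder reports the four messages within a minute on 4 March as one cluster, which is exactly the kind of band the scatter plot makes visible. Collation by day of year keeps days separate; time of day collation would merge both days' 22:00 denials into one bucket, which is why it suits a single-day range best.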
F4 brings up the Log Traffic Graphs Screen (Figure 5.5). This screen lets you generate plots of traffic levels or bandwidth utilisation (traffic level divided by time). You can enter multiple restrictions, as with the Log Reports Screen, and specify how the information should be collated and plotted (as with the Log Message Graphs Screen). The graphs can be output as crude ASCII text graphics, viewable on a text terminal, or as encapsulated PostScript files, which can be printed or incorporated in other documents. You can also enter a file name, in which case the results will be saved to this file in addition to being displayed on the screen.
System log graphs are produced in batch mode by the gnuplot plotting program.
F5 brings up the Export Traffic Data Screen (Figure 5.6). This screen lets you generate a flat ASCII file containing the important fields of log messages generated upon connection closes, separated by a user-defined field separator. The aim is to allow the data to be imported or processed by other programs if desired. You can enter multiple restrictions, as with the Log Reports Screen, to constrain which messages are exported. You can also enter a file name, in which case the results will be saved to this file in addition to being displayed on the screen.
The fields produced are, in order:
The graphs produced by gnuplot are crude but useful. For example, Figure 5.7 shows a sample log activity scatter plot. This plot gives a good visual overview of areas of heavy log activity, which could be caused by system overload, misbehaviour, or attempts at break ins. By combining the plots with the filter text string, you can plot the incidence of various events such as reboots or service denials.
These facilities can also be accessed using a normal WWW browser, via the special CEQURUX webadmin service (see Section 5.5). The various actions are carried out using the report program on the firewall. This program offers a large number of options that can be specified on the command line; using the webadmin or fwadmin front ends constrains you to a subset of its possible functions. If you find that fwadmin or the webadmin service do not allow you the power you need, you may wish to master the use of report. You can run report -? to get help on this program.