Internet Security Professional Reference:How to Build a Firewall


Reporting Tools

The TIS Toolkit, configured as a firewall, logs every transaction and request processed by a Toolkit application, together with the outcome of that request. The messages are written through the syslog daemon (syslogd). Which files receive them is set in /etc/syslog.conf and varies from system to system. Every Toolkit application sends logging information and status messages to syslog for the lifetime of a connection, so the log records both the decision (permit or deny) and, when a session is allowed, how long it lasted and how much data moved in each direction.

You can periodically read the log files yourself, or use the reporting scripts included with the Toolkit to summarize firewall usage. Because logging goes through syslogd, every message has the standard syslog format:

Date Time hostname program[PID]: message

In the log file an entry therefore looks like this (one message per line; the long messages below are wrapped only for display):

Oct  4 02:42:14 pc ftp-gw[1763]: permit host=stargazer.unilabs.org/204.191.3.147 use of gateway

A wide variety of log messages can be displayed in the syslog file. Some of these are illustrated in the following output:

cannot connect to server 198.53.64.14/110: No route to host
cannot connect to server 198.53.64.14/110: Operation timed out
cannot connect to server nis.fonorola.net/110: Connection refused
cannot connect to server nis.fonorola.net/110: Operation timed out
cannot get our port
connect host=stargazer.unilabs.org/206.116.65.2 destination=198.53.64.14/110
connect host=unknown/206.116.65.2 destination=198.53.64.14/110
connected host=pc.unilabs.org/204.191.3.150 to nds.fonorola.net
content-type= multipart/x-mixed-replace;boundary=ThisRandomString
content-type= text/html
deny host=204.191.3.150/pc.unilabs.org connect to fox.nstn.ca
deny host=pc.unilabs.org/204.191.3.150 service=ftpd
deny host=stargazer.unilabs.org/204.191.3.147 destination=sco.sco.com
deny host=unknown/206.116.65.2 service=110
disconnect host=stargazer.unilabs.org/206.116.65.2 destination=198.53.64.14/110 in=3512 out=92 duration=8
disconnect host=unknown/206.116.65.2 destination=198.53.64.14/110 in=0 out=0 duration=75
exit host=pc.unilabs.org/204.191.3.150 dest= in=0 out=0
exit host=pc.unilabs.org/204.191.3.150 dest= in=0 out=0 user=unauth duration=2
exit host=pc.unilabs.org/204.191.3.150 dest=nds.fonorola.net in=35 out=21 user=unauth duration=37
exit host=pc.unilabs.org/204.191.3.150 dest=none in=0 out=0 user=unauth duration=14
exit host=stargazer.unilabs.org/204.191.3.147 cmds=1 in=0 out=0 user=unauth duration=2
exit host=stargazer.unilabs.org/204.191.3.147 no auth
failed to append to file (null)
failed to connect to http server iback.gif (80)
fwtksyserr: cannot display denial-msg /usr/local/etc/tn-deny.txt: No such file or directory
fwtksyserr: cannot display help file /usr/local/etc/tn-help.txt: No such file or directory
fwtksyserr: cannot display help message /usr/local/etc/rlogin-help.txt: No such file or directory
fwtksyserr: cannot display welcome /usr/local/etc/rlogin-welcome.txt: No such file or directory
fwtksyserr: cannot display welcome /usr/local/etc/tn-welcome.txt: No such file or directory
log host=stargazer.unilabs.org/206.116.65.2 protocol=HTTP cmd=dir dest=www.istar.ca path=/
log host=stargazer.unilabs.org/206.116.65.2 protocol=HTTP cmd=dir dest=iback.gif path=/
log host=stargazer.unilabs.org/206.116.65.2 protocol=HTTP cmd=get dest=www.nstn.ca path=/cgi-bin/test/tide.cgi
Network connection closed during write
permit host=pc.unilabs.org/204.191.3.150 connect to 204.191.124.252
permit host=pc.unilabs.org/204.191.3.150 connect to chrish@nds.fonorola.net
permit host=pc.unilabs.org/204.191.3.150 use of gateway
permit host=stargazer.unilabs.org/204.191.3.147 connect to mail.fonorola.net
permit host=stargazer.unilabs.org/204.191.3.147 destination=204.191.3.150
permit host=stargazer.unilabs.org/204.191.3.147 service=ftpd execute=/usr/libexec/ftpd
permit host=stargazer.unilabs.org/204.191.3.147 service=ftpd execute=/bin/cat
permit host=stargazer.unilabs.org/204.191.3.147 service=telnetd execute=/usr/libexec/telnetd
permit host=stargazer.unilabs.org/204.191.3.147 use of gateway
permit host=stargazer.unilabs.org/206.116.65.2 use of gateway (Ver p1.4 / 1)

These log messages do not represent a complete list. The only way to see a complete list of possible log messages and their exact meanings is to perform a line-by-line review of the TIS Toolkit code, and then document each item individually.
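The messages above all share one structure: the syslog prefix, an event word (permit, deny, connect, disconnect, exit, log, fwtksyserr) and a run of key=value fields. A small parser that splits a line on that structure, keys the results on the client's address and totals the in=, out= and duration= fields gives you the same kind of per-client summary the Toolkit's deny-sum.sh and ftp-summ.sh scripts print. The following is an added example written for this page, not code from the TIS Toolkit. The message texts in SAMPLE_LOG are taken from the listing above, but the timestamps, PIDs and the choice of which proxy (ftp-gw, tn-gw, netacl, plug-gw, http-gw) emitted each line are constructed for the example.

```python
import re
from collections import defaultdict

# Syslog prefix written by syslogd: "Mon DD HH:MM:SS host program[pid]: message"
SYSLOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<loghost>\S+) (?P<prog>[\w.-]+)\[(?P<pid>\d+)\]: (?P<msg>.*)$"
)
# key=value tokens inside a message (host=, destination=, in=, out=, duration=, ...)
KV_RE = re.compile(r"(\w[\w-]*)=(\S*)")
IPV4_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")

# Constructed sample: message texts come from the chapter's listing; timestamps,
# PIDs and the proxy names on each line are assumptions made for this example.
SAMPLE_LOG = """\
Oct  4 02:42:14 pc ftp-gw[1763]: permit host=stargazer.unilabs.org/204.191.3.147 use of gateway
Oct  4 02:42:15 pc ftp-gw[1763]: permit host=stargazer.unilabs.org/204.191.3.147 connect to mail.fonorola.net
Oct  4 02:42:17 pc ftp-gw[1763]: exit host=stargazer.unilabs.org/204.191.3.147 cmds=1 in=0 out=0 user=unauth duration=2
Oct  4 02:43:01 pc tn-gw[1790]: deny host=pc.unilabs.org/204.191.3.150 connect to fox.nstn.ca
Oct  4 02:43:09 pc netacl[1802]: deny host=pc.unilabs.org/204.191.3.150 service=ftpd
Oct  4 02:43:50 pc tn-gw[1805]: exit host=pc.unilabs.org/204.191.3.150 dest=nds.fonorola.net in=35 out=21 user=unauth duration=37
Oct  4 02:44:30 pc plug-gw[1811]: connect host=unknown/206.116.65.2 destination=198.53.64.14/110
Oct  4 02:45:45 pc plug-gw[1811]: disconnect host=unknown/206.116.65.2 destination=198.53.64.14/110 in=0 out=0 duration=75
Oct  4 02:46:00 pc plug-gw[1820]: deny host=unknown/206.116.65.2 service=110
Oct  4 02:46:10 pc plug-gw[1825]: connect host=stargazer.unilabs.org/206.116.65.2 destination=198.53.64.14/110
Oct  4 02:46:18 pc plug-gw[1825]: disconnect host=stargazer.unilabs.org/206.116.65.2 destination=198.53.64.14/110 in=3512 out=92 duration=8
Oct  4 02:47:00 pc http-gw[1830]: log host=stargazer.unilabs.org/206.116.65.2 protocol=HTTP cmd=get dest=www.nstn.ca path=/cgi-bin/test/tide.cgi
Oct  4 02:47:02 pc tn-gw[1834]: fwtksyserr: cannot display help file /usr/local/etc/tn-help.txt: No such file or directory
"""


def split_host(token):
    """Split a host=NAME/ADDR token into (name, addr).

    The listing shows three shapes: name/addr, addr/name and unknown/addr
    (no reverse-lookup result).  The address is the reliable half; the
    name 'unknown' is returned as None.
    """
    if not token:
        return (None, None)
    parts = token.split("/", 1)
    if len(parts) == 1:
        return (None, parts[0]) if IPV4_RE.match(parts[0]) else (parts[0], None)
    name, addr = (parts[1], parts[0]) if IPV4_RE.match(parts[0]) else (parts[0], parts[1])
    return (None if name == "unknown" else name, addr)


def parse_line(line):
    """Parse one syslog line into a record; None if it is not in the
    'Date Time hostname program[PID]: message' form."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["pid"] = int(rec["pid"])
    # The first word of the message is the event class (permit, deny, exit, ...).
    rec["event"] = (rec["msg"].split(None, 1) or [""])[0].rstrip(":")
    rec["fields"] = dict(KV_RE.findall(rec["msg"]))
    rec["name"], rec["addr"] = split_host(rec["fields"].get("host"))
    return rec


def _int(fields, key):
    """Numeric field that may be missing (e.g. 'exit ... dest= in=0 out=0')."""
    try:
        return int(fields.get(key, 0))
    except ValueError:
        return 0


def summarize(text):
    """Per-client totals of the kind deny-sum.sh / ftp-summ.sh print.

    Returns (summary, syserrs, unparsed): summary maps client address to
    counters, syserrs lists fwtksyserr messages, unparsed counts lines
    that did not match the syslog format.
    """
    summary = defaultdict(lambda: dict(permit=0, deny=0, sessions=0, requests=0,
                                       **{"in": 0, "out": 0, "duration": 0}))
    syserrs, unparsed = [], 0
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None:
            unparsed += 1
            continue
        if rec["event"] == "fwtksyserr":
            syserrs.append("%s: %s" % (rec["prog"], rec["msg"]))
            continue
        s = summary[rec["addr"] or rec["name"] or "?"]
        ev = rec["event"]
        if ev in ("permit", "deny"):
            s[ev] += 1
        elif ev == "log":                    # one http-gw request
            s["requests"] += 1
        elif ev in ("exit", "disconnect"):   # end of a proxied session
            s["sessions"] += 1
            for k in ("in", "out", "duration"):
                s[k] += _int(rec["fields"], k)
    return dict(summary), syserrs, unparsed


def deny_report(summary):
    """Lines in the style of deny-sum.sh: clients ordered by number of denials."""
    rows = sorted(summary.items(), key=lambda kv: (-kv[1]["deny"], kv[0]))
    return ["%5d  %s" % (s["deny"], addr) for addr, s in rows if s["deny"]]


if __name__ == "__main__":
    totals, errs, bad = summarize(SAMPLE_LOG)
    print("\n".join(deny_report(totals)))
    for addr in sorted(totals):
        print(addr, totals[addr])
    print("fwtksyserr messages:", len(errs), " unparsed lines:", bad)
```

Two points worth noticing when you write your own version. First, the summary is keyed on the address half of host=, not the name: the listing itself shows 206.116.65.2 logged once as unknown/206.116.65.2 and later as stargazer.unilabs.org/206.116.65.2, so a report keyed on the name would split one client across two rows (and the name is whatever reverse lookup returned at connect time). Second, fwtksyserr lines are kept apart from the traffic counters: a missing tn-deny.txt or welcome file is a configuration fault on the firewall, not client activity, and belongs in its own section of the report.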

The Toolkit includes a number of reporting tools that analyze the log records saved by the syslog service. These shell scripts, listed in table 6.18, are in the fwtk/tools/admin/reporting directory of the source tree.

Table 6.18
syslog Report Generating Scripts

Script Name        Description
-----------------  -----------------------------------------------------------
authsrv-summ.sh    Summarizes authentication server (authsrv) records
daily-report.sh    Runs the summary scripts on a daily basis
deny-sum.sh        Summarizes denied requests (the deny log messages)
ftp-summ.sh        Summarizes ftp-gw traffic
http-summ.sh       Summarizes http-gw traffic
netacl-summ.sh     Summarizes netacl accesses
smap-summ.sh       Summarizes smap e-mail records
tn-gw-summ.sh      Summarizes tn-gw and rlogin-gw traffic
weekly-report.sh   Top-level driver that calls each summary report generator

The reporting tools are not installed automatically when the Toolkit applications are compiled and installed. To install them, change to the tools/admin/reporting directory of the Toolkit source tree and run make install; this copies the scripts into the same directory in which the Toolkit applications were installed.

