The TIS Toolkit, configured as a firewall, logs every transaction and request processed by a Toolkit application and records the outcome of each request. The log messages are written through the syslog daemon rather than to files the Toolkit manages itself, so the facility the messages arrive on and the file they end up in are governed entirely by /etc/syslog.conf and vary from system to system. Each Toolkit application sends logging information and status messages to syslog for the lifetime of the connection it handles.
You can periodically peruse the log files by hand, or use the reporting programs included with the Toolkit to search out and summarize usage of the firewall. Because the logging is performed by the syslogd service, every message observes the standard syslog format:
Date Time hostname program[PID]: message
This format appears in the log file looking like this:
Oct 4 02:42:14 pc ftp-gw[1763]: permit host=stargazer.unilabs.org/204.191.3.147 use of gateway
A wide variety of log messages can appear in the syslog file. Some of these are illustrated in the following output (the messages are shown without their syslog date, hostname and program prefix):
cannot connect to server 198.53.64.14/110: No route to host
cannot connect to server 198.53.64.14/110: Operation timed out
cannot connect to server nis.fonorola.net/110: Connection refused
cannot connect to server nis.fonorola.net/110: Operation timed out
cannot get our port
connect host=stargazer.unilabs.org/206.116.65.2 destination=198.53.64.14/110
connect host=unknown/206.116.65.2 destination=198.53.64.14/110
connected host=pc.unilabs.org/204.191.3.150 to nds.fonorola.net
content-type= multipart/x-mixed-replace;boundary=ThisRandomString
content-type= text/html
deny host=204.191.3.150/pc.unilabs.org connect to fox.nstn.ca
deny host=pc.unilabs.org/204.191.3.150 service=ftpd
deny host=stargazer.unilabs.org/204.191.3.147 destination=sco.sco.com
deny host=unknown/206.116.65.2 service=110
disconnect host=stargazer.unilabs.org/206.116.65.2 destination=198.53.64.14/110 in=3512 out=92 duration=8
disconnect host=unknown/206.116.65.2 destination=198.53.64.14/110 in=0 out=0 duration=75
exit host=pc.unilabs.org/204.191.3.150 dest= in=0 out=0
exit host=pc.unilabs.org/204.191.3.150 dest= in=0 out=0 user=unauth duration=2
exit host=pc.unilabs.org/204.191.3.150 dest=nds.fonorola.net in=35 out=21 user=unauth duration=37
exit host=pc.unilabs.org/204.191.3.150 dest=none in=0 out=0 user=unauth duration=14
exit host=stargazer.unilabs.org/204.191.3.147 cmds=1 in=0 out=0 user=unauth duration=2
exit host=stargazer.unilabs.org/204.191.3.147 no auth
failed to append to file (null)
failed to connect to http server iback.gif (80)
fwtksyserr: cannot display denial-msg /usr/local/etc/tn-deny.txt: No such file or directory
fwtksyserr: cannot display help file /usr/local/etc/tn-help.txt: No such file or directory
fwtksyserr: cannot display help message /usr/local/etc/rlogin-help.txt: No such file or directory
fwtksyserr: cannot display welcome /usr/local/etc/rlogin-welcome.txt: No such file or directory
fwtksyserr: cannot display welcome /usr/local/etc/tn-welcome.txt: No such file or directory
log host=stargazer.unilabs.org/206.116.65.2 protocol=HTTP cmd=dir dest=www.istar.ca path=/
log host=stargazer.unilabs.org/206.116.65.2 protocol=HTTP cmd=dir dest=iback.gif path=/
log host=stargazer.unilabs.org/206.116.65.2 protocol=HTTP cmd=get dest=www.nstn.ca path=/cgi-bin/test/tide.cgi
Network connection closed during write
permit host=pc.unilabs.org/204.191.3.150 connect to 204.191.124.252
permit host=pc.unilabs.org/204.191.3.150 connect to chrish@nds.fonorola.net
permit host=pc.unilabs.org/204.191.3.150 use of gateway
permit host=stargazer.unilabs.org/204.191.3.147 connect to mail.fonorola.net
permit host=stargazer.unilabs.org/204.191.3.147 destination=204.191.3.150
permit host=stargazer.unilabs.org/204.191.3.147 service=ftpd execute=/usr/libexec/ftpd
permit host=stargazer.unilabs.org/204.191.3.147 service=ftpd execute=/bin/cat
permit host=stargazer.unilabs.org/204.191.3.147 service=telnetd execute=/usr/libexec/telnetd
permit host=stargazer.unilabs.org/204.191.3.147 use of gateway
permit host=stargazer.unilabs.org/206.116.65.2 use of gateway (Ver p1.4 / 1)
Note that the host= field is not written consistently: most gateways log it as name/address, but some messages show address/name, and a host whose address does not resolve appears as unknown/address. Any tool that keys on the source host must allow for all three forms.
These log messages do not represent a complete list. The only way to see a complete list of possible log messages and their exact meanings is to perform a line-by-line review of the TIS Toolkit source code and document each message individually.
The Toolkit includes a number of reporting tools that can be used to analyze the log records saved by the syslog service. These shell scripts, listed in table 6.18, are in the fwtk/tools/admin/reporting directory.
Script Name | Description |
---|---|
authsrv-summ.sh | Summarizes auth server reports |
daily-report.sh | Runs the report scripts on a daily basis |
deny-sum.sh | Reports on denial of services |
ftp-summ.sh | Summarizes ftp-gw traffic |
http-summ.sh | Summarizes the http-gw traffic |
netacl-summ.sh | Summarizes netacl accesses |
smap-summ.sh | Summarizes smap e-mail records |
tn-gw-summ.sh | Summarizes tn-gw and rlogin-gw traffic |
weekly-report.sh | Top-level driver that calls each summary report generator |
The reporting tools included in the TIS Toolkit are not installed automatically when the Toolkit applications are compiled and installed. They must be installed afterwards by changing to the tools/admin/reporting directory and running the make install command. This copies the scripts into the same directory in which the Toolkit applications were installed.
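The log format and message inventory above, and the summary scripts in table 6.18, are easiest to understand with a small parser that does the same job over sample records. The following is an added example, not code from the Toolkit or from this book: it parses syslog lines in the Date Time hostname program[PID]: message form, extracts the key=value fields, normalizes the three spellings of the host= field noted above, and produces the kind of per-host deny count and per-gateway byte totals that deny-sum.sh and the *-summ.sh scripts report. The sample log lines are constructed for the example, reusing host names and addresses from the messages shown on this page; the deny-burst threshold and window are assumptions chosen for illustration.

```python
"""Parse TIS FWTK syslog records and summarize them (added example)."""
import re
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample records in the syslog format shown on this page.
SAMPLE_LOG = """\
Oct  4 02:42:14 pc ftp-gw[1763]: permit host=stargazer.unilabs.org/204.191.3.147 use of gateway
Oct  4 02:42:15 pc ftp-gw[1763]: permit host=stargazer.unilabs.org/204.191.3.147 destination=204.191.3.150
Oct  4 02:43:02 pc ftp-gw[1763]: exit host=stargazer.unilabs.org/204.191.3.147 cmds=1 in=0 out=0 user=unauth duration=2
Oct  4 02:45:11 pc tn-gw[1790]: deny host=pc.unilabs.org/204.191.3.150 destination=sco.sco.com
Oct  4 02:45:12 pc netacl[1791]: deny host=pc.unilabs.org/204.191.3.150 service=ftpd
Oct  4 02:45:13 pc plug-gw[1792]: deny host=unknown/206.116.65.2 service=110
Oct  4 02:45:14 pc tn-gw[1794]: deny host=204.191.3.150/pc.unilabs.org connect to fox.nstn.ca
Oct  4 02:46:30 pc plug-gw[1793]: connect host=stargazer.unilabs.org/206.116.65.2 destination=198.53.64.14/110
Oct  4 02:46:38 pc plug-gw[1793]: disconnect host=stargazer.unilabs.org/206.116.65.2 destination=198.53.64.14/110 in=3512 out=92 duration=8
Oct  4 02:47:00 pc http-gw[1801]: log host=stargazer.unilabs.org/206.116.65.2 protocol=HTTP cmd=get dest=www.nstn.ca path=/cgi-bin/test/tide.cgi
Oct  4 02:47:05 pc plug-gw[1805]: cannot connect to server 198.53.64.14/110: No route to host
"""

# Date Time hostname program[PID]: message
SYSLOG_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2})\s+(?P<day>\d{1,2})\s+(?P<time>\d\d:\d\d:\d\d)\s+"
    r"(?P<host>\S+)\s+(?P<prog>[\w.-]+)\[(?P<pid>\d+)\]:\s*(?P<msg>.*)$"
)
KV_RE = re.compile(r"(\w+)=(\S*)")            # key=value pairs; value may be empty (dest=)
IPV4_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")
ACTIONS = {"permit", "deny", "connect", "connected", "disconnect", "exit", "log"}


def split_host(value):
    """host= is name/address, address/name, or unknown/address: return (name, ip)."""
    parts = value.split("/", 1)
    if len(parts) == 1:
        return (parts[0], parts[0]) if IPV4_RE.match(parts[0]) else (parts[0], None)
    a, b = parts
    return (b, a) if IPV4_RE.match(a) else (a, b)


def parse_line(line):
    """Return a record dict for one syslog line, or None if it is not one."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    msg = m["msg"]
    first = msg.split(None, 1)[0] if msg else ""
    rec = {
        # syslog carries no year; strptime defaults to 1900, fine for same-day windows
        "ts": datetime.strptime(f"{m['mon']} {m['day']} {m['time']}", "%b %d %H:%M:%S"),
        "gw": m["prog"],
        "pid": int(m["pid"]),
        "action": first if first in ACTIONS else "other",  # fwtksyserr, cannot connect, ...
        "fields": dict(KV_RE.findall(msg)),
        "src_name": None,
        "src_ip": None,
    }
    if "host" in rec["fields"]:
        rec["src_name"], rec["src_ip"] = split_host(rec["fields"]["host"])
    return rec


def parse_log(text):
    return [r for r in map(parse_line, text.splitlines()) if r]


def summarize(records):
    """deny-sum style counts per source address, and in/out bytes per gateway."""
    denies = Counter()
    bytes_by_gw = defaultdict(lambda: {"in": 0, "out": 0})
    other = 0
    for r in records:
        if r["action"] == "deny":
            denies[r["src_ip"] or r["src_name"]] += 1
        elif r["action"] in ("disconnect", "exit"):      # only these carry byte counts
            f = r["fields"]
            bytes_by_gw[r["gw"]]["in"] += int(f.get("in") or 0)
            bytes_by_gw[r["gw"]]["out"] += int(f.get("out") or 0)
        elif r["action"] == "other":
            other += 1
    return {"denies": dict(denies), "bytes": dict(bytes_by_gw), "other": other}


def deny_bursts(records, threshold=3, window_s=60):
    """Flag source addresses with >= threshold denials inside any window_s seconds.
    Threshold and window are assumed values for the example."""
    by_ip = defaultdict(list)
    for r in records:
        if r["action"] == "deny" and r["src_ip"]:
            by_ip[r["src_ip"]].append(r["ts"])
    flagged = {}
    for ip, times in by_ip.items():
        times.sort()
        start = 0
        for end in range(len(times)):                    # sliding window per source
            while (times[end] - times[start]).total_seconds() > window_s:
                start += 1
            if end - start + 1 >= threshold:
                flagged[ip] = max(flagged.get(ip, 0), end - start + 1)
    return flagged


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print(summarize(recs))
    print("deny bursts:", deny_bursts(recs))
```

The "other" bucket is worth watching as closely as the deny counts: fwtksyserr and "cannot connect" messages are how a misconfigured gateway or an unreachable internal server shows up, and none of the summary scripts in table 6.18 is aimed at them.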