[Logwatch-Devel] Cisco filter - ICMP filters?

Stuart Swindells stuart.swindells at zen.co.uk
Sat Dec 18 08:21:30 MST 2004


I've been playing with the Cisco filter that was installed with logwatch
5.2.2 (installed by apt on Debian Sarge), to try to get it to do some kind
of aggregation with log entries gathered with Syslog, from my Cisco 837 ADSL
router, for ICMP, for example:

Dec 18 15:14:13 cisco 969125: 969122: Dec 18 15:13:17.575 UTC:
%IPS-4-SIGNATURE: Sig:2004 Subsig:0 Sev:2 ICMP Echo Req [82.69.156.122:0 ->
195.149.21.11:0]

Dec 18 15:14:13 cisco 969128: 969125: Dec 18 15:13:17.599 UTC:
%IPS-4-SIGNATURE: Sig:2000 Subsig:0 Sev:2 ICMP Echo Rply [195.149.21.11:0 ->
82.69.156.122:0]

Dec 18 15:11:27 cisco 969014: 969011: Dec 18 15:10:31.715 UTC:
%IPS-4-SIGNATURE: Sig:2001 Subsig:0 Sev:2 ICMP Unreachable [82.69.156.122:0
-> 61.185.28.41:0]


The addition I made to /usr/share/logwatch/scripts/services/cisco was:

   elsif ( ($interface) = ($ThisLine =~ /ICMP Echo Req: (.*)/) ) {
      $ICMP_Echo_Req{$host}{$interface}++;
   }
   elsif ( ($interface) = ($ThisLine =~ /ICMP Echo Rply: (.*)/) ) {
      $ICMP_Echo_Rep{$host}{$interface}++;
   }

Along with:

if (keys %ICMP_Echo_Req) {
   print "\nICMP Echo Request on device :\n";
   foreach $ThisOne (keys %ICMP_Echo_Req) {
      print "   " . $ThisOne . ":\n";
      foreach $ThatOne (keys %{$ICMP_Echo_Req{$ThisOne}}) {
         print "\t " . $ThatOne . "\t: " . $ICMP_Echo_Req{$ThisOne}{$ThatOne} . " Time(s)\n";
      }
   }
}

if (keys %ICMP_Echo_Rep) {
   print "\nICMP Echo Reply on device :\n";
   foreach $ThisOne (keys %ICMP_Echo_Rep) {
      print "   " . $ThisOne . ":\n";
      foreach $ThatOne (keys %{$ICMP_Echo_Rep{$ThisOne}}) {
         print "\t " . $ThatOne . "\t: " . $ICMP_Echo_Rep{$ThisOne}{$ThatOne} . " Time(s)\n";
      }
   }
}

But this doesn't work, though I could've sworn it did previously, possibly
with a different regex - in which case, which regex would be appropriate to
use?

Indeed, would there be a more appropriate way of grouping the log entries -
the above grouped by both destination and source when it worked, and I think
all that's different from the way it was set up was the "ICMP Echo Req" and
"ICMP Echo Rply" that there was before.


Thanks,

Stuart Swindells
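The three router lines quoted in the post show the ICMP signature name followed by a space and a bracketed "[src:port -> dst:port]" pair, not by a colon, so a pattern of the form "ICMP Echo Req: (.*)" has nothing to match. The following is an added stand-alone example, written in Python rather than as a logwatch Perl filter, and not part of the original post or of logwatch itself: it parses %IPS-4-SIGNATURE lines of the shape shown above, demonstrates the colon mismatch against a corrected bracket pattern, and aggregates hits per device, per signature name and per source/destination pair, which is the grouping the post describes. The sample log is constructed from the quoted lines plus one duplicated request so that a count above one appears; the function and regex names are assumptions of this example.

```python
import re

# Constructed sample: the three lines quoted in the post plus one repeated
# Echo Request, so that aggregation produces a count greater than one.
SAMPLE_LOG = """\
Dec 18 15:14:13 cisco 969125: 969122: Dec 18 15:13:17.575 UTC: %IPS-4-SIGNATURE: Sig:2004 Subsig:0 Sev:2 ICMP Echo Req [82.69.156.122:0 -> 195.149.21.11:0]
Dec 18 15:14:13 cisco 969128: 969125: Dec 18 15:13:17.599 UTC: %IPS-4-SIGNATURE: Sig:2000 Subsig:0 Sev:2 ICMP Echo Rply [195.149.21.11:0 -> 82.69.156.122:0]
Dec 18 15:11:27 cisco 969014: 969011: Dec 18 15:10:31.715 UTC: %IPS-4-SIGNATURE: Sig:2001 Subsig:0 Sev:2 ICMP Unreachable [82.69.156.122:0 -> 61.185.28.41:0]
Dec 18 15:15:02 cisco 969130: 969127: Dec 18 15:14:06.001 UTC: %IPS-4-SIGNATURE: Sig:2004 Subsig:0 Sev:2 ICMP Echo Req [82.69.156.122:0 -> 195.149.21.11:0]
"""

# The pattern from the post, kept verbatim: it expects a colon after "Req".
ORIGINAL_RE = re.compile(r"ICMP Echo Req: (.*)")

# Corrected form: the router writes a space and an opening bracket instead,
# and the closing bracket is anchored so the capture is just the flow text.
FIXED_RE = re.compile(r"ICMP Echo Req \[(.*)\]")

# Full parser for one %IPS-4-SIGNATURE line (hypothetical name for this example).
# Fields: syslog host, signature id/subsig/severity, signature name, src/dst.
IPS_RE = re.compile(
    r"^\S+ \S+ \S+ (?P<host>\S+) .*?%IPS-4-SIGNATURE: "
    r"Sig:(?P<sig>\d+) Subsig:(?P<subsig>\d+) Sev:(?P<sev>\d+) "
    r"(?P<name>ICMP [A-Za-z ]+?) "
    r"\[(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)\]$"
)


def original_pattern_matches(line):
    """True if the post's colon-based regex matches the line (it does not)."""
    return ORIGINAL_RE.search(line) is not None


def fixed_pattern_capture(line):
    """Return the 'src:port -> dst:port' text the corrected regex captures, or None."""
    m = FIXED_RE.search(line)
    return m.group(1) if m else None


def parse_ips_line(line):
    """Parse one signature line into a dict of named fields, or None if it is not one."""
    m = IPS_RE.match(line)
    return m.groupdict() if m else None


def aggregate(log_text):
    """Count hits as counts[host][signature name]['src -> dst'] -> int."""
    counts = {}
    for line in log_text.splitlines():
        fields = parse_ips_line(line)
        if fields is None:
            continue  # not an IPS signature line; ignore it
        flow = f"{fields['src']} -> {fields['dst']}"
        per_host = counts.setdefault(fields["host"], {})
        per_sig = per_host.setdefault(fields["name"], {})
        per_sig[flow] = per_sig.get(flow, 0) + 1
    return counts


def format_report(counts):
    """Render the counts in the same 'N Time(s)' style as the logwatch filter output."""
    lines = []
    for host in sorted(counts):
        for name in sorted(counts[host]):
            lines.append(f"\n{name} on device {host}:")
            for flow, n in sorted(counts[host][name].items()):
                lines.append(f"   {flow}\t: {n} Time(s)")
    return "\n".join(lines)


if __name__ == "__main__":
    first = SAMPLE_LOG.splitlines()[0]
    print("post's regex matches:", original_pattern_matches(first))
    print("corrected regex captures:", fixed_pattern_capture(first))
    print(format_report(aggregate(SAMPLE_LOG)))
```

Grouping on the "src -> dst" pair keeps the report readable when a single host sends many probes; dropping the ports from the key is deliberate, since they are always 0 for ICMP in these lines. Note also that a logwatch filter would wire the same per-host dictionary into its own print section rather than returning it, and that the real filter sees one line at a time rather than a whole string.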
