[Logwatch] Date ranges, iptables filter

Kenneth Porter shiva@sewingwitch.com
18 May 2002 01:03:25 -0700


Just ran across DShield, the "distributed intrusion detection system",
at http://www.dshield.org/. This is a central firewall log aggregation
system that collects emailed firewall logs of various types. (I saw it
mentioned in the netfilter list while looking for any mention of
Perl-based iptables parsers.)

Of interest to Logwatch developers is the GPL'd "framework" client used
to collect Linux firewall logs. It includes Perl code to parse iptables
logs and code to match date/time ranges in log files, both of which are
missing from the current Logwatch.

The iptables parser has a pretty good filter mechanism to include or
exclude addresses, ports, or log lines matching a regex.

The date range system breaks down lines to the second for purposes of
identifying which lines were not processed on a previous run. This
should be easily adaptable to Logwatch, allowing "Yesterday" to really
mean the last 24 hours, independent of what time the scan is made.
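The two mechanisms mentioned above, an iptables log parser with include/exclude filters and a to-the-second date window that skips lines handled by a previous run, as an added example written for this post (it is not code from Logwatch or the DShield framework client, and it is in Python rather than Perl). The log lines are constructed, following the standard `KEY=VALUE` layout of the netfilter LOG target; the function and class names are my own.

```python
"""Parse iptables syslog lines, apply include/exclude filters, and select a
to-the-second time window that skips lines already handled by a previous run.
Added example; not Logwatch or DShield code."""
import re
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Syslog prefix "Mon DD HH:MM:SS host kernel:"; syslog does not log the year,
# so the caller must supply it.
TS_RE = re.compile(r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ kernel: ")
KV_RE = re.compile(r"(\w+)=(\S*)")


def parse_stamp(year, stamp):
    """Turn a syslog 'Mon DD HH:MM:SS' stamp plus a year into a datetime."""
    return datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")


def parse_line(line, year):
    """Return a record dict for a netfilter log line, or None for anything else."""
    m = TS_RE.match(line)
    if not m:
        return None                      # not a kernel message at all
    fields = dict(KV_RE.findall(line[m.end():]))
    if "SRC" not in fields or "DST" not in fields:
        return None                      # a kernel message, but not from netfilter
    return {
        "ts": parse_stamp(year, m["ts"]),
        "src": ip_address(fields["SRC"]),
        "dst": ip_address(fields["DST"]),
        "proto": fields.get("PROTO"),
        "spt": int(fields["SPT"]) if "SPT" in fields else None,
        "dpt": int(fields["DPT"]) if "DPT" in fields else None,   # None for ICMP
        "raw": line,
    }


class Filter:
    """Include/exclude rules on source networks, destination ports and a raw-line
    regex. Empty include lists mean "everything"; any matching exclude rule wins."""

    def __init__(self, include_src_nets=(), exclude_src_nets=(),
                 include_dports=(), exclude_dports=(), exclude_regex=None):
        self.include_src_nets = [ip_network(n) for n in include_src_nets]
        self.exclude_src_nets = [ip_network(n) for n in exclude_src_nets]
        self.include_dports = set(include_dports)
        self.exclude_dports = set(exclude_dports)
        self.exclude_regex = re.compile(exclude_regex) if exclude_regex else None

    def accept(self, rec):
        if any(rec["src"] in n for n in self.exclude_src_nets):
            return False
        if rec["dpt"] in self.exclude_dports:
            return False
        if self.exclude_regex and self.exclude_regex.search(rec["raw"]):
            return False
        if self.include_src_nets and not any(rec["src"] in n for n in self.include_src_nets):
            return False
        if self.include_dports and rec["dpt"] not in self.include_dports:
            return False
        return True


def select_window(records, end, hours=24, last_seen=None):
    """Keep records in (end - hours, end]; when a previous run left a high-water
    mark, keep only records strictly newer than it. Returns the kept records and
    the new high-water mark (unchanged if nothing fell in the window)."""
    floor = end - timedelta(hours=hours)
    if last_seen is not None:
        floor = max(floor, last_seen)
    window = [r for r in records if floor < r["ts"] <= end]
    mark = max((r["ts"] for r in window), default=last_seen)
    return window, mark


def process(text, year, end, flt, hours=24, last_seen=None):
    """Parse, window, then filter. The mark is taken before filtering so that a
    filtered-out line is still counted as processed."""
    records = [r for r in (parse_line(l, year) for l in text.splitlines()) if r]
    window, mark = select_window(records, end, hours, last_seen)
    return [r for r in window if flt.accept(r)], mark


# Constructed sample log: five netfilter drops, one ICMP probe, one unrelated
# kernel line and one non-kernel line.
SAMPLE_LOG = """\
May 17 00:30:00 fw kernel: IPT-DROP IN=eth0 OUT= MAC=00:0c:29:aa:bb:cc:00:50:56:dd:ee:ff:08:00 SRC=203.0.113.7 DST=192.0.2.1 LEN=60 TOS=0x00 PREC=0x00 TTL=51 ID=1 DF PROTO=TCP SPT=40000 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
May 17 03:15:10 fw kernel: IPT-DROP IN=eth0 OUT= MAC=00:0c:29:aa:bb:cc:00:50:56:dd:ee:ff:08:00 SRC=203.0.113.9 DST=192.0.2.1 LEN=48 TOS=0x00 PREC=0x00 TTL=115 ID=2 DF PROTO=TCP SPT=3344 DPT=445 WINDOW=16384 RES=0x00 SYN URGP=0
May 17 12:00:00 fw kernel: IPT-DROP IN=eth1 OUT= MAC=00:0c:29:aa:bb:cc:00:50:56:dd:ee:ff:08:00 SRC=192.0.2.50 DST=192.0.2.1 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=3 DF PROTO=TCP SPT=51000 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
May 17 12:34:56 fw sshd[123]: Accepted publickey for admin from 192.0.2.50 port 51001 ssh2
May 17 12:35:00 fw kernel: eth0: link up
May 17 23:59:59 fw kernel: IPT-DROP IN=eth0 OUT= MAC=00:0c:29:aa:bb:cc:00:50:56:dd:ee:ff:08:00 SRC=198.51.100.4 DST=192.0.2.1 LEN=48 TOS=0x00 PREC=0x00 TTL=57 ID=4 PROTO=UDP SPT=53 DPT=1234 LEN=28
May 18 00:30:00 fw kernel: IPT-DROP IN=eth0 OUT= MAC=00:0c:29:aa:bb:cc:00:50:56:dd:ee:ff:08:00 SRC=203.0.113.7 DST=192.0.2.1 LEN=60 TOS=0x00 PREC=0x00 TTL=51 ID=5 DF PROTO=TCP SPT=40001 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
May 18 01:00:00 fw kernel: IPT-DROP IN=eth0 OUT= MAC=00:0c:29:aa:bb:cc:00:50:56:dd:ee:ff:08:00 SRC=203.0.113.11 DST=192.0.2.1 LEN=84 TOS=0x00 PREC=0x00 TTL=49 ID=6 PROTO=ICMP TYPE=8 CODE=0 ID=1234 SEQ=1
"""

if __name__ == "__main__":
    flt = Filter(exclude_src_nets=["192.0.2.0/24"], exclude_regex=r"PROTO=ICMP")
    hits, mark = process(SAMPLE_LOG, 2002, parse_stamp(2002, "May 18 01:03:25"), flt)
    for r in hits:
        print(r["ts"], r["src"], "->", r["dst"], r["proto"], "dpt", r["dpt"])
    print("high-water mark for next run:", mark)
```

Two caveats follow from the syslog format rather than from the code: the stamp carries no year, so the caller has to supply one and deal with the December-to-January boundary itself, and it resolves only to the second, so a strict "newer than the high-water mark" comparison will skip lines that land in the same second as the mark but were written after the scan ran. Whether that is acceptable depends on how busy the firewall is; a rule that logs SYN floods can easily produce dozens of lines per second.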