The project is located here: http://fwlogwatch.inside-security.de/ and I installed the Debian version via apt-get. The firewall logs are written by apf-firewall. After checking out every option in its config file, this is a sample report I am getting, but I really only want a summary and I can't seem to get it right. I.e. look at the first entries, they look identical. I'd love to get those summarized. I can post my config file here if needed.

Code:
fwlogwatch summary
Generated Friday March 23 10:13:28 CET 2012 by root.
1775 (and 137 older than 86400 seconds) of 39649 entries in 2 input files are packet logs, 1775 have unique characteristics.
First packet log entry: Mar 22 10:18:14, last: Jan 01 01:00:00.
All entries were logged by the same host: "h1870666".
All entries have the same target: "-".
Only the top 50 entries are shown.

# chain interface proto source hostname destination hostname port service opts
1 [81018.503995] ** SDROP ** tcp 85.214.229.212 h1870666.stratoserver.net 31.184.242.127 - 80 www SYN
1 [81021.536094] ** SDROP ** tcp 85.214.229.212 h1870666.stratoserver.net 31.184.242.127 - 80 www SYN
1 [81047.626337] ** SDROP ** tcp 85.214.229.212 h1870666.stratoserver.net 31.184.242.127 - 80 www SYN
1 [81050.660093] ** SDROP ** tcp 85.214.229.212 h1870666.stratoserver.net 31.184.242.127 - 80 www SYN
1 [81134.093213] ** SDROP ** tcp 85.214.229.212 h1870666.stratoserver.net 31.184.242.127 - 80 www SYN
1 [81137.124093] ** SDROP ** tcp 85.214.229.212 h1870666.stratoserver.net 31.184.242.127 - 80 www SYN
1 [81524.648020] ** IN_TCP DROP ** eth0 tcp 74.118.195.188 tibiaredbot.com.br 85.214.229.212 h1870666.stratoserver.net 8752 - sa----
1 [81895.986463] ** IDENT ** eth0 tcp 196.41.124.211 cpanel.cybersmart.co.za 85.214.229.212 h1870666.stratoserver.net 113 auth SYN
1 [82011.656911] ** SDROP ** tcp 85.214.229.212 h1870666.stratoserver.net 31.184.242.127 - 80 www SYN
1 [82014.688094] ** SDROP ** tcp 85.214.229.212 h1870666.stratoserver.net 31.184.242.127 - 80 www SYN
1 [82213.123923] ** SDROP ** tcp 85.214.229.212 h1870666.stratoserver.net 31.184.242.127 - 80 www SYN
1 [82216.156096] ** SDROP ** tcp 85.214.229.212 h1870666.stratoserver.net 31.184.242.127 - 80 www SYN

One step ahead right now: I managed a little bit of summarization, but I'm not quite there. Have a look. Why wouldn't the first two and the second two lines be combined?