Configuring the firewall for fwanalog
=====================================
- Make sure that each dropped packet is logged, only dropped packets are
  logged (however, some firewalls log this info, so fwanalog can
  distinguish them itself), and each packet is only logged once. (If you
  like precise statistics, that is.)
  Note: The lines "last line repeated X times" in some logfiles are NOT
  processed by fwanalog. I know that this leads to lower numbers of
  blocked packets but can't really do anything about it - it would be
  too hard to parse this with shellscript only. I don't think that this
  is a huge problem because if a host sends you the same packet so
  quickly it will stand out in the logs anyway.

- It is a good idea to use "--log-prefix some_info_about_the_block" with
  iptables. Because of a limitation in Analog's username parsing, you
  can't use spaces in the log prefix. (You *can* use them, but fwanalog
  will only use the prefix up to the first space. So "bad in" and
  "bad out" both become "bad". Use "bad_in" and "bad_out".)

  (Does another firewall support this? I would gladly include this
  feature for the other ones.)

- Some versions of ipf offer to resolve IP addresses and port numbers to
  hostnames and service names. You shouldn't do this with fwanalog
  because analog can do it better (and fwanalog won't work at all with
  such logs because it expects IP addresses and numeric port numbers).
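
A small Python pre-processor, added here as an example (it is not part of
fwanalog), that illustrates the two iptables hints above: it cuts a --log-prefix
at the first space the way fwanalog does, and it goes one step further than
fwanalog by expanding syslogd's "last message repeated N times" lines so the
per-host counts come out exact. The sample log lines and the field order the
regular expression assumes are constructed for this example.

```python
import re
from collections import Counter

# Assumed line shape (constructed, see SAMPLE): the text between "kernel: " and
# " IN=" is whatever --log-prefix produced, followed by the usual iptables fields.
LOG_RE = re.compile(r"kernel: (?P<prefix>.*?) ?IN=(?P<in>\S*) .*?SRC=(?P<src>\S+) "
                    r"DST=(?P<dst>\S+) .*?PROTO=(?P<proto>\S+)(?: .*?DPT=(?P<dpt>\d+))?")
REPEAT_RE = re.compile(r"last message repeated (?P<n>\d+) times")


def parse_line(line):
    """Return the fields of one iptables LOG line, or None for any other line."""
    m = LOG_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    # Like fwanalog, keep only the prefix up to its first space: "bad in" -> "bad".
    rec["prefix"] = rec["prefix"].split(" ")[0]
    return rec


def expand_repeats(lines):
    """Undo syslogd's "last message repeated N times" compression by yielding
    N extra copies of the previous line (fwanalog itself skips these lines)."""
    last = None
    for line in lines:
        m = REPEAT_RE.search(line)
        if m and last is not None:
            for _ in range(int(m.group("n"))):
                yield last
        else:
            last = line
            yield line


def count_blocks(lines):
    """Packets per (prefix, source, destination port), repeats expanded."""
    counts = Counter()
    for line in expand_repeats(lines):
        rec = parse_line(line)
        if rec:
            counts[(rec["prefix"], rec["src"], rec["dpt"])] += 1
    return counts


# Constructed sample log, not real traffic; note the prefix "bad in" with a space.
SAMPLE = [
    "Mar 18 16:34:45 gw kernel: bad in IN=eth0 OUT= SRC=192.0.2.10 DST=192.0.2.1 "
    "LEN=60 PROTO=TCP SPT=40000 DPT=23 WINDOW=5840",
    "Mar 18 16:34:46 gw last message repeated 2 times",
    "Mar 18 16:34:47 gw kernel: bad_out IN= OUT=eth0 SRC=192.0.2.1 DST=198.51.100.5 "
    "LEN=84 PROTO=ICMP TYPE=8 CODE=0",
]
```

Running count_blocks(SAMPLE) yields three packets for ("bad", "192.0.2.10", "23") and one for ("bad_out", "192.0.2.1", None); without the expansion the first count would be one, which is the undercount the note above describes.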

Alternative syslog implementations
==================================
There are some alternatives to the good old syslog and they possibly have
differing log formats.
Fwanalog doesn't support those by default because that would mean supporting X
different firewall formats multiplied by Y syslog formats and the result would
be entirely unmaintainable.
Here are a few hints on what you can do.

- Metalog: One colon (:) before the log message is missing. Find this colon in
  the regular expression of your firewall function, or pre-process your logs
  and add the colon in the right place.

How to set up syslog on a NETGEAR or ZyXEL Internet Gateway Router's ZyNOS
==========================================================================

By Matt Christian <mattc@visi.com>
Version 1.1

The below instructions assume that you are familiar with telnet and making
some Unix configuration changes.  If you aren't then you may want to ask
a knowledgeable friend for help.

1. Telnet into your router (default: 192.168.0.1 or 192.168.1.1)
  $ telnet 192.168.0.1

2. Login using your password (default: 1234)
  Password: ****

3. Navigate the following menus (type in the number and press enter/return)
  "24. System Maintenance" -> "3. Log and Trace" -> "2. UNIX Syslog"

4. You should see a menu similar to the example below:

                 Menu 24.3.2 - System Maintenance - UNIX Syslog

                    Syslog:
                    Active= No
                    Syslog IP Address=
                    Log Facility= Local 1

                    Types:
                    CDR= No
                    Packet triggered= No

                    Filter log= No
                    PPP log= No

5. Set the following information (follow prompts at bottom of screen)
   Active = Yes, Syslog IP Address = fwAnalog machine,
   Log Facility = your choice, CDR = Yes, Packet triggered = Yes,
   Filter log = Yes, PPP log = Yes

6. At the prompt, press ENTER, ESC, ESC, 99 to exit

7. On the fwAnalog machine (the IP you put in for "Syslog IP Address"),
   set up your syslog.conf to log the syslog facility (you put in for
   "Log Facility") to a log file.  For example, if you used "Local 1" then
   your syslog.conf file should contain something like the following:

local1.*                        -/var/log/router.log

8. Restart the syslogd daemon, usually by sending a SIGHUP signal to it.

9. Modify the fwanalog.opts file to pick up this log file (or files if you
   set up log rotation on this log file).

10. Enjoy!

Setting up logging for fwanalog on a Cisco PIX firewall
=======================================================

By Ric Moseley <ric@theplanet.com>

On the PIX firewall running version 6.22 I added the following commands
to turn logging on.

logging on
logging timestamp
logging console warnings
logging buffered warnings
logging trap warnings
logging history warnings
logging facility 20
logging host [<interface_name>] <ip_address> [tcp|udp/port#]

Add this to your syslog.conf on the logging host:
local4.debug                    /var/log/firewall

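To check that what the device sends actually matches the selector you put in
syslog.conf, both for the ZyNOS steps above ("Log Facility= Local 1" against
"local1.*") and for the PIX commands here ("logging facility 20" against
"local4.debug"), here is an added Python example that is not part of fwanalog
or of either vendor's documentation. It decodes the PRI field at the front of a
syslog datagram into facility and severity and tests it against a syslog.conf
selector; the sample datagrams are constructed, and the numbering follows the
standard syslog facility table (Local 1 = local1 = 17, facility 20 = local4).

```python
import re
import socket

# Standard syslog PRI encoding: PRI = 8 * facility + severity.
FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr",
              "news", "uucp", "cron", "authpriv", "ftp", "ntp", "audit",
              "alert", "clock"] + ["local%d" % i for i in range(8)]
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice",
              "info", "debug"]


def decode_pri(datagram):
    """Return (facility, severity) names from a '<PRI>...' syslog datagram."""
    m = re.match(r"<(\d{1,3})>", datagram)
    if not m or int(m.group(1)) > 191:
        raise ValueError("bad or missing PRI field: %r" % datagram[:16])
    pri = int(m.group(1))
    return FACILITIES[pri // 8], SEVERITIES[pri % 8]


def selector_matches(facility, severity, selector):
    """True if a syslog.conf selector like 'local4.debug' accepts the message.
    A level in the selector means that level and everything more severe."""
    sel_fac, sel_lvl = selector.split(".")
    if sel_fac not in ("*", facility):
        return False
    return sel_lvl == "*" or SEVERITIES.index(severity) <= SEVERITIES.index(sel_lvl)


def check_datagram(datagram, selector):
    """Decode one datagram and report whether the selector would log it."""
    fac, sev = decode_pri(datagram)
    return fac, sev, selector_matches(fac, sev, selector)


def receive_one(port=514, bufsize=2048):
    """Grab a single UDP datagram from the device (port 514 needs root)."""
    s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    s.bind(("0.0.0.0", port))
    data, peer = s.recvfrom(bufsize)
    s.close()
    return peer[0], data.decode("latin-1")


if __name__ == "__main__":
    # Constructed samples, not captured traffic: "Log Facility= Local 1" on the
    # ZyNOS router is local1 (17), "logging facility 20" on the PIX is local4.
    router = "<142>Mar 18 16:34:45 router constructed filter-log message"
    pix = "<164>Mar 18 16:34:45 pix constructed deny message"
    print(check_datagram(router, "local1.*"))   # ('local1', 'info', True)
    print(check_datagram(pix, "local4.debug"))  # ('local4', 'warning', True)
```

For a live check, replace the constructed strings with the second element returned by receive_one() while the device is sending; a False result means the facility on the device and the selector in syslog.conf disagree.
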
Setting up logging for fwanalog on a Watchguard Firebox System 6.1
==================================================================

By Ric Moseley <ric@theplanet.com>

Open up the policy manager and go to 'setup->logging'.
Choose the syslog tab and fill in the server IP and the facility.

Set up the logging host like for Cisco.


$Id: README.firewall,v 1.6 2004/03/18 16:34:45 bb Exp $
