
List:       sidewinder
Subject:    [Sidewinder] Logging and reporting
From:       sidewinder () adeptech ! com
Date:       2005-06-21 16:16:02
Message-ID: CE951ED6042FD747B8DFB38315B26C3009131E8B () mad00mp6 ! dot ! state ! wi ! us

We have some of our own scripts we wrote that gather up information from one
or more of the audit logs, and then report them into a separate set of
tables, but using the regular sidewinder tools.  Here is an example that
might give you some ideas.  While this one does not itself do multiple day
reports, it will hopefully give you some hints as to how you might approach
that.

Note:  Since I "sanitized" this, it's always possible that I made a small
mistake, but this started out from something we have actually run.

JRJ

#!/bin/csh
#
#       Set the time to check for records
#
set starttime=20050414123000
#
#       Set the name to use for the database -- change if you don't
#       want to wipe out an existing database
#
set mydb=myspecialdb
#
#       Delete existing database
#
cf audit delete db name=$mydb
#
#       Snag log records of the appropriate type.
#
acat -e "type AUDIT_T_NETPROBE and src_ip ###.###.###.###/24 and dst_port ppp and stime $starttime" \
    </var/log/audit.raw >/var/log/specialaudit.log
#
#	(note:  you could just go thru more logs at this point, and add it
#	into the resulting log by appending with >> instead of >)
#
#       Use the log records to generate a report
#
/usr/libexec/auditdbd  -f /var/log/specialaudit.log -d $mydb
#
#       Next run a report.  Run the output of the report thru "awk"
#       to extract the first field (source address), keep just the
#       address lines, then sort them and keep just the unique ones
#
#	(note:  In this case, we just wanted a unique list of related IP
#	addresses for the reporting period)
#
/usr/sbin/gen_reports -r probes_attempted -d $mydb |& awk '{ print $1 }' | \
    grep ###.### | sort | uniq > special.out

> Message: 1
> Date: Fri, 17 Jun 2005 12:35:52 -0600
> From: sidewinder@adeptech.com
> Subject: [Sidewinder] Logging and reporting
> To: <sidewinder@adeptech.com>
> Message-ID:
> 	<E468920210382E4AB13D074194D3B8241429FB@exbe01-den.cobizinc.net>
> Content-Type: text/plain;charset="us-ascii"
> 
> Anyone had any luck finding a way to export logs into mysql or another
> DB for reporting purposes?  I am finding the reporting capabilities very
> limited in regards to more than 1 day's worth of information.
>
> Looks like Sawmill does some stuff, but I don't want to pay for it :)
>
> Thx-
>
> Casey DeBerry
> Information Security
> CoBiz Inc.
> www.cobizinc.com
> cdeberry@cobizinc.com
> Office 303.312.3405
> Cell   303.669.8547
_______________________________________________
Sidewinder mailing list
Sidewinder@adeptech.com
http://mail.adeptech.com/mailman/listinfo/sidewinder
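An added example, not JRJ's script and not a Sidewinder tool: a POSIX sh version of the final "unique address list" step that also covers the multi-day case raised in the quoted question. It assumes each day's probes_attempted report was already saved to its own file by a run like the one above (file names and report layout are assumed, and the sample contents are constructed); it merges the files, keeps only address lines, and prints each source with the number of daily reports it appeared in.

```shell
#!/bin/sh
# Added example, not the list's script: aggregate several days of
# gen_reports output into one unique-source list with hit counts.
# Assumes each day's "probes_attempted" report was saved to its own
# file (e.g. YYYYMMDD.rpt); the Sidewinder tools are not invoked here.

# Write two constructed sample report files into directory $1.
# The layout (address first, then other report columns) is assumed,
# and the addresses are made up.
mk_samples() {
    dir=$1
    printf '%s\n' 'Source address   Port   Probes' \
        '10.1.2.3         ppp    5' \
        '10.1.2.9         ppp    1' > "$dir/20050414.rpt"
    printf '%s\n' 'Source address   Port   Probes' \
        '10.1.2.3         ppp    2' \
        '10.1.2.7         ppp    4' > "$dir/20050415.rpt"
}

# unique_sources FILE...
# Prints "count address", most frequent first, over all files given.
# Only lines whose first field is a dotted quad survive; this replaces
# the sanitised "grep ###.###" prefix match with a shape check, so the
# report header and any footer lines are dropped whatever they contain.
unique_sources() {
    cat "$@" \
    | awk '$1 ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/ { print $1 }' \
    | sort | uniq -c | sort -rn \
    | awk '{ print $1, $2 }'
}

# count_sources FILE...  -> number of distinct addresses seen
count_sources() {
    unique_sources "$@" | wc -l | tr -d ' '
}

# Stand-alone run: build the samples in a temp dir and report on both days.
if [ "${1:-}" = "--demo" ]; then
    tmp=$(mktemp -d)
    mk_samples "$tmp"
    unique_sources "$tmp"/*.rpt
    printf 'distinct sources: %s\n' "$(count_sources "$tmp"/*.rpt)"
    rm -rf "$tmp"
fi
```

Run it with `--demo` to see the merged list; in practice pass the real per-day report files to unique_sources instead.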