Advertisement
Not a member of Pastebin yet?
Sign Up,
it unlocks many cool features!
- # $Id: fwlogwatch.config,v 1.53 2004/03/23 13:09:21 bw Exp $
- #
- # Sample fwlogwatch configuration file
- #
- # The values filled in or mentioned in the description are the default values,
- # you only need to uncomment an option if you change it's value.
- # Valid parameters to binary options are on/yes/true and off/no/false.
- # Whitespace and comments are ignored anywhere in the file, case does not
- # matter.
- ### Include files ###
- # The option 'include_file' can be used to include external configuration
- # files.
- #
- #include_file =
- ### Global options ###
- # Use 'verbose' if you want extra information and log messages.
- # Use it twice for even more info. fwlogwatch is quiet by default.
- # Command line option: -v[v]
- #
- #verbose = no
- #verbose = no
- # Use 'resolve_hosts' if you want IP addresses looked up in the DNS (output
- # will be slower).
- # 'resolve_services' enables lookup of port numbers in /etc/services.
- # Command line options: -n / -N
- #
- #resolve_hosts = no
- #resolve_services = no
- # Specify the input file(s) if you don't want to use the default. Use one line
- # for each file. Compressed files (gzip) are supported. You can use '-' for
- # standard input (stdin). In realtime response mode the daemon needs the
- # absolute path to the file.
- # Command line option: [file(s)]
- #
- #input = /var/log/messages
- input = /var/log/ulog/syslogemu.log
- ### Evaluation options ###
- # You can select which parsers you want to use if you don't want fwlogwatch
- # to check for all known log formats. You can choose one or a combination
- # of:
- #
- # i ipchains
- # n netfilter
- # f ipfilter
- # c Cisco IOS
- # p Cisco PIX
- # e NetScreen
- # w Windows XP
- # l Elsa Lancom
- # s Snort
- #
- # Command line option: -P <format>
- #
- #parser = infcp
- parser = n
- # The following six options define which criteria will be considered when
- # comparing logged packets. You can turn off the source or destination IP
- # address distinction ('src_ip'/'dst_ip') or activate the protocol, source
- # and destination port and TCP option distinction
- # ('protocol'/'src_port'/'dst_port'/'tcp_opts').
- # Command line options: -S / -D / -p / -s / -d / -y
- #
- #src_ip = on
- #dst_ip = on
- #protocol = off
- #src_port = off
- #dst_port = off
- #tcp_opts = off
- # The following eight options permit to select and/or exclude certain
- # hosts or ports. Rules can be added and combined, source and destination
- # hosts and ports are differentiated, specifying networks is possible in
- # CIDR format.
- # Command line option: -E <format>
- #
- #exclude_src_host =
- #exclude_src_port =
- #exclude_dst_host =
- #exclude_dst_port =
- #include_src_host =
- #include_src_port =
- #include_dst_host =
- #include_dst_port =
- # The following four options permit to include and/or exclude chain and
- # branch (target) strings such as "input", "forward", "output" and
- # "accept", "deny", "pass", "block", "p", etc. Use one string per line
- # without quotes. Including a string causes all others to be excluded.
- # Command line option: -E <format>
- #
- #exclude_chain =
- #include_chain =
- #exclude_branch =
- #include_branch =
- ### Sorting options ###
- # Since the sort algorithm used is stable you can sort several times,
- # entries that are equal for the primary criteria will be sorted by the
- # next criteria. The sort string can be composed of 11 fields of the form
- # 'ab' where 'a' is the sort criteria:
- #
- # c count
- # t start time
- # e end time
- # z duration
- # n target name
- # p protocol
- # b byte count
- # S source host
- # s source port
- # D destination host
- # d destination port
- #
- # and 'b' the order:
- #
- # a ascending
- # d descending
- #
- # Sorting is done in the given sequence, so the last option is the primary
- # criteria. If you don't use the 'sort_order' option the summary mode
- # default 'tacd' will be used (start with the highest count, if two counts
- # match list the one earlier in time first), of which 'ta' is built in, so
- # if you specify an empty sort string or everything else is equal entries
- # will be sorted ascending by time. In realtime response mode the default
- # is 'cd'.
- #
- # Command line option: -O <order>
- #
- #sort_order =
- ### Output options ###
- # With the option 'title' you can change the title of the summary and the
- # status page and the subject of summaries sent by email.
- # The default title in summary mode is 'fwlogwatch summary' and in realtime
- # response mode it is 'fwlogwatch status'.
- #
- #title =
- # With the option 'stylesheet' you can make fwlogwatch omit the inline CSS
- # used to define the page colors and reference an external stylesheet.
- # In summary mode the string you specify will be taken as it is and used in a
- # link tag, in realtime response mode this only happens if it is an external
- # URL and starts with "http", else a local file will be assumed and embedded
- # at the corresponding position.
- #
- #stylesheet =
- # With the following four options you can customize the colors of the HTML
- # output (summary and realtime response status page), use the RGB value
- # with '#' or directly one of the 16 basic HTML color names (aqua black
- # blue fuchsia gray green lime maroon navy olive purple red silver teal
- # white yellow).
- #
- #textcolor = white
- #bgcolor = black
- #rowcolor1 = #555555
- #rowcolor2 = #333333
- ### Log summary mode ###
- # Use 'data_amount' if you want so see the sum of total packet lengths for
- # each entry (this obviously only works with log formats that contain this
- # information).
- # Command line option: -b
- #
- #data_amount = no
- # Use 'start_times' and/or 'last times' if you want to see the timestamp
- # of the first and/or last logged packet of each entry.
- # Command line options: -t / -e
- #
- #start_times = no
- #end_times = no
- # Use 'duration' if you want to see the time interval between the first and
- # the last connection attempt of the current entry.
- # Command line option: -z
- #
- #duration = no
- # Use 'html' to enable HTML output.
- # Command line option: -w
- #
- #html = no
- # Specify the name of an output file
- # Command line option: -o <file>
- #
- #output =
- # Use 'recent' to ignore events older than a certain time (off by default).
- # The default unit is seconds.
- # Units: m = minutes, h = hours, d = days, w = weeks, M = months, y = years.
- # Command line option: -l <time>
- #
- #recent =
- # Use 'at_least' to hide entries that have a small number of counts (useful
- # when analyzing large log files).
- # Command line option: -m <count>
- #
- #at_least = 1
- # Use 'maximum' to limit the number of entries shown (e.g. for a "top 20"),
- # restricted by the 'at_least' option. Zero shows all entries.
- # Command line option: -M <number>
- #
- #maximum = 0
- # Use 'whois_lookup' if you want information about the source IP addresses
- # looked up in the whois database (this is slow, please don't stress the
- # registry with too many queries).
- # Command line option: -W
- #
- #whois_lookup = no
- ### Interactive report mode ###
- # Use 'interactive' to turn this mode on, a summary of entries that exceed
- # the threshold will be shown first, then you will be presented with each
- # report and options to modify and send it.
- # Command line option: -i <count>
- #
- #interactive =
- # Use 'sender' to specify your email address for abuse reports.
- # The default is <user>@<hostname>.
- # Command line option: -F <email>
- #
- #sender =
- # Use 'recipient' to specify the email address of the abuse contact or CERT
- # you want to send reports to. If used in log summary mode the summary will
- # be sent to this address by email (in plain text or HTML as selected with
- # the -w option and the content of the title option as subject).
- # Command line option: -T <email>
- #
- #recipient =
- # You can use 'cc' to send a carbon copy of the report (e.g. to you for
- # your archives or a second abuse or CERT contact).
- # Command line option: -C <email>
- #
- #cc =
- # Use 'template' to specify the template file you want to use to surround
- # the report if you don't want to use the default.
- # The line '# insert report here' in the template will be
- # replaced with the report.
- # Command line option: -I <file>
- #
- #template = /etc/fwlogwatch.template
- ### Realtime response mode ###
- # Use 'realtime_response' to turn this mode on. You can change the
- # configuration file while fwlogwatch is running and have it reread it
- # by sending the HUP signal.
- # Command line option: -R
- #
- #realtime_response = no
- # If 'ipchains_check' is activated (and the ipchains parser is selected),
- # fwlogwatch will verify that ipchains rules are set up correctly.
- #
- #ipchains_check = no
- # With the 'pidfile' option you can specify a file fwlogwatch will use to
- # keep it's PID so it can receive signals from scripts. If not specified it
- # will not be created.
- # Suggested value: /var/run/fwlogwatch.pid
- #
- pidfile = /var/run/fwlogwatch.pid
- # Use the 'run_as' option to make fwlogwatch capable of binding a
- # privileged port and opening a protected log file as root and then (as
- # daemon) change it's user and group ID to a non-privileged user (a security
- # feature). Please note that reopening a protected log file (e.g. after a
- # kill -USR1) will not be possible once privileges are released. Also
- # remember that you can use fwlogwatch without status web server or with an
- # unprivileged port and with enough permissions to read a log file to run it
- # entirely as user, but you will not be able to execute response scripts
- # that need root privileges (e.g. to modify a firewall).
- # Suggested value: nobody
- #
- #run_as =
- # The option 'stateful_start' is enabled by default and causes fwlogwatch
- # to read in the full log file at start and remember all entries that are
- # within the 'recent' parameter (and notify and/or react to them if
- # configured to do so). When disabled, fwlogwatch will jump to the end of
- # the log file and start with an empty packet cache.
- #
- #stateful_start = yes
- # Use 'alert_threshold' to define how many connections must happen (within
- # the 'forget' time range) to activate an alert/response.
- # Command line option: -a <count>
- #
- #alert_threshold = 5
- alert_threshold = 40
- # Use the option 'recent' as in log summary mode above to control how long
- # an event should be relevant. After the specified time it is forgotten and
- # if another connection attempt is started it is treated as new. The default
- # for 'recent' in realtime response mode is 1 day.
- # Command line option: -l
- #
- #recent =
- #recent = 1h
- # An alert is logged to syslog by default, you can add predefined and/or
- # custom notification and response functions using the fwlw_notify and
- # fwlw_respond scripts that are executed if 'notify' and 'respond'
- # respectively are specified here.
- # Command line options: -A / -B
- #
- #notify = no
- #respond = no
- # Alternative paths for the notification and response scripts can be
- # specified with the 'notification_script' and 'response_script' options.
- #
- #notification_script = /usr/local/sbin/fwlw_notify
- #response_script = /usr/local/sbin/fwlw_respond
- # Known hosts are those that will not be warned about or actions taken
- # against, even if they match the alert/response criteria.
- # Use 'known_host' for your trusted gateways, peers and DNS servers (this
- # is an anti-spoofing measure). You can specify single IP addresses or
- # networks in CIDR notation (e.g. 192.168.1.0/24).
- # Command line option: -k <IP/net>
- #
- #known_host =
- #known_host =
- # You can see which hosts fwlogwatch knows about and which ones it is
- # watching at any time through it's web interface. Use the 'server_status'
- # option to activate the web server in fwlogwatch, 'bind_to' is the IP
- # address of the interface to be bound (defaults to the local host, 0.0.0.0
- # means all), 'listen_port' is the port it will listen on. 'listen_to'
- # allows to restrict access to a single IP address. fwlogwatch will want to
- # authenticate the user, that's what 'status_user' and 'status_password'
- # are for. The password must be a standard Unix DES encrypted password
- # including salt, you can for example use
- # htpasswd -nb user password
- # to generate one. Finally, 'refresh' activates automatic reloading of the
- # status page, the parameter is the time in seconds.
- # Command line option: -X <port>
- #
- #server_status = no
- #bind_to = 127.0.0.1
- #listen_port = 888
- #listen_to =
- #status_user = admin
- #status_password = 2fi4nEVVz0IXo
- #refresh =
- server_status = yes
- bind_to = 172.20.1.254
- listen_port = 80
- status_user = teastep
- status_password = Vi4hB9jWehHKQ
- refresh = 30
- ### Show log times mode ###
- # Use this mode to display the number of lines and the time of the first and
- # last entry in a log file. Unlike the summary mode report this does not show
- # the time of the first and last packet log entry but the time of the first
- # and last entry overall. No other action is performed. Compressed files
- # (gzip) are supported. Use the command line and/or the input option to
- # specify the files to show.
- # Command line option: -L
- #
- #show_log_times
- ### EOF ###
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement