# $Id: fwlogwatch.config,v 1.53 2004/03/23 13:09:21 bw Exp $
#
# Sample fwlogwatch configuration file
#
# The values filled in or mentioned in the description are the default values,
# you only need to uncomment an option if you change its value.
# Valid parameters to binary options are on/yes/true and off/no/false.
# Whitespace and comments are ignored anywhere in the file, case does not
# matter.
#
# Settings that are active (uncommented) in this copy of the file:
# input, parser, pidfile, alert_threshold, server_status, bind_to,
# listen_port, status_user, status_password and refresh. Every other option
# is left at the default documented next to it.


### Include files ###
# The option 'include_file' can be used to include external configuration
# files.
#
#include_file =


### Global options ###
# Use 'verbose' if you want extra information and log messages.
# Use it twice for even more info. fwlogwatch is quiet by default.
# Command line option: -v[v]
#
# (The line is shown twice below presumably because the option may be given
# twice, like -vv; both are commented out here.)
#verbose = no
#verbose = no

# Use 'resolve_hosts' if you want IP addresses looked up in the DNS (output
# will be slower).
# 'resolve_services' enables lookup of port numbers in /etc/services.
# Command line options: -n / -N
#
#resolve_hosts = no
#resolve_services = no

# Specify the input file(s) if you don't want to use the default. Use one line
# for each file. Compressed files (gzip) are supported. You can use '-' for
# standard input (stdin). In realtime response mode the daemon needs the
# absolute path to the file.
# Command line option: [file(s)]
#
#input = /var/log/messages
# Active setting: replaces the /var/log/messages default with this single log
# file, given as an absolute path as realtime response mode requires.
input = /var/log/ulog/syslogemu.log


### Evaluation options ###
# You can select which parsers you want to use if you don't want fwlogwatch
# to check for all known log formats. You can choose one or a combination
# of:
#
# i ipchains
# n netfilter
# f ipfilter
# c Cisco IOS
# p Cisco PIX
# e NetScreen
# w Windows XP
# l Elsa Lancom
# s Snort
#
# Command line option: -P <format>
#
#parser = infcp

# Active setting: only the netfilter parser ('n') is selected instead of the
# default combination above.
parser = n

# The following six options define which criteria will be considered when
# comparing logged packets. You can turn off the source or destination IP
# address distinction ('src_ip'/'dst_ip') or activate the protocol, source
# and destination port and TCP option distinction
# ('protocol'/'src_port'/'dst_port'/'tcp_opts').
# Command line options: -S / -D / -p / -s / -d / -y
#
#src_ip = on
#dst_ip = on
#protocol = off
#src_port = off
#dst_port = off
#tcp_opts = off

# The following eight options permit to select and/or exclude certain
# hosts or ports. Rules can be added and combined, source and destination
# hosts and ports are differentiated, specifying networks is possible in
# CIDR format.
# Command line option: -E <format>
#
#exclude_src_host =
#exclude_src_port =
#exclude_dst_host =
#exclude_dst_port =
#include_src_host =
#include_src_port =
#include_dst_host =
#include_dst_port =

# The following four options permit to include and/or exclude chain and
# branch (target) strings such as "input", "forward", "output" and
# "accept", "deny", "pass", "block", "p", etc. Use one string per line
# without quotes. Including a string causes all others to be excluded.
# Command line option: -E <format>
#
#exclude_chain =
#include_chain =
#exclude_branch =
#include_branch =


### Sorting options ###
# Since the sort algorithm used is stable you can sort several times,
# entries that are equal for the primary criteria will be sorted by the
# next criteria. The sort string can be composed of 11 fields of the form
# 'ab' where 'a' is the sort criteria:
#
# c count
# t start time
# e end time
# z duration
# n target name
# p protocol
# b byte count
# S source host
# s source port
# D destination host
# d destination port
#
# and 'b' the order:
#
# a ascending
# d descending
#
# Sorting is done in the given sequence, so the last option is the primary
# criteria. If you don't use the 'sort_order' option the summary mode
# default 'tacd' will be used (start with the highest count, if two counts
# match list the one earlier in time first), of which 'ta' is built in, so
# if you specify an empty sort string or everything else is equal entries
# will be sorted ascending by time. In realtime response mode the default
# is 'cd'.
#
# Command line option: -O <order>
#
# No sort order is set in this file, so the per-mode defaults described above
# apply.
#sort_order =


### Output options ###
# With the option 'title' you can change the title of the summary and the
# status page and the subject of summaries sent by email.
# The default title in summary mode is 'fwlogwatch summary' and in realtime
# response mode it is 'fwlogwatch status'.
#
#title =

# With the option 'stylesheet' you can make fwlogwatch omit the inline CSS
# used to define the page colors and reference an external stylesheet.
# In summary mode the string you specify will be taken as it is and used in a
# link tag, in realtime response mode this only happens if it is an external
# URL and starts with "http", else a local file will be assumed and embedded
# at the corresponding position.
#
#stylesheet =

# With the following four options you can customize the colors of the HTML
# output (summary and realtime response status page), use the RGB value
# with '#' or directly one of the 16 basic HTML color names (aqua black
# blue fuchsia gray green lime maroon navy olive purple red silver teal
# white yellow).
#
# None of the output options are changed in this file; the defaults shown
# here apply.
#textcolor = white
#bgcolor = black
#rowcolor1 = #555555
#rowcolor2 = #333333


### Log summary mode ###
# Use 'data_amount' if you want to see the sum of total packet lengths for
# each entry (this obviously only works with log formats that contain this
# information).
# Command line option: -b
#
#data_amount = no

# Use 'start_times' and/or 'end_times' if you want to see the timestamp
# of the first and/or last logged packet of each entry.
# Command line options: -t / -e
#
#start_times = no
#end_times = no

# Use 'duration' if you want to see the time interval between the first and
# the last connection attempt of the current entry.
# Command line option: -z
#
#duration = no

# Use 'html' to enable HTML output.
# Command line option: -w
#
#html = no

# Specify the name of an output file
# Command line option: -o <file>
#
#output =

# Use 'recent' to ignore events older than a certain time (off by default).
# The default unit is seconds.
# Units: m = minutes, h = hours, d = days, w = weeks, M = months, y = years.
# Command line option: -l <time>
#
#recent =

# Use 'at_least' to hide entries that have a small number of counts (useful
# when analyzing large log files).
# Command line option: -m <count>
#
#at_least = 1

# Use 'maximum' to limit the number of entries shown (e.g. for a "top 20"),
# restricted by the 'at_least' option. Zero shows all entries.
# Command line option: -M <number>
#
#maximum = 0

# Use 'whois_lookup' if you want information about the source IP addresses
# looked up in the whois database (this is slow, please don't stress the
# registry with too many queries).
# Command line option: -W
#
# None of the summary-mode options are changed in this file.
#whois_lookup = no


### Interactive report mode ###
# Use 'interactive' to turn this mode on, a summary of entries that exceed
# the threshold will be shown first, then you will be presented with each
# report and options to modify and send it.
# Command line option: -i <count>
#
#interactive =

# Use 'sender' to specify your email address for abuse reports.
# The default is <user>@<hostname>.
# Command line option: -F <email>
#
#sender =

# Use 'recipient' to specify the email address of the abuse contact or CERT
# you want to send reports to. If used in log summary mode the summary will
# be sent to this address by email (in plain text or HTML as selected with
# the -w option and the content of the title option as subject).
# Command line option: -T <email>
#
# No recipient is set, so summaries are not emailed by this file.
#recipient =

# You can use 'cc' to send a carbon copy of the report (e.g. to you for
# your archives or a second abuse or CERT contact).
# Command line option: -C <email>
#
#cc =

# Use 'template' to specify the template file you want to use to surround
# the report if you don't want to use the default.
# The line '# insert report here' in the template will be
# replaced with the report.
# Command line option: -I <file>
#
#template = /etc/fwlogwatch.template


### Realtime response mode ###
# Use 'realtime_response' to turn this mode on. You can change the
# configuration file while fwlogwatch is running and have it reread it
# by sending the HUP signal.
# Command line option: -R
#
# NOTE(review): the mode is not enabled in this file, so the realtime
# settings below (pidfile, alert_threshold, the status web server) presumably
# only take effect when fwlogwatch is started with -R — confirm against the
# way the daemon is launched.
#realtime_response = no

# If 'ipchains_check' is activated (and the ipchains parser is selected),
# fwlogwatch will verify that ipchains rules are set up correctly.
#
#ipchains_check = no

# With the 'pidfile' option you can specify a file fwlogwatch will use to
# keep its PID so it can receive signals from scripts. If not specified it
# will not be created.
# Suggested value: /var/run/fwlogwatch.pid
#
# Active setting (the suggested value).
pidfile = /var/run/fwlogwatch.pid

# Use the 'run_as' option to make fwlogwatch capable of binding a
# privileged port and opening a protected log file as root and then (as
# daemon) change its user and group ID to a non-privileged user (a security
# feature). Please note that reopening a protected log file (e.g. after a
# kill -USR1) will not be possible once privileges are released. Also
# remember that you can use fwlogwatch without status web server or with an
# unprivileged port and with enough permissions to read a log file to run it
# entirely as user, but you will not be able to execute response scripts
# that need root privileges (e.g. to modify a firewall).
# Suggested value: nobody
#
# NOTE(review): left unset here although 'listen_port' below is set to 80,
# a privileged port. Without 'run_as' the daemon keeps whatever privileges it
# was started with for its whole lifetime, including while serving the status
# page; set it (e.g. nobody) unless response scripts need root.
#run_as =

# The option 'stateful_start' is enabled by default and causes fwlogwatch
# to read in the full log file at start and remember all entries that are
# within the 'recent' parameter (and notify and/or react to them if
# configured to do so). When disabled, fwlogwatch will jump to the end of
# the log file and start with an empty packet cache.
#
#stateful_start = yes

# Use 'alert_threshold' to define how many connections must happen (within
# the 'forget' time range) to activate an alert/response.
# Command line option: -a <count>
#
#alert_threshold = 5
# Active setting: raised from the default of 5 to 40 connections.
alert_threshold = 40

# Use the option 'recent' as in log summary mode above to control how long
# an event should be relevant. After the specified time it is forgotten and
# if another connection attempt is started it is treated as new. The default
# for 'recent' in realtime response mode is 1 day.
# Command line option: -l
#
#recent =

# The shorter 1h window below is commented out, so the 1 day default applies.
#recent = 1h

# An alert is logged to syslog by default, you can add predefined and/or
# custom notification and response functions using the fwlw_notify and
# fwlw_respond scripts that are executed if 'notify' and 'respond'
# respectively are specified here.
# Command line options: -A / -B
#
#notify = no
#respond = no

# Alternative paths for the notification and response scripts can be
# specified with the 'notification_script' and 'response_script' options.
#
#notification_script = /usr/local/sbin/fwlw_notify
#response_script = /usr/local/sbin/fwlw_respond

# Known hosts are those that will not be warned about or actions taken
# against, even if they match the alert/response criteria.
# Use 'known_host' for your trusted gateways, peers and DNS servers (this
# is an anti-spoofing measure). You can specify single IP addresses or
# networks in CIDR notation (e.g. 192.168.1.0/24).
# Command line option: -k <IP/net>
#
# No known hosts are listed here; this matters mainly once 'respond' is
# enabled, because nothing is then exempt from automatic responses.
#known_host =
#known_host =

# You can see which hosts fwlogwatch knows about and which ones it is
# watching at any time through its web interface. Use the 'server_status'
# option to activate the web server in fwlogwatch, 'bind_to' is the IP
# address of the interface to be bound (defaults to the local host, 0.0.0.0
# means all), 'listen_port' is the port it will listen on. 'listen_to'
# allows to restrict access to a single IP address. fwlogwatch will want to
# authenticate the user, that's what 'status_user' and 'status_password'
# are for. The password must be a standard Unix DES encrypted password
# including salt, you can for example use
# htpasswd -nb user password
# to generate one. Finally, 'refresh' activates automatic reloading of the
# status page, the parameter is the time in seconds.
# Command line option: -X <port>
#
#server_status = no
#bind_to = 127.0.0.1
#listen_port = 888
#listen_to =
#status_user = admin
#status_password = 2fi4nEVVz0IXo
#refresh =

# Active settings for the status web server.
# NOTE(review): the server is bound to a LAN-facing address on port 80 rather
# than the 127.0.0.1/888 defaults, and 'listen_to' is not set, so any host
# that can reach 172.20.1.254 may attempt to log in. Nothing in this file
# configures TLS for the status page, so assume the user name and password
# travel in the clear on that network unless verified otherwise.
# 'status_password' is a traditional DES crypt hash as the description above
# requires; that scheme only uses the first eight password characters and is
# cheap to brute-force. The hash is a credential that has been published
# together with this file, so change the password, regenerate the hash
# (htpasswd -nb) and keep this file readable only by the account fwlogwatch
# runs as.
server_status = yes
bind_to = 172.20.1.254
listen_port = 80
status_user = teastep
status_password = Vi4hB9jWehHKQ
refresh = 30

### Show log times mode ###
# Use this mode to display the number of lines and the time of the first and
# last entry in a log file. Unlike the summary mode report this does not show
# the time of the first and last packet log entry but the time of the first
# and last entry overall. No other action is performed. Compressed files
# (gzip) are supported. Use the command line and/or the input option to
# specify the files to show.
# Command line option: -L
#
# Note: unlike the other options this is a bare flag with no '= value' part;
# it is left disabled here.
#show_log_times


### EOF ###