File: fwlogwatch.config

# $Id: fwlogwatch.config 715 2010-10-22 14:21:15Z bw $
#
# Sample fwlogwatch configuration file
#
# The values filled in or mentioned in the description are the default values,
# you only need to uncomment an option if you change its value.
# Valid parameters to binary options are on/yes/true and off/no/false.
# Whitespace and comments are ignored anywhere in the file, case does not
# matter.


### Include files ###
# The option 'include_file' can be used to include external configuration
# files.
#
#include_file =


### Global options ###
# Use 'verbose' if you want extra information and log messages.
# Use it twice (i.e. two 'verbose' lines, as below) for even more info.
# fwlogwatch is quiet by default.
# Command line option: -v[v]
#
#verbose = no
#verbose = no

# Use 'resolve_hosts' if you want IP addresses looked up in the DNS (output
# will be slower). Keep in mind that a reverse lookup returns whatever name
# the owner of the address range chose to publish, so host names in a report
# are untrusted data, and the lookups themselves tell that DNS operator which
# addresses you are examining.
# 'resolve_services' enables lookup of port numbers in /etc/services.
# Command line options: -n / -N
#
#resolve_hosts = no
#resolve_services = no

# If your logs contain private IP addresses that are not resolvable through
# DNS but you want reports with meaningful host names you can inject your
# own list of IP/name pairs (in the same format as /etc/hosts) into the DNS
# cache with the 'dns_cache' option. fwlogwatch will not modify this file.
# Command line option: -i <file>
#
#dns_cache = /home/user/my_hosts.txt

# Specify the input file(s) if you don't want to use the default. Use one line
# for each file. Compressed files (gzip) are supported. You can use '-' for
# standard input (stdin).  In realtime response mode the daemon needs the
# absolute path to the file.
# Command line option: [file(s)]
#
#input = /var/log/messages


### Evaluation options ###
# You can select which parsers you want to use if you don't want fwlogwatch
# to check for all known log formats. You can choose one or a combination
# of:
#
# i ipchains
# n netfilter
# f ipfilter
# c Cisco IOS
# p Cisco PIX/ASA
# e NetScreen
# l Elsa Lancom
# s Snort
#
# Command line option: -P <format>
#
#parser = infcp

# The following six options define which criteria will be considered when
# comparing logged packets. You can turn off the source or destination IP
# address distinction ('src_ip'/'dst_ip') or activate the protocol, source
# and destination port and TCP option distinction
# ('protocol'/'src_port'/'dst_port'/'tcp_opts').
# Command line options: -S / -D / -p / -s / -d / -y
#
#src_ip = on
#dst_ip = on
#protocol = off
#src_port = off
#dst_port = off
#tcp_opts = off

# The following eight options let you select and/or exclude certain
# hosts or ports. Rules can be added and combined, source and destination
# hosts and ports are differentiated, and networks can be specified in
# CIDR format.
# Command line option: -E <format>
#
#exclude_src_host =
#exclude_src_port =
#exclude_dst_host =
#exclude_dst_port =
#include_src_host =
#include_src_port =
#include_dst_host =
#include_dst_port =

# The following four options let you include and/or exclude chain and
# branch (target) strings such as "input", "forward", "output" and
# "accept", "deny", "pass", "block", "p", etc. Use one string per line
# without quotes. Including a string causes all others to be excluded.
# Command line option: -E <format>
#
#exclude_chain =
#include_chain =
#exclude_branch =
#include_branch =


### Sorting options ###
# Since the sort algorithm used is stable you can sort several times,
# entries that are equal for the primary criteria will be sorted by the
# next criteria. The sort string can be composed of 11 fields of the form
# 'ab' where 'a' is the sort criteria:
#
# c count
# t start time
# e end time
# z duration
# n target name
# p protocol
# b byte count
# S source host
# s source port
# D destination host
# d destination port
#
# and 'b' the order:
#
# a ascending
# d descending
#
# Sorting is done in the given sequence, so the last option is the primary
# criteria. If you don't use the 'sort_order' option the summary mode
# default 'tacd' will be used (start with the highest count, if two counts
# match list the one earlier in time first), of which 'ta' is built in, so
# if you specify an empty sort string or everything else is equal entries
# will be sorted ascending by time. In realtime response mode the default
# is 'cd'.
#
# Command line option: -O <order>
#
#sort_order =


### Output options ###
# With the option 'title' you can change the title of the summary and the
# status page and the subject of summaries sent by email.
# The default title in summary mode is 'fwlogwatch summary' and in realtime
# response mode it is 'fwlogwatch status'.
#
#title =

# With the option 'stylesheet' you can make fwlogwatch omit the inline CSS
# used to define the page colors and reference an external stylesheet.
# In summary mode the string you specify will be taken as it is and used in a
# link tag, in realtime response mode this only happens if it is an external
# URL and starts with "http", else a local file will be assumed and embedded
# at the corresponding position.
#
#stylesheet =

# With the following four options you can customize the colors of the HTML
# output (summary and realtime response status page), use the RGB value
# with '#' or directly one of the 16 basic HTML color names (aqua black
# blue fuchsia gray green lime maroon navy olive purple red silver teal
# white yellow).
#
#textcolor = white
#bgcolor = black
#rowcolor1 = #555555
#rowcolor2 = #333333


### Log summary mode ###
# Use 'data_amount' if you want so see the sum of total packet lengths for
# each entry (this obviously only works with log formats that contain this
# information).
# Command line option: -b
#
#data_amount = no

# Use 'start_times' and/or 'end_times' if you want to see the timestamp
# of the first and/or last logged packet of each entry.
# Command line options: -t / -e
#
#start_times = no
#end_times = no

# Use 'duration' if you want to see the time interval between the first and
# the last connection attempt of the current entry.
# Command line option: -z
#
#duration = no

# Use 'html' to enable HTML output.
# Command line option: -w
#
#html = no

# Specify the name of an output file
# Command line option: -o <file>
#
#output =

# Use 'recent' to ignore events older than a certain time (off by default).
# The default unit is seconds.
# Units: m = minutes, h = hours, d = days, w = weeks, M = months, y = years.
# Command line option: -l <time>
#
#recent =

# Use 'at_least' to hide entries that have a small number of counts (useful
# when analyzing large log files).
# Command line option: -m <count>
#
#at_least = 1

# Use 'maximum' to limit the number of entries shown (e.g. for a "top 20"),
# restricted by the 'at_least' option. Zero shows all entries.
# Command line option: -M <number>
#
#maximum = 0

# Use 'whois_lookup' if you want information about the source IP addresses
# looked up in the whois database (this is slow, please don't stress the
# registry with too many queries).
# Command line option: -W
#
#whois_lookup = no

# Use 'sender' to specify your email address for abuse reports.
# The default is <user>@<hostname>.
# Command line option: -F <email>
#
#sender =

# Use 'recipient' to specify the email address of the abuse contact or CERT
# you want to send reports to. If used in log summary mode the summary will
# be sent to this address by email (in plain text or HTML as selected with
# the -w option and the content of the title option as subject).
# Command line option: -T <email>
#
#recipient =

# You can use 'cc' to send a carbon copy of the report (e.g. to you for
# your archives or a second abuse or CERT contact).
# Command line option: -C <email>
#
#cc =


### Realtime response mode ###
# Use 'realtime_response' to turn this mode on. You can change the
# configuration file while fwlogwatch is running and have it reread it
# by sending the HUP signal.
# Command line option: -R
#
#realtime_response = no

# If 'ipchains_check' is activated (and the ipchains parser is selected),
# fwlogwatch will verify that ipchains rules are set up correctly.
#
#ipchains_check = no

# With the 'pidfile' option you can specify a file fwlogwatch will use to
# keep its PID so it can receive signals from scripts. If not specified it
# will not be created.
# Suggested value: /run/fwlogwatch.pid
# (required for systemd)
#
pidfile = /run/fwlogwatch.pid

# Use the 'run_as' option to make fwlogwatch capable of binding a
# privileged port and opening a protected log file as root and then (as
# daemon) changing its user and group ID to a non-privileged user (a security
# feature). Please note that reopening a protected log file (e.g. after a
# kill -USR1) will not be possible once privileges are released. Also
# remember that you can use fwlogwatch without status web server or with an
# unprivileged port and with enough permissions to read a log file to run it
# entirely as user, but you will not be able to execute response scripts
# that need root privileges (e.g. to modify a firewall). If you do need such
# scripts, consider giving the unprivileged user only the specific command
# it needs (e.g. through sudo) rather than running the whole daemon as root.
# Suggested value: nobody
#
#run_as =

# The option 'stateful_start' is enabled by default and causes fwlogwatch
# to read in the full log file at start and remember all entries that are
# within the 'recent' parameter (and notify and/or react to them if
# configured to do so). Note that with 'respond' enabled this means events
# that are already in the log can trigger response scripts immediately at
# startup. When disabled, fwlogwatch will jump to the end of the log file
# and start with an empty packet cache.
#
#stateful_start = yes

# Use 'alert_threshold' to define how many connections must happen (within
# the 'forget' time range) to activate an alert/response.
# Command line option: -a <count>
#
#alert_threshold = 5

# Use the option 'recent' as in log summary mode above to control how long
# an event should be relevant. After the specified time it is forgotten and
# if another connection attempt is started it is treated as new. The default
# for 'recent' in realtime response mode is 1 day.
# Command line option: -l
#
#recent =

# An alert is logged to syslog by default, you can add predefined and/or
# custom notification and response functions using the fwlw_notify and
# fwlw_respond scripts that are executed if 'notify' and 'respond'
# respectively are specified here. The scripts run with the privileges
# fwlogwatch has at that moment (root unless 'run_as' is set) and act on
# addresses and ports taken from the logs, i.e. on data an attacker can
# influence, so treat their arguments as untrusted input, quote them
# carefully and never hand them unchecked to a shell.
# Command line options: -A / -B
#
#notify = no
#respond = no

# Alternative paths for the notification and response scripts can be
# specified with the 'notification_script' and 'response_script' options.
# Whichever paths you use, the scripts and the directory containing them
# should be owned by root and not writable by anyone else.
#
#notification_script = /usr/local/sbin/fwlw_notify
#response_script = /usr/local/sbin/fwlw_respond

# Known hosts are those that will not be warned about or actions taken
# against, even if they match the alert/response criteria.
# Use 'known_host' for your trusted gateways, peers and DNS servers (this
# is an anti-spoofing measure: without it an attacker could forge packets
# carrying the source address of such a host and have your own response
# scripts lock it out). You can specify single IP addresses or networks in
# CIDR notation (e.g. 192.168.1.0/24).
# Command line option: -k <IP/net>
#
#known_host =
#known_host =

# You can see which hosts fwlogwatch knows about and which ones it is
# watching at any time through its web interface. Use the 'server_status'
# option to activate the web server in fwlogwatch, 'bind_to' is the IP
# address of the interface to be bound (defaults to the local host, 0.0.0.0
# means all), 'listen_port' is the port it will listen on. 'listen_to'
# allows you to restrict access to a single IP address. fwlogwatch will want
# to authenticate the user, that's what 'status_user' and 'status_password'
# are for. The password must be a standard Unix DES crypt() password
# including salt, you can for example use
# htpasswd -nbd user password
# to generate one (the -d switch forces crypt() format, current htpasswd
# versions default to MD5; run 'htpasswd -nd user' instead to be prompted
# for the password so it does not end up in your shell history).
# Do not leave the sample 'status_password' below in place, it is a
# published default. DES crypt() only honours the first 8 characters of a
# password and is cheap to brute force, and nothing in this file provides
# transport encryption, so keep 'bind_to' on 127.0.0.1 (or at least restrict
# 'listen_to') and reach the page through an SSH tunnel or a TLS reverse
# proxy rather than exposing it directly.
# Finally, 'refresh' activates automatic reloading of the status page, the
# parameter is the time in seconds.
# Command line option: -X <port>
#
#server_status = no
#bind_to = 127.0.0.1
#listen_port = 888
#listen_to =
#status_user = admin
#status_password = 2fi4nEVVz0IXo
#refresh =


### Show log times mode ###
# Use this mode to display the number of lines and the time of the first and
# last entry in a log file. Unlike the summary mode report this does not show
# the time of the first and last packet log entry but the time of the first
# and last entry overall. No other action is performed. Compressed files
# (gzip) are supported. Use the command line and/or the 'input' option to
# specify the files to show.
# Command line option: -L
#
#show_log_times


### EOF ###