Debian: Building fwlogwatch from the sources

While looking for a clear log display for iptables I came across fwlogwatch. As it later turned out, it is unfortunately not suited to searching log files for errors: the product focuses on statistics and on active intervention during attacks.

Installation

Download the source archive from the homepage and extract it with tar.

http://fwlogwatch.inside-security.de/

flex and zlib are required to build fwlogwatch, so we install these two first:

root@debian-iptables1 ~/fwlogwatch/fwlogwatch-1.5 # apt-get install flex
root@debian-iptables1 ~/fwlogwatch/fwlogwatch-1.5 # apt-get install libz-dev

make should run without any errors.

root@debian-iptables1 ~/fwlogwatch/fwlogwatch-1.5 # make

Don't run "make install" yet: the man page directory it installs into is missing, so create it first:

mkdir /usr/local/share/man/man8

After that:

root@debian-iptables1 ~/fwlogwatch/fwlogwatch-1.5 # make install
install -m 0755 fwlogwatch /usr/local/sbin/fwlogwatch
install -m 0755 contrib/fwlw_notify /usr/local/sbin/fwlw_notify
install -m 0755 contrib/fwlw_respond /usr/local/sbin/fwlw_respond
install -m 0644 fwlogwatch.8 /usr/local/share/man/man8/fwlogwatch.8
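The build and install steps above as one script (an added example, not part of the original post or of the fwlogwatch project). It assumes the fwlogwatch-1.5 source directory is the current directory and that it is run as root; the /usr/local prefix is taken from the make install output above, since the Makefile, not this script, decides where files land.

```shell
#!/bin/sh
# Added example: fwlogwatch build-and-install steps from the post as one script.
# Assumes: run as root from inside the unpacked fwlogwatch-1.5 directory.
set -eu

# Install prefix used by the project's Makefile (see the make install output).
PREFIX=/usr/local

# flex and the zlib headers are needed to build fwlogwatch.
install_build_deps() {
  apt-get install -y flex libz-dev
}

# Path of the man8 directory that "make install" writes into but does not create.
man8_dir() {
  printf '%s/share/man/man8\n' "$1"
}

# Create the missing directory; without it "make install" fails halfway.
ensure_man_dir() {
  mkdir -p "$(man8_dir "$1")"
}

build_and_install() {
  make
  ensure_man_dir "$PREFIX"
  make install
  # Confirm the binary and helper scripts landed where the later steps expect them.
  test -x "$PREFIX/sbin/fwlogwatch"
  test -x "$PREFIX/sbin/fwlw_notify"
  test -x "$PREFIX/sbin/fwlw_respond"
}

# Only act when explicitly asked, so sourcing the file just defines the functions.
if [ "${1:-}" = "run" ]; then
  install_build_deps
  build_and_install
fi
```

Run it as `sh build-fwlogwatch.sh run` from the source directory; the final `test -x` lines make a half-finished install fail loudly instead of being noticed later when the CGI script cannot find the binary.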

A first quick test

root@debian-iptables1 ~/fwlogwatch/fwlogwatch-1.5 # fwlogwatch -v -v -w -o log.html -l 1d -m 2 -t -e -z -n -N -p -s -d -y /var/log/messages

If everything worked, the file log.html is now in the current directory and can be viewed in a browser.
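To show what such a summary actually computes from the raw iptables lines in /var/log/messages, here is a small source/destination tally in the spirit of the tables fwlogwatch produces, with a minimum-count threshold like fwlogwatch's -m option. This is an added example written for this post, not fwlogwatch code; the log lines are constructed sample data using documentation addresses.

```shell
#!/bin/sh
# Added example: a minimal source/destination summary over iptables log lines,
# in the spirit of the tables fwlogwatch builds. Not fwlogwatch code.
set -eu

# Write a few constructed iptables log lines (syslog format as found in
# /var/log/messages) plus one unrelated line to the file named in $1.
write_sample_log() {
  cat > "$1" <<'EOF'
Mar  3 10:00:01 fw kernel: [100.1] IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.0.2.10 DST=198.51.100.5 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=1 DF PROTO=TCP SPT=51000 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0
Mar  3 10:00:02 fw kernel: [100.2] IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.0.2.10 DST=198.51.100.5 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=2 DF PROTO=TCP SPT=51001 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0
Mar  3 10:00:03 fw kernel: [100.3] IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.0.2.10 DST=198.51.100.5 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=3 DF PROTO=TCP SPT=51002 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0
Mar  3 10:00:04 fw kernel: [100.4] IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.7 DST=198.51.100.5 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=4 DF PROTO=UDP SPT=5000 DPT=53 LEN=40
Mar  3 10:00:05 fw kernel: [100.5] IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.7 DST=198.51.100.5 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=5 DF PROTO=TCP SPT=6000 DPT=443 WINDOW=29200 RES=0x00 SYN URGP=0
Mar  3 10:00:06 fw sshd[123]: Accepted publickey for alice from 192.0.2.50 port 40000 ssh2
EOF
}

# summarize_iptables LOGFILE MINCOUNT
# Prints "COUNT SRC DST PROTO DPT" for every src/dst/proto/port tuple seen at
# least MINCOUNT times (like fwlogwatch's -m threshold), busiest first.
summarize_iptables() {
  awk -v min="${2:-1}" '
    /kernel:/ && /SRC=/ && /DST=/ {
      src = ""; dst = ""; proto = "-"; dpt = "-"
      for (i = 1; i <= NF; i++) {
        n = split($i, kv, "=")
        if (n < 2) continue            # not a KEY=VALUE field
        if (kv[1] == "SRC") src = kv[2]
        else if (kv[1] == "DST") dst = kv[2]
        else if (kv[1] == "PROTO") proto = kv[2]
        else if (kv[1] == "DPT") dpt = kv[2]
      }
      if (src != "" && dst != "") count[src " " dst " " proto " " dpt]++
    }
    END {
      for (k in count) if (count[k] >= min) print count[k], k
    }' "$1" | LC_ALL=C sort -k1,1nr -k2
}

# top_sources LOGFILE
# Total matched packets per source address, busiest first.
top_sources() {
  awk '/kernel:/ && /SRC=/ {
      for (i = 1; i <= NF; i++)
        if (substr($i, 1, 4) == "SRC=") hits[substr($i, 5)]++
    }
    END { for (s in hits) print hits[s], s }' "$1" | LC_ALL=C sort -k1,1nr -k2
}

# Demo run on the constructed sample when invoked as "sh summary.sh demo".
if [ "${1:-}" = "demo" ]; then
  f=$(mktemp)
  write_sample_log "$f"
  echo "== tuples seen at least twice =="; summarize_iptables "$f" 2
  echo "== packets per source =="; top_sources "$f"
  rm -f "$f"
fi
```

On the sample data the threshold of 2 keeps only the three SSH attempts from 192.0.2.10 and drops the single DNS and HTTPS hits, which is exactly the effect of raising -m when a report is drowning in one-off entries; the unrelated sshd line is ignored because it carries no kernel SRC=/DST= fields.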

Since this procedure is impractical for daily work, we use a web server together with the files in the contrib directory.

The more comfortable version

Using apache and a cgi-script:

apt-get install apache2
a2enmod cgi
mkdir /var/www/cgi-bin
mkdir /var/www/html/fwlogwatch
cp contrib/fwlogsummary.cgi /var/www/cgi-bin/

Edit /etc/apache2/conf-enabled/serve-cgi-bin.conf:

ScriptAlias /cgi-bin/ "/var/www/cgi-bin/"

<Directory "/var/www/cgi-bin/">
 Options +ExecCGI
 AddHandler cgi-script .cgi
 # Apache 2.2 access syntax; on Apache 2.4 replace the next two lines
 # with "Require all granted" (or enable mod_access_compat).
 Order allow,deny
 Allow from all
</Directory>

Restart apache:

service apache2 restart

Apache runs as the user www-data. Make sure that www-data is allowed to read /var/log/messages, otherwise only the index file is created. Bear in mind that this lets the web server process read the whole system log, so the cgi-bin and fwlogwatch directories should only be reachable by trusted clients.

Open the following URL once so that the index.html is created:

http://192.168.1.112/cgi-bin/fwlogsummary.cgi

After that only the index page is needed; the CGI script can be called from it.

http://192.168.1.112/fwlogwatch/index.html

(Screenshot: fwlogwatch report)

Example: source and destination IP addresses

(Screenshot: fwlogwatch-2)
