From fwall-users-request Fri Dec 9 13:49:31 1994
Received: by tis.com (4.1/SUN-5.64) id AA16086; Fri, 9 Dec 94 13:32:10 EST
Received: from relay.tis.com by tis.com (4.1/SUN-5.64) id AA16082; Fri, 9 Dec 94 13:32:09 EST
Received: from cs.sandia.gov(132.175.13.2) by relay via smap (V1.3) id sma006322; Fri Dec 9 13:33:59 1994
Received: from work.cs.sandia.gov.noname by cs.sandia.gov with smtp (Smail3.1.28.1 #5) id m0rGA8W-000XQIC; Fri, 9 Dec 94 11:33 MST
Received: by work.cs.sandia.gov.noname (4.1/SMI-4.1) id AA12519; Fri, 9 Dec 94 11:33:32 MST
Date: Fri, 9 Dec 94 11:33:32 MST
From: mccurley@cs.sandia.gov (Kevin S. McCurley)
Message-Id: <9412091833.AA12519@work.cs.sandia.gov.noname>
To: fwtk-users@tis.com
Subject: X-windows GUI interface to fwtk logs
Status: RO

I have written a tcl-based X windows tool for monitoring syslog messages produced by the TIS firewall toolkit. It is completely unpolished, but other users may be interested in it. It is available from ftp.cs.sandia.gov (132.175.18.3) via anonymous ftp in the file pub/source/fwtk_watch.tar.

Kevin McCurley
Sandia National Laboratories

------------- the README file follows ----------------------

The TIS firewall toolkit can generate quite a few different log events, most of which are quite routine, but some of which are more serious:

 * signs of an attack in progress
 * a user's failed login attempts when they forget how
 * a configuration error

fwtk_watch is a tcl script tool to actively monitor such events. It provides three capabilities:

 * a GUI to monitor a logfile as it is being generated, displaying more serious events in a more noticeable color.
 * a GUI to inspect a static logfile, looking for certain patterns.
 * a GUI interface to the reporting tools provided with the TIS toolkit (e.g., netacl-summ.sh).

This code was inspired by seeing a demonstration of NERD, the Network Event Recording Device, written by David Simmons and Ronald Wilkins at Los Alamos.
I was also partly interested in how hard it was to write graphical interface code in tcl/tk for X windows displays. I have made no attempt to present the code in a polished fashion, or to make it easy to configure. The entire script is only a little over 500 lines, so most people should be able to read and understand the entire code to make appropriate modifications for their site.

The use of fwtk_watch will require several things to be installed on your system:

   tcl (I used version 7.3)
   tk (I used version 3.6)
   the addinput-3.6b modifications to tk, which require recompiling tk.

Each of these is available under the URL ftp://ftp.aud.alcatel.com/tcl.

The code for fwtk_watch is based on code for Searchbox, and includes the copyright for searchbox. The shar file containing fwtk_watch has several files included:

   fwtk_watch:      the wish script for the application
   taputils.tcl:    some utilities distributed with searchbox
   searchbox.tcl:   the searchbox code
   fileselect.tcl:  code to do a file selection dialog box

In order to access the reporting scripts of the TIS toolkit (from tools/admin/reporting) you will need to modify them to accept arguments on the command line. This is easy: for example, in ftp-summ.sh, simply insert a line like

   LOGS=$*

and then later change the line

   grep 'ftp-gw.*:' | awk '

to say

   grep 'ftp-gw.*:' $LOGS | awk '

Known deficiencies:

 * it needs to be made more configurable. The things that I flag as significant may not matter to others, and I may have missed things.
 * tcl is dog slow to manipulate large files (ours typically get to be up to three megabytes)
 * the filtering needs to apply to monitoring as well as static file inspection.
 * it depends on too many things being available (tcl, tk, fileselect, etc)

This code is offered without warranty or support of any kind. I have found it useful, and I provide it to others mostly as a starting point to develop their own tools. I welcome suggestions or criticisms.
Kevin McCurley
Sandia National Laboratories
(mccurley@cs.sandia.gov)
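As an added example (not code from fwtk_watch or from the TIS toolkit's own reporting scripts), a small reporting function in the shape of the modified ftp-summ.sh the README describes: it takes the log files to scan as command-line arguments via LOGS=$* and summarises ftp-gw permit/deny events per source host. The syslog lines it runs on are constructed, and the `host=name/addr` token layout it parses is an assumption.

```shell
#!/bin/sh
# Added example, not part of fwtk_watch or the TIS toolkit: a reporting
# function that, like the modified ftp-summ.sh, reads the files named on
# its command line (the "LOGS=$*" change) rather than fixed file names.

# Summarise ftp-gw permit/deny events per source host across the given files.
ftp_summ() {
    LOGS=$*                      # log files passed on the command line
    grep 'ftp-gw.*:' $LOGS | awk '
        {
            # find the "host=name/addr" token (assumed layout) and keep the name
            host = ""
            for (i = 1; i <= NF; i++)
                if ($i ~ /^host=/) { host = substr($i, 6); sub("/.*", "", host) }
            if (host == "") next
            if ($0 ~ / permit /) permit[host]++
            else if ($0 ~ / deny /) deny[host]++
            seen[host] = 1
        }
        END {
            for (h in seen)
                printf "%s permits=%d denies=%d\n", h, permit[h], deny[h]
        }' | sort
}

# Write a few CONSTRUCTED syslog lines (not real fwtk output) to the file in $1.
# The netacl line is there to show that the ftp-gw filter leaves it out.
write_sample_log() {
    cat > "$1" <<'EOF'
Dec  9 11:33:32 fw ftp-gw[1021]: permit host=alpha.example.com/192.0.2.10 use of gateway
Dec  9 11:34:01 fw ftp-gw[1022]: deny host=beta.example.net/198.51.100.7 use of gateway
Dec  9 11:35:12 fw netacl[1023]: deny host=beta.example.net/198.51.100.7 service=telnetd
Dec  9 11:36:45 fw ftp-gw[1024]: permit host=alpha.example.com/192.0.2.10 use of gateway
Dec  9 11:37:02 fw ftp-gw[1025]: deny host=beta.example.net/198.51.100.7 use of gateway
EOF
}

# Run the summary over the constructed sample, the way fwtk_watch would
# invoke a reporting script with explicit log file names.
SAMPLE=${TMPDIR:-/tmp}/fwtk_sample.$$
write_sample_log "$SAMPLE"
ftp_summ "$SAMPLE"
rm -f "$SAMPLE"
```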