Automated Flag Generator

For fwlogsum version: 5.0.0

Report Type:
Report Output:
Report Mode:
Sort Mode:
Report on:
Display Attack information in Report
Include Source Port in Report
Resolve IP Addresses (before filtering)
Post Resolve IP Addresses (after filtering)
Cache DNS entries
Convert Port Numbers to Names
Convert Port Names to Numbers
Include Domain Summary in Report
Display Time Summary as 24 hour clock
Report both normal address/port and translated address/port
Report just the translated address/port
Verbose Output
Delimiter character for logexport
Report Header Title
Output file for report
Mail output to specified user
Matched Highlights
Exclude specified services from report
Exclude specified source services from report
Exclude specified FW interfaces from report
Ignore specified entries
Restrict entries with count less than
Maximum number of entries to appear in the summaries
Include only specified entries
Run report against specified logexport log file
Run report against specified FW1 log file
Create trend databases in specified directory
Display command with Short flags Long flags

Form Help

Report Type

There are four different types of reports:
  1. Dropped and Rejected Entries.
  2. Attack Entries.
  3. Accepted Entries.
  4. Dropped Entries.
  5. Rejected Entries.

Output Format

There are three different types of output formats:
  1. HTML
  2. 80 Columns - ASCII
  3. 132 Columns - ASCII

Report Mode

There are two different types of report modes:
  1. Details and Summary - Details of all packets are reported
  2. Summary Only - Only the summaries are reported

Sort Types

There are six different types of sorting:
  1. Count - Sort by number of occurances.
  2. Attack Type.
  3. Source Address - Only useful if source address is selected.
  4. Destination Address.
  5. Service - Service name.
  6. Firewall Host - Firewall-1 host the logging orginated from.
  7. Rule Number - Useful in accept reports for seeing which rules are triggered the most.

Report On

There are three different way to report on:
  1. All packets - Report on all packets for the report type.
  2. Inbound Traffic - Report on inbound traffic only.
  3. Outbound Traffic - Report on outbound traffic only.

Resolve IP Addresses

If you have a slow naming service, you can let fwlogsum resolve IP addresses for you. As it only needs to resolve entries that appear in the report, it should be substantially quicker.

Post Resolve IP Addresses

This option is similar to the above option, except that the resolution of IP addresses is done after filtering has been performed. This can signficantly speed up report generation as only the reported entries need to be resolved. The down side is that any filtering will need to be done using IP addresses.

Cache DNS Entries

This option caches DNS entries to a DBM file. It can significantly speed up report generation if you are resolving IP addresses.

Convert Port Numbers to Name

This option will attempt to convert any port numbers to their corresponding service description.

Convert Port Names to Number

This option will attempt to convert any port descriptions to their corresponding port number.

Include Domain Summaries in Report

You can define local and common domains to be displayed in a Domain summary.

Display Time Summary as 24 hour clock

By default the summary will show the top time periods in descending order of greatest use. Selecting this option will display the 24 time period in time order.

Version Output

This option is will display informational messages about the processing of the log. The output is displayed on stderr.

Address/Port Translation

If you have translated addresses and/or ports, using these options will either show just the translated address/port or both the untranslated and translated address/port, for example:

Delimiter character for logexport

By default, fw logexport uses the ; character as the field delimiter. You can set the delimiter to something else if you generate logexport logs with a different delimiter.

Source Port

By default, fwlogsum does not include the source port in the report as this is generally not useful, as most of these will be random high ports, eg: the remote site connecting to your web server on port 80 will have a random source port.
However, it can be useful for checking things such as ftp and domain requests.

Report Header

This option overides the default report header title.

Output File for Report

Name of the output file for the report. If this is left off, the report goes to STDOUT.

Mail Output

Mail the contents of the report to the specified address/es.

Matched Highlight

This option can be used to highlight particular entries of interest in the HTML report. For example, you may want to take particular notice to any telnet attempts.

Exclude Specified Services

Some services are not always useful to report on, especially when reporting on accepted packets. Things like http, smtp, icmp etc. Excluding these services can drastically reduce the size of the report.
If you are running a dropped report, then excluding auth packets will save a lot of space.

Exclude Specified Source Services

This option is the same as above, but useful when you have selected to include source services in the report.

Exclude Specified FW Interfaces

This option allows you to exclude an FW interface from the report. The interface name is the same as it is known by FW1, eg: hme0, qfe0, etc.

Ignore Specified Entries

This allows you to ignore entries based on a perl regular expression. For example you may wish to ignore all entries from and using the expression:|

Restrict Entries less than specified Count

This option allows you to reduce the size of you report by only reporting the detail of entries greater than the specified count. There will be many entries that occur less then 10 times. By restricting these, your report will be of a more managable size. The report summaries will not be effected.

Maximum Number of entries to appear in the summaries

This option allows you to set how many entries you want to see in the summary reports.

Include Specified Entries

Works the same as ignore entries but allows you to specify specific entries to include.

Run Report Against Specified ASCII Log File

This option is useful if you want to run multiple views of the same data, by first generating the log file with the fw logexport >logfile command and then generating various reports with fwlogsum.

Run Report Against Specified FW1 Log File

This option allows you to run the report against another fw1 log file. Compressed or uncompressed.

Create trend databases in specified directory

This option will write a dbm file in the specified directory for every summary type.