There are three different types of output formats:
There are two different types of report modes:
There are six different types of sorting:
There are three different way to report on:
Resolve IP Addresses
If you have a slow naming service, you can let fwlogsum resolve IP
addresses for you. As it only needs to resolve entries that appear in the
report, it should be substantially quicker.
Post Resolve IP Addresses
This option is similar to the above option, except that the resolution
of IP addresses is done after filtering has been performed. This can
signficantly speed up report generation as only the reported entries
need to be resolved. The down side is that any filtering will need
to be done using IP addresses.
Cache DNS Entries
This option caches DNS entries to a DBM file. It can significantly
speed up report generation if you are resolving IP addresses.
Convert Port Numbers to Name
This option will attempt to convert any port numbers to their corresponding
Convert Port Names to Number
This option will attempt to convert any port descriptions to their corresponding
Include Domain Summaries in Report
You can define local and common domains to be displayed in a Domain summary.
Display Time Summary as 24 hour clock
By default the summary will show the top time periods in descending order of
greatest use. Selecting this option will display the 24 time period in
This option is will display informational messages about the processing of
the log. The output is displayed on stderr.
If you have translated addresses and/or ports, using these options will either show just the translated address/port or both the untranslated and translated address/port, for example:
Delimiter character for logexport
By default, fw logexport uses the ; character as the field
delimiter. You can set the delimiter to something else if you generate
logexport logs with a different delimiter.
fwlogsum does not include the source port in the
report as this is generally not useful, as most of these will be random high
ports, eg: the remote site connecting to your web server on port 80 will have a
random source port.
However, it can be useful for checking things such as ftp and domain requests.
This option overides the default report header title.
Output File for Report
Name of the output file for the report. If this is left off, the report goes to STDOUT.
Mail the contents of the report to the specified address/es.
This option can be used to highlight particular entries of interest in the HTML
report. For example, you may want to take particular notice to any telnet attempts.
Exclude Specified Services
Some services are not always useful to report on, especially when reporting
on accepted packets. Things like http, smtp, icmp etc. Excluding these
services can drastically reduce the size of the report.
If you are running a dropped report, then excluding auth packets will save a lot of space.
Exclude Specified Source Services
This option is the same as above, but useful when you have selected to include
source services in the report.
Exclude Specified FW Interfaces
This option allows you to exclude an FW interface from the report. The interface name is
the same as it is known by FW1, eg: hme0, qfe0, etc.
Ignore Specified Entries
This allows you to ignore entries based on a perl regular expression. For
example you may wish to ignore all entries from microsoft.com and netscape.com
using the expression:
Restrict Entries less than specified Count
This option allows you to reduce the size of you report by only reporting the
detail of entries greater than the specified count. There will be many entries
that occur less then 10 times. By restricting these, your report will be of a
more managable size. The report summaries will not be effected.
Maximum Number of entries to appear in the summaries
This option allows you to set how many entries you want to see in the summary reports.
Include Specified Entries
Works the same as ignore entries but allows you to specify specific entries to
Run Report Against Specified ASCII Log File
This option is useful if you want to run multiple views of the same data, by
first generating the log file with the
fw logexport >logfile command
and then generating various reports with fwlogsum.
Run Report Against Specified FW1 Log File
This option allows you to run the report against another fw1 log file. Compressed or uncompressed.
Create trend databases in specified directory
This option will write a dbm file in the specified directory for every summary type.