cisco_ios2dlf(1) [debian man page]

CISCO_IOS2DLF.IN(1)					  LogReport's Lire Documentation				       CISCO_IOS2DLF.IN(1)

NAME
       cisco_ios2dlf - convert cisco logs to dlf format

SYNOPSIS
       cisco_ios2dlf

DESCRIPTION
       This script expects syslog-type logs from a Cisco IOS router on stdin. These look like e.g.:

           Jul 3 00:00:39 router 40108: 4d09h: %SEC-6-IPACCESSLOGP: list FR_VA_in permitted udp 192.168.19.1(137) (Serial0/0.2 DLCI 120) -> 192.168.19.255(137), 2 packets
           Jul 3 00:02:39 router 40109: 4d09h: %SEC-6-IPACCESSLOGP: list FR_VA_in permitted udp 192.168.80.42(138) (Serial0/0.2 DLCI 120) -> 192.60.60.148(138), 1 packet
           Jul 3 00:02:39 router 40110: 4d09h: %SEC-6-IPACCESSLOGDP: list FR_VA_in permitted icmp 192.168.80.82 (Serial0/0.2 DLCI 120) -> 149.1.1.1 (8/0), 1 packet

       or:

           Aug 19 04:02:34 gateway.foo.bar 218963: Aug 19 04:02:32.977: %LINEPROTO-5-UPDOWN: Line protocol on Interface BRI0:1, changed state to down
           Aug 19 04:02:34 gateway.foo.bar 218964: Aug 19 04:02:33.262: %ISDN-6-DISCONNECT: Interface BRI0:1 disconnected from 172605440 acme, call lasted 42 seconds
           Aug 19 04:02:35 gateway.foo.bar 218965: Aug 19 04:02:33.266: %LINK-3-UPDOWN: Interface BRI0:1, changed state to down
           Aug 19 04:02:38 gateway.foo.bar 218966: Aug 19 04:02:36.103: %SEC-6-IPACCESSLOGP: list 102 denied tcp 100.198.139.148(4652) -> 100.193.176.49(80), 1 packet
           Aug 19 04:02:45 gateway.foo.bar 218967: Aug 19 04:02:43.543: %ISDN-6-LAYER2DOWN: Layer 2 for Interface BR0, TEI 86 changed to down
           Aug 19 04:02:53 gateway.foo.bar 218968: Aug 19 04:02:51.471: %SEC-6-IPACCESSLOGP: list 102 denied tcp 100.74.103.1(2162) -> 100.193.176.98(80), 1 packet

       The DLF records written to stdout look like:

           994118619 permitted icmp 192.168.80.9 - Serial0/0.2 DLCI_120 192.168.19.1 - 1
           994118619 permitted udp 192.168.19.1 138 Serial0/0.2 DLCI_120 192.168.19.255 138 1
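The conversion the description above sketches, written out as an added Python example (not Lire's own cisco_ios2dlf code, which is Perl): it picks the %SEC-6-IPACCESSLOGP / IPACCESSLOGDP entries out of a syslog stream, skips everything else (interface and ISDN state changes), and emits one record per ACL hit in the field order of the sample output above. The field names, the treatment of "Serial0/0.2 DLCI 120" as an interface token plus a DLCI token, and the year and UTC used for the epoch timestamp (syslog stamps carry neither) are assumptions of this example; the sample lines are constructed in the shape of the man page's examples.

```python
"""Convert Cisco IOS %SEC-6-IPACCESSLOG* syslog lines into DLF-style
records in the field order shown in the cisco_ios2dlf man page.
Added example, not Lire's own cisco_ios2dlf code."""
import calendar
import re
import sys
import time

# Constructed sample input, in the shape of the man page's examples.
SAMPLE_LOG = """\
Jul  3 00:00:39 router 40108: 4d09h: %SEC-6-IPACCESSLOGP: list FR_VA_in permitted udp 192.168.19.1(137) (Serial0/0.2 DLCI 120) -> 192.168.19.255(137), 2 packets
Jul  3 00:02:39 router 40110: 4d09h: %SEC-6-IPACCESSLOGDP: list FR_VA_in permitted icmp 192.168.80.82 (Serial0/0.2 DLCI 120) -> 149.1.1.1 (8/0), 1 packet
Aug 19 04:02:38 gateway.foo.bar 218966: Aug 19 04:02:36.103: %SEC-6-IPACCESSLOGP: list 102 denied tcp 100.198.139.148(4652) -> 100.193.176.49(80), 1 packet
Aug 19 04:02:34 gateway.foo.bar 218963: Aug 19 04:02:32.977: %LINEPROTO-5-UPDOWN: Line protocol on Interface BRI0:1, changed state to down
"""

# Syslog header: month, day (one or two digits, possibly padded) and time.
SYSLOG_TS = re.compile(r"^(?P<mon>[A-Z][a-z]{2})\s+(?P<day>\d{1,2}) (?P<time>\d\d:\d\d:\d\d) ")

# ACL log body. Ports follow the address in parentheses and are absent for
# ICMP, which carries "(type/code)" after the destination instead; the
# interface/DLCI group after the source address is optional.
ACL_MSG = re.compile(
    r"%SEC-6-IPACCESSLOG\w+: list (?P<rule>\S+) (?P<action>permitted|denied) "
    r"(?P<proto>\S+) (?P<src>[\d.]+)(?:\((?P<sport>\d+)\))?"
    r"(?: \((?P<iface>[^)]*)\))? -> (?P<dst>[\d.]+)(?:\((?P<dport>\d+)\))?"
    r"(?: \((?P<icmp>\d+/\d+)\))?, (?P<count>\d+) packets?"
)


def parse_line(line, year):
    """Return the record fields for one ACL log line, or None for any other line."""
    ts = SYSLOG_TS.match(line)
    msg = ACL_MSG.search(line)
    if ts is None or msg is None:
        return None  # e.g. %LINEPROTO-5-UPDOWN: not an ACL entry, skipped
    # Assumption: the caller-supplied year and UTC, since syslog stamps have neither.
    epoch = calendar.timegm(time.strptime(
        f"{year} {ts['mon']} {int(ts['day'])} {ts['time']}", "%Y %b %d %H:%M:%S"))
    iface, dlci = "-", "-"
    if msg["iface"]:
        parts = msg["iface"].split()  # e.g. ["Serial0/0.2", "DLCI", "120"]
        iface = parts[0]
        if len(parts) > 1:
            dlci = "_".join(parts[1:])  # "DLCI 120" -> "DLCI_120", as in the man page
    return {
        "time": epoch, "action": msg["action"], "proto": msg["proto"],
        "src": msg["src"], "sport": msg["sport"] or "-",
        "iface": iface, "dlci": dlci,
        "dst": msg["dst"], "dport": msg["dport"] or "-",
        "count": int(msg["count"]), "rule": msg["rule"],
    }


def to_dlf(rec):
    """Space-separated line in the field order of the man page's sample output
    (assumed field names; the ACL name is kept in the record but not emitted)."""
    return (f"{rec['time']} {rec['action']} {rec['proto']} {rec['src']} {rec['sport']} "
            f"{rec['iface']} {rec['dlci']} {rec['dst']} {rec['dport']} {rec['count']}")


def convert(lines, year):
    """Convert an iterable of syslog lines to DLF lines, dropping non-ACL entries."""
    return [to_dlf(r) for r in (parse_line(l, year) for l in lines) if r is not None]


if __name__ == "__main__":  # usage mirrors: cisco_ios2dlf < cisco.log
    year = int(sys.argv[1]) if len(sys.argv) > 1 else 2001
    for out in convert(sys.stdin, year):
        print(out)
```

Because the conversion silently drops every line that is not an ACL hit, a report built on its output only reflects what the access lists were configured to log; lines such as %LINK-3-UPDOWN never reach the DLF file and need a different converter if they matter.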
EXAMPLES
       To process a log as produced by Cisco IOS:

           $ cisco_ios2dlf < cisco.log

       cisco_ios2dlf will be rarely used on its own, but is more likely called by lr_log2report:

           $ lr_log2report cisco_ios < /var/log/cisco.log

AUTHORS
       Francis J. Lacoste based on initial code by Joost Bekkers <joost@jodocus.org>

VERSION
       $Id: cisco_ios2dlf.in,v 1.8 2006/07/23 13:16:35 vanbaal Exp $

COPYRIGHT
       Copyright (C) 2001 Joost Bekkers <joost@jodocus.org>
       Copyright (C) 2002 Stichting LogReport Foundation <logreport@logreport.org>

       This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version.

       This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.

       You should have received a copy of the GNU General Public License along with this program (see COPYING); if not, check with http://www.gnu.org/copyleft/gpl.html.

Lire 2.1.1							  2006-07-23					       CISCO_IOS2DLF.IN(1)


IptablesDlfConverter(3pm)				  LogReport's Lire Documentation				 IptablesDlfConverter(3pm)

NAME
       IptablesDlfConverter - convert netfilter/iptables syslog logs to firewall DLF

DESCRIPTION
       IptablesDlfConverter converts Linux 2.4 iptables packet logs into firewall DLF format.

LIMITATIONS
       The netfilter logging modules don't log the status of the packet (drop, accept, reject) the way the ipchains logging code did. You can specify a prefix that will be used in the log. This converter marks the packet as 'denied' whenever that prefix matches (case insensitive) the regex 'denied|deny|drop|reject|unallowed', marks it as 'permitted' whenever the prefix matches (case insensitive) the regex 'accept|permit', and gives all other packets '-' as the value of the 'action' field. So in order for this converter to detect 'denied' packets, you should use a prefix containing one of those substrings. For example:

           iptables -N logdrop
           iptables -A logdrop -j LOG --log-prefix "Packet-DENY: "
           iptables -A logdrop -j DROP

       or other similar prefixes: 'denied: ', 'Packet-REJECT: ', ... The prefix used will end up in the 'rule' field of the DLF record.
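The prefix-to-action rule from LIMITATIONS, applied to netfilter LOG lines in an added Python example (not Lire's IptablesDlfConverter, which is Perl). The two regexes are the ones the man page quotes; the kernel LOG target's "IN=... OUT=... SRC=... DST=... PROTO=... SPT=... DPT=..." key=value layout is standard, and everything between "kernel:" and "IN=" is taken as the --log-prefix text. The sample lines, the record field names and the treatment of an empty prefix as '-' are this example's own assumptions.

```python
"""Classify netfilter/iptables LOG lines into firewall-DLF actions by their
--log-prefix, following the rule in the IptablesDlfConverter man page.
Added example, not Lire's own converter code."""
import re

# The two patterns the man page quotes, matched case-insensitively.
DENY_RE = re.compile(r"denied|deny|drop|reject|unallowed", re.IGNORECASE)
PERMIT_RE = re.compile(r"accept|permit", re.IGNORECASE)

# Kernel LOG line: optional "[ uptime]" stamp, then the prefix, then "IN=...".
KERNEL_MSG = re.compile(r"kernel:\s+(?:\[\s*[\d.]+\]\s+)?(?P<prefix>.*?)\s*IN=(?P<rest>.*)$")
KV = re.compile(r"(\w+)=(\S*)")  # KEY=value tokens; bare flags like DF or SYN are ignored

# Constructed sample lines: a denied SSH attempt, an accepted DNS query, a
# prefix that matches neither regex, and an unrelated kernel message.
SAMPLE_LOG = """\
Mar  9 10:15:01 fw kernel: Packet-DENY: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.5 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=1234 DF PROTO=TCP SPT=51234 DPT=22 WINDOW=65535 RES=0x00 SYN URGP=0
Mar  9 10:15:03 fw kernel: accept-dns: IN=eth1 OUT=eth0 SRC=192.0.2.20 DST=192.0.2.53 LEN=73 TOS=0x00 PREC=0x00 TTL=63 ID=0 DF PROTO=UDP SPT=40123 DPT=53 LEN=53
Mar  9 10:15:05 fw kernel: fwlog: IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 LEN=84 TOS=0x00 PREC=0x00 TTL=54 ID=9 PROTO=ICMP TYPE=8 CODE=0 ID=77 SEQ=1
Mar  9 10:15:07 fw kernel: [  123.456789] usb 1-1: new high-speed USB device
"""


def classify_prefix(prefix):
    """Map a --log-prefix string to the DLF 'action' value the man page describes."""
    if DENY_RE.search(prefix):
        return "denied"
    if PERMIT_RE.search(prefix):
        return "permitted"
    return "-"  # neither regex matched: the action is unknown


def parse_line(line):
    """Return the record for one netfilter LOG line, or None for other kernel output."""
    m = KERNEL_MSG.search(line)
    if m is None:
        return None
    prefix = m["prefix"].strip()
    fields = dict(KV.findall("IN=" + m["rest"]))  # later duplicates (e.g. ID=) win
    return {
        "action": classify_prefix(prefix),
        "rule": prefix or "-",  # the prefix lands in the 'rule' field, per the man page
        "proto": fields.get("PROTO", "-").lower(),
        "src": fields.get("SRC", "-"),
        "sport": fields.get("SPT", "-"),  # absent for ICMP
        "dst": fields.get("DST", "-"),
        "dport": fields.get("DPT", "-"),
        "in_if": fields.get("IN") or "-",  # "OUT=" with no value means locally generated
        "out_if": fields.get("OUT") or "-",
    }


def convert(lines):
    """Records for every netfilter LOG line in the input, in order."""
    return [r for r in map(parse_line, lines) if r is not None]
```

The third sample line is the case the man page warns about: a prefix such as "fwlog: " leaves every packet with action '-', so a report of denied traffic built from that log is empty even though the rule may well have been a DROP. Checking the share of '-' actions in the converter's output is a quick way to catch a logging prefix that defeats the classification.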
EXAMPLES
       IptablesDlfConverter will be rarely used on its own, but is more likely called by lr_log2report:

           $ lr_log2report iptables < /var/log/iptables.log > report

SEE ALSO
       The Netfilter webpage at http://netfilter.samba.org/ .

AUTHORS
       Francis J. Lacoste <flacoste@logreport.org>

VERSION
       $Id: IptablesDlfConverter.pm,v 1.12 2006/07/23 13:16:35 vanbaal Exp $

COPYRIGHT
       Copyright (C) 2001, 2002, 2003, 2004 Stichting LogReport Foundation LogReport@LogReport.org

       This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version.

       This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.

       You should have received a copy of the GNU General Public License along with this program (see COPYING); if not, check with http://www.gnu.org/copyleft/gpl.html.

Lire 2.1.1							  2006-07-23					 IptablesDlfConverter(3pm)