--- /dev/null
+# $Id: fwlogwatch.config 715 2010-10-22 14:21:15Z bw $
+#
+# Sample fwlogwatch configuration file
+#
+# The values filled in or mentioned in the description are the default values,
+# you only need to uncomment an option if you change it's value.
+# Valid parameters to binary options are on/yes/true and off/no/false.
+# Whitespace and comments are ignored anywhere in the file, case does not
+# matter.
+
+
+### Include files ###
+# The option 'include_file' can be used to include external configuration
+# files.
+#
+#include_file =
+
+
+### Global options ###
+# Use 'verbose' if you want extra information and log messages.
+# Use it twice for even more info. fwlogwatch is quiet by default.
+# Command line option: -v[v]
+#
+#verbose = no
+#verbose = no
+
+# Use 'resolve_hosts' if you want IP addresses looked up in the DNS (output
+# will be slower).
+# 'resolve_services' enables lookup of port numbers in /etc/services.
+# Command line options: -n / -N
+#
+#resolve_hosts = no
+#resolve_services = no
+
+# If your logs contain private IP addresses that are not resolvable through
+# DNS but you want reports with meaningful host names you can inject your
+# own list of IP/name pairs (in the same format as /etc/hosts) into the DNS
+# cache with the 'dns_cache' option. fwlogwatch will not modify this file.
+# Command line option: -i <file>
+#
+#dns_cache = /home/user/my_hosts.txt
+
+# Specify the input file(s) if you don't want to use the default. Use one line
+# for each file. Compressed files (gzip) are supported. You can use '-' for
+# standard input (stdin). In realtime response mode the daemon needs the
+# absolute path to the file.
+# Command line option: [file(s)]
+#
+#input = /var/log/messages
+
+
+### Evaluation options ###
+# You can select which parsers you want to use if you don't want fwlogwatch
+# to check for all known log formats. You can choose one or a combination
+# of:
+#
+# i ipchains
+# n netfilter
+# f ipfilter
+# c Cisco IOS
+# p Cisco PIX/ASA
+# e NetScreen
+# l Elsa Lancom
+# s Snort
+#
+# Command line option: -P <format>
+#
+#parser = infcp
+
+# The following six options define which criteria will be considered when
+# comparing logged packets. You can turn off the source or destination IP
+# address distinction ('src_ip'/'dst_ip') or activate the protocol, source
+# and destination port and TCP option distinction
+# ('protocol'/'src_port'/'dst_port'/'tcp_opts').
+# Command line options: -S / -D / -p / -s / -d / -y
+#
+#src_ip = on
+#dst_ip = on
+#protocol = off
+#src_port = off
+#dst_port = off
+#tcp_opts = off
+
+# The following eight options permit to select and/or exclude certain
+# hosts or ports. Rules can be added and combined, source and destination
+# hosts and ports are differentiated, specifying networks is possible in
+# CIDR format.
+# Command line option: -E <format>
+#
+#exclude_src_host =
+#exclude_src_port =
+#exclude_dst_host =
+#exclude_dst_port =
+#include_src_host =
+#include_src_port =
+#include_dst_host =
+#include_dst_port =
+
+# The following four options permit to include and/or exclude chain and
+# branch (target) strings such as "input", "forward", "output" and
+# "accept", "deny", "pass", "block", "p", etc. Use one string per line
+# without quotes. Including a string causes all others to be excluded.
+# Command line option: -E <format>
+#
+#exclude_chain =
+#include_chain =
+#exclude_branch =
+#include_branch =
+
+
+### Sorting options ###
+# Since the sort algorithm used is stable you can sort several times,
+# entries that are equal for the primary criteria will be sorted by the
+# next criteria. The sort string can be composed of 11 fields of the form
+# 'ab' where 'a' is the sort criteria:
+#
+# c count
+# t start time
+# e end time
+# z duration
+# n target name
+# p protocol
+# b byte count
+# S source host
+# s source port
+# D destination host
+# d destination port
+#
+# and 'b' the order:
+#
+# a ascending
+# d descending
+#
+# Sorting is done in the given sequence, so the last option is the primary
+# criteria. If you don't use the 'sort_order' option the summary mode
+# default 'tacd' will be used (start with the highest count, if two counts
+# match list the one earlier in time first), of which 'ta' is built in, so
+# if you specify an empty sort string or everything else is equal entries
+# will be sorted ascending by time. In realtime response mode the default
+# is 'cd'.
+#
+# Command line option: -O <order>
+#
+#sort_order =
+
+
+### Output options ###
+# With the option 'title' you can change the title of the summary and the
+# status page and the subject of summaries sent by email.
+# The default title in summary mode is 'fwlogwatch summary' and in realtime
+# response mode it is 'fwlogwatch status'.
+#
+#title =
+
+# With the option 'stylesheet' you can make fwlogwatch omit the inline CSS
+# used to define the page colors and reference an external stylesheet.
+# In summary mode the string you specify will be taken as it is and used in a
+# link tag, in realtime response mode this only happens if it is an external
+# URL and starts with "http", else a local file will be assumed and embedded
+# at the corresponding position.
+#
+#stylesheet =
+
+# With the following four options you can customize the colors of the HTML
+# output (summary and realtime response status page), use the RGB value
+# with '#' or directly one of the 16 basic HTML color names (aqua black
+# blue fuchsia gray green lime maroon navy olive purple red silver teal
+# white yellow).
+#
+#textcolor = white
+#bgcolor = black
+#rowcolor1 = #555555
+#rowcolor2 = #333333
+
+
+### Log summary mode ###
+# Use 'data_amount' if you want so see the sum of total packet lengths for
+# each entry (this obviously only works with log formats that contain this
+# information).
+# Command line option: -b
+#
+#data_amount = no
+
+# Use 'start_times' and/or 'last times' if you want to see the timestamp
+# of the first and/or last logged packet of each entry.
+# Command line options: -t / -e
+#
+#start_times = no
+#end_times = no
+
+# Use 'duration' if you want to see the time interval between the first and
+# the last connection attempt of the current entry.
+# Command line option: -z
+#
+#duration = no
+
+# Use 'html' to enable HTML output.
+# Command line option: -w
+#
+#html = no
+
+# Specify the name of an output file
+# Command line option: -o <file>
+#
+#output =
+
+# Use 'recent' to ignore events older than a certain time (off by default).
+# The default unit is seconds.
+# Units: m = minutes, h = hours, d = days, w = weeks, M = months, y = years.
+# Command line option: -l <time>
+#
+#recent =
+
+# Use 'at_least' to hide entries that have a small number of counts (useful
+# when analyzing large log files).
+# Command line option: -m <count>
+#
+#at_least = 1
+
+# Use 'maximum' to limit the number of entries shown (e.g. for a "top 20"),
+# restricted by the 'at_least' option. Zero shows all entries.
+# Command line option: -M <number>
+#
+#maximum = 0
+
+# Use 'whois_lookup' if you want information about the source IP addresses
+# looked up in the whois database (this is slow, please don't stress the
+# registry with too many queries).
+# Command line option: -W
+#
+#whois_lookup = no
+
+# Use 'sender' to specify your email address for abuse reports.
+# The default is <user>@<hostname>.
+# Command line option: -F <email>
+#
+#sender =
+
+# Use 'recipient' to specify the email address of the abuse contact or CERT
+# you want to send reports to. If used in log summary mode the summary will
+# be sent to this address by email (in plain text or HTML as selected with
+# the -w option and the content of the title option as subject).
+# Command line option: -T <email>
+#
+#recipient =
+
+# You can use 'cc' to send a carbon copy of the report (e.g. to you for
+# your archives or a second abuse or CERT contact).
+# Command line option: -C <email>
+#
+#cc =
+
+
+### Realtime response mode ###
+# Use 'realtime_response' to turn this mode on. You can change the
+# configuration file while fwlogwatch is running and have it reread it
+# by sending the HUP signal.
+# Command line option: -R
+#
+#realtime_response = no
+
+# If 'ipchains_check' is activated (and the ipchains parser is selected),
+# fwlogwatch will verify that ipchains rules are set up correctly.
+#
+#ipchains_check = no
+
+# With the 'pidfile' option you can specify a file fwlogwatch will use to
+# keep it's PID so it can receive signals from scripts. If not specified it
+# will not be created.
+# Suggested value: /var/run/fwlogwatch.pid
+#
+#pidfile =
+
+# Use the 'run_as' option to make fwlogwatch capable of binding a
+# privileged port and opening a protected log file as root and then (as
+# daemon) change it's user and group ID to a non-privileged user (a security
+# feature). Please note that reopening a protected log file (e.g. after a
+# kill -USR1) will not be possible once privileges are released. Also
+# remember that you can use fwlogwatch without status web server or with an
+# unprivileged port and with enough permissions to read a log file to run it
+# entirely as user, but you will not be able to execute response scripts
+# that need root privileges (e.g. to modify a firewall).
+# Suggested value: nobody
+#
+#run_as =
+
+# The option 'stateful_start' is enabled by default and causes fwlogwatch
+# to read in the full log file at start and remember all entries that are
+# within the 'recent' parameter (and notify and/or react to them if
+# configured to do so). When disabled, fwlogwatch will jump to the end of
+# the log file and start with an empty packet cache.
+#
+#stateful_start = yes
+
+# Use 'alert_threshold' to define how many connections must happen (within
+# the 'forget' time range) to activate an alert/response.
+# Command line option: -a <count>
+#
+#alert_threshold = 5
+
+# Use the option 'recent' as in log summary mode above to control how long
+# an event should be relevant. After the specified time it is forgotten and
+# if another connection attempt is started it is treated as new. The default
+# for 'recent' in realtime response mode is 1 day.
+# Command line option: -l
+#
+#recent =
+
+# An alert is logged to syslog by default, you can add predefined and/or
+# custom notification and response functions using the fwlw_notify and
+# fwlw_respond scripts that are executed if 'notify' and 'respond'
+# respectively are specified here.
+# Command line options: -A / -B
+#
+#notify = no
+#respond = no
+
+# Alternative paths for the notification and response scripts can be
+# specified with the 'notification_script' and 'response_script' options.
+#
+#notification_script = /usr/local/sbin/fwlw_notify
+#response_script = /usr/local/sbin/fwlw_respond
+
+# Known hosts are those that will not be warned about or actions taken
+# against, even if they match the alert/response criteria.
+# Use 'known_host' for your trusted gateways, peers and DNS servers (this
+# is an anti-spoofing measure). You can specify single IP addresses or
+# networks in CIDR notation (e.g. 192.168.1.0/24).
+# Command line option: -k <IP/net>
+#
+#known_host =
+#known_host =
+
+# You can see which hosts fwlogwatch knows about and which ones it is
+# watching at any time through it's web interface. Use the 'server_status'
+# option to activate the web server in fwlogwatch, 'bind_to' is the IP
+# address of the interface to be bound (defaults to the local host, 0.0.0.0
+# means all), 'listen_port' is the port it will listen on. 'listen_to'
+# allows to restrict access to a single IP address. fwlogwatch will want to
+# authenticate the user, that's what 'status_user' and 'status_password'
+# are for. The password must be a standard Unix DES encrypted password
+# including salt, you can for example use
+# htpasswd -nb user password
+# to generate one. Finally, 'refresh' activates automatic reloading of the
+# status page, the parameter is the time in seconds.
+# Command line option: -X <port>
+#
+#server_status = no
+#bind_to = 127.0.0.1
+#listen_port = 888
+#listen_to =
+#status_user = admin
+#status_password = 2fi4nEVVz0IXo
+#refresh =
+
+
+### Show log times mode ###
+# Use this mode to display the number of lines and the time of the first and
+# last entry in a log file. Unlike the summary mode report this does not show
+# the time of the first and last packet log entry but the time of the first
+# and last entry overall. No other action is performed. Compressed files
+# (gzip) are supported. Use the command line and/or the input option to
+# specify the files to show.
+# Command line option: -L
+#
+#show_log_times
+
+
+### EOF ###
projects / zenbook / commitdiff