SSH and FWReport Integration
By Chris Travers
Feb 23, 2003
chris@travelamericas.com
Introduction:
==============
Many Linux-based firewalls are simple, low-powered systems, since iptables does
not need much memory or processing power. FWReport, however, does its data
analysis entirely in memory, so if the log contains a large number of lines it
is possible to exhaust the firewall's memory while parsing them. When this
happens, the report is never delivered. Also, many firewalls do not have a Perl
interpreter installed, so running FWReport on these devices is not possible at
all.
Nonetheless, it is still possible to use FWReport to analyze the log files in
these cases, provided sshd or a similar program is installed on the firewall.
To do this you will need:
1) sshd installed on the firewall
2) A scriptable ssh client on the analyzing system (such as the one from OpenSSH)
3) FWReport 1.1.1 or later on the analyzing system
How it Works:
=============
FWReport 1.1.1 and higher support input from STDIN via the -s switch. When this
switch is used, FWReport takes its input from standard input rather than from
a file on disk. This gives a great degree of flexibility in integrating
FWReport with other tools such as cat and grep. The ssh client from OpenSSH can
run a command on a remote system, and that command's output is delivered on the
standard output of the ssh client. We simply pipe ssh's standard output into
fwreport's standard input, so the firewall only has to read the log while the
parsing happens on the analyzing system.
A Basic Example:
================
The simplest way to generate a report over ssh is to do something like:
ssh user@host cat /var/log/messages | fwreport -sm `date +%b`
Of course, you can also filter using grep, concatenate many files, etc. using
this method. If you need to specify keys, or are using another SSH client,
you should consult the documentation for your client.
Any additions, suggestions, etc. are welcome.
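The following script is an added example and is not part of FWReport or its documentation. It wraps the ssh-to-fwreport pipeline described above so that several rotated log files can be concatenated on the firewall and only the netfilter LOG lines are handed to fwreport. The helper names (remote_cmd, filter_fw_lines, run_report), the FW_HOST environment variable and the sample log lines are all assumptions made for the example; it also assumes the firewall logs with the netfilter LOG target, whose messages contain "IN=" and "OUT=", and that the ssh user can read the log files.

```shell
#!/bin/sh
# Added example, not FWReport's own code. Stream firewall logs over ssh into
# fwreport -s, concatenating rotated files and filtering with grep first.
# Assumed: netfilter LOG lines contain "IN=" and "OUT="; the remote user can
# read the logs; "fwreport" is on the PATH of the analyzing system.

# Build the command that runs on the firewall: the current log followed by
# any rotated copies given as extra arguments (gzipped ones go through zcat).
# Only cat/zcat run on the firewall, so its memory use stays small.
remote_cmd() {
    primary="$1"; shift
    cmd="cat $primary"
    for f in "$@"; do
        case "$f" in
            *.gz) cmd="$cmd; zcat $f" ;;
            *)    cmd="$cmd; cat $f" ;;
        esac
    done
    printf '%s\n' "$cmd"
}

# Keep only netfilter LOG lines so unrelated syslog traffic (sshd logins,
# cron, etc.) never reaches fwreport. grep exits 1 on no matches, which is
# not an error here, hence the "|| true".
filter_fw_lines() {
    grep 'IN=.*OUT=' || true
}

# Full pipeline: ssh runs the remote command, its stdout is filtered locally
# and piped into fwreport's standard input (-s) for the given month (-m),
# exactly as in the basic example above.
run_report() {
    host="$1"; month="$2"; shift 2
    ssh "$host" "$(remote_cmd "$@")" | filter_fw_lines | fwreport -sm "$month"
}

# Constructed sample log (not real traffic) used to exercise the filter
# offline: two netfilter LOG lines and one sshd line that must be dropped.
SAMPLE_LOG='Feb 23 10:00:01 fw kernel: IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP SPT=4444 DPT=22
Feb 23 10:00:02 fw sshd[123]: Accepted publickey for admin from 192.0.2.5
Feb 23 10:00:03 fw kernel: IN=eth0 OUT= SRC=198.51.100.8 DST=192.0.2.10 PROTO=UDP SPT=53 DPT=53'

# Number of lines the filter lets through for the constructed sample.
count_fw_lines() {
    printf '%s\n' "$SAMPLE_LOG" | filter_fw_lines | wc -l | tr -d ' '
}

# Only contact a firewall when FW_HOST is set, e.g.
#   FW_HOST=user@firewall sh fwreport-ssh.sh
# Otherwise the script just defines the helpers and runs nothing remote.
if [ -n "${FW_HOST:-}" ]; then
    run_report "$FW_HOST" "$(date +%b)" /var/log/messages /var/log/messages.1.gz
fi
```

Filtering before fwreport sees the data is what keeps the analyzing system's memory use proportional to the firewall traffic rather than to everything syslog wrote. If the ssh key used for this is dedicated to log collection, restricting it on the firewall to a read-only account limits what the analyzing host can do there should the key be exposed.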