SSH and FWReport Integration
By Chris Travers
Feb 23, 2003
email@example.com

Introduction:
==============

Many Linux-based firewalls are simple systems. IPTables does not require much available memory or processing power. Additionally, FWReport's data analysis occurs entirely in memory, so if there are a large number of lines in the report, it is possible to exhaust the memory on the firewall while trying to parse the report. When this happens, the report is never delivered. Also, many firewalls do not contain Perl interpreters, so running FWReport on these devices is not possible.

Nonetheless, it is possible to use FWReport to analyze the log files in these cases if sshd or a similar program is installed on the firewall. To do this you will need:

1) sshd installed on the firewall
2) A scriptable ssh program on the client (such as the one from OpenSSH)
3) FWReport 1.1.1 or later on the analyzing system

How it Works:
=============

FWReport 1.1.1 and higher support STDIN input via the -s switch. When this switch is used, FWReport takes its input from the standard input rather than from a file on disk. This provides a great degree of flexibility regarding the integration of FWReport with other tools, such as cat and grep.

The ssh client from OpenSSH enables you to run commands on a remote system, and the output of those commands is directed to the standard output of the ssh client program. We simply pipe ssh's standard output to fwreport's standard input.

A Basic Example:
================

The simplest way to generate a report over ssh is to do something like:

ssh user@host cat /var/log/messages | fwreport -sm `date +%b`

Of course, you can also filter using grep, concatenate many files, etc. using this method. If you need to specify keys, or are using another SSH client, you should consult the documentation for your client.

Any additions, suggestions, etc. are welcome.
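The following script is an added example of the ssh-to-fwreport pipeline described above; it is not part of the FWReport distribution or Chris Travers' text. It assumes sshd on the firewall, OpenSSH's ssh client on the analyzing host, and fwreport 1.1.1 or later with -s (read stdin) and -m (select a month, as the page's `fwreport -sm` invocation shows). The firewall host name, user and log path are placeholders you override through the environment, and the sample log lines are constructed, not captured from a real system. It goes slightly beyond the one-liner on the page by running the grep on the firewall side, so that only the current month's kernel lines cross the ssh link and the firewall's own memory is never used for parsing:

```shell
#!/bin/sh
# Added example (not FWReport's own code). Assumes: sshd on the firewall,
# OpenSSH ssh client locally, fwreport 1.1.1+ with -s (stdin) and -m (month).
# Host, user and log path are placeholders; override them in the environment.

FW_HOST="${FW_HOST:-firewall.example.invalid}"
FW_USER="${FW_USER:-loguser}"
FW_LOG="${FW_LOG:-/var/log/messages}"

# Keep only syslog lines for the given month abbreviation (e.g. "Feb", as
# printed by `date +%b`) that were written by the kernel, which is where
# iptables LOG-target lines land. Reads stdin, writes stdout, so it can run
# on either side of the ssh hop. "^Feb " also matches space-padded days
# such as "Feb  3".
filter_month() {
    grep "^$1 " | grep 'kernel:'
}

# Count the lines filter_month would pass for a month; handy for checking
# the filter against a known sample before pointing it at a real log.
count_month_lines() {
    filter_month "$1" | wc -l | tr -d ' '
}

# Full pipeline: the filter runs on the firewall (cheap grep, little memory),
# and fwreport on the analyzing host does the parsing from its stdin.
# The inner single quotes reach the remote shell; $month and $FW_LOG expand locally.
report_month() {
    month="${1:-$(date +%b)}"
    ssh "$FW_USER@$FW_HOST" "grep '^$month ' '$FW_LOG' | grep 'kernel:'" \
        | fwreport -sm "$month"
}

# Constructed sample log (documentation address ranges, not real traffic)
# used for a dry run of the filter without any firewall.
SAMPLE_LOG='Feb 23 10:01:02 fw kernel: IN=eth0 OUT= SRC=192.0.2.10 DST=198.51.100.5 PROTO=TCP DPT=22
Feb 23 10:01:05 fw sshd[1234]: Accepted publickey for loguser
Jan 31 23:59:59 fw kernel: IN=eth0 OUT= SRC=192.0.2.11 DST=198.51.100.5 PROTO=UDP DPT=53
Feb  3 08:00:00 fw kernel: IN=eth0 OUT= SRC=192.0.2.12 DST=198.51.100.5 PROTO=TCP DPT=80'

# "./script.sh --dry-run" shows which sample lines would be sent to fwreport
# for February; without arguments the script only defines the functions.
if [ "${1:-}" = "--dry-run" ]; then
    printf '%s\n' "$SAMPLE_LOG" | filter_month Feb
fi
```

Run `report_month` (or `report_month Jan` for a specific month) once the placeholders point at a real firewall; the dry run is the check that the month filter keeps the kernel lines and drops everything else, which matters because a too-loose grep re-creates the memory problem the -s switch was meant to avoid.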