Hi,
Trying to marry up some of the reports in the Astaro, against Splunk.
In the UTM Logging and Reporting section, Network Protection, Daily report.
I'm trying to work out exactly what events make up the graph.
Below is one of the records that Splunk recorded:
Dec 20 21:19:43 astaro 2013: 12:20-21:19:43 ulogd[4443]: id="2102" severity="info" sys="SecureNet" sub="ips" name="portscan detected" action="portscan" fwrule="60017" initf="ppp0" srcip="456.456.456.456" dstip="123.123.123.123" proto="6" length="44" tos="0x00" prec="0x00" ttl="228" srcport="44655" dstport="426" tcpflags="SYN"
Here is another record from Splunk:
Dec 20 21:19:43 astaro 2013: 12:20-21:19:43 ulogd[4443]: id="2103" severity="info" sys="SecureNet" sub="ips" name="SYN flood detected" action="SYN flood" fwrule="60012" initf="ppp0" srcip="456.456.456.456" dstip="123.123.123.123" proto="6" length="44" tos="0x00" prec="0x00" ttl="228" srcport="44655" dstport="421" tcpflags="SYN"
I'm trying to decipher which of the above fields are common and will allow me to pick up all the UTM "Firewall Violations"; so far sys="SecureNet" and sub="ips" stand out. I'm guessing id and fwrule (provided I can work out the complete list of matching numbers) would be another good starting point.
Is there a list of all "id" numbers and what they mean, and likewise a list of fwrule values?
Trevor
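As an added illustration (not code from the post or from Sophos/Astaro), the following Python parses the ulogd key="value" records quoted above and applies the sys="SecureNet" / sub="ips" selection the post proposes, counting events per id and name. The third sample line is constructed to look like a non-IPS packetfilter record so the filter has something to reject; its field values are assumptions, not taken from the post.

```python
import re
from collections import Counter

# Sample records: the first two are the post's own lines, the third is a
# constructed non-IPS record (assumed field values) used only to show the
# filter excluding it. Addresses are the post's placeholders, not real hosts.
SAMPLE_LOGS = [
    'Dec 20 21:19:43 astaro 2013: 12:20-21:19:43 ulogd[4443]: id="2102" severity="info" '
    'sys="SecureNet" sub="ips" name="portscan detected" action="portscan" fwrule="60017" '
    'initf="ppp0" srcip="456.456.456.456" dstip="123.123.123.123" proto="6" length="44" '
    'tos="0x00" prec="0x00" ttl="228" srcport="44655" dstport="426" tcpflags="SYN"',
    'Dec 20 21:19:43 astaro 2013: 12:20-21:19:43 ulogd[4443]: id="2103" severity="info" '
    'sys="SecureNet" sub="ips" name="SYN flood detected" action="SYN flood" fwrule="60012" '
    'initf="ppp0" srcip="456.456.456.456" dstip="123.123.123.123" proto="6" length="44" '
    'tos="0x00" prec="0x00" ttl="228" srcport="44655" dstport="421" tcpflags="SYN"',
    'Dec 20 21:20:01 astaro 2013: 12:20-21:20:01 ulogd[4443]: id="2001" severity="info" '
    'sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60001" '
    'initf="ppp0" srcip="456.456.456.456" dstip="123.123.123.123" proto="17" length="60"',
]

# Syslog prefix up to the ulogd tag; everything after "ulogd[pid]: " is the body.
HEADER_RE = re.compile(
    r'^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) .*?ulogd\[(?P<pid>\d+)\]: (?P<body>.*)$'
)
# The body is a flat sequence of key="value" pairs; values may contain spaces.
KV_RE = re.compile(r'(\w+)="([^"]*)"')


def parse_ulogd(line):
    """Return a dict of syslog header fields plus every key="value" pair, or None."""
    m = HEADER_RE.match(line)
    if not m:
        return None
    rec = {"timestamp": m.group("ts"), "host": m.group("host"), "pid": m.group("pid")}
    rec.update(KV_RE.findall(m.group("body")))
    return rec


def is_ips_event(rec):
    """The selection the post suggests: SecureNet records from the IPS subsystem."""
    return rec.get("sys") == "SecureNet" and rec.get("sub") == "ips"


def summarise_ips(lines):
    """Count IPS events per (id, name), the pairing the daily report graph would need."""
    counts = Counter()
    for line in lines:
        rec = parse_ulogd(line)
        if rec is not None and is_ips_event(rec):
            counts[(rec.get("id"), rec.get("name"))] += 1
    return counts
```

Running summarise_ips(SAMPLE_LOGS) yields one portscan and one SYN flood event while the packetfilter record is excluded; adding id or fwrule to the selection is a matter of extending is_ips_event once the full lists are known.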