Question about Logs
Michael Tokarev
mjt@tls.msk.ru
Mon, 05 Jun 2000 22:08:03 +0400
David Cruz Langreo wrote:
>
> I wasn't thinking of that..
>
> It's gonna be installed on the office firewall
> and we need to know what IP's are moving more traffic, and
> what's the total amount of traffic moved from the in-network to the
> out-network.
>
Huh, wouldn't it be simpler to just periodically dump the counters on the rules
to a separate log file? If you need just accounting, that's all you
need, without worrying about parsing that stuff and having huge logs...
I run this here. I mark interesting packets with fwmark (the -m flag to
ipchains), in some way (say, each IP will have one number assigned,
and each service on an IP also, and we have:
ip1 srv1 0x0101
ip1 srv2 0x0102
...
ip2 srv1 0x0201
...
)
With this, you can dump the counters every 10 minutes (or once a day) and on
shutdown, and you will have something like:
<date1> 0101:<packets>:<bytes> 0102:<packets>:<bytes> ...
...
for each dump (with zeroing).
After this, you just need to summarize those, and that's all.
I wrote a tiny program in C to dump the counters to a log file, and a three-line
perl script to summarize it...
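One way to do the summarizing step described above, as an added example (not Michael's own C program or perl script): a Python script that parses dump lines in the "<date> 0101:<packets>:<bytes> ..." format, decodes each mark the way the post lays it out (high byte = IP number, low byte = service number), and totals traffic per IP, per service and overall. The IP and service tables and the sample dump lines are constructed for this example.

```python
from collections import defaultdict

# Constructed tables: the post assigns one number per IP and per service; these are placeholders.
IPS = {1: "192.0.2.10", 2: "192.0.2.20"}
SERVICES = {1: "http", 2: "smtp"}

# Constructed dump lines in the post's format, one per interval, counters zeroed after each dump.
SAMPLE_DUMP = """\
2000-06-05T22:00 0101:120:84000 0102:30:1500 0201:500:612000
2000-06-05T22:10 0101:80:56000 0201:200:240000 0202:10:900
"""

def decode_mark(mark):
    """Split a 4-hex-digit fwmark into (ip_no, service_no): high byte, low byte."""
    value = int(mark, 16)
    return value >> 8, value & 0xFF

def parse_dump_line(line):
    """Return (timestamp, {mark: (packets, bytes)}) for one dump line."""
    fields = line.split()
    counters = {}
    for field in fields[1:]:
        mark, packets, nbytes = field.split(":")
        counters[mark] = (int(packets), int(nbytes))
    return fields[0], counters

def summarize(dump_text):
    """Sum packets and bytes per IP, per service and overall across all dumps."""
    per_ip = defaultdict(lambda: [0, 0])        # name -> [packets, bytes]
    per_service = defaultdict(lambda: [0, 0])
    total = [0, 0]
    for line in filter(str.strip, dump_text.splitlines()):   # skip blank lines
        _, counters = parse_dump_line(line)
        for mark, (packets, nbytes) in counters.items():
            ip_no, svc_no = decode_mark(mark)
            ip = IPS.get(ip_no, "ip#%d" % ip_no)          # unassigned number stays visible
            svc = SERVICES.get(svc_no, "svc#%d" % svc_no)
            for bucket in (per_ip[ip], per_service[svc], total):
                bucket[0] += packets
                bucket[1] += nbytes
    return dict(per_ip), dict(per_service), tuple(total)

def top_talkers(dump_text):
    """IPs ordered by bytes moved, most first: what the original question asked for."""
    per_ip, _, _ = summarize(dump_text)
    return sorted(per_ip, key=lambda ip: per_ip[ip][1], reverse=True)

if __name__ == "__main__":
    per_ip, _, total = summarize(SAMPLE_DUMP)
    for ip in top_talkers(SAMPLE_DUMP):
        print("%-12s %6d packets %8d bytes" % (ip, per_ip[ip][0], per_ip[ip][1]))
    print("total: %d packets, %d bytes" % total)
```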