2.6. Logs AW

2.6.1. Introduction

The Logs AW consists of four sub-pages: Other, Web Proxy, Firewall and Intrusion Detection System. These share a common set of interface features to select the log information to be displayed, and to export that information to your local machine. Dropdown Month: and Day: lists in the Settings: area of the AW are provided to allow you to select Logs information for preceding days and months. Each time that you select a new combination of Month: and Day:, you must also click on the Update button before the Logs information will be updated. When you first select a sub-page, the Logs information displayed will be that for the current date.

The Logs information appears as a list in the main section of the window (usually labeled Log:). If that list is too long to fit into a reasonably sized window, only the latest Logs information is displayed. In that situation, the Older and Newer links at the bottom of this section of the window become active and you may use these to page through the list of Logs data.

Pressing the Export button downloads a text-format file (log.dat), containing the information from the current Logs AW page, from the IPCop server to your computer. Depending on how your computer is set up, pressing the Export button will initiate a file download dialogue on your computer, show the contents of log.dat in your web browser window, or open the file in a text editor. In the latter cases, you can save log.dat as a text-format file if required.

2.6.2. Other:

This page allows you to view the system and other miscellaneous Logs. (See the beginning of this Section for how to use the Month:, Day:, and Update controls.) There are nine different categories, selected via the Section dropdown list:

  • IPCop (default) - general IPCop events like PPP profile saving and connection ("PPP has gone up on ppp0") and disconnection ("PPP has gone down on ppp0") of dialup modem links.

  • PPP - traffic on the interface that provides the PPP link for IPCop. This includes the data strings sent to, and received from, modems and other network interfaces. This can be a very useful resource in troubleshooting "failure to connect" situations.

  • ISDN - shows a log of activity related to any ISDN Terminal Unit connected to the IPCop server.

  • DHCP server - shows a log of activity for the DHCP Server function within IPCop.

  • SSH - provides a record of users who have logged in to, and out of, the IPCop server over a network via the SSH interface.

  • Login/Logout - provides a record of users who have logged in to, and out of, the IPCop server. This includes both local logins and logins over a network via the SSH interface.

  • Kernel - is a record of kernel activity in the IPCop server.

  • IPSec - is a record of activity of IPSec, the VPN software module used by IPCop.

  • Update transcript - is a log of the results of any updates applied to the IPCop software via the System > Update window.

2.6.3. Web Proxy:

This page provides you with the facility to see the files that have been cached by the web proxy server within IPCop. The web proxy is inactive after first installation of IPCop, and may be activated (and deactivated) through a specific administration page (Services > web proxy).

Note

Due to the large amount of information that has to be processed, the Web Proxy page can take an appreciable time to appear after its initial selection or an Update.

There are several controls on this page in addition to the Month:, Day:, and Update controls described at the beginning of this Section:

  • The Source IP: dropdown box allows you to selectively look at web proxy activity related to individual IP addresses on the local network, or the activity related to ALL machines that have used the proxy.

  • The Ignore filter: box allows you to type in a regular expression to define which file types should be omitted from the web proxy Logs. The default string hides image files (.gif, .jpeg, .jpg & .png), stylesheet files (.css) and JavaScript files (.js).

  • The Enable ignore filter: tick box allows you to control whether the Ignore filter: is active or not.

  • The Restore defaults button allows you to return the above controls and filters to their defaults.

For this page, the Logs information appearing in the Log: section of the window consists of:

  • The Time the file was requested and cached.

  • The Source IP address of the local system requesting the file.

  • The Website - or more precisely the URL for each file requested and cached.

Note

The Website URL entries in these Logs are also hyperlinks to the referenced web pages or files.
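The ignore filter and the three Log: columns described above, as an added example that is not part of the IPCop manual or the IPCop code: it applies an extension-based regular expression to constructed Squid-style access log lines and returns the Time, Source IP and Website fields. The exact default regex string and the decision to match on the URL path without its query string are assumptions of this example, not statements from the page.

```python
import re
from datetime import datetime, timezone

# Default ignore filter as this example assumes it (the manual names the file
# types it hides; the exact regex string is an assumption, not quoted from it).
DEFAULT_IGNORE_FILTER = r"[.](gif|jpeg|jpg|png|css|js)$"

# Constructed sample lines in Squid's native access.log layout:
# <epoch.ms> <elapsed> <client ip> <result> <bytes> <method> <url> ...
SAMPLE_ACCESS_LOG = """\
1284120000.123 250 192.168.1.10 TCP_MISS/200 4321 GET http://www.example.com/index.html - DIRECT/93.184.216.34 text/html
1284120000.456 12 192.168.1.10 TCP_HIT/200 812 GET http://www.example.com/logo.png - NONE/- image/png
1284120001.001 33 192.168.1.20 TCP_MISS/200 2048 GET http://www.example.com/site.css - DIRECT/93.184.216.34 text/css
1284120002.777 98 192.168.1.20 TCP_MISS/200 9000 GET http://www.example.com/logo.png?v=2 - DIRECT/93.184.216.34 image/png
1284120003.250 410 192.168.1.10 TCP_MISS/200 1500 GET http://www.example.com/download.pdf - DIRECT/93.184.216.34 application/pdf
"""


def proxy_log_entries(log_text, source_ip="ALL",
                      ignore_filter=DEFAULT_IGNORE_FILTER, enable_ignore=True):
    """Return (time, source_ip, url) tuples the way the Web Proxy log page lists them."""
    ignore = re.compile(ignore_filter) if enable_ignore and ignore_filter else None
    entries = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) < 7:
            continue  # malformed or truncated line: skip rather than misreport
        epoch, client, url = fields[0], fields[2], fields[6]
        if source_ip != "ALL" and client != source_ip:
            continue  # the Source IP: dropdown narrows the view to one client
        # Match on the path only, so "logo.png?v=2" cannot slip past a filter
        # anchored on "$" (an assumption of this example, not IPCop behaviour).
        path = url.split("?", 1)[0]
        if ignore and ignore.search(path):
            continue
        stamp = datetime.fromtimestamp(float(epoch), tz=timezone.utc).strftime("%H:%M:%S")
        entries.append((stamp, client, url))
    return entries
```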

2.6.4. Firewall:

This page shows data packets that have been blocked by the IPCop firewall.

Note

Not all denied packets are hostile attempts by crackers to gain access to your machine. Blocked packets commonly occur for a number of harmless reasons and many can be safely ignored. Among these may be attempted connections to the "ident/auth" port (113), which are blocked by default in IPCop.

The controls on this page are the basic Month:, Day:, and Update controls that are described in detail at the beginning of this Section.

The Firewall log: section of this page contains an entry for each packet that was "dropped" by the firewall. Included are the time of the event, the Source and Destination IP addresses and ports for the dropped packet, the protocol used for that packet, and the IPCop Chain and Interface involved.

Each IP address in the list also has an associated checkbox. You can use these checkboxes to obtain information about the listed IP addresses. To do this, click one or more of these checkboxes and then the Lookup button at the bottom of the list. IPCop then performs a DNS lookup for each IP address, and reports any available information about its registration and ownership.
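The Firewall log: fields listed above, and the note that blocked ident/auth (port 113) attempts are routine, as an added example that is not part of the IPCop manual or the IPCop code: it parses constructed netfilter LOG-format kernel lines into time, chain, interface, protocol, source and destination, then separates the port 113 noise from entries worth a second look and counts the remaining sources. The hostname, the "INPUT" log prefix and the sample addresses are constructed assumptions.

```python
import re
from collections import Counter

# Constructed sample lines in the netfilter LOG target layout that a firewall
# log page is built from (hostname "ipcop" and prefix "INPUT" are assumptions).
SAMPLE_FIREWALL_LOG = """\
Sep 10 12:00:01 ipcop kernel: INPUT IN=ppp0 OUT= MAC= SRC=203.0.113.5 DST=198.51.100.7 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=1 DF PROTO=TCP SPT=41000 DPT=113 WINDOW=5840 RES=0x00 SYN URGP=0
Sep 10 12:00:02 ipcop kernel: INPUT IN=ppp0 OUT= MAC= SRC=203.0.113.9 DST=198.51.100.7 LEN=60 TOS=0x00 PREC=0x00 TTL=48 ID=2 DF PROTO=TCP SPT=52000 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
Sep 10 12:00:03 ipcop kernel: INPUT IN=ppp0 OUT= MAC= SRC=203.0.113.9 DST=198.51.100.7 LEN=28 TOS=0x00 PREC=0x00 TTL=48 ID=3 PROTO=ICMP TYPE=8 CODE=0 ID=512 SEQ=1
Sep 10 12:00:04 ipcop kernel: INPUT IN=ppp0 OUT= MAC= SRC=203.0.113.5 DST=198.51.100.7 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=4 DF PROTO=TCP SPT=41001 DPT=113 WINDOW=5840 RES=0x00 SYN URGP=0
"""

# syslog timestamp, host, "kernel:", then the log prefix (used here as the chain)
LINE_RE = re.compile(r"^(?P<time>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ kernel: (?P<chain>\S+) (?P<rest>.*)$")
KV_RE = re.compile(r"(\w+)=(\S*)")  # KEY=value pairs; bare flags like DF/SYN are skipped


def parse_firewall_log(log_text):
    """Parse each dropped-packet line into the fields the Firewall log: section shows."""
    entries = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not a firewall line (or garbled): skip it
        kv = dict(KV_RE.findall(m["rest"]))
        entries.append({
            "time": m["time"],
            "chain": m["chain"],
            "iface": kv.get("IN") or kv.get("OUT", ""),  # IN is empty for OUTPUT drops
            "proto": kv.get("PROTO", ""),
            "src": kv.get("SRC", ""), "sport": kv.get("SPT"),   # SPT/DPT absent for ICMP
            "dst": kv.get("DST", ""), "dport": kv.get("DPT"),
        })
    return entries


BENIGN_DPORTS = {"113"}  # ident/auth: blocked by default in IPCop, routinely seen


def triage(entries):
    """Split entries into ones worth review and routine ident noise; count review sources."""
    review, noise = [], []
    for e in entries:
        is_noise = e["proto"] == "TCP" and e["dport"] in BENIGN_DPORTS
        (noise if is_noise else review).append(e)
    return review, noise, Counter(e["src"] for e in review)
```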

2.6.5. Intrusion Detection System:

This page shows incidents detected by the IPCop Intrusion Detection System (IDS). The IDS system is inactive after first installation of IPCop, and may be activated (and deactivated) through a specific administration page (System > intrusion detection system).

The controls on this page are the basic Month:, Day:, and Update controls that are described in detail at the beginning of this Section. These allow you to examine the IDS Logs for a specific day. These Logs consist of a number of items for each detected incident:

  • The Date: and time of the incident.

  • Name: - a description of the incident.

  • Priority: (if available). This is the severity of the incident, graded as 1 ("bad"), 2 ("not too bad"), & 3 ("possibly bad").

  • Type: - a general description of the incident (if available).

  • IP Info: - the IP identities (address & port) of the source and target involved in the incident. Each IP address is a hyperlink, which you can use to perform a DNS lookup for that IP address and obtain any available information about its registration and ownership.

  • References: - hyperlinked URLs to any available sources of information for this type of incident.

  • SID: - the Snort ID number (if available). "Snort" is the software module used by IPCop to provide the IDS function, and SID is the ID code used by the Snort module to identify a particular pattern of attack. This parameter is hyperlinked to a web page carrying the relevant entry on the Snort database of intrusion signatures.
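The IDS log items listed above (Date, Name, Priority, Type, IP Info, References and SID), as an added example that is not part of the IPCop manual or the IPCop code: it parses constructed alerts in Snort's "full" alert layout into those fields and attaches the page's 1/2/3 priority grading. The SIDs, rule names and reference URLs in the sample are made-up placeholders, not real signatures.

```python
import re

# Constructed sample in Snort's "full" alert layout. SIDs, names and URLs are
# placeholders invented for this example, not real Snort signatures.
SAMPLE_SNORT_ALERTS = """\
[**] [1:1000001:3] EXAMPLE probe of management port [**]
[Classification: Attempted Information Leak] [Priority: 2]
09/10-12:00:01.123456 203.0.113.5:40001 -> 198.51.100.7:161
UDP TTL:52 TOS:0x0 ID:1 IpLen:20 DgmLen:60
[Xref => http://reference.example.invalid/doc/1000001]

[**] [1:1000002:1] EXAMPLE malformed header [**]
[Priority: 1]
09/10-12:00:05.000001 203.0.113.9:52000 -> 198.51.100.7:80
TCP TTL:48 TOS:0x0 ID:2 IpLen:20 DgmLen:60
"""

HEADER_RE = re.compile(r"^\[\*\*\] \[(\d+):(\d+):(\d+)\] (.+?) \[\*\*\]$")  # [gid:sid:rev] name
PRIORITY_RE = re.compile(r"\[Priority: (\d+)\]")
CLASS_RE = re.compile(r"\[Classification: ([^\]]+)\]")
IPINFO_RE = re.compile(r"^(\d\d/\d\d-\d\d:\d\d:\d\d\.\d+) (\S+) -> (\S+)$")
XREF_RE = re.compile(r"\[Xref => (\S+)\]")

# Severity grading as the IDS page describes it
PRIORITY_LABELS = {1: "bad", 2: "not too bad", 3: "possibly bad"}


def parse_snort_alerts(text):
    """Return one dict per alert carrying the fields the IDS log page lists."""
    incidents = []
    for block in text.strip().split("\n\n"):
        lines = block.splitlines()
        head = HEADER_RE.match(lines[0])
        if not head:
            continue  # not an alert header: skip the block
        _gid, sid, _rev, name = head.groups()
        inc = {"name": name, "sid": int(sid), "priority": None, "type": None,
               "date": None, "source": None, "target": None, "references": []}
        for line in lines[1:]:
            if m := PRIORITY_RE.search(line):
                inc["priority"] = int(m[1])
            if m := CLASS_RE.search(line):      # Type: is optional in the alert
                inc["type"] = m[1]
            if m := IPINFO_RE.match(line):      # Date: plus source and target IP:port
                inc["date"], inc["source"], inc["target"] = m.groups()
            inc["references"] += XREF_RE.findall(line)
        inc["priority_label"] = PRIORITY_LABELS.get(inc["priority"])
        incidents.append(inc)
    return incidents
```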