It can also be used to parse an existing log file or take log data on standard input for formatting.
Create the FIFO that syslog will write to by using the command "mkfifo". See the mkfifo(1) man page for instructions.
Add a directive to your syslog configuration file which will send log data to the pipe. See the syslog.conf(5) man page for instructions.
Example (in /etc/syslog.conf):
Restart syslog to start sending data to the FIFO.
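The three setup steps above as a script, with the checks an operator wants before pointing syslog at the pipe. This is an added example written for this page, not code from firelogd. Everything it hard-codes is an assumption rather than something the page states: the FIFO path /var/log/firelogd.fifo, the sysklogd syslog.conf syntax `selector |/path/to/fifo` for logging to a named pipe, the `kern.*` selector, and /var/run/syslogd.pid as syslogd's pid file.

```python
"""Added example: create the FIFO, add the syslog.conf directive, reload syslogd.
Paths, selector and pid file below are assumptions for this example."""
import os
import signal
import stat

FIFO = "/var/log/firelogd.fifo"        # assumed location
SYSLOG_CONF = "/etc/syslog.conf"
SYSLOG_PID = "/var/run/syslogd.pid"    # assumed sysklogd pid file


def create_fifo(path, mode=0o600):
    """mkfifo(1) equivalent. 0600 keeps firewall log data readable by root only.
    Returns True when a FIFO with exactly the requested mode is in place."""
    if not os.path.exists(path):
        os.mkfifo(path, mode)
    if not stat.S_ISFIFO(os.stat(path).st_mode):
        raise RuntimeError(f"{path} exists but is not a FIFO")
    os.chmod(path, mode)   # mkfifo applies the umask, so set the mode explicitly
    return stat.S_IMODE(os.stat(path).st_mode) == mode


def directive(fifo, selector="kern.*"):
    """syslog.conf line sending kernel (netfilter LOG) messages to the pipe.
    Assumed sysklogd syntax: a leading '|' marks a named-pipe destination."""
    return f"{selector}\t|{fifo}"


def add_directive(conf, fifo, selector="kern.*"):
    """Append the directive unless an equivalent line (ignoring whitespace)
    is already present. Returns True if the file was modified."""
    line = directive(fifo, selector)
    try:
        with open(conf) as f:
            existing = [l.split() for l in f]
    except FileNotFoundError:
        existing = []
    if line.split() in existing:
        return False
    with open(conf, "a") as f:
        f.write(line + "\n")
    return True


def restart_syslog(pidfile=SYSLOG_PID):
    """SIGHUP makes syslogd reread its configuration and open the FIFO.
    The FIFO must already exist at this point (step 1), which is why the
    page orders the steps the way it does."""
    with open(pidfile) as f:
        os.kill(int(f.read().strip()), signal.SIGHUP)


if __name__ == "__main__":
    create_fifo(FIFO)
    if add_directive(SYSLOG_CONF, FIFO):
        restart_syslog()
```

Start firelogd reading the FIFO before or immediately after the reload; a pipe with no reader cannot hold more than the kernel's pipe buffer, so firewall hits logged in the meantime may be lost.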
firelogd -e firstname.lastname@example.org
This option can also be useful if the program is otherwise terminated ungracefully. If this happens, a stale pid file will remain. The '-k' option removes the pid file.
This option cannot be used if a firelogd daemon process is already running. If the daemon is already running, use the '-' flag (above) to parse a particular file.
This option does impose a performance penalty, so don't use it if you don't need it.
An output template is simply a file of whitespace-delimited tokens; any single word or run of non-space characters is a token. The token '$' (quotes included) is just a three-character token with no special meaning: in the output for each log entry it stands for itself, with no whitespace around it.
There are special tokens that are replaced with log data or whitespace. One example is the two-character token nl, which causes a newline to be output in its place for each log entry. The token sp outputs a space character. An actual space in the template file is required to separate one token from the next, but it prints nothing itself in the program's output.
Two other special tokens are: srcip and r_srcip
srcip will be replaced with the source IP address of the host that logged an alert on your firewall and r_srcip will output the resolved hostname (if available).
A simple output template then could consist of the following:
The sp host sp r_srcip sp - sp IP sp address sp srcip nl hit sp me sp on sp month sp day sp at sp time sp YIKES !! ! nl nl
With the previous template saved in a file named template in the current directory, the following command would show the following for three firewall hits:
tail -3 /var/log/kernel | firelogd -t template -
The host badman.crack.nl - IP address 188.8.131.52
hit me on Dec 1 at 12:20:37 YIKES!!!
The host 10.0.0.1 - IP address 10.0.0.1
hit me on Dec 1 at 12:53:01 YIKES!!!
The host ovia.com.ar - IP address 184.108.40.206
hit me on Dec 2 at 18:15:41 YIKES!!!
The special tokens are actually the variable names in the data structure that holds the log data. If you want one of the special token names to appear literally, split it into two tokens, which then stand for themselves.
All tokens and replacements are concatenated together on output. The special token time can be written as the two tokens ti and me; together they print the literal text time, with no replacement. The single token time would instead print something like 12:20:37 in the output.
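The template rules described above (whitespace-delimited tokens, nl and sp as literals, data tokens replaced, everything concatenated with no separators, split tokens standing for themselves) as a small re-implementation, together with a parser for netfilter/iptables log lines to feed it. This is an added example written for this page, not firelogd's code. The three kernel log lines and the reverse-DNS table are constructed so the example runs offline; they reuse the page's sample addresses and hostnames, and 10.0.0.1 deliberately has no entry so that r_srcip falls back to the address as in the page's output. Token names srcip, r_srcip, prec, month, day, time and recursed come from the page; dstip, proto, sport, dport and ttl are assumed names for this example. The recursed expansion for ICMP errors is not implemented here; it simply renders blank, as the page says any field the log source does not provide does.

```python
"""Added example: firelogd-style output templates over netfilter log lines.
Sample log lines, hostnames and the extra token names are constructed here."""
import re

# Constructed sample input: three netfilter LOG lines as syslog writes them.
SAMPLE_LOG = (
    "Dec  1 12:20:37 fw kernel: IN=eth0 OUT= SRC=188.8.131.52 DST=192.0.2.10 "
    "LEN=60 TOS=0x00 PREC=0x00 TTL=51 ID=31337 DF PROTO=TCP SPT=4321 DPT=22 "
    "WINDOW=5840 RES=0x00 SYN URGP=0\n"
    "Dec  1 12:53:01 fw kernel: IN=eth0 OUT= SRC=10.0.0.1 DST=192.0.2.10 "
    "LEN=40 TOS=0x00 PREC=0x00 TTL=64 ID=0 PROTO=UDP SPT=53 DPT=1025 LEN=20\n"
    "Dec  2 18:15:41 fw kernel: IN=eth0 OUT= SRC=184.108.40.206 DST=192.0.2.10 "
    "LEN=84 TOS=0x00 PREC=0x00 TTL=48 ID=1 PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=1\n"
)

# Constructed reverse-DNS table standing in for a real lookup (offline example).
FAKE_RDNS = {"188.8.131.52": "badman.crack.nl", "184.108.40.206": "ovia.com.ar"}

# The template from the page, as it would appear in the file named template.
TEMPLATE = ("The sp host sp r_srcip sp - sp IP sp address sp srcip nl "
            "hit sp me sp on sp month sp day sp at sp time sp YIKES !! ! nl nl")

SYSLOG_RE = re.compile(
    r"^(?P<month>[A-Z][a-z]{2})\s+(?P<day>\d{1,2})\s+(?P<time>\d\d:\d\d:\d\d)\s+"
    r"(?P<host>\S+)\s+kernel:\s*(?P<msg>.*)$")

# netfilter LOG field -> template token. srcip and prec are documented names;
# the remaining token names are assumptions made for this example.
NF_FIELDS = {"SRC": "srcip", "DST": "dstip", "PROTO": "proto", "SPT": "sport",
             "DPT": "dport", "PREC": "prec", "TTL": "ttl"}
LITERALS = {"nl": "\n", "sp": " "}
DATA_TOKENS = set(NF_FIELDS.values()) | {"r_srcip", "month", "day", "time", "recursed"}


def resolve(ip, rdns=FAKE_RDNS):
    """r_srcip: the resolved name if available, otherwise the bare address."""
    return rdns.get(ip, ip)


def parse_entry(line, rdns=FAKE_RDNS):
    """Turn one syslog/netfilter line into the token -> value map a template sees."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    entry = {"month": m["month"], "day": m["day"], "time": m["time"]}
    for word in m["msg"].split():
        if "=" not in word:          # bare flags such as DF or SYN carry no value
            continue
        key, value = word.split("=", 1)
        if key in NF_FIELDS:
            entry[NF_FIELDS[key]] = value
    if "srcip" in entry:
        entry["r_srcip"] = resolve(entry["srcip"], rdns)
    return entry


def render(template, entry):
    """Apply the documented rules: split on whitespace, substitute nl/sp and
    data tokens, emit every other token literally, join with no separators.
    Note that 'host' is not a data token, so 'The sp host' prints 'The host'."""
    out = []
    for tok in template.split():
        if tok in LITERALS:
            out.append(LITERALS[tok])
        elif tok in DATA_TOKENS:
            # A field the log source does not supply (ipchains has no PREC,
            # a plain TCP hit has no recursed packet) renders as "".
            out.append(entry.get(tok, ""))
        else:
            out.append(tok)
    return "".join(out)


def format_log(text, template=TEMPLATE, rdns=FAKE_RDNS):
    """Equivalent of `firelogd -t template -` over text read from stdin;
    lines that are not kernel log entries are skipped."""
    entries = (parse_entry(line, rdns) for line in text.splitlines())
    return "".join(render(template, e) for e in entries if e)


if __name__ == "__main__":
    import sys
    data = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_LOG
    sys.stdout.write(format_log(data))
```

Run with `tail -3 /var/log/kernel | python3 template_demo.py` to mirror the page's command; with no piped input it formats the constructed sample, which reproduces the six output lines shown above. Because a template is just tokens, an unknown word can never be mistaken for data; the only way to get log data into the output is through a known token name, which is what makes the ti me trick work.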
You can put comments into your template file by using the special tokens:
TCP/UDP SERVICE PORTS
The token recursed will output a complete log entry corresponding to the information from the packet that triggered the ICMP error message. The context information (date, time) is set to the context of the ICMP packet. The log message TRIGGERING PACKET denotes these entries. This is not possible with ipchains.
Some of the fields are specific to netfilter/iptables. Ipchains log data produces a blank field ("") for these tokens. Examples: recursed, prec.
Please report any bugs or update requests to the author.