Ideas for a script to access remote FTP and download logfile output?

Shuxclams

Diamond Member
Oct 10, 1999
9,286
15
81
Here is what I am wanting to do. I have a Linux IPMASQ that firewalls www servers. I have configured the W2K servers to log everything and want to create a log.txt file that will be placed in the FTP directory; then on the Linux box I need a script that will automatically log onto the FTP, D/L the log.txt file to the /var/log/ directory, and then I need to configure logcheck so that it reads the log.txt file for various "flags" so that portsentry will act accordingly. After posting all of this I am positive there isn't a snowball's chance in hell..........:D



SHUX
 

Engine

Senior member
Oct 11, 1999
519
0
0
Well, I don't know much about bash scripts (I have _very_ limited experience with them), but there's probably an easy way to do this... at least, the ftp part.

The ftp on Linux has a -s flag for executing scripts, right? If so, then just make a file called script and make it look something like this:

username
password
lcd /var/log
get log.txt
bye

And then in your script have a line kinda like this
ftp -s script ftp.shuxclams.com

As far as configuring logcheck and stuff like that.... :confused:

Hope this helped. Or, if it didn't that I didn't misunderstand your question so badly that I sounded patronizing or something :p
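Here is a fleshed-out version of the fetch script as an added example (my code, not Engine's or Shux's). It assumes the FTP account details come from the environment or a root-only config file; `ftp.example.com`, `loguser` and `changeme` are placeholders, not the real host or credentials. It feeds the command list to `ftp -n` on stdin rather than using `-s`, since `-s:file` is the Windows ftp.exe spelling and most Linux ftp clients read commands from stdin once auto-login is disabled with `-n`. It also downloads to a temporary name and renames into /var/log only after the transfer finished, so logcheck never reads a half-written file.

```shell
#!/bin/sh
# fetch_w2k_log.sh - added example, not code from the thread.
# Pulls log.txt from the W2K web server's FTP area into /var/log for logcheck.
# Assumed/placeholder values: FTP_HOST, FTP_USER, FTP_PASS (override via the
# environment or a mode-600 config file sourced before this runs).
FTP_HOST="${FTP_HOST:-ftp.example.com}"
FTP_USER="${FTP_USER:-loguser}"
FTP_PASS="${FTP_PASS:-changeme}"
LOG_DIR="${LOG_DIR:-/var/log}"
REMOTE_FILE="${REMOTE_FILE:-log.txt}"
LOCAL_FILE="${LOCAL_FILE:-w2k-www.log}"

# Emit the command script for a non-interactive ftp session.
# $1 user, $2 password, $3 local directory, $4 remote file, $5 local temp name.
# Commands go to ftp on stdin, so the password never shows up in "ps" output.
build_ftp_commands() {
  printf 'user %s %s\nlcd %s\nget %s %s\nbye\n' "$1" "$2" "$3" "$4" "$5"
}

# Sanity check after the transfer: the file must exist and be non-empty.
verify_download() {
  [ -s "$1" ]
}

# Download into a dot-prefixed temp name, verify it, then rename into place
# atomically so logcheck/logtail never see a partially written file.
fetch_log() {
  tmp_name=".$LOCAL_FILE.part"
  tmp_path="$LOG_DIR/$tmp_name"
  build_ftp_commands "$FTP_USER" "$FTP_PASS" "$LOG_DIR" "$REMOTE_FILE" "$tmp_name" \
    | ftp -n "$FTP_HOST" >/dev/null 2>&1 || return 1
  verify_download "$tmp_path" || { rm -f "$tmp_path"; return 1; }
  mv "$tmp_path" "$LOG_DIR/$LOCAL_FILE"
}

# Entry point for cron; sourcing the file without the "fetch" argument only
# defines the functions and connects nowhere.
if [ "${1:-}" = "fetch" ]; then
  fetch_log || { echo "fetch_w2k_log: download from $FTP_HOST failed" >&2; exit 1; }
fi
```

A crontab line such as `*/30 * * * * /usr/local/sbin/fetch_w2k_log.sh fetch` runs it every half hour. If you would rather not put the password in the script or environment at all, drop the `-n` and the `user` line and put `machine`, `login` and `password` in root's `~/.netrc` (mode 600), which ftp reads on its own. Either way FTP sends the password in the clear, so give that account read-only access to just the log directory on the W2K box.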
 

Shuxclams

Diamond Member
Oct 10, 1999
9,286
15
81
The Linux side of this would be very much like that. I think I should have broken the description down into 3 parts after looking at this.

1. I need a script or S/W that will parse W2K logfiles into one output file that can be read by Psionic Logcheck/Portsentry. That script can be run with task scheduler. Basically it would have to parse the logs, format them (if needed) and place the output into the FTP.

2. I need a script, along the lines of what you described, that would be run through crontab on intervals throughout the day that would do this. FTP to my www server and D/L the output file into the /var/log directory.

3. I need to configure Logcheck so that it scans those logs as well as the ones it does already for flags that also need to be added.

As I said, I am pretty sure it's pie in the sky thinking here, but it seems like it's possible, :confused: maybe....?! LOL Thanks for your input; that (the simple bash script) will probably be the easiest part of doing this. Again, thanks for your help.



SHUX
 

Shuxclams

Diamond Member
Oct 10, 1999
9,286
15
81
The part that really needs attention in the W2K script is the formatting so that it matches the output of syslog so it can be read by logcheck/portsentry.

This is typical syslog format:
Oct 22 04:02:00 portal anacron[8613]: Updated timestamp for job `cron.daily' to 2000-10-22

So it's like this, if you missed it..;)

Month Day Time Computer action[PID]: comment


This would be the format of the log.evt for W2K:

2000-10-26 15:59:09 208.134.205.211 - XX.XXX.XXX.XX 80 GET /Pics/Family00.jpg - 200 Mozilla/4.75+[en]+(Win98;+U)

Or

date-time c-ip cs-username s-ip s-port cs-method cs-uri-stem cs-uri-query sc-status cs(user agent)

Now I wish I had some real programming experience....:(



SHUX
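As an added example (mine, not Shux's or denali's code), here is a small awk-based converter from the W3C extended format shown above into the "Month Day Time Computer action[PID]: comment" layout syslog uses. It assumes the eleven fields listed in the post, in that order, and stamps each line with a hostname the caller passes in (so the Linux box can run it over the downloaded file, or a Windows awk port can run it on the W2K side before upload). It skips the `#Software:`/`#Fields:` header lines IIS writes at the top of each log, pads the day to two characters the way syslog does ("Nov  1"), and uses the server port in place of a PID. The sample log is constructed for the demo.

```shell
#!/bin/sh
# iis2syslog.sh - added example, not code from the thread.
# Converts IIS W3C extended log lines (date time c-ip cs-username s-ip s-port
# cs-method cs-uri-stem cs-uri-query sc-status cs(User-Agent)) into
# syslog-style lines that logcheck can scan.

# $1 = hostname to stamp on each line (assumption: supplied by the caller).
# Reads IIS lines on stdin, writes syslog-style lines on stdout.
iis_to_syslog() {
  awk -v host="$1" '
  BEGIN { split("Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec", mon, " ") }
  /^#/    { next }   # skip the #Software/#Version/#Date/#Fields header lines
  NF < 11 { next }   # skip truncated or malformed lines rather than misparse
  {
    split($1, d, "-")                      # d[1]=year d[2]=month d[3]=day
    # Month Day Time Host prog[port]: client-ip method uri query status agent
    printf "%s %2d %s %s iis[%s]: %s %s %s %s %s %s\n",
      mon[d[2] + 0], d[3] + 0, $2, host, $6, $3, $7, $8, $9, $10, $11
  }'
}

# Constructed sample log for the demo (RFC 5737 documentation addresses).
SAMPLE_IIS_LOG='#Software: Microsoft Internet Information Services 5.0
#Fields: date time c-ip cs-username s-ip s-port cs-method cs-uri-stem cs-uri-query sc-status cs(User-Agent)
2000-10-26 15:59:09 208.134.205.211 - 192.0.2.10 80 GET /Pics/Family00.jpg - 200 Mozilla/4.75+[en]+(Win98;+U)
2000-10-26 16:01:42 198.51.100.7 - 192.0.2.10 80 GET /scripts/nothere.exe - 404 Mozilla/4.0
2000-11-01 00:00:05 203.0.113.9 - 192.0.2.10 80 GET /index.html - 200 Mozilla/4.0+(compatible;+MSIE+5.01;+Windows+NT+5.0)'

# Demo run; in production you would pipe the fetched file instead:
#   iis_to_syslog www1 < /var/log/w2k-www.log >> /var/log/w2k-www.syslog
printf '%s\n' "$SAMPLE_IIS_LOG" | iis_to_syslog "${HOSTNAME:-www1}"
```

The first sample line comes out as `Oct 26 15:59:09 www1 iis[80]: 208.134.205.211 GET /Pics/Family00.jpg - 200 Mozilla/4.75+[en]+(Win98;+U)`. Because the client IP, method, URI and status land at fixed positions, the keyword patterns you add to Psionic logcheck's `logcheck.hacking` and `logcheck.violations` files can match on things like ` 404 ` or a URI substring without having to know the original IIS layout.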
 

denali

Golden Member
Oct 10, 1999
1,122
0
0
Send me an example input file and the output format and I'll see what I can do. Is this going to run on the Linux box? This sounds like a perfect use of Perl, BTW.
 

Shuxclams

Diamond Member
Oct 10, 1999
9,286
15
81
Denali,
I will have to run a program on the W2K machine to parse the logs and convert and format them so syslog can interpret it. Then I will need to create a script that will run on the Linux IPMASQ to access the W2K FTP site and D/L that output file created by the aforementioned script into the /var/log directory; then Logcheck/Portsentry have to be modified to read the flags contained in the original output file from the W2K machine. This is all to enable better security in regards to DDoS, buffer overflow and general hack attempts so that portsentry can filter them off my network and servers. :) As of now I have to look at my server logs and go through all the FTP and WWW data; when I find something, then I deny them access through IIS 5 IP Filtering, but the Linux IPMASQ does a much better and more secure job of denying ALL access. I want to automate as much of this as possible. :)



SHUX