Murus Logs Visualizer Manual (PDF Rev 1.0)

Contents

Murus Logs Visualizer INDEX

Chapter 1 Introduction
  Welcome to Murus Logs Visualizer
  How to install Murus Logs Visualizer
  How to start Murus Logs Visualizer
  How Murus Logs Visualizer works
  How to start Murus Logs Visualizer at login
Chapter 2 Reading PF Logs
  OS X Console app
  Shell Terminal
Chapter 3 Displaying PF Logs
  1 Realtime Simplified PF Logs
    Log lines structure
    Inspect log lines
  2 Realtime Connections Windows
  3 PF Logs Statistics

MURUS LOGS VISUALIZER MANUAL rev 1.0

Chapter 1 Introduction

Welcome to Murus Logs Visualizer

Murus Logs Visualizer is a tool for monitoring the PF log file on OS X 10.9 Mavericks and OS X 10.10 Yosemite. It opens as a menulet: its icon is displayed in the OS X menu bar at the top of the screen, near the clock. Despite being a companion app for Murus Firewall, Murus Logs Visualizer is a standalone application and can be used without Murus. To use it as a standalone application you need to manually configure both the PF firewall ruleset and the PF logging system. For the best experience, and to use all Murus Logs Visualizer features, you need to use it together with Murus. Murus Logs Visualizer works seamlessly with Murus Lite, Murus Basic and Murus Pro.

How to install Murus Logs Visualizer

To install Murus Logs Visualizer, download the ZIP file from www.murusfirewall.com, unzip it and open the DMG disk image file. Drag the Murus Logs Visualizer icon to your Applications folder, or wherever you want on your Macintosh HD.

How to start Murus Logs Visualizer

To start Murus Logs Visualizer, right-click its icon and select Open from the popup menu. If your OS X security settings allow only applications from known developers to be opened, OS X may ask you to confirm before opening Murus Logs Visualizer for the first time. The activation window will then appear. Enter your registration data (email and serial number) and click Activate Murus Logs Visualizer to activate and start it. If you don't own a license you can start Murus Logs Visualizer as a tryout and use it for 30 minutes. Murus Logs Visualizer Tryout is feature limited, so you have access only to a restricted set of features. Murus Logs Visualizer starts as an OS X menu item, with an icon near the clock at the top right of your Mac screen. Click the icon to open the features menu; all Murus Logs Visualizer features are accessed from this menu.

How Murus Logs Visualizer works

Murus Logs Visualizer constantly reads the PF firewall log file stored in the hidden directory /var/log. This log file is updated by the PF firewall running in the background. Murus Logs Visualizer reads and displays PF log lines using different graphical and logical abstractions. For this reason it is mandatory to properly configure Murus in order to activate the logging system; please refer to the Murus manual for more information.

Murus Logs Visualizer is only capable of displaying PF logs: you can't change the logging policies and you can't change or see the PF ruleset. While Murus Logs Visualizer is able to work on the PF log stream (for example ignoring PF logs matching specific patterns), it is not able to change or interfere with the PF logging policy. The PF log file stored in /var/log depends exclusively on the Murus PF configuration.

The user doesn't need to be an administrator in order to run Murus Logs Visualizer and doesn't need to authenticate as administrator: the PF log file permissions allow every user to read it. This choice has been made to comply with the ALF logging policies. ALF (Application Level Firewall), the OS X built-in application firewall managed from System Preferences, has a log file with exactly the same read/write permissions. Note that this also means any local account on the Mac, not only administrators, can read the firewall log and the addresses and ports it records.

How to start Murus Logs Visualizer at login

The user can choose to start Murus Logs Visualizer automatically at login. You can do it manually, by adding the Murus Logs Visualizer icon to your user's Login Items in the System Preferences Users panel, or you can simplify this process by clicking the Gear button in the Murus Logs Visualizer main menu to open the Options window and then clicking the Start Murus Logs Visualizer at user login button.

Chapter 2 Reading PF Logs

Learn how to read PF log files using the tools provided by OS X.

OS X Console app

The common way to display log files on OS X is the Console app. Console app is an OS X default application located in the Applications/Utilities directory. It is capable of displaying and searching all OS X system log files, including the PF log file. If you want the PF log file to be displayed automatically when opening Console app, open Console from Murus Logs Visualizer. Console app is capable of displaying logs from archived log files as well, expanding your search abilities. And most importantly, it is capable of auto-updating the log view in order to display realtime logs. To activate this feature, click the bottom right button in the Console app window.

[Screenshot: Console app window showing the PF log file, with "block in" lines for 192.168.2.1 port 137 (NBT query broadcast), "block out" lines for 192.168.2.1 ports 1900 and 5351 (UDP) and TCP lines for 192.168.2.2, each prefixed by the syslog date, the host name MacPro.local and pf[314].]

Console app displays plain log lines. While being the most informative way to display PF logs, it may be confusing.

Shell Terminal

Another way to display the PF log file is the shell (Terminal). This is probably the favorite choice for unix-savvy users. The OS X Terminal app is located in the Applications/Utilities directory. To display the current PF log file, the user needs to issue this shell command:

cat /var/log/pffirewall.log

This command will display the PF firewall log until the end. To display it one page at a time, the shell command is:

more /var/log/pffirewall.log

These two commands display only the saved file and will not update to show new logs unless you retype them. In order to display realtime logs, the user needs to run this shell command:

sudo /usr/sbin/tcpdump -lnettti pflog0

The Terminal will ask the user to authenticate, because this command needs root privileges in order to work, so the user must be an administrator. This shell command will display realtime PF logs. To stop it, press Control-C.

Chapter 3 Displaying PF Logs

Learn how to display PF logs using Murus Logs Visualizer:
  1 Realtime Simplified PF Logs
  2 Realtime Connections
  3 PF Logs Statistics

1 Realtime Simplified PF Logs

To open the Realtime Simplified PF Logs window, select the Murus Logs Visualizer main menu and click the sixth button. A new window will open. This window displays PF log files using a simplified abstraction which shows only some of the data. Each log line is described by icons and text strings. When this window is opened, PF logs populate it in realtime, and the user may also choose to display a part of the saved PF log file. The log view can be cleared and reloaded at any time using different display options. Whatever the user chooses to do, new incoming logs will be displayed in the current view as long as the Realtime Simplified PF Logs window is open. If it is closed, it will not be updated.

[Screenshot: Realtime Simplified PF Logs window. The toolbar holds the Clear All button, the Max displayed slider (set to 3000), the Read lines slider and the Read saved logs button; the list below shows simplified block/pass lines on en0 towards 192.168.2.2.]

To populate the logs view with saved logs, click the Read saved logs button in the toolbar. To choose how many lines to read, use the Read lines slider. This slider sets the number of log lines to be displayed when clicking Read saved logs; the number of displayed lines will then increase as new logs are recorded. If you set the slider to a value higher than your actual number of log lines, the slider will automatically restore itself to the correct value.

The logs view is constantly updated while the window is open: new log lines are appended to the bottom of the list. The user can choose to follow each new log line by selecting the Auto scroll to bottom button in the toolbar; when selected, the button stays highlighted. When this option is unchecked, new logs will still be appended to the end of the list, but the window will not automatically scroll to the bottom.

Being constantly updated, this window will display a lot of log lines. The Max displayed slider sets the maximum number of displayed log lines: if the logs view exceeds this value, the oldest log lines are removed from the view. Click the Clear All toolbar button to delete all log lines from the current view. Please note that no log lines will ever be removed from the PF log file: the PF log file cannot be modified by Logs Visualizer.

Murus Logs Visualizer Tryout is feature limited: the two sliders cannot be used and the user can read only a fixed number of PF log lines.

Log lines structure

[Screenshot: one simplified log line, dated Nov 25, on interface en0, from 183.99.92.100 to 192.168.2.2.]

Each log line contains the following parameters:
- An icon displaying the action (block or pass) and the direction (inbound or outbound)
- Date and time
- Network interface BSD name: the network interface for the logged connection
- Connection source, represented by an IP address, a TCP or UDP port and a Murus Service icon matching this port
- Connection destination, represented by an IP address, a TCP or UDP port and a Murus Service icon matching this port

The source/destination port icon is taken from Murus. In case a port matches more than one Murus Service, the displayed icon will match the first service in the Murus Services Library.

Inspect log lines

Select a log line and double-click it to open the Log Inspection popover. This popover displays the log line's parameters and also includes the original, complete PF log line. The user can further investigate each parameter by clicking the magnifier buttons, which display information about ports and IP addresses, including DNS, WHOIS and GEOIP records.

[Screenshot: Log Inspection popover for a "block in" line of 25 Nov 03:07:06 on en0:]
  Source IP Address and Port: 123.193.47.15 : 52050
  Target IP Address and Port: 192.168.2.2 : 23
  Log Line: Nov 25 03:07:06 MacPro.local pf[…]: 00:00:05.995032 rule 32.murus_inbound.110/0(match): block in on en0: 123.193.47.15.52050 > 192.168.2.2.23: Flags [S], seq …, win 5840, options [mss 1460,sackOK,TS val 574490881 ecr 0,nop,wscale 1], length 0

2 Realtime Connections Windows

This Murus Logs Visualizer feature displays realtime logged connections using four separate windows:
- Blocked Inbound Connections
- Passed Inbound Connections
- Blocked Outbound Connections
- Passed Outbound Connections

To open these windows, click buttons 1 to 4 in the Murus Logs Visualizer main menu. Murus Logs Visualizer Tryout is feature limited and can only display the Blocked Inbound Connections window.

Each window is automatically updated every time a new log is created. Each window displays two columns: the PORTS list on the left and the IP ADDRESSES list on the right. The Ports and IP Addresses lists are populated automatically and constantly, even while these windows are closed.

[Screenshot: Inbound Blocked Connections window. Ports list: 137, 8333, 23, 1433, 5060, 80, 445, 3306, 22. Addresses list: 192.168.2.1, 198.199.98.246, 162.243.132.6, 60.5.123.4, 222.186.56.2, 123.166.92.201, 69.57.254.18, 81.105.90.220, 46.147.77.130. Each entry carries its record count.]

Each item in the Ports and Addresses lists can be:
- Inspected: displays the port description from the /etc/services database, or the DNS, WHOIS and GEOIP information for an address
- Analyzed: displays graphical statistics based on the displayed data and filtering results
- Temporarily removed from the list: if a new matching log arrives, the item will reappear in the list
- Ignored: the item will never appear in the list again unless you remove the ignore from the ignore management window

The user accesses these four features with the four buttons on top of each list.

To clear the content of all four windows, select the Murus Logs Visualizer main menu and open the Options window. Click the Clean all address and port records button to empty all ports and addresses lists. Click the Manage Ignore List button to open the Ignores window; select an entry and click the X button to remove it from the list. The item is then no longer ignored.

Analyze a port by clicking the Analyze button. A popover will show up listing all addresses involved with this port. Addresses are sorted by records, and the record counts are displayed on the right. Analyze an IP address by clicking the Analyze button: the popover will show all ports for the selected IP.

Please note that in both cases the data shown are taken only from the Realtime Connections windows and not from the log file, so the data displayed in these windows and popovers are calculated on the logs produced since the last application start.

3 PF Logs Statistics

This Murus Logs Visualizer window displays statistics about the saved PF log files, including archived files. Click the sixth button in the Murus Logs Visualizer main menu to open the Logs Statistics window. This window displays two separate statistics, one for IP addresses and one for ports, using graphics and lists.

The user chooses how many PF log files to read using the Files toolbar slider. By default it is set to 1, meaning only the current PF log file is read. The slider maximum is the total number of PF log files stored in your /var/log directory; if the slider is locked at 1 and cannot be changed, you have only one PF log file. Choose the maximum number of displayed items for both Addresses and Ports using the Results toolbar slider.

The user can choose which kind of logs to analyze: use the two radio button groups to choose between passed or blocked connections, and between inbound or outbound connections. Click the Generate Statistics button in the toolbar to start calculating statistics. The time needed to accomplish this task depends on how big the PF log files are; a progress indicator will display the task status. If no log lines match the selected statistics criteria, no result will appear.

Once finished, this window will draw results for both Addresses and Ports. It is possible to further investigate both by selecting an item in the list and clicking the magnifier buttons on top of the two lists. The Addresses magnifier button will open a popover with WHOIS, DNS and GEOIP records for the selected IP address. The Ports magnifier button will open a popover which further displays statistics about the selected port: it shows the list of IP addresses involved with that port, sorted by records. The user can get more information about these IP addresses by selecting an address in the list and clicking the magnifier button.
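The parameters listed under "Log lines structure" and the per-port and per-address record counts shown by the Realtime Connections windows (and, over the saved file, by the Logs Statistics window) can be reproduced outside the app with a short script, which is useful when you want to check what the app shows against the raw file or run the same counting on a log copied from another Mac. The Python below is an added example written for this page; it is not code from Murus or Murus Logs Visualizer. The line layout it parses is taken from the sample log line quoted in "Inspect log lines" (tcpdump pflog output written by syslog); the embedded sample lines are constructed, with addresses, ports and sequence numbers invented, and the record counting and the ignore list are this example's approximation of the windows described in the manual, not the app's implementation.

```python
import re
from collections import Counter, defaultdict

# Shape of one /var/log/pffirewall.log line, as in the manual's sample line:
#   <syslog date> <host> pf[<pid>]: <tcpdump -ttt delta> rule <nr>[.<anchor>.<sub>]/<reason>(<action>):
#   <action> <direction> on <iface>: <src>.<sport> > <dst>.<dport>: <protocol-specific tail>
# Only IPv4 lines that carry ports (TCP/UDP) match; ICMP, IPv6 and anything else are reported as unparsed.
PFLOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) pf\[\d+\]: "
    r"(?P<delta>\d\d:\d\d:\d\d\.\d{6}) "
    r"rule (?P<rule>[^/ ]+)/\d+\((?P<reason>[a-z-]+)\): "
    r"(?P<action>[a-z-]+) (?P<direction>in|out) on (?P<iface>[a-z0-9]+): "
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3})\.(?P<sport>\d+) > "
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3})\.(?P<dport>\d+):(?P<tail>.*)$"
)


def parse_pflog_line(line):
    """Return the manual's log-line parameters as a dict, or None if the line is not TCP/UDP over IPv4."""
    m = PFLOG_RE.match(line.rstrip("\n"))
    if not m:
        return None
    rec = m.groupdict()
    tail = rec.pop("tail")
    rec["sport"], rec["dport"] = int(rec["sport"]), int(rec["dport"])
    # tcpdump prints "Flags [...]" for TCP; UDP lines read "UDP, length N" or decode the payload (e.g. NBT).
    rec["proto"] = "tcp" if "Flags [" in tail else ("udp" if "UDP" in tail else "other")
    rec["raw"] = line.rstrip("\n")  # the "original complete PF log line" of the inspection popover
    return rec


def load_pflog(text):
    """Parse a whole log; return (records, number_of_unparsed_lines)."""
    records, unparsed = [], 0
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = parse_pflog_line(line)
        if rec is None:
            unparsed += 1
        else:
            records.append(rec)
    return records, unparsed


def connection_lists(records, action="block", direction="in", ignore_ports=(), ignore_addrs=()):
    """Rebuild one Realtime Connections window: the Ports list and the Addresses list sorted by record
    count, plus the per-port address breakdown of the Analyze popover. For inbound traffic the port of
    interest is the local destination port and the remote party is the source address; for outbound it is
    the remote destination port and address. ignore_ports/ignore_addrs play the role of the Ignore list."""
    ports, addrs, by_port = Counter(), Counter(), defaultdict(Counter)
    for r in records:
        if r["action"] != action or r["direction"] != direction:
            continue
        port = r["dport"]
        addr = r["src"] if direction == "in" else r["dst"]
        if port in ignore_ports or addr in ignore_addrs:
            continue
        ports[port] += 1
        addrs[addr] += 1
        by_port[port][addr] += 1
    return {
        "ports": ports.most_common(),
        "addresses": addrs.most_common(),
        "addresses_by_port": {p: c.most_common() for p, c in by_port.items()},
    }


# Constructed sample, modeled on the lines quoted in the manual (addresses, ports, sequence numbers invented).
SAMPLE_LOG = """\
Nov 25 03:07:06 MacPro.local pf[314]: 00:00:05.995032 rule 32.murus_inbound.110/0(match): block in on en0: 123.193.47.15.52050 > 192.168.2.2.23: Flags [S], seq 674766053, win 5840, options [mss 1460,sackOK,TS val 574490881 ecr 0,nop,wscale 1], length 0
Nov 25 03:07:09 MacPro.local pf[314]: 00:00:03.000120 rule 32.murus_inbound.110/0(match): block in on en0: 123.193.47.15.52051 > 192.168.2.2.23: Flags [S], seq 674766054, win 5840, options [mss 1460,sackOK,TS val 574490884 ecr 0,nop,wscale 1], length 0
Nov 25 03:07:15 MacPro.local pf[314]: 00:00:06.000009 rule 31.murus_inbound.86/0(match): block in on en0: 192.168.2.1.137 > 192.168.2.255.137: NBT UDP PACKET(137): QUERY; REQUEST; BROADCAST
Nov 25 03:07:20 MacPro.local pf[314]: 00:00:05.000078 rule 8/0(match): block out on en0: 192.168.2.2.57675 > 222.186.56.69.6000: Flags [S], seq 683409408, win 16384, options [mss 1460], length 0
Nov 25 03:07:21 MacPro.local pf[314]: 00:00:01.000060 rule 32.murus_inbound.110/0(match): block in on en0: 198.199.98.246.44132 > 192.168.2.2.8333: Flags [S], seq 1, win 65535, length 0
Nov 25 03:07:22 MacPro.local pf[314]: 00:00:01.000000 rule 40.murus_inbound.12/0(match): pass in on en0: 192.168.2.1.5351 > 192.168.2.2.5351: UDP, length 12
Nov 25 03:07:23 MacPro.local pf[314]: 00:00:01.000000 rule 32.murus_inbound.110/0(match): block in on en0: 10.0.0.9 > 192.168.2.2: ICMP echo request, id 1, seq 1, length 64
"""

if __name__ == "__main__":
    import sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LOG
    recs, bad = load_pflog(text)
    print(f"{len(recs)} lines parsed, {bad} unparsed")
    for label, act, direc in (("Blocked Inbound", "block", "in"), ("Blocked Outbound", "block", "out")):
        lists = connection_lists(recs, act, direc)
        print(f"{label}: ports {lists['ports']} addresses {lists['addresses']}")
```

Run it with the path of /var/log/pffirewall.log (readable without sudo, as the manual notes) or with no argument to use the embedded sample. Lines the pattern does not match are counted rather than dropped, so a non-zero unparsed count tells you the real file holds traffic (ICMP, IPv6, lines without ports) that these tables do not show. Unlike the app's Realtime Connections windows, which only count logs produced since the last application start, this reads the whole file you hand it; like the app, it never modifies the log. If you want to follow the file live without root, tail -f on the same file works, whereas tcpdump on pflog0 needs sudo because it opens the capture interface rather than the log file.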

