Once the map is graphically defined, we have to associate some properties with the network items we have just created. We do so using the file netdef.txt. This file contains a list of entries defining our network items, each record being the item label along with 5 fields, one per line, with one blank line between records. The first line of the record is the label of the item itself, as defined in the file map.txt. The next fields are the IP address, the host name, a short label for identifying this item on the screen, a short description (for your use only, to identify the role of the machine/subnet; it is not taken into account by the program), and the icon associated with this item.

This is another of the flexibility aspects LogIDS offers: you can use the icons provided for some categories of items, make your own, and even create some for network items I may not have thought of. If you create icons that you think are pretty decent, send them to me and I'll put them on the website for others to use. These icons have to be 40 x 40 pixel bitmaps, located in the \bmp folder in the LogIDS tree.

Note that not all of these fields are mandatory, but at least the IP or the host name is required to be able to link these network items with the logs that come from them (make sure this data is present in your logs; use LogAgent if you are not sure or not able to provide this data). For defining subnets, you can put a * in the byte you want to include (for example, 10.0.0.*, or 10.0.*.* for one IP byte deeper). I know this is a bit crude and not in line with the standard representation, but I wanted a quick and easy way to code subnets. If you want to contribute on this part, send me the code and I'll look at it.

For the fictitious example network we defined in the previous chapter, we could use a netdef.txt file pretty much like this one:
FRWLL
IP=10.0.0.3
HOST=fw1
LABEL=Firewall
DESC=Company's main firewall
ICON=firewall.bmp

DMZ1a
IP=123.123.123.*
HOST=
LABEL=DMZ
DESC=Demilitarized zone for exposed, external servers
ICON=lan.bmp

DNS1a
IP=123.123.123.2
HOST=darkside
LABEL=DNS
DESC=External DNS server
ICON=server.bmp

WEBAa
IP=123.123.123.1
HOST=w_w_w
LABEL=WWW
DESC=External Web server
ICON=server.bmp

IDS1a
IP=123.123.123.254
HOST=sensor1
LABEL=DMZ IDS
DESC=DMZ IDS sensor
ICON=ids.bmp

IDS2a
IP=10.0.0.2
HOST=sensor2
LABEL=Internal IDS
DESC=Internal IDS sensor
ICON=ids.bmp

MAILa
IP=123.123.123.5
HOST=smtp
LABEL=Mail server
DESC=External mail server, located in the DMZ
ICON=server.bmp

PDC1a
IP=10.0.1.100
HOST=company_pdc
LABEL=PDC
DESC=PDC for the company's main Windows NT network
ICON=server.bmp

BDC1a
IP=10.0.1.101
HOST=company_bdc
LABEL=BDC
DESC=BDC for the company's main Windows NT network
ICON=server.bmp

FIL1a
IP=
HOST=orion
LABEL=Orion
DESC=Orion, file&print server
ICON=server.bmp

INTRa
IP=10.0.1.103
HOST=intranet
LABEL=Intranet
DESC=Company's intranet server
ICON=server.bmp

LAN1a
IP=10.0.0.*
HOST=
LABEL=10.0.0.*
DESC=Subnet 10.0.0.* (Marketing, second floor)
ICON=lan.bmp

LAN2a
IP=10.0.1.*
HOST=
LABEL=10.0.1.*
DESC=Subnet 10.0.1.* (Accounting, first floor)
ICON=lan.bmp

ADMCa
IP=10.0.0.10
HOST=ch45lk
LABEL=Admin Console
DESC=Network Administrator's desktop
ICON=desktop.bmp
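As an added example (my own Python, not LogIDS code), the following parses records in this netdef.txt format, enforces the "IP or host name required" rule, and links a log entry's IP or host name to a map label using the * subnet notation described above. The function names, and the rule that an exact IP or host match takes precedence over a wildcard subnet that also contains the address, are my assumptions; the two records are copied from the sample file.

```python
import re

# Constructed sample: two records from the netdef.txt above, one blank line between records.
SAMPLE_NETDEF = """FRWLL
IP=10.0.0.3
HOST=fw1
LABEL=Firewall
DESC=Company's main firewall
ICON=firewall.bmp

LAN1a
IP=10.0.0.*
HOST=
LABEL=10.0.0.*
DESC=Subnet 10.0.0.* (Marketing, second floor)
ICON=lan.bmp
"""
FIELDS = ("IP", "HOST", "LABEL", "DESC", "ICON")


def parse_netdef(text):
    """Return {map_label: {field: value}}; the first line of each blank-line-separated record is the map.txt label."""
    items = {}
    for block in re.split(r"\n\s*\n", text.strip()):
        lines = block.splitlines()
        label, props = lines[0].strip(), {f: "" for f in FIELDS}
        for line in lines[1:]:
            key, _, value = line.partition("=")
            key = key.strip().upper()
            if key in FIELDS:
                props[key] = value.strip()
        if not props["IP"] and not props["HOST"]:  # without one of these, no log can be linked
            raise ValueError(f"{label}: IP or HOST is required")
        items[label] = props
    return items


def ip_matches(pattern, ip):
    """True if dotted-quad ip falls under pattern, where '*' matches one byte (10.0.0.* or 10.0.*.*)."""
    pat, addr = pattern.split("."), ip.split(".")
    return len(pat) == len(addr) == 4 and all(p in ("*", a) for p, a in zip(pat, addr))


def find_item(items, ip=None, host=None):
    """Link a log line's IP/host to a map label; exact matches first, wildcard subnets only as fallback (assumed rule)."""
    for label, p in items.items():
        if (ip and p["IP"] == ip) or (host and p["HOST"].lower() == host.lower()):
            return label
    for label, p in items.items():
        if ip and "*" in p["IP"] and ip_matches(p["IP"], ip):
            return label
    return None
```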
Now that we have defined the properties of the network hosts and subnets that we want to monitor and have it displayed on the screen, let's go to the next step: defining our log files filters.