[Hatchet-users] Hatchet displaying empty results
William MacKay
foobaz at gmail.com
Mon Jul 18 22:55:29 EDT 2005
Oh, I'd forgotten about the patch. That sure would explain his
problem. The patch didn't work for me either, but I figured I just
didn't know how to apply it, so I did it manually with a text editor,
and my copy of hatchet works great. Here's a "diff -c", is that the
proper way to make a patch?
*** hatchet-0.8/bin/hatchet Thu May 12 21:38:22 2005
--- hatchet-0.8/bin/hatchet Sun Jun 19 17:48:41 2005
***************
*** 146,152 ****
--- 146,162 ----
my $input = $_;
my ($date, $points, $rulenum, $action, $interface,
$src_host, $src_port, $dst_host, $dst_port, $remainder);
SWITCH: {
+ if ($input =~ /(\w+ \d+ \d+:.\d:.\d+)\.(\d+) rule
(\d+)\/\(match\) (\w+ \w+) \w+ (\w+)\: (\d+\.\d+\.\d+\.\d+)\.(\d+) >
(\d+\.\d+\.\d+\.\d+)\.(\d+)\:(.*)/)
+ {
+ ($date, $points, $rulenum, $action,
$interface, $src_host, $src_port, $dst_host, $dst_port, $remainder) =
($1, $2, $3, $4, $5, $6, $7, $8, $9, $10);
+ last SWITCH;
+ }
if ($input =~ /(\w+ \d+ \d+:.\d:.\d+)\.(\d+) rule
(\d+)\/\d+\(match\)\: (\w+ \w+) \w+ (\w+)\: (\d+\.\d+\.\d+\.\d+)\.(\d
+) > (\d+\.\d+\.\d+\.\d+)\.(\d+)\:(.*)/)
+ {
+ ($date, $points, $rulenum, $action,
$interface, $src_host, $src_port, $dst_host, $dst_port, $remainder) =
($1, $2, $3, $4, $5, $6, $7, $8, $9, $10);
+ last SWITCH;
+ }
+ if ($input =~ /(\w+ \d+ \d+:.\d:.\d+)\.(\d+) rule
(\d+)\/\(match\)\: (\w+ \w+) \w+ (\w+)\: ([a-f0-9\:]+)\.(\d+) > ([a-
f0-9\:]+)\.(\d+)\:(.*)/)
{
($date, $points, $rulenum, $action,
$interface, $src_host, $src_port, $dst_host, $dst_port, $remainder) =
($1, $2, $3, $4, $5, $6, $7, $8, $9, $10);
last SWITCH;
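Review bot: the three branches each pair one log-prefix variant with one address family, so some combinations still match nothing. The first added branch accepts `rule N/(match)` with no trailing colon and the existing one `rule N/N(match):`, both with dotted-quad hosts only, while the added `([a-f0-9\:]+)\.(\d+)` branch is tied to `rule N/(match):`. An IPv4 entry in the `/(match):` form, or an IPv6 entry in either of the other two forms, falls through SWITCH with `$date` through `$remainder` still unset. Consider a single pattern with an optional sub-rule number and colon plus a host alternation, which would also remove the three identical assignment blocks. Separately, the timestamp part `\d+:.\d:.\d+` uses `.` where a digit looks intended, and the patterns are wrapped mid-token in this mail (`(\d` / `+)` and `[a-` / `f0-9\:]`), so the diff will not apply as pasted; sending it as an attachment would avoid that.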
If this doesn't work, I could send you my working copy of
/usr/local/bin/hatchet as an attachment.
On Jul 18, 2005, at 10:23 PM, Jason Dixon wrote:
> Sorry folks, it appears there are some issues with 0.8 that cause
> it to not store parsed entries in the database. There are a couple
> of patches (http://www.dixongroup.net/hatchet/#news), but I believe
> I hosed one or both of them. I've been distracted with a number of
> other projects and haven't had the time to dedicate to Hatchet. If
> anyone that has it working can step up with a set of working
> patches against 0.8 (or has the time to figure out why mine are
> broken), I'd certainly appreciate it.
>
> Thanks,
> Jason
>
> On Jul 18, 2005, at 10:06 PM, William MacKay wrote:
>
>
>> Try running hatchet and hatchart from a command line and see if
>> they print any error messages. You'll need to sudo them.
>>
>> The traffic graphs use pfstat, which is a completely different
>> chain of data than the firewall log. Do the activity charts work?
>> I believe those use the pflog data, like the firewall log does.
>>
>> On Jul 18, 2005, at 4:08 PM, Edouard Alligand wrote:
>>
>>
>>
>>> I just installed hatchet on my 3.7 obsd box, in my chrooted
>>> apache. The traffic graphs work but I have an empty firewall log
>>> displayed whereas if I type "tcpdump -n -e -ttt -r /var/log/pflog"
>>> it's not empty at all...
>>>
>>> I have followed the README.chroot steps and verified that the
>>> path to the database is correct.
>>>
>>>
>
>
> --
> Jason Dixon
> DixonGroup Consulting
> http://www.dixongroup.net
>
>
>
>