Wflogs 0.9.8

Wflogs is a firewall log analysis tool.

GPL (GNU General Public License) 
Hervé Eychenne
Wflogs is a firewall log analysis tool. It can be used to produce a log summary report in plain text, HTML and XML, or to monitor firewalling logs in real-time.

This project is part of the WallFire project, but can be used independently.

Usage examples:

wflogs -i netfilter -o html netfilter.log > logs.html

converts the given netfilter log file into an HTML report.

wflogs --sort=protocol,-time -i netfilter -o text netfilter.log > logs.txt

converts the given netfilter log file into a sorted (by protocol number, then reverse time) text report.

wflogs -f '$start_time >= [this 3 days ago] && $start_time < [this 2 days ago] && $chainlabel =~ /(DROP|REJECT)/ && $sipaddr == && $protocol == tcp && ($dport == ssh || $dport == telnet) && ($tcpflags & SYN)' -i netfilter -o text --summary=no

shows the log entries (without a summary) that match the given expression (refused connection attempts that occurred 3 days ago to the ssh and telnet ports, coming from the internal network).

wflogs -i netfilter -o text --resolve=0 --whois=0 netfilter.log

converts the given netfilter log file into a text report (default mode), disabling IP address reverse lookups and whois lookups.

wflogs -i netfilter -o xml netfilter.log > logs.xml

exports netfilter logs in XML.

wflogs -i ipchains -o netfilter ipchains.log > netfilter.log

converts ipchains logs into netfilter log format, so that you can process them with your favourite netfilter log analyser, for example (even if the latter may not be better than wflogs itself).

wflogs -i ipfilter -o human --datalen=yes ipfilter.log

produces a report about the ipfilter log file in natural language on stdout, displaying the packet length (datalen option), which is not shown by default.

wflogs -R -I

monitors logs in real-time in an interactive shell, waiting for logs in the default system logfile, in a format guessed from the local firewalling tool.
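Worked example added here (it is not part of wflogs or the WallFire project): a small Python analyser that parses netfilter log lines and reproduces the three operations the usage examples above describe, namely the -f style filter for refused ssh/telnet connection attempts, --sort=protocol,-time ordering, and a summary count. The sample log lines, the year 2007 attached to the year-less syslog timestamps, the reference clock NOW, the 192.168.1.0/24 "internal network" (standing in for the operand that is missing after `$sipaddr ==` in the example above) and the reading of `[this 3 days ago]` as a 24-hour window starting three days before the reference clock are all assumptions made for this example.

```python
"""Added example, not wflogs code: parse netfilter (iptables LOG target)
lines, filter them, sort them --sort style, and summarise them."""
import ipaddress
import re
from collections import Counter
from datetime import datetime, timedelta

LOG_YEAR = 2007                      # assumption: syslog stamps carry no year
NOW = datetime(2007, 2, 15, 8, 0, 0)  # constructed reference clock
INTERNAL_NET = ipaddress.ip_network("192.168.1.0/24")  # assumed internal net
PROTO_NUMBERS = {"ICMP": 1, "TCP": 6, "UDP": 17}       # IANA protocol numbers

# Constructed sample lines; the word before IN= is the rule's --log-prefix.
SAMPLE_LOG = """\
Feb 12 08:15:02 fw kernel: DROP IN=eth0 OUT= SRC=192.168.1.50 DST=10.0.0.1 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=1 DF PROTO=TCP SPT=40001 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
Feb 12 08:15:05 fw kernel: ACCEPT IN=eth0 OUT= SRC=192.168.1.51 DST=10.0.0.1 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=2 DF PROTO=TCP SPT=40002 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0
Feb 12 08:16:10 fw kernel: DROP IN=eth0 OUT= SRC=192.168.1.50 DST=10.0.0.1 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=3 DF PROTO=TCP SPT=40003 DPT=23 WINDOW=5840 RES=0x00 SYN URGP=0
Feb 12 08:17:00 fw kernel: DROP IN=eth0 OUT= SRC=192.168.1.77 DST=10.0.0.1 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=4 DF PROTO=ICMP TYPE=8 CODE=0 ID=512 SEQ=1
Feb 12 08:18:30 fw kernel: REJECT IN=eth0 OUT= SRC=192.168.1.50 DST=10.0.0.1 LEN=52 TOS=0x00 PREC=0x00 TTL=64 ID=5 DF PROTO=TCP SPT=40004 DPT=22 WINDOW=5840 RES=0x00 ACK URGP=0
Feb 12 08:19:45 fw kernel: DROP IN=eth0 OUT= SRC=203.0.113.9 DST=10.0.0.1 LEN=60 TOS=0x00 PREC=0x00 TTL=49 ID=6 DF PROTO=TCP SPT=51000 DPT=22 WINDOW=1024 RES=0x00 SYN URGP=0
Feb 10 22:01:11 fw kernel: DROP IN=eth0 OUT= SRC=192.168.1.50 DST=10.0.0.1 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=7 DF PROTO=TCP SPT=40005 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
"""

# syslog header, optional "[ uptime]" bracket, optional log-prefix label, fields
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ kernel: "
    r"(?:\[[^\]]*\] )?(?P<label>[^=]*?)\s*(?P<fields>IN=.*)$"
)
TCP_FLAGS = {"SYN", "ACK", "FIN", "RST", "PSH", "URG"}


def parse_line(line):
    """Turn one netfilter log line into a dict, or None if it is not one."""
    m = LINE_RE.match(line)
    if not m:
        return None
    fields, flags = {}, set()
    for tok in m.group("fields").split():
        if "=" in tok:                      # KEY=VALUE (VALUE may be empty)
            key, _, value = tok.partition("=")
            fields[key] = value
        else:                               # bare tokens: DF, SYN, ACK, ...
            flags.add(tok)
    stamp = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S")
    return {
        "time": stamp.replace(year=LOG_YEAR),
        "chainlabel": m.group("label"),
        "sipaddr": ipaddress.ip_address(fields.get("SRC", "0.0.0.0")),
        "protocol": PROTO_NUMBERS.get(fields.get("PROTO", ""), 0),
        "dport": int(fields["DPT"]) if "DPT" in fields else None,
        "tcpflags": flags & TCP_FLAGS,
        "datalen": int(fields.get("LEN", 0)),
    }


def parse_log(text):
    """Parse every recognisable line; silently skip unrelated syslog lines."""
    return [e for e in map(parse_line, text.splitlines()) if e is not None]


def refused_logins(entries, now):
    """The -f expression above: DROP/REJECT of TCP SYNs to ssh or telnet from
    the internal network, within the 24 h that started three days ago."""
    start, end = now - timedelta(days=3), now - timedelta(days=2)
    return [
        e for e in entries
        if start <= e["time"] < end
        and re.search(r"(DROP|REJECT)", e["chainlabel"])
        and e["sipaddr"] in INTERNAL_NET
        and e["protocol"] == PROTO_NUMBERS["TCP"]
        and e["dport"] in (22, 23)
        and "SYN" in e["tcpflags"]
    ]


def sort_entries(entries, spec="protocol,-time"):
    """--sort style ordering: comma-separated fields, '-' prefix = descending.
    Successive stable sorts, last key first, so the first key dominates."""
    result = list(entries)
    for field in reversed(spec.split(",")):
        name = field.lstrip("-")
        result.sort(key=lambda e: e[name], reverse=field.startswith("-"))
    return result


def summarize(entries):
    """Counts of the kind a summary report would print."""
    return {
        "total": len(entries),
        "by_chainlabel": Counter(e["chainlabel"] for e in entries),
        "by_sipaddr": Counter(str(e["sipaddr"]) for e in entries),
    }


if __name__ == "__main__":
    hits = sort_entries(refused_logins(parse_log(SAMPLE_LOG), NOW))
    for e in hits:
        print(e["time"], e["chainlabel"], e["sipaddr"], "->", e["dport"])
    print(summarize(hits))
```

Run as a script it prints the two refused SYNs from 192.168.1.50 (to port 23, then port 22, because time is sorted in reverse) and their summary; the REJECT line is excluded because it carries ACK rather than SYN, the 203.0.113.9 line because it is not internal, and the Feb 10 line because it falls outside the window.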

Supported systems

WallFire is intended to work on real systems such as Unix, especially Linux and *BSD.

Current wflogs input modules are:

· netfilter (Linux 2.4 and 2.6 firewall logs)
· ipchains (Linux 2.2 firewall logs)
· ipfilter (NetBSD, FreeBSD, OpenBSD, Solaris, SunOS 4, IRIX and HP-UX running ipfilter firewall logs).
· cisco_pix (Cisco PIX filter logs)
· cisco_ios (Cisco IOS filter logs)
· snort (Snort ACL logs)

Please note that input modules are available on any architecture on which wflogs can run (for example, you can perfectly well parse Cisco PIX logs on a Linux box).

What's New in This Release:

· Improved matching of netfilter and ipfilter input modules.
· Added support for Cisco FWSM (PIX).
· Improved netfilter parsing.
· Compilation fixes for *BSD.
· Added wflogs.dtd.
· Added wfchkintegrity tool, which makes it possible to monitor changes in the firewalling configuration.
· Fixed buffer sizes for some input modules.
· Fixed parsing with recent flex versions.

Last updated on February 14th, 2007
