fwlogwatch 1.3

fwlogwatch is a packet filter / firewall / IDS log analyzer written by Boris Wesslowski originally for RUS-CERT.

fwlogwatch supports many log formats and offers many analysis options. It also features incident report and realtime response capabilities, an interactive web interface and internationalization.

Main features:

  • Can detect and process log entries in the following formats:
      • Linux ipchains
      • Linux netfilter/iptables
      • Solaris/BSD/Irix/HP-UX ipfilter
      • BSD ipfw
      • Cisco IOS
      • Cisco PIX / FWSM
      • NetScreen
      • Windows XP firewall
      • Elsa Lancom router
      • Snort IDS
  • Entries can be parsed from single, multiple and combined log files; the parsers to be used can be selected.
  • Gzip-compressed logs are supported transparently.
  • Can separate recent from old entries and detect timewarps in log files.
  • Can recognize 'last message repeated' entries concerning the firewall.
  • Integrated resolver for protocols, services and host names.
  • Can do lookups in the whois database.
  • Own DNS and whois information cache and GNU adns support for faster lookups.
  • Hosts, networks, ports, chains and branches (targets) can be selected or excluded as needed.
  • Support for internationalization (available in English, German, Portuguese, Simplified and Traditional Chinese, Swedish and Japanese).
  • Log summary mode:
      • Many options to find and display relevant patterns in connection attempts.
      • Intelligent selection of certain fields (e.g. the host name column is omitted and the host mentioned in the header of the summary if the log is from a single host; the same happens with chains, targets and interfaces).
      • Output as plain text or HTML (W3C XHTML 1.1 with inline or linked CSS level 2) with limit and sort options.
      • Can send summaries by email.
      • The integrated report generator fills in and presents a report that can be sent to abuse contacts of attacking sites or computer emergency response teams (CERTs).
      • Supports templates and incident number generation.
      • All fields can be adjusted as needed interactively.
  • Realtime response mode:
      • The program detaches and stays in the background as a daemon.
      • For ipchains setups, detection of the necessary rules with logging turned on can be configured.
      • Can catch up reading existing entries to provide up-to-date state information from program start on.
      • Response can be a notification (in the form of a log file entry, an email, a remote winpopup message or whatever you can put into a shell script), or a customizable firewall modification.
      • The included response script adds a new chain for fwlogwatch to ipchains or netfilter setups, and attackers are blocked with new firewall rules.
      • Supports trusted hosts (anti-spoofing).
      • The current status of the program can be followed and controlled through a web interface (supports IPv6).

last updated on:
November 15th, 2011, 7:33 GMT
license type:
GPL (GNU General Public License)
developed by:
Boris Wesslowski
What's New in This Release:
  • This version adds IPv6 support for netfilter, DNS cache initialization, and ASA parser extensions.