fwlogwatch is a packet filter / firewall / IDS log analyzer written by Boris Wesslowski originally for RUS-CERT.
fwlogwatch supports a lot of log formats and has many analysis options. It also features incident report and realtime response capabilities, an interactive web interface and internationalization.
Here are some key features of "fwlogwatch":
Can detect and process log entries in the following formats:
· Linux ipchains
· Linux netfilter/iptables
· Solaris/BSD/Irix/HP-UX ipfilter
· BSD ipfw
· Cisco IOS
· Cisco PIX / FWSM
· Windows XP firewall
· Elsa Lancom router
· Snort IDS
· Entries can be parsed from single, multiple and combined log files, the parsers to be used can be selected.
· Gzip-compressed logs are supported transparently.
· Can separate recent from old entries and detects timewarps in log files.
· Can recognize 'last message repeated' entries concerning the firewall.
· Integrated resolver for protocols, services and host names.
· Can do lookups in the whois database.
· Own DNS and whois information cache and GNU adns support for faster lookups.
· Hosts, networks, ports, chains and branches (targets) can be selected or excluded as needed.
· Support for internationalization (available in english, german, portuguese, simplified and traditional chinese, swedish and japanese).
Log summary mode:
· A lot of options to find and display relevant patterns in connection attempts.
· Intelligent selection of certain fields (e.g. the host name column is omitted and the host mentioned in the header of the summary if the log is from a single host, the same happens with chains, targets and interfaces).
· Output as plain text or HTML (W3C XHTML 1.1 with inline or linked CSS level 2) with limit and sort options.
· Can send summaries by email.
· The integrated report generator fills in and presents a report that can be sent to abuse contacts of attacking sites or computer emergency response teams (CERTs).
· Supports templates and incident number generation.
· All fields can be adjusted as needed interactively.
Realtime response mode:
· The program detaches and stays in background as a daemon.
· For ipchains setups detection of necessary rules with logging turned on can be configured.
· Can catch up reading existing entries to provide up-to-date state information from program start on.
· Response can be a notification (in form of a log file entry, an email, a remote winpopup message or whatever you can put into a shell script), or a customizable firewall modification.
· The included response script adds a new chain for fwlogwatch to ipchains or netfilter setups and attackers are blocked with new firewall rules.
· Supports trusted hosts (anti-spoofing).
· The current status of the program can be followed and controlled through a web interface (supports IPv6).
What's New in This Release: [ read full changelog ]
· This version adds IPv6 support for netfilter, dns cache initialization, and ASA parser extensions.