fwlogwatch
Description
fwlogwatch is a packet filter / firewall / IDS log analyzer written by Boris Wesslowski, originally for RUS-CERT. It supports many log formats and analysis options, generates incident reports, can respond to attacks in realtime, and provides an interactive web interface.
Features
- General features:
- Can detect and process log entries in the following formats:
- Linux ipchains
- Linux netfilter/iptables
- Solaris/BSD/IRIX/HP-UX ipfilter
- BSD ipfw
- Cisco IOS
- Cisco PIX/FWSM/ASA
- NetScreen
- Elsa Lancom router
- Snort IDS
- Entries can be parsed from single, multiple and combined log files, the parsers to be used can be selected.
- Gzip-compressed logs are supported transparently.
- Can separate recent from old entries and detect timewarps in log files.
- Can recognize syslog's 'last message repeated' entries when they refer to firewall messages.
- Integrated resolver for protocols, services and host names.
- Can do lookups in the GeoIP and whois databases.
- Own DNS and whois information cache and GNU adns support for faster lookups.
- Hosts, networks, ports, chains and branches (targets) can be selected or excluded as needed.
- Support for internationalization (available in English, German, Portuguese, Simplified and Traditional Chinese, Swedish and Japanese).
- Supports IPv6 (currently only the netfilter parser, DNS cache and web interface make use of it).
- Log summary mode:
- A lot of options to find and display relevant patterns in connection attempts.
- Intelligent selection of fields: if all entries come from a single host, the host name column is omitted and the host is mentioned in the header of the summary instead; the same applies to chains, targets and interfaces.
- Output as plain text or HTML (W3C XHTML 1.1 with inline or linked CSS) with limit and sort options.
- Can send summaries by email.
- Realtime response mode:
- The program detaches and stays in background as a daemon.
- For ipchains setups, detection of the required rules with logging turned on can be configured.
- Can catch up reading existing entries to provide up-to-date state information from program start on.
- Response can be a notification (in the form of a log file entry, an email, a remote winpopup message or whatever you can put into a shell script), or a customizable firewall modification.
- The included response script adds a new chain for fwlogwatch to ipchains or netfilter setups and attackers are blocked with new firewall rules.
- Supports trusted hosts (anti-spoofing).
- The current status of the program can be followed and controlled through a web interface.
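The following is an added example, not fwlogwatch's own code, showing how several of the features above fit together for netfilter logs: a parser for the LOG target's KEY=VALUE lines (IPv4 and IPv6), expansion of syslog's 'last message repeated N times' entries only when they follow a firewall entry, transparent gzip detection by magic bytes, a per-source/port summary, and a realtime-style response that emits blocking rules for a dedicated chain while never blocking trusted networks. The chain name fwlogwatch, the threshold, the TRUSTED list, the FW-DROP log prefix and the sample log lines are all constructed for illustration and do not describe the project's actual output or its shipped response script.

```python
"""Netfilter/iptables log summarizer with a threshold-based response.
Added example in the spirit of fwlogwatch, not its code.  Assumes syslog-style
lines from the netfilter LOG target (optionally with --log-prefix); the chain
name, TRUSTED list and threshold are illustrative choices."""
import gzip
import re
from collections import Counter
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Iterable, Iterator, List, Optional

# Syslog header: "Mon DD HH:MM:SS host message".
SYSLOG_RE = re.compile(r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) (?P<msg>.*)$")
# syslogd duplicate suppression; it refers to whatever message came just before it.
REPEAT_RE = re.compile(r"^last message repeated (?P<n>\d+) times$")
# KEY=VALUE tokens of a LOG entry; bare flags such as DF or SYN carry no '=' and are skipped.
KV_RE = re.compile(r"(?P<k>[A-Z]+)=(?P<v>\S*)")
# Illustrative trusted networks: never blocked, so a spoofed flood cannot lock out your own hosts.
TRUSTED = [ip_network("192.0.2.0/24")]


@dataclass(frozen=True)
class Entry:
    host: str
    chain: str            # --log-prefix text, standing in for the chain/rule label
    iface: str
    src: str
    dst: str
    proto: str
    dport: Optional[int]  # None for protocols without ports (e.g. ICMP)


def parse_line(line: str) -> Optional[Entry]:
    """Return an Entry for a netfilter LOG line (IPv4 or IPv6), None for anything else."""
    m = SYSLOG_RE.match(line.rstrip("\n"))
    if not m or not m.group("msg").startswith("kernel:"):
        return None
    body = m.group("msg")[len("kernel:"):].lstrip()
    if "IN=" not in body:
        return None
    prefix = body[: body.index("IN=")].strip().rstrip(":")
    kv = dict(KV_RE.findall(body))
    try:  # validate addresses so a malformed entry is reported, not mis-counted
        src, dst = str(ip_address(kv["SRC"])), str(ip_address(kv["DST"]))
    except (KeyError, ValueError):
        return None
    dport = int(kv["DPT"]) if kv.get("DPT", "").isdigit() else None
    return Entry(m.group("host"), prefix or "-", kv.get("IN", ""), src, dst, kv.get("PROTO", "?"), dport)


def read_entries(lines: Iterable[str]) -> Iterator[Entry]:
    """Parse in order, expanding 'last message repeated N times' into N copies of the
    previous firewall entry; repeats of non-firewall messages are ignored."""
    last: Optional[Entry] = None
    for line in lines:
        m = SYSLOG_RE.match(line.rstrip("\n"))
        rep = REPEAT_RE.match(m.group("msg")) if m else None
        if rep:
            for _ in range(int(rep.group("n")) if last else 0):
                yield last
            continue
        last = parse_line(line)  # a non-firewall line resets the repeat context
        if last:
            yield last


def open_log(path: str) -> Iterator[str]:
    """Yield lines from a plain or gzip-compressed log, detected by magic bytes, not by name."""
    with open(path, "rb") as f:
        is_gz = f.read(2) == b"\x1f\x8b"
    with (gzip.open if is_gz else open)(path, "rt", encoding="utf-8", errors="replace") as f:
        yield from f


def summarize(entries: Iterable[Entry]) -> Counter:
    """Attempts per (src, proto, dport, chain): the core axis of a summary report."""
    return Counter((e.src, e.proto, e.dport, e.chain) for e in entries)


def response_rules(entries: Iterable[Entry], threshold: int, chain: str = "fwlogwatch") -> List[str]:
    """Commands (returned, not executed) that block every source with at least `threshold`
    attempts in a dedicated chain, per address family, skipping TRUSTED networks."""
    per_src = Counter(e.src for e in entries)
    rules: List[str] = []
    created = set()
    for src, n in sorted(per_src.items(), key=lambda item: (-item[1], item[0])):
        addr = ip_address(src)
        if n < threshold or any(addr in net for net in TRUSTED):
            continue
        tool = "ip6tables" if addr.version == 6 else "iptables"
        if tool not in created:  # create the chain once per family and hook it into INPUT
            rules += [f"{tool} -N {chain}", f"{tool} -I INPUT -j {chain}"]
            created.add(tool)
        rules.append(f"{tool} -I {chain} -s {src} -j DROP")
    return rules


# Constructed sample log using documentation addresses (RFC 5737 / RFC 3849), not real traffic.
SAMPLE_LOG = """\
Feb 19 10:00:01 gw kernel: FW-DROP: IN=eth0 OUT= MAC=00:0c:29:aa:bb:cc:00:50:56:c0:00:08:08:00 SRC=203.0.113.5 DST=198.51.100.10 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=44123 DPT=22 WINDOW=65535 RES=0x00 SYN URGP=0
Feb 19 10:00:02 gw last message repeated 4 times
Feb 19 10:00:03 gw kernel: FW-DROP: IN=eth0 OUT= SRC=192.0.2.7 DST=198.51.100.10 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=TCP SPT=51000 DPT=22 WINDOW=65535 RES=0x00 SYN URGP=0
Feb 19 10:00:04 gw sshd[1234]: Failed password for root from 203.0.113.5 port 44123 ssh2
Feb 19 10:00:05 gw last message repeated 2 times
Feb 19 10:00:06 gw kernel: FW-DROP: IN=eth0 OUT= SRC=203.0.113.5 DST=198.51.100.10 LEN=28 TOS=0x00 PREC=0x00 TTL=52 ID=0 PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=1
Feb 19 10:00:07 gw kernel: FW-DROP: IN=eth0 OUT= SRC=2001:db8::bad DST=2001:db8::10 LEN=80 TC=0 HOPLIMIT=60 FLOWLBL=0 PROTO=TCP SPT=4000 DPT=443 WINDOW=65535 RES=0x00 SYN URGP=0
"""

if __name__ == "__main__":
    entries = list(read_entries(SAMPLE_LOG.splitlines()))
    for (src, proto, dport, chain), n in summarize(entries).most_common():
        print(f"{n:4d}  {chain:<10} {src:<16} {proto}/{dport}")
    print("\n".join(response_rules(entries, threshold=5)))
```

Run directly, it prints the summary for the embedded sample and the rules that a threshold of 5 attempts would produce. Note what the repeat handling does: the four repeats after the first kernel line count as firewall entries, while the two repeats after the sshd line do not, and 192.0.2.7 is never blocked however many attempts it accumulates because it falls inside a trusted network. In a real response script the chain creation would be guarded by an existence check and the rules executed with appropriate privileges rather than printed.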
The commented configuration file supports and explains all options and will get you started quickly. For further information please read the README file. Scripts like a PIX name extractor, init scripts for the realtime response mode and a simple PHP web frontend are included.
fwlogwatch is open source software under the GNU General Public License (GPL). It is written in C and known to run at least on Linux, Mac OS X, Solaris, FreeBSD, OpenBSD and (through Cygwin or MinGW) on Windows 95 to 10.
Download
The latest version is 1.5 (2016-02-19).
- Source
- fwlogwatch-1.5.tar.gz, 135 kB, GPG Signature
- fwlogwatch-1.5.tar.bz2, 94 kB
- Source RPM, 138 kB
- Binaries
Other resources
An inter-release CVS repository is available at the fwlogwatch project page at SourceForge.
Feedback & contributions
fwlogwatch may complain about malformed entries or unrecognized tokens; why this happens and how you can help are explained on the unrecognized entry submission page.
If you would like to see fwlogwatch in your language, have written your own response script, think you can improve the documentation, have code or an idea to improve fwlogwatch, or just want to add a reference and tell what you do with fwlogwatch, get in contact with the author at bw <at> inside-security <dot> de.
Copyright © 2000-2023 Boris Wesslowski