fwlogwatch

Description

fwlogwatch is a packet filter / firewall / IDS log analyzer written by Boris Wesslowski originally for RUS-CERT. It supports a lot of log formats and has many analysis options. It also features incident report and realtime response capabilities, an interactive web interface and internationalization.

Features

• General features:
  • Can detect and process log entries in the following formats:
    • Linux ipchains
    • Linux netfilter/iptables
    • Solaris/BSD/Irix/HP-UX ipfilter
    • BSD ipfw
    • Cisco IOS
    • Cisco PIX / FWSM
    • NetScreen
    • Windows XP firewall
    • Elsa Lancom router
    • Snort IDS
  • Entries can be parsed from single, multiple and combined log files, the parsers to be used can be selected.
  • Gzip-compressed logs are supported transparently.
  • Can separate recent from old entries and detects timewarps in log files.
  • Can recognize 'last message repeated' entries concerning the firewall.
  • Integrated resolver for protocols, services and host names.
  • Can do lookups in the whois database.
  • Own DNS and whois information cache and GNU adns support for faster lookups.
  • Hosts, networks, ports, chains and branches (targets) can be selected or excluded as needed.
  • Support for internationalization (available in english, german, portuguese, simplified and traditional chinese, swedish and japanese).
• Log summary mode:
  • A lot of options to find and display relevant patterns in connection attempts.
  • Intelligent selection of certain fields (e.g. the host name column is omitted and the host mentioned in the header of the summary if the log is from a single host, the same happens with chains, targets and interfaces).
  • Output as plain text or HTML (W3C XHTML 1.1 with inline or linked CSS level 2) with limit and sort options.
  • Can send summaries by email.
• Interactive report mode:
  • The integrated report generator fills in and presents a report that can be sent to abuse contacts of attacking sites or computer emergency response teams (CERTs).
  • Supports templates and incident number generation.
  • All fields can be adjusted as needed interactively.
• Realtime response mode:
  • The program detaches and stays in background as a daemon.
  • For ipchains setups detection of necessary rules with logging turned on can be configured.
  • Can catch up reading existing entries to provide up-to-date state information from program start on.
  • Response can be a notification (in form of a log file entry, an email, a remote winpopup message or whatever you can put into a shell script), or a customizable firewall modification.
  • The included response script adds a new chain for fwlogwatch to ipchains or netfilter setups and attackers are blocked with new firewall rules.
  • Supports trusted hosts (anti-spoofing).
  • The current status of the program can be followed and controlled through a web interface (supports IPv6).

The commented configuration file supports and explains all options and will get you started quickly. Scripts like a Red Hat init script or a PHP web frontend are included.

fwlogwatch is open source software under the GNU General Public License (GPL). It is written in C and known to run at least on Linux, Solaris, FreeBSD, OpenBSD and (through Cygwin) on Windows 95/98/ME/NT/2000/XP.

Download

The latest version is 1.1 2006/04/17

• Source
  • fwlogwatch-1.1.tar.gz, 107 kB (signed with one of my keys)
  • fwlogwatch-1.1.tar.bz2, 90 kB
  • Source RPM, 112 kB
• Binaries
  • i586 RPM built on SuSE 9.2, 137 kB
  • Debian package (unstable distribution)
  • Plain binary tar.gz built on SuSE 9.2, 134 kB

Mailing lists

You might want to subscribe to the fwlogwatch mailing lists:

• fwlogwatch-announce - primarily for announcements of new versions.
• fwlogwatch-users - answers to user questions, discussion about extensions and best practices.

Other resources

An inter-release CVS is available at the fwlogwatch project page at SourceForge and a release overview at the fwlogwatch project page at freshmeat. You can also have a look at the fwlogwatch download site.

Firewall logging setup help is available in the README and here for Windows XP and Elsa Lancom.

Feedback & contributions

fwlogwatch may complain about malformed entries or unrecognized tokens, why this happens and how you can help is explained on the unrecognized entry submission page.

If you would like to see fwlogwatch in your language, wrote your own response script, think you can enhance the documentation, have code or an idea to improve fwlogwatch or just want to add a reference and tell what you do with fwlogwatch get in contact with the author at bw <at> inside-security <dot> de...

© 2000-2008 Boris Wesslowski