Wflogs is a firewall log analysis tool.
It can be used to produce a log summary report in plain text, HTML
and XML, or to monitor firewall logs in real time.
It is part of the WallFire project, but can be used independently.
See the WallFire homepage.
Wflogs is "libre" software (free as in free speech).
It is mainly written in C++ and is intended to run on any *nix system.
- Concepts
  Wflogs is modular. It relies on a library (libwflogs) which handles
  input and output modules (static or shared).
  - input modules: netfilter, ipchains, ipfilter, cisco_pix, cisco_ios, snort.
  - output modules:
    - summary: text, html, xml, human.
    - translation: netfilter, ipchains, ipfilter.
- Usage examples
  wflogs -i netfilter -o html netfilter.log > logs.html
    converts the given netfilter log file into an HTML report.
  wflogs --sort=protocol,-time -i netfilter -o text netfilter.log > logs.txt
    converts the given netfilter log file into a text report sorted by
    protocol number, then by reverse time.
  wflogs -f '$start_time >= [this 3 days ago] && $start_time < [this 2 days ago] && $chainlabel =~ /(DROP|REJECT)/ && $sipaddr == 10.0.0.0/8 && $protocol == tcp && ($dport == ssh || $dport == telnet) && ($tcpflags & SYN)' -i netfilter -o text --summary=no
    shows the log entries (without summary) which match the given
    expression: refused connection attempts that occurred 3 days ago, to the
    ssh and telnet ports, coming from the internal network 10.0.0.0/8.
  wflogs -i netfilter -o text --resolve=0 --whois=0 netfilter.log
    converts the given netfilter log file into a text report (the default
    mode), disabling reverse DNS lookups and whois lookups of IP addresses.
  wflogs -i netfilter -o xml netfilter.log > logs.xml
    exports netfilter logs in XML.
  wflogs -i ipchains -o netfilter ipchains.log > netfilter.log
    converts ipchains logs into netfilter log format, so that you can, for
    example, process them with your favorite netfilter log analyser (even if
    the latter may not be better than wflogs itself ;-)).
  wflogs -i ipfilter -o human --datalen=yes ipfilter.log
    produces a natural-language report about the ipfilter log file on
    stdout, displaying the packet length (datalen option), which is not shown
    by default.
  wflogs -R -I
    monitors logs in real time in an interactive shell, waiting for log
    entries in the default system log file, in the format guessed from the
    local firewalling tool.
- A somewhat subjective comparison between wflogs and fwlogwatch.
- wflogs XML DTD.
- Screenshots: wflogs HTML report example.
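As an added example (not part of this page or of the wflogs source), here is a small Python script that parses netfilter LOG lines, applies a filter equivalent to the -f expression in the usage examples above, and sorts and summarizes the entries the way --sort=protocol,-time and a summary report would. The sample log lines, host names and addresses are constructed; the field names (start_time, chainlabel, sipaddr, protocol, dport, tcpflags) mirror the wflogs filter variables, the protocol-number table is a small fixed one rather than /etc/protocols, and the [this 3 days ago] window is approximated as one calendar day (wflogs' exact day-boundary semantics are an assumption here, not taken from the page).

```python
"""Added example (not wflogs code): parse netfilter LOG lines, apply a filter
equivalent to the wflogs -f expression above, then sort and summarize."""
import ipaddress
import re
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample lines in netfilter LOG format; "DROP"/"REJECT"/"ACCEPT"
# stand in for the text set with iptables' --log-prefix (hosts and addresses
# are made up).
SAMPLE_LOG = """\
Sep  6 10:01:12 gw kernel: DROP IN=eth1 OUT= SRC=10.0.5.17 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=4321 DF PROTO=TCP SPT=40122 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
Sep  6 10:01:15 gw kernel: DROP IN=eth1 OUT= SRC=10.0.5.17 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=4322 DF PROTO=TCP SPT=40123 DPT=23 WINDOW=5840 RES=0x00 SYN URGP=0
Sep  6 10:02:00 gw kernel: ACCEPT IN=eth1 OUT= SRC=10.0.5.18 DST=192.0.2.10 LEN=52 TOS=0x00 PREC=0x00 TTL=64 ID=4323 DF PROTO=TCP SPT=40124 DPT=80 WINDOW=5840 RES=0x00 ACK URGP=0
Sep  6 10:02:30 gw kernel: REJECT IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=50 ID=9 DF PROTO=TCP SPT=51000 DPT=22 WINDOW=1024 RES=0x00 SYN URGP=0
Sep  6 10:03:05 gw kernel: DROP IN=eth1 OUT= SRC=10.0.5.19 DST=192.0.2.10 LEN=78 TOS=0x00 PREC=0x00 TTL=64 ID=4324 PROTO=UDP SPT=5353 DPT=53 LEN=58
"""

# syslog timestamp, host, "kernel:", optional "[uptime]" stamp, free-form
# log prefix, then the key=value / flag fields starting at IN=
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) kernel: "
    r"(?:\[ *[\d.]+\] )?(?P<prefix>.*?)(?P<fields>IN=.*)$"
)
TCP_FLAGS = {"SYN", "ACK", "FIN", "RST", "PSH", "URG"}
PROTO_NUMBERS = {"ICMP": 1, "TCP": 6, "UDP": 17}  # small fixed table (assumption), not /etc/protocols
SERVICES = {"ssh": 22, "telnet": 23}  # the two service names used in the filter above


def parse_netfilter_line(line, year=2004):
    """Return a dict with wflogs-like field names, or None if the line is not a netfilter log."""
    m = LINE_RE.match(line)
    if not m:
        return None
    fields, flags = {}, set()
    for tok in m.group("fields").split():
        if "=" in tok:
            key, value = tok.split("=", 1)
            fields.setdefault(key, value)  # keep the first LEN (IP total length), not the UDP one
        else:
            flags.add(tok)  # DF, SYN, ACK, ... appear as bare words
    return {
        # syslog lines carry no year; the caller supplies it
        "start_time": datetime.strptime(f"{year} {m.group('ts')}", "%Y %b %d %H:%M:%S"),
        "host": m.group("host"),
        "chainlabel": m.group("prefix").strip(),
        "sipaddr": ipaddress.ip_address(fields["SRC"]),
        "dipaddr": ipaddress.ip_address(fields["DST"]),
        "protocol": fields.get("PROTO", ""),
        "sport": int(fields["SPT"]) if "SPT" in fields else None,
        "dport": int(fields["DPT"]) if "DPT" in fields else None,
        "datalen": int(fields["LEN"]) if "LEN" in fields else None,
        "tcpflags": flags & TCP_FLAGS,
    }


def parse_log(text, year=2004):
    """Parse every recognizable netfilter line of a log text, skipping the others."""
    return [e for e in (parse_netfilter_line(ln, year) for ln in text.splitlines()) if e]


def refused_internal_ssh_telnet(entries, now):
    """Python equivalent of the -f expression above: refused (DROP/REJECT) TCP SYNs
    from 10.0.0.0/8 to ssh or telnet, on the calendar day three days before `now`
    (an approximation of the [this 3 days ago] .. [this 2 days ago] window)."""
    if isinstance(now, str):  # accept an ISO-8601 string as well as a datetime
        now = datetime.fromisoformat(now)
    day_start = datetime.combine(now.date() - timedelta(days=3), datetime.min.time())
    day_end = day_start + timedelta(days=1)
    internal = ipaddress.ip_network("10.0.0.0/8")
    return [
        e for e in entries
        if day_start <= e["start_time"] < day_end
        and re.search(r"DROP|REJECT", e["chainlabel"])
        and e["sipaddr"] in internal
        and e["protocol"] == "TCP"
        and e["dport"] in SERVICES.values()
        and "SYN" in e["tcpflags"]
    ]


def sort_entries(entries):
    """Order like --sort=protocol,-time: protocol number ascending, then newest first."""
    return sorted(entries, key=lambda e: (PROTO_NUMBERS.get(e["protocol"], 255),
                                          -e["start_time"].timestamp()))


def summarize(entries):
    """Count entries per (chain label, protocol, destination port): the core of a summary report."""
    return Counter((e["chainlabel"], e["protocol"], e["dport"]) for e in entries)


if __name__ == "__main__":
    entries = parse_log(SAMPLE_LOG)
    for e in refused_internal_ssh_telnet(entries, "2004-09-09T12:00:00"):
        print(e["start_time"], e["chainlabel"], e["sipaddr"], "->", e["dport"], sorted(e["tcpflags"]))
    for key, count in summarize(sort_entries(entries)).items():
        print(count, key)
```

Because syslog timestamps carry no year, the parser takes it as a parameter; a real run over a log that spans a year boundary needs the same care. Unrecognized lines (other kernel messages, sshd, etc.) are dropped rather than raising, which is what you want when the input is the whole system log file, as with wflogs -R.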
- Sep 6 2004: Hervé Eychenne was invited to the 3rd Netfilter Workshop, which took place in Erlangen (Germany), just before Linux Kongress.
Here is the summary of the Workshop.
- May 24 2004: release of wfnetobjs-0.2.2 and wflogs-0.9.8
- Jan 8 2004: release of wflogs-0.9.7
- Oct 30 2003: release of wfnetobjs-0.1.8 and wflogs-0.9.6
- Aug 18 2003: Hervé Eychenne was invited to the Netfilter workshop 2003, which took place in Budapest. I gave a talk about the WallFire project, and about my wishlist for Netfilter, especially from the WallFire point of view. Here are the slides in MagicPoint format, or in HTML.
Here is the summary page of the Workshop.
- Apr 7 2003: release of wflogs-0.9.5
- Feb 17 2003: wflogs, libwfnetobjs0 and libwfnetobjs0-dev packages are now available in Debian sid (unstable). Debian woody (stable) i386 binary packages are also available (via an apt repository) on http://people.debian.org/~kelbert/ (see download section). Many thanks to Jean-Michel Kelbert, the wallfire Debian packager.
- Jan 30 2003: release of wfnetobjs-0.1.7 and wflogs-0.9.4
- Oct 30 2002: release of wfnetobjs-0.1.6, wfconvert-0.2.0, and wflogs-0.9.3
- Sep 26 2002: the netobjs library was taken out of wfconvert, and became a separate source tree, used by wfconvert and wflogs. Release of wfnetobjs-0.1.5, wfconvert-0.1.5, and wflogs-0.9.2
- Aug 21 2002: release of wfconvert-0.1.4 and wflogs-0.9.1
- Aug 17 2002: release of wflogs-0.9.0, with a Debian package by Guillaume Morin.
- Jul 29 2002: release of wfconvert-0.1.3 and wflogs-0.0.5
- Jul 12 2002: I'm giving a talk about WallFire, as part of the security topic at the Libre Software Meeting.
Here are the slides in MagicPoint format, or in HTML.
- Jun 20 2002: release of wflogs-0.0.4
- May 30 2002: release of wfconvert-0.1.2 and wflogs-0.0.3
- May 3 2002: public release of wfconvert-0.1.1 and wflogs-0.0.2
- Apr 5 2002: I was hired by KDX Ingenierie, spending half of my job time on WallFire development. See credits section.
WallFire is intended to work on real systems such as Unix, especially Linux
and *BSD.
Current wflogs input modules are:
- netfilter (Linux 2.4 and 2.6 firewall logs)
- ipchains (Linux 2.2 firewall logs)
- ipfilter (firewall logs from NetBSD, FreeBSD, OpenBSD, Solaris, SunOS 4,
  IRIX and HP-UX systems running ipfilter)
- cisco_pix (Cisco PIX filter logs)
- cisco_ios (Cisco IOS filter logs)
- snort (Snort ACL logs)
Please note that all input modules are available on any architecture on which
wflogs can run (for example, you can perfectly well parse Cisco PIX logs on
a Linux box).
Wflogs, as well as WallFire, is released under the GNU GPL (see the
license section).
Please note that you need wfnetobjs to compile wflogs. Both source trees
must be untarred into the same parent directory, and you'll have to rename
wfnetobjs-version to wfnetobjs, or create a symbolic link. There is also a
configure option for this.
It is strongly recommended to use wflogs with libadns (an asynchronous DNS
resolution library), which greatly speeds things up on large log files.
You may also consider using wflogs with the readline library, which is useful
in interactive mode.
Debian packages:
Upstream files:
- May 24, 2004: wflogs version 0.9.8: ChangeLog
  - Gzipped source code: wflogs-0.9.8.tar.gz [731 Kb] [HTTP]
    md5sum: cee2ac33ca3c284f9253b492f793624c
  - Bzipped source code: wflogs-0.9.8.tar.bz2 [493 Kb] [HTTP]
    md5sum: 5e9c345113d986beeab243bed4ec94b5
- Jan 8, 2004: wflogs version 0.9.7: ChangeLog
  - Gzipped source code: wflogs-0.9.7.tar.gz [661 Kb] [HTTP]
    md5sum: 3b7059ee0fd9562d28c3463eb3c192a3
  - Bzipped source code: wflogs-0.9.7.tar.bz2 [433 Kb] [HTTP]
    md5sum: 0c04ae1dc61d349e14d5ea327ce3dd6e
- Oct 30, 2003: wflogs version 0.9.6: ChangeLog
  - Gzipped source code: wflogs-0.9.6.tar.gz [658 Kb] [HTTP]
    md5sum: 1be385be8a1eea317cf0ef95a483ced4
  - Bzipped source code: wflogs-0.9.6.tar.bz2 [432 Kb] [HTTP]
    md5sum: 37829dac1a34e6a583cd2e6c815b3f6e
- The FAQ: none. Wflogs is completely self-explanatory. Well... the
  real reason is that people never ask me the same questions twice... ;-)
- The HOWTO: not available.
- Man page: wflogs(8).
- Info pages: I do not like info very much, so... not yet. ;-)
TODO (future developments)
This program is "libre" software, which means free as in free speech,
not free beer! (which doesn't imply I don't enjoy a free beer
occasionally ;-)
It is released under the terms of the GNU General Public License (GPL).
I started developing WallFire in year 2001 as a personal project.
I'd like to thank KDX Ingenierie for having sponsored me between 2002
and 2004.
I did some stuff for Netfilter in its early stages, in the spring of 1999.
I would like to thank Netfilter initial author Paul "Rusty" Russell
for his competence, his kindness and incomparable sense of humor.
- Netfilter/iptables: the powerful firewalling framework for Linux 2.4 and 2.6.
- IPFilter: the excellent packet filter originating from *BSD systems (well...
  even if there have been some licensing problems recently).
- Ipchains: the firewalling tool of Linux 2.2.