WallFire: wflogs

What is it?

Wflogs is a firewall log analysis tool. It can be used to produce a log summary report in plain text, HTML and XML, or to monitor firewalling logs in real-time.

It is part of the WallFire project, but can be used independently. See the WallFire homepage.

Wflogs is "libre" (free as in speech) software. It is mainly written in C++ and is intended to run on every *nix system.



 
How does it work?

  • Concepts
    Wflogs is modular. It relies on a library (libwflogs) which deals with input and output modules (static or shared).
    • input modules: netfilter, ipchains, ipfilter, cisco_pix, cisco_ios, snort.
    • output modules:
      • summary: text, html, xml, human.
      • translation: netfilter, ipchains, ipfilter.

  • Usage examples
    • wflogs -i netfilter -o html netfilter.log > logs.html
      converts the given netfilter log file into an HTML report.

    • wflogs --sort=protocol,-time -i netfilter -o text netfilter.log > logs.txt
      converts the given netfilter log file into a sorted (by protocol number, then reverse time) text report.

    • wflogs -f '$start_time >= [this 3 days ago] && $start_time < [this 2 days ago] && $chainlabel =~ /(DROP|REJECT)/ && $sipaddr == 10.0.0.0/8 && $protocol == tcp && ($dport == ssh || $dport == telnet) && ($tcpflags & SYN)' -i netfilter -o text --summary=no
      shows the log entries (without a summary) which match the given expression: refused connection attempts that occurred 3 days ago, to the ssh and telnet ports, coming from the internal network 10.0.0.0/8.

    • wflogs -i netfilter -o text --resolve=0 --whois=0 netfilter.log
      converts the given netfilter log file into a text report (default mode), disabling IP address reverse lookups and whois lookups.

    • wflogs -i netfilter -o xml netfilter.log > logs.xml
      exports netfilter logs in XML.

    • wflogs -i ipchains -o netfilter ipchains.log > netfilter.log
      converts ipchains logs into netfilter log format, so that you can process them with your favourite netfilter log analyser (even if the latter may not be better than wflogs itself ;-)).

    • wflogs -i ipfilter -o human --datalen=yes ipfilter.log
      produces a natural-language report about the ipfilter log file on stdout, displaying the packet length (datalen option), which is not shown by default.

    • wflogs -R -I
      monitors logs in real-time in an interactive shell, waiting for logs in the default system logfile, in a format guessed from the local firewalling tool.


  • A somewhat subjective comparison between wflogs and fwlogwatch.

  • wflogs XML dtd.

  • Screenshots: wflogs HTML report example.
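As an added illustration (not code from wflogs or from this page), here is a small Python evaluator of the filter expression shown in the usage examples above, minus its date window, run over constructed netfilter log lines. SRC, DST, PROTO, DPT and the bare SYN/ACK/DF tokens are the kernel's own log fields; the function names and the sample lines are mine.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample of netfilter log lines (not taken from the page): syslog
# header, the log prefix wflogs calls the chain label, then the kernel's fields.
SAMPLE_LOG = """\
Nov 23 10:01:12 fw kernel: DROP IN=eth0 OUT= SRC=10.2.3.4 DST=192.0.2.10 LEN=60 TTL=64 ID=1 DF PROTO=TCP SPT=40001 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
Nov 23 10:01:13 fw kernel: REJECT IN=eth0 OUT= SRC=10.9.8.7 DST=192.0.2.10 LEN=60 TTL=64 ID=2 DF PROTO=TCP SPT=40002 DPT=23 WINDOW=5840 RES=0x00 SYN URGP=0
Nov 23 10:01:14 fw kernel: ACCEPT IN=eth0 OUT= SRC=10.2.3.4 DST=192.0.2.10 LEN=60 TTL=64 ID=3 DF PROTO=TCP SPT=40003 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
Nov 23 10:01:15 fw kernel: DROP IN=eth0 OUT= SRC=198.51.100.5 DST=192.0.2.10 LEN=60 TTL=64 ID=4 DF PROTO=TCP SPT=40004 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
Nov 23 10:01:16 fw kernel: DROP IN=eth0 OUT= SRC=10.2.3.4 DST=192.0.2.10 LEN=52 TTL=64 ID=5 DF PROTO=TCP SPT=40005 DPT=22 WINDOW=5840 RES=0x00 ACK URGP=0
Nov 23 10:01:17 fw kernel: DROP IN=eth0 OUT= SRC=10.2.3.4 DST=192.0.2.10 LEN=68 TTL=64 ID=6 PROTO=UDP SPT=40006 DPT=23 LEN=48
"""

LINE_RE = re.compile(r"^(?P<time>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) kernel: "
                     r"(?P<chainlabel>[^=\s]*) ?(?P<fields>IN=.*)$")  # prefix may be empty
INTERNAL = ipaddress.ip_network("10.0.0.0/8")
ADMIN_PORTS = {22, 23}  # ssh and telnet, the services named in the page's filter

def parse_line(line):
    """One log line -> dict of key=value fields; bare tokens (DF, SYN, ACK, ...) go in 'flags'."""
    m = LINE_RE.match(line)
    if not m:
        return None
    entry = {"time": m["time"], "chainlabel": m["chainlabel"], "flags": set()}
    for tok in m["fields"].split():
        key, sep, val = tok.partition("=")
        if sep:
            entry[key] = val
        else:
            entry["flags"].add(tok)
    return entry

def refused_syn_to_admin_port(entry):
    """The page's filter without its date window: $chainlabel =~ /(DROP|REJECT)/ &&
    $sipaddr == 10.0.0.0/8 && $protocol == tcp && ($dport == ssh || $dport == telnet) && ($tcpflags & SYN)."""
    return (re.search(r"DROP|REJECT", entry["chainlabel"]) is not None
            and ipaddress.ip_address(entry.get("SRC", "0.0.0.0")) in INTERNAL
            and entry.get("PROTO") == "TCP"
            and int(entry.get("DPT", -1)) in ADMIN_PORTS
            and "SYN" in entry["flags"])

def matching_entries(log_text):
    entries = (parse_line(line) for line in log_text.splitlines())
    return [e for e in entries if e and refused_syn_to_admin_port(e)]

def summary_by_source(entries):
    """Per-source hit counts, the kind of tally a wflogs summary report gives."""
    return dict(Counter(e["SRC"] for e in entries))
```

On the sample, only the two SYN packets to ports 22 and 23 from 10/8 that hit DROP or REJECT are kept; the accepted, external-source, ACK-only and UDP lines are filtered out.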


 
News

  • Sep 6 2004: Hervé Eychenne was invited to the 3rd Netfilter Workshop, which took place in Erlangen (Germany), just before Linux Kongress.
    Here is the summary of the Workshop.
  • May 24 2004: release of wfnetobjs-0.2.2 and wflogs-0.9.8
  • Jan 8 2004: release of wflogs-0.9.7
  • Oct 30 2003: release of wfnetobjs-0.1.8 and wflogs-0.9.6
  • Aug 18 2003: Hervé Eychenne was invited to the Netfilter workshop 2003, which took place in Budapest. I gave a talk about the WallFire project and about my wishlist for Netfilter, especially from the WallFire point of view. Here are the slides in MagicPoint format, or in HTML.
    Here is the summary page of the Workshop.
  • Apr 7 2003: release of wflogs-0.9.5
  • Feb 17 2003: wflogs, libwfnetobjs0 and libwfnetobjs0-dev packages are now available in Debian sid (unstable). Debian woody (stable) i386 binary packages are also available (via an apt repository) on http://people.debian.org/~kelbert/ (see download section). Many thanks to Jean-Michel Kelbert, the wallfire Debian packager.
  • Jan 30 2003: release of wfnetobjs-0.1.7 and wflogs-0.9.4
  • Oct 30 2002: release of wfnetobjs-0.1.6, wfconvert-0.2.0, and wflogs-0.9.3
  • Sep 26 2002: the netobjs library was taken out of wfconvert, and became a separate source tree, used by wfconvert and wflogs. Release of wfnetobjs-0.1.5, wfconvert-0.1.5, and wflogs-0.9.2
  • Aug 21 2002: release of wfconvert-0.1.4 and wflogs-0.9.1
  • Aug 17 2002: release of wflogs-0.9.0, with a Debian package by Guillaume Morin.
  • Jul 29 2002: release of wfconvert-0.1.3 and wflogs-0.0.5
  • Jul 12 2002: I'm giving a talk about WallFire, as part of the security topic at the Libre Software Meeting.
    Here are the slides in MagicPoint format, or in HTML.
  • Jun 20 2002: release of wflogs-0.0.4
  • May 30 2002: release of wfconvert-0.1.2 and wflogs-0.0.3
  • May 3 2002: public release of wfconvert-0.1.1 and wflogs-0.0.2
  • Apr 5 2002: I was hired by KDX Ingenierie, spending half of my job time on WallFire development. See credits section.


 
Authors

  • Author: Hervé Eychenne <rv _AT_ wallfire.org>

    Please avoid using this address. Use the different mailing-lists instead.

  • Debian package maintainer: Jean-Michel Kelbert <kelbert _AT_ debian.org>.


 
Supported systems

WallFire is intended to work on real systems such as Unix, especially Linux and *BSD.

Current wflogs input modules are:

  • netfilter (Linux 2.4 and 2.6 firewall logs)
  • ipchains (Linux 2.2 firewall logs)
  • ipfilter (NetBSD, FreeBSD, OpenBSD, Solaris, SunOS 4, IRIX and HP-UX running ipfilter firewall logs).
  • cisco_pix (Cisco PIX filter logs)
  • cisco_ios (Cisco IOS filter logs)
  • snort (Snort ACL logs)
Please note that input modules are available on any architecture on which wflogs can run (for example, you can perfectly well parse Cisco PIX logs on a Linux box).


 
Download

Wflogs, as well as WallFire, is released under the GNU GPL (see license section).

Please note that you need wfnetobjs to compile wflogs. Both source trees must be untarred from the same directory, and you'll have to rename wfnetobjs-version to wfnetobjs, or create a symbolic link. There is also a configure option.

It is strongly recommended to use wflogs with libadns (an asynchronous DNS resolution library), which greatly speeds things up on large log files.
You may also consider using wflogs with the readline library, which is useful in interactive mode.

Debian packages:

  • wflogs package (which depends on libwfnetobjs0) is now available in Debian sid (unstable)
  • i386 binary packages are also available for Debian woody (stable) (via an apt repository). All you have to do is add
    deb http://people.debian.org/~kelbert/ stable main
    
    to your /etc/apt/sources.list file.
    Then run apt-get update && apt-get install wflogs, for example.
    Note: Debian binary packages made for woody should also work on sid, but you'd better use standard sid packages available through your usual Debian apt mirror.

Upstream files:

  • May 24, 2004: wflogs version 0.9.8: ChangeLog
    • Gzipped source code: wflogs-0.9.8.tar.gz [731 Kb] [HTTP], md5sum: cee2ac33ca3c284f9253b492f793624c
    • Bzipped source code: wflogs-0.9.8.tar.bz2 [493 Kb] [HTTP], md5sum: 5e9c345113d986beeab243bed4ec94b5
  • Jan 8, 2004: wflogs version 0.9.7: ChangeLog
    • Gzipped source code: wflogs-0.9.7.tar.gz [661 Kb] [HTTP], md5sum: 3b7059ee0fd9562d28c3463eb3c192a3
    • Bzipped source code: wflogs-0.9.7.tar.bz2 [433 Kb] [HTTP], md5sum: 0c04ae1dc61d349e14d5ea327ce3dd6e
  • Oct 30, 2003: wflogs version 0.9.6: ChangeLog
    • Gzipped source code: wflogs-0.9.6.tar.gz [658 Kb] [HTTP], md5sum: 1be385be8a1eea317cf0ef95a483ced4
    • Bzipped source code: wflogs-0.9.6.tar.bz2 [432 Kb] [HTTP], md5sum: 37829dac1a34e6a583cd2e6c815b3f6e


 
Documentation

  • The FAQ: none. Wflogs is completely self explanatory. Well... the real reason is that people never ask me the same questions twice... ;-)
  • The HOWTO: not available.
  • Man page: wflogs(8).
  • Info pages: I do not like info very much, so... not yet. ;-)


 
Bugs



 
TODO (future developments)



 
Mailing-lists

Please see WallFire mailing-lists.


 
CVS

  • Anonymous CVS access:
    • How to check out source anonymously through pserver:
      • Type the following:
        $ cvs -d:pserver:anonymous@cvs.wallfire.org:/cvsroot/wallfire/ login
        and just press Enter, as there is no password for anonymous login.


      • Then, to retrieve the module you want, type:
        $ cvs -d:pserver:anonymous@cvs.wallfire.org:/cvsroot/wallfire/ co wflogs

      • Then, in the wflogs directory, type:
        $ ./autogen.sh

      • After the initial checkout, you can go into this directory and execute cvs commands without the -d option. For example:
        $ cvs update

    • If you want to receive real-time notification of checkins in the CVS tree, you may subscribe to the wallfire-checkins@lists.wallfire.org mailing-list.
      See http://wwwlists.wallfire.org/mailman/listinfo/wallfire-checkins/
    • Daily snapshot of the whole CVS tree.
    • CVS source code browser.


    Please be aware that there may be a little delay (depending on SourceForge servers) between the last changes and their availability through anonymous access.

  • Developer CVS access (via SSH) for coreteam members: none yet.


 
License

This program is "libre" software, which means free as in free speech, not free beer! (which doesn't imply I don't enjoy a free beer occasionally ;-)
It is released under the terms of the GNU General Public License (GPL).


 
Credits

I started developing WallFire in year 2001 as a personal project.
I'd like to thank KDX Ingenierie for having sponsored me between 2002 and 2004.

I did some work on Netfilter in its early stages, in the spring of 1999. I would like to thank Netfilter's initial author Paul "Rusty" Russell for his competence, his kindness and his incomparable sense of humour.



 
Related stuff

  • Netfilter/iptables: the powerful firewalling framework for Linux 2.4 and 2.6.
  • IPFilter: the excellent packet filter originating on *BSD systems (well... even if there have been some licensing problems recently).
  • Ipchains: the firewalling tool of Linux 2.2.


Note: this page is generated by a template. Be aware of this before submitting patches containing formatting information against this page.


Hervé Eychenne, Saturday 26th of November 2005