Wflogs is a firewall log analysis tool.
It can be used to produce a log summary report in plain text, HTML
and XML, or to monitor firewalling logs in real-time.
It is part of the WallFire project, but can be used independently.
See WallFire homepage.
Wflogs is "libre" (free as a speech, in English) software.
It is mainly written in C++ and is intended to run on every *nix system.
Wflogs is modular. It relies on a library (libwflogs) which deals with
input and output modules (static or shared).
- input modules: netfilter, ipchains, ipfilter,
cisco_pix, cisco_ios, snort.
- output modules:
- summary: text, html, xml, human.
- translation: netfilter, ipchains, ipfilter.
- Usage examples
wflogs -i netfilter -o html netfilter.log > logs.html
converts the given netfilter log file into a HTML report.
wflogs --sort=protocol,-time -i netfilter -o text netfilter.log > logs.txt
converts the given netfilter log file into a sorted (by protocol number,
then reverse time) text report.
wflogs -f '$start_time >= [this 3 days ago] && $start_time < [this 2 days ago] && $chainlabel =~ /(DROP|REJECT)/ && $sipaddr == 10.0.0.0/8 && $protocol == tcp && ($dport == ssh || $dport == telnet) && ($tcpflags & SYN)' -i netfilter -o text --summary=no
shows log entries (without summary) which match the given expression
(refused connection attempts that occured 3 days ago to ssh and telnet
ports coming from internal network 10.0.0.0/8).
wflogs -i netfilter -o text --resolve=0 --whois=0 netfilter.log
converts the given netfilter log file into a text report (default mode),
disabling IP address reverse lookups and whois lookups.
wflogs -i netfilter -o xml netfilter.log > logs.xml
exports netfilter logs in XML.
wflogs -i ipchains -o netfilter ipchains.log > netfilter.log
converts ipchains logs into netfilter log format. So you may process them
with your favorite netfilter log analyser, for example (even if the latter
may not be better than wflogs itself. ;-)).
wflogs -i ipfilter -o human --datalen=yes ipfilter.log
produces a report about ipfilter logfile in natural language on stdout,
displaying packet length (datalen option) which is not showed by default.
wflogs -R -I
monitors logs in real-time in an interactive shell, waiting for logs in the
default system logfile, in guessed format (according to the local
- A somewhat subjective comparison
between wflogs and fwlogwatch.
- wflogs XML dtd.
- Screenshots: wflogs HTML report example.
- Sep 6 2004: Hervé Eychenne was invited to the 3rd Netfilter Workshop, which took place in Erlangen (Germany), just before Linux Kongress.
Here is the summary of the Workshop.
- May 24 2004: release of wfnetobjs-0.2.2 and wflogs-0.9.8
- Jan 8 2004: release of wflogs-0.9.7
- Oct 30 2003: release of wfnetobjs-0.1.8 and wflogs-0.9.6
- Aug 18 2003: Hervé Eychenne was invited to the Netfilter workshop 2003, which took place in Budapest. I made a talk about the WallFire project, and about my wishlist for Netfilter, especially from the WallFire point of view. Here are the slides in MagicPoint format, or in HTML.
Here is the summary page of the Workshop.
- Apr 7 2003: release of wflogs-0.9.5
- Feb 17 2003: wflogs, libwfnetobjs0 and libwfnetobjs0-dev packages are now available in Debian sid (unstable). Debian woody (stable) i386 binary packages are also available (via an apt repository) on http://people.debian.org/~kelbert/ (see download section). Many thanks to Jean-Michel Kelbert, the wallfire Debian packager.
- Jan 30 2003: release of wfnetobjs-0.1.7 and wflogs-0.9.4
- Oct 30 2002: release of wfnetobjs-0.1.6, wfconvert-0.2.0, and wflogs-0.9.3
- Sep 26 2002: the netobjs library was taken out of wfconvert, and became a separate source tree, used by wfconvert and wflogs. Release of wfnetobjs-0.1.5, wfconvert-0.1.5, and wflogs-0.9.2
- Aug 21 2002: release of wfconvert-0.1.4 and wflogs-0.9.1
- Aug 17 2002: release of wflogs-0.9.0, with a Debian package by Guillaume Morin.
- Jul 29 2002: release of wfconvert-0.1.3 and wflogs-0.0.5
- Jul 12 2002: I'm doing a talk about WallFire, as part of the security topic at the Libre Software Meeting.
Here are the slides in MagicPoint format, or in HTML.
- Jun 20 2002: release of wflogs-0.0.4
- May 30 2002: release of wfconvert-0.1.2 and wflogs-0.0.3
- May 3 2002: public release of wfconvert-0.1.1 and wflogs-0.0.2
- Apr 5 2002: I was hired by KDX Ingenierie, spending half of my job time on WallFire development. See credits section.
WallFire is intended to work on real systems such as Unix, especially Linux
Current wflogs input modules are:
Please note that input modules are available on any architecture on which
wflogs can run (for example, you can perfectly parse Cisco PIX logs on
a Linux box).
- netfilter (Linux 2.4 and 2.6 firewall logs)
- ipchains (Linux 2.2 firewall logs)
- ipfilter (NetBSD, FreeBSD, OpenBSD, Solaris,
SunOS 4, IRIX and HP-UX running ipfilter firewall logs).
- cisco_pix (Cisco PIX filter logs)
- cisco_ios (Cisco IOS filter logs)
- snort (Snort ACLs logs)
Wflogs, as well as WallFire, is released under the GNU GPL (see
Please note that you need wfnetobjs to
compile wflogs. Both source trees must be untarred from the same directory,
and you'll have to rename wfnetobjs-version to wfnetobjs, or create a
symbolic link. There is also a configure option.
It is strongly recommended to use wflogs with
(an asynchronous DNS resolution library), which speeds up things greatly
on large log files.
You may also consider using wflogs with the readline library, useful
in interactive mode.
- May 24, 2004: wflogs version 0.9.8: ChangeLog
- Gzipped source code: wflogs-0.9.8.tar.gz [731 Kb]
- Bzipped source code: wflogs-0.9.8.tar.bz2 [493 Kb]
- Jan 8, 2004: wflogs version 0.9.7: ChangeLog
- Gzipped source code: wflogs-0.9.7.tar.gz [661 Kb]
- Bzipped source code: wflogs-0.9.7.tar.bz2 [433 Kb]
- Oct 30, 2003: wflogs version 0.9.6: ChangeLog
- Gzipped source code: wflogs-0.9.6.tar.gz [658 Kb]
- Bzipped source code: wflogs-0.9.6.tar.bz2 [432 Kb]
- The FAQ: none. Wflogs is completely self explanatory. Well... the
real reason is that people never ask me the same questions twice... ;-)
- The HOWTO: not available.
- Man page: wflogs(8).
- Info pages: I do not like info very much, so... not yet. ;-)
This program is "libre" software, which means free as a free speech,
not free beer! (which doesn't imply I don't enjoy a free beer
It is released under the terms of the GNU
General Public License
I started developing WallFire in year 2001 as a personal project.
I'd like to thank KDX Ingenierie for having sponsored me betweek 2002
I did some stuff for Netfilter in its early stages, in the spring of 1999.
I would like to thank Netfilter initial author Paul "Rusty" Russell
for his competence, his kindness and uncomparable sense of humor.
- Netfilter/iptables: the
powerful firewalling framework for Linux 2.4 and 2.6.
- IPFilter: the excellent
packet filter issued from *BSD systems (well... even if there has been
some licensing problems recently).
- Ipchains: the
firewalling tool of Linux 2.2.