Poster of Linux kernelThe best gift for a Linux geek
WFLOGS

WFLOGS

Section: (8) Updated: Apr 29, 2002
Local index Up
 

NAME

wflogs - firewall log analyser of the WallFire project.  

SYNOPSIS

wflogs [options] [logfile]  

DESCRIPTION

wflogs is a firewall log analyser. It can be used to produce a log summary report in plain text, HTML and XML, or even to translate a log file into another firewall log format, for example. Logs can be filtered, summarized, sorted, and obfuscated (in that order), using the following options.
By default, output is not sorted, and may be summarized if the output module has a `summary' option and if this option is set to `yes' (even by default value).
You have to specify a module name that will handle the input (parsing) and another for the output (exportation). See MODULES sections below.
With no logfile, wflogs read /var/log/messages. When logfile is `-', it reads standard input.  

OPTIONS

-c | --config file
wflogs will use given configuration file. If not specified, wflogs will not use any configuration file and will only use command line options.
-f | --filter expression
Print log entries that match the boolean expression. This expression looks very much like a Perl condition, which must be passed as a single, quoted argument. If no expression is given, all log entries will be dumped. Otherwise, only entries for which expression is `true' will be dumped. See the FILTER EXPRESSION section below.
-i | --input-format format[,format2,...]
Specify the input parsing modules. Wflogs will use the corresponding modules (if available) to parse the logs. If you want to parse a log file with multiple formats mixed (typically a remote syslog file), you can specify several format module names separated by commas, one being probed after another. Use special name `all' to try every available format. If you omit the `-i' option, wflogs will try to guess the local firewalling tool at runtime, and use the corresponding module. Use format `help' to know which modules are available (currently, `netfilter', `ipchains', `ipfilter', `cisco_pix', `cisco_ios', and `snort'), and which is the default (guessed) module. See INPUT MODULES section below.
-I, --interactive
Interactive mode. The program will not terminate, but enter a little interactive shell.
This option can be used in conjonction with real-time mode (-R option). While in non-interactive real-time mode (-R only), signal USR1 enables to fall back into interactive mode.
-o | --output-type type [ output module options ]
Specify the output module type. Wflogs will use the corresponding module (if available) to export the input logs to the corresponding target. Use type `help' to know which modules are available (currently, `text', `html', `xml', `human', `netfilter', `ipchains', and `ipfilter'). Default mode is `text'. See OUTPUT MODULES section below.
Output module configuration can be achieved via the command line. You can specify long options (with a `--' prefix). Three types are supported: boolean (yes or no), integer, and string. A special option `--options' displays the available options of the module, with type, help message, and default value. For example, wflogs -o html --options shows the HTML output module configuration.
-O | --obfuscate [criterias]
This option obfuscates some logging fields according to given criterias, separated by commas. These can be `date', `hostname', `ipaddr', or `macaddr' (or `all' for everything). Default (if no criteria is given) is `all'. If ipaddr is specified, output module options `resolve' and `whois_lookup' (if available) are set to no. If macaddr is specified, output module option `mac_vendor' (if available) is set to no.
Date order is conserved, hostnames are replaced by "hostx" (where x is a growing number), ipaddr belong to 0.0.0.0/8 network, macaddr are of the form 0:0:0:0:0:1, 0:0:0:0:0:2, etc. Note that for all obfuscated fields, each original value is associated with a new unique one (unicity is preserved).
-P | --proceed
If real-time (-R) or interactive (-I) modes are set, first process log entries in the input logfile before entering in these modes, as these entries won't be parsed by default in these modes.
-R | --realtime
``Real-time'' mode: logs are monitored in real-time. Wflogs will wait for new log entries. Entries already present in the input logfile will not be processed as usual, unless you specify -P option.
This option can be used in conjonction with interactive mode (-I option). While in non-interactive real-time mode (-R only), signal USR1 enables to fall back into interactive mode.
-s | --sort[=criteria_list]
Set output lines sort order according to the multilevel sort specified by the sequence of keys key1,key2,... Syntax is --sort=[+|-]key1[,[+|-]key2[,...]]. Choose a key from the SORT KEYS section. `-' reverses direction only on the key it precedes. The `+' is really optional since default direction is increasing numerical or lexicographic order. For example wflogs --sort=dport,-time sorts according to destination port number, then reverse time (for a given port number). If one of the keys is `none', the output is not sorted. Use key `help' to show available keys. If no sort criteria is given, output is sorted by with `-count,time,dipaddr,protocol,dport'.
--strict-parsing type
Set the parsing policy. Available types are: `loose' (even if there are garbage in the input file or incorrect log lines, parse as much as possible and issue no warning at all), `nowarning' (in this case, issue no warnings, ignore non-log lines but do not store incoherent entries), `warning' (issue warnings on stderr, ignore non-log lines but do not store bizarre entries), and `error' (stop parsing if line is not a log entry, or if entry is bizarre). Default type is `warning'.
-v | --verbose [level]
Set verbosity level. If level is omitted, default value is 1.
-V | --version
Display current version.
-h | --help
Show help message on stdout.
 

INPUT MODULES

wflogs can use extended input modules, each one parsing a specific firewall log format. See option -i.  

netfilter

This module parse the netfilter log format.  

ipchains

This module parse the ipchains log format.  

ipfilter

This module parse the ipfilter log format.  

cisco_pix

This module parse the cisco PIX and cisco FWSM log format.  

cisco_ios

This module parse the cisco IOS log format.  

snort

This module parse the snort IDS ACLs log format.  

OUTPUT MODULES

wflogs can use extended output modules, which enable to export the input logs to a particular format. So it can be used to rewrite the input into another firewall log format or generate a report, for example. See option -o. Summary mode depends on the module, and is configurable through the `summary' module option.  

text

This module produces a summary in text mode. Please note that this text output is not intended to be parsed. Use XML output module instead.  

html

This module produces a summary output in HTML format.  

xml

This module produces a summary in XML format (see wflogs DTD).  

human

This module produces a summary in text format, in a human readable form. Newcomers may like it. ;-)  

netfilter

This module exports input logs to netfilter log syntax.  

ipchains

This module exports input logs to ipchains log syntax.  

ipfilter

This module exports input logs to ipfilter log syntax.

 

SORT KEYS


KEY            DESCRIPTION
count          sort by count (number of original log entries)
time           sort by log entry date (if count != 1, the date of the
               first original log line)
timeend        sort by log entry end date (if count != 1, the date of the
               last original log line)
input_iface    sort by input interface name
output_iface   sort by output interface name
sipaddr        sort by source IP address
dipaddr        sort by destination IP address
smacaddr       sort by source MAC address
dmacaddr       sort by destination MAC address
protocol       sort by protocol number
sport          sort by source port number (if available)
dport          sort by destination port number (if available)
tcpflags       sort by TCP flags
hostname       sort by hostname
chainlabel     sort by chain label
branchname     sort by branch name
datalen        sort by data length
format         sort by firewalling tool format
none           do not sort

 

FILTER EXPRESSION

This filtering expression looks very much like a Perl condition.

Variables are prefixed with `$'. Pre-defined variables are:

$format (string)
firewalling tool format
$count (integer)
number of original log entries
$start_time ([string] or integer)
log entry date (if count != 1, the date of the first original log line), in date format ([string], see below), or in seconds since the Epoch
$end_time ([string] or integer)
log entry end date (if count != 1, the date of the last original log line), in date format ([string], see below), or in seconds since the Epoch
$hostname (string)
name of the host which logged the packet
$chainlabel (string)
chain label
$branchname (string)
branch name
$input_iface (string)
input interface name
$output_iface (string)
output interface name
$protocol (integer)
protocol number (or name used in /etc/protocols)
$datalen (integer)
data length
$sipaddr (IP network)
source IP address, or source IP network
$sport (integer)
source port number (or name used in /etc/services) if protocol is UDP or TCP, and ICMP type number or name if protocol is ICMP (this may change in the future)
$smacaddr (MAC address)
source MAC address
$dipaddr (IP network)
destination IP address, or destination IP network
$dport (integer)
destination port number (or name used in /etc/services) if protocol is UDP or TCP, and ICMP code number or name if protocol is ICMP (this may change in the future)
$dmacaddr (MAC address)
destination MAC address
$tcpflags (integer)
TCP flags if protocol is TCP (flags can be a combination of SYN|ACK|RST|FIN|PSH|URG|ECE|CWR)

For integer and boolean values, the following operators can be used: ||, &&, ==, !=, <, >, <=, >=, &, |, ^, +, -.

String variables can be compared for strict equality with == and != operators, but also matched with an extended regular expression with =~ operator. Strings are quoted with " (like "foo"), and regexps with / (like /(foo|bar)/). Note that regexp matches only a subset of the string. You have to surround the regexp with ^ and $ if you want to match the whole string (that may change in the future). Like in Perl, you may add an optional i modifier after final /, to do case-insensitive pattern matching.

Date format is one that is accepted by the getdate C function. It must be enclosed in brackets [] and will be converted to an integer value which stands for the number of seconds since the epoch (01 Jan 1970 UTC 00:00). See DATE FORMAT section.

IP network can be an IP address, or an IP network (a.b.c.d/n.o.p.q or a.b.c.d/bitmask, or even things like a.b.*.* for a /16 mask, for example).

MAC addresses are of the form aa:bb:cc:dd:ee:ff. They can only be compared for strict equality (== and != operators).

 

DATE FORMAT

The string may contain many flavors of items: calendar date items, time of the day items, time zone items, day of the week item, relative items, or pure numbers. As expression can be quite complex, if you have doubt about the dates you specified, activate global verbose mode to show filter expression on stderr using absolute dates.
Calendar date
can be "1974-08-31", "74-8-31", "74-08-31", "8/31/74", "31 August 1974", "31 Aug 1974", "Aug 31, 1974", "31-aug-74", "31aug74". The year can be omitted (current year is then used).
Time of day
can be "02:50:00", "02:50", "2:50am".
Day of week
can be "Sunday", "Monday", "Tuesday", "Wednesday", "Thursday", "Friday" or "Saturday", but can be abbreviated to their first three letters. A number may precede a day of the week item to move forward supplementary weeks. It is best used in expression like `third monday'. In this context, `last DAY' or `next DAY' is also acceptable; they move one week before or after the day that DAY by itself would represent.
Relative items
adjust a date (or the current date if none) forward or backward. It can be "1 year", "1 year ago", "3 years", "2 days", for example. You can also use "month", "week", "day", "hour", "minute" ("min"), and "second" ("sec"), or "now" ("today"), "yesterday", and "tomorrow". The string `this' also has the meaning of a zero-valued time displacement, but is preferred in date strings like `this thursday'.
Pure decimal number
precise intepretation depends on the context in the date string. If the decimal number is of the form YYYYMMDD and no other calendar date item appears before it in the date string, then YYYY is read as the year, MM as the month number and DD as the day of the month, for the specified calendar date. If the decimal number is of the form HHMM and no other time of day item appears before it in the date string, then HH is read as the hour of the day and MM as the minute of the hour, for the specified time of the day. MM can also be omitted.

 

EXAMPLES

wflogs -i netfilter -o html netfilter.log > logs.html
converts the given netfilter log file into a HTML report.

wflogs --sort=protocol,-time -i netfilter -o text netfilter.log > logs.txt
converts the given netfilter log file into a sorted (by protocol number, then reverse time) text report.

wflogs -f '$start_time >= [this 3 days ago] && $start_time < [this 2 days ago] && $chainlabel =~ /(DROP|REJECT)/ && $sipaddr == 10.0.0.0/8 && $protocol == tcp && ($dport == ssh || $dport == telnet) && ($tcpflags & SYN)' -i netfilter -o text --summary=no
shows log entries (without summary) which match the given expression (refused connection attempts that occured 3 days ago to ssh and telnet ports coming from internal network 10.0.0.0/8).

wflogs -i netfilter --resolve=0 --whois=0 netfilter.log
converts the given netfilter log file into a text report (default mode), disabling IP address reverse lookups and whois lookups.

wflogs -i netfilter -o xml netfilter.log > logs.xml
exports netfilter logs in XML.

wflogs -i ipchains -o netfilter ipchains.log > netfilter.log
converts ipchains logs into netfilter log format. So you may process them with your favorite netfilter log analyser, for example (even if the latter may not be better than wflogs itself. ;-)).

wflogs -i ipfilter -o human --datalen=yes ipfilter.log
produces a report about ipfilter logfile in natural language on stdout, displaying packet length (datalen option) which is not showed by default.

 

SEE ALSO

wfconvert(8), regex(7).  

BUGS

Bugs? What's this? ;-) Contributions are welcome, please see http://wallfire.org/.  

AUTHORS

wflogs has been written by Herve Eychenne. See http://wallfire.org/.

This man page has been initiated by Gregoire Hubert <greg@coolkeums.org>, and written by Herve Eychenne.


 

Index

NAME
SYNOPSIS
DESCRIPTION
OPTIONS
INPUT MODULES
netfilter
ipchains
ipfilter
cisco_pix
cisco_ios
snort
OUTPUT MODULES
text
html
xml
human
netfilter
ipchains
ipfilter
SORT KEYS
FILTER EXPRESSION
DATE FORMAT
EXAMPLES
SEE ALSO
BUGS
AUTHORS

This document was created by man2html, using the manual pages.
Time: 22:41:47 GMT, April 16, 2011