man wflogs (System Administration) - firewall log analyser of the WallFire project.
NAME
wflogs - firewall log analyser of the WallFire project.
SYNOPSIS
wflogs [options] [logfile]
DESCRIPTION
wflogs is a firewall log analyser. It can be used to produce a log summary report
in plain text, HTML and XML, or even to translate a log file into another
firewall log format, for example.
Logs can be filtered, summarized, sorted, and obfuscated (in that order),
using the following options.
By default, output is not sorted, and may be summarized if the output
module has a `summary' option and that option is set to `yes' (including
by its default value).
You have to specify a module name that will handle the input (parsing)
and another for the output (exportation). See MODULES sections below.
With no logfile, wflogs reads /var/log/messages.
When logfile is `-', it reads standard input.
OPTIONS
- -c | --config file
- wflogs will use given configuration file. If not specified, wflogs will not use any configuration file and will only use command line options.
- -f | --filter expression
- Print log entries that match the boolean expression. This expression looks very much like a Perl condition, which must be passed as a single, quoted argument. If no expression is given, all log entries will be dumped. Otherwise, only entries for which expression is `true' will be dumped. See the FILTER EXPRESSION section below.
- -i | --input-format format[,format2,...]
- Specify the input parsing modules. Wflogs will use the corresponding modules (if available) to parse the logs. If you want to parse a log file with multiple formats mixed (typically a remote syslog file), you can specify several format module names separated by commas, one being probed after another. Use special name `all' to try every available format. If you omit the `-i' option, wflogs will try to guess the local firewalling tool at runtime, and use the corresponding module. Use format `help' to know which modules are available (currently, `netfilter', `ipchains', `ipfilter', `cisco_pix', `cisco_ios', and `snort'), and which is the default (guessed) module. See INPUT MODULES section below.
- -I, --interactive
- Interactive mode. The program will not terminate, but enters a little interactive shell.
This option can be used in conjunction with real-time mode (-R option). While in non-interactive real-time mode (-R only), the USR1 signal lets you fall back into interactive mode.
- -o | --output-type type [ output module options ]
- Specify the output module type. Wflogs will use the
corresponding module (if available) to export the input logs to the
corresponding target.
Use type `help' to know which modules are available (currently,
`text', `html', `xml', `human', `netfilter', `ipchains', and `ipfilter').
Default mode is `text'.
See OUTPUT MODULES section below.
Output module configuration can be achieved via the command line. You can specify long options (with a `--' prefix). Three types are supported: boolean (yes or no), integer, and string. A special option `--options' displays the available options of the module, with type, help message, and default value. For example, wflogs -o html --options shows the HTML output module configuration.
- -O | --obfuscate [criteria]
- This option obfuscates some logging fields according to the given criteria,
separated by commas. These can be `date', `hostname', `ipaddr', or `macaddr'
(or `all' for everything). Default (if no criteria are given) is `all'.
If ipaddr is specified, output module options `resolve' and `whois_lookup'
(if available) are set to no. If macaddr is specified, output module
option `mac_vendor' (if available) is set to no.
Date order is preserved, hostnames are replaced by "hostx" (where x is a growing number), ipaddr values belong to the 0.0.0.0/8 network, macaddr values are of the form 0:0:0:0:0:1, 0:0:0:0:0:2, etc. Note that for all obfuscated fields, each original value is mapped to a new unique one (uniqueness is preserved).
- -P | --proceed
- If real-time (-R) or interactive (-I) mode is set, first process the log entries already in the input logfile before entering that mode, as these entries are not parsed by default in these modes.
- -R | --realtime
- ``Real-time'' mode: logs are monitored in real time. Wflogs will
wait for new log entries. Entries already present in the input logfile
will not be processed as usual, unless you specify the -P option.
This option can be used in conjunction with interactive mode (-I option). While in non-interactive real-time mode (-R only), the USR1 signal lets you fall back into interactive mode.
- -s | --sort[=criteria_list]
- Set the output line sort order according to the multilevel sort specified by the sequence of keys key1,key2,... Syntax is --sort=[+|-]key1[,[+|-]key2[,...]]. Choose keys from the SORT KEYS section. `-' reverses direction only on the key it precedes. The `+' is really optional since the default direction is increasing numerical or lexicographic order. For example wflogs --sort=dport,-time sorts according to destination port number, then reverse time (for a given port number). If one of the keys is `none', the output is not sorted. Use key `help' to show available keys. If no sort criteria are given, output is sorted with `-count,time,dipaddr,protocol,dport'.
- --strict-parsing type
- Set the parsing policy. Available types are: `loose' (even if there is garbage in the input file or incorrect log lines, parse as much as possible and issue no warning at all), `nowarning' (issue no warnings, ignore non-log lines but do not store incoherent entries), `warning' (issue warnings on stderr, ignore non-log lines but do not store bizarre entries), and `error' (stop parsing if a line is not a log entry, or if an entry is bizarre). Default type is `warning'.
- -v | --verbose [level]
- Set verbosity level. If level is omitted, default value is 1.
- -V | --version
- Display current version.
- -h | --help
- Show help message on stdout.
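To make the -O mapping above concrete, here is an added Python example (not wflogs code) that applies the four criteria to raw netfilter syslog lines with the same rule: every distinct original value gets one distinct placeholder, date order is kept, hostnames become host1, host2, ..., addresses land in 0.0.0.0/8 and MAC addresses become 0:0:0:0:0:1, 0:0:0:0:0:2, ... The way the n-th distinct address is numbered inside 0.0.0.0/8, the treatment of netfilter's 14-byte MAC= field (destination, source, ethertype) and the sample lines are my assumptions, not taken from the manual.

```python
import re
from datetime import datetime, timedelta

# Syslog prefix of a netfilter line: "Mon DD HH:MM:SS hostname "
SYSLOG = re.compile(r"^(\w{3} +\d{1,2} \d\d:\d\d:\d\d) (\S+) ")


class Obfuscator:
    """Replace sensitive fields with placeholders; every distinct original value
    gets one distinct placeholder, so counts and correlations survive."""

    def __init__(self, criteria=("date", "hostname", "ipaddr", "macaddr")):
        self.criteria = set(criteria)
        self.hosts, self.ips, self.macs = {}, {}, {}

    def host(self, name):                   # hostx, x growing with each new host
        return self.hosts.setdefault(name, f"host{len(self.hosts) + 1}")

    def ip(self, addr):                     # n-th distinct address -> 0.x.y.n (assumed numbering)
        if addr not in self.ips:
            n = len(self.ips) + 1
            self.ips[addr] = f"0.{(n >> 16) & 255}.{(n >> 8) & 255}.{n & 255}"
        return self.ips[addr]

    def mac(self, addr):                    # 0:0:0:0:0:1, 0:0:0:0:0:2, ...
        if addr not in self.macs:
            n = len(self.macs) + 1
            self.macs[addr] = f"0:0:0:0:{n >> 8:x}:{n & 255:x}"
        return self.macs[addr]

    def mac_field(self, field):
        # netfilter's MAC= holds dst(6 bytes):src(6 bytes):ethertype(2 bytes);
        # both addresses are replaced and the ethertype is kept (my reading of the field).
        octets = field.split(":")
        if len(octets) != 14:
            return field
        dst, src = ":".join(octets[:6]), ":".join(octets[6:12])
        return ":".join([self.mac(dst), self.mac(src)] + octets[12:])

    def date_map(self, lines):
        # Distinct timestamps, in chronological order, become minute 0, 1, 2, ... of
        # Jan 1 1970: the order survives, real times and gaps do not. Syslog stamps
        # carry no year, so a log spanning New Year would need extra handling.
        stamps = sorted({m.group(1) for m in map(SYSLOG.match, lines) if m},
                        key=lambda s: datetime.strptime(s, "%b %d %H:%M:%S"))
        fake = (datetime(1970, 1, 1) + timedelta(minutes=i) for i in range(len(stamps)))
        return {s: f"{d:%b} {d.day:2d} {d:%H:%M:%S}" for s, d in zip(stamps, fake)}

    def run(self, lines):
        dates = self.date_map(lines) if "date" in self.criteria else {}
        out = []
        for line in lines:
            m = SYSLOG.match(line)
            if not m:                       # not a syslog line: leave it untouched
                out.append(line)
                continue
            stamp, host, rest = m.group(1), m.group(2), line[m.end():]
            if "date" in self.criteria:
                stamp = dates[stamp]
            if "hostname" in self.criteria:
                host = self.host(host)
            if "ipaddr" in self.criteria:
                rest = re.sub(r"\b(SRC|DST)=(\d+(?:\.\d+){3})",
                              lambda k: f"{k.group(1)}={self.ip(k.group(2))}", rest)
            if "macaddr" in self.criteria:
                rest = re.sub(r"\bMAC=(\S+)", lambda k: "MAC=" + self.mac_field(k.group(1)), rest)
            out.append(f"{stamp} {host} {rest}")
        return out


SAMPLE_LOG = [  # constructed netfilter lines in syslog form, not from the manual
    "Mar  3 10:22:41 fw1 kernel: DROP IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 "
    "SRC=10.1.2.3 DST=192.0.2.10 LEN=60 PROTO=TCP SPT=51000 DPT=22 SYN",
    "Mar  3 10:22:41 fw1 kernel: DROP IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 "
    "SRC=10.1.2.3 DST=192.0.2.10 LEN=60 PROTO=TCP SPT=51001 DPT=23 SYN",
    "Mar  3 09:59:07 fw2 kernel: ACCEPT IN=eth1 OUT=eth0 MAC=00:11:22:33:44:55:66:77:88:99:aa:bc:08:00 "
    "SRC=10.1.2.4 DST=192.0.2.11 LEN=52 PROTO=TCP SPT=40000 DPT=80 ACK",
]

if __name__ == "__main__":
    for line in Obfuscator().run(SAMPLE_LOG):
        print(line)
```

Because the maps are per-run, the two lines from 10.1.2.3 still share one placeholder address after obfuscation, which is what keeps a shared report useful for counting and correlating while hiding the real addresses; passing a subset such as `Obfuscator(["ipaddr"])` mirrors giving -O a criteria list.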
INPUT MODULES
wflogs can use extended input modules, each one parsing a specific firewall log format. See option -i.
netfilter
This module parses the netfilter log format.
ipchains
This module parses the ipchains log format.
ipfilter
This module parses the ipfilter log format.
cisco_pix
This module parses the Cisco PIX and Cisco FWSM log format.
cisco_ios
This module parses the Cisco IOS log format.
snort
This module parses the snort IDS ACL log format.
OUTPUT MODULES
wflogs can use extended output modules, each of which exports the input logs to a particular format. So it can be used to rewrite the input into another firewall log format or to generate a report, for example. See option -o. Summary mode depends on the module, and is configurable through the `summary' module option.
text
This module produces a summary in text mode. Please note that this text output is not intended to be parsed. Use XML output module instead.
html
This module produces a summary output in HTML format.
xml
This module produces a summary in XML format (see wflogs DTD).
human
This module produces a summary in text format, in a human readable form. Newcomers may like it. ;-)
netfilter
This module exports input logs to netfilter log syntax.
ipchains
This module exports input logs to ipchains log syntax.
ipfilter
This module exports input logs to ipfilter log syntax.
SORT KEYS
| KEY | DESCRIPTION |
|---|---|
| count | sort by count (number of original log entries) |
| time | sort by log entry date (if count != 1, the date of the first original log line) |
| timeend | sort by log entry end date (if count != 1, the date of the last original log line) |
| input_iface | sort by input interface name |
| output_iface | sort by output interface name |
| sipaddr | sort by source IP address |
| dipaddr | sort by destination IP address |
| smacaddr | sort by source MAC address |
| dmacaddr | sort by destination MAC address |
| protocol | sort by protocol number |
| sport | sort by source port number (if available) |
| dport | sort by destination port number (if available) |
| tcpflags | sort by TCP flags |
| hostname | sort by hostname |
| chainlabel | sort by chain label |
| branchname | sort by branch name |
| datalen | sort by data length |
| format | sort by firewalling tool format |
| none | do not sort |
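The multilevel sort that --sort describes (a key list, `-' reversing only the key it precedes, `none' disabling the sort, and the `-count,time,dipaddr,protocol,dport' default) can be reproduced with one stable sort per key applied from the last key to the first. The Python below is an added example, not wflogs code; the entries it sorts are constructed summary records, and the key set is the table above.

```python
from operator import itemgetter

# Keys from the SORT KEYS table; `none' is handled separately.
SORT_KEYS = {"count", "time", "timeend", "input_iface", "output_iface", "sipaddr", "dipaddr",
             "smacaddr", "dmacaddr", "protocol", "sport", "dport", "tcpflags", "hostname",
             "chainlabel", "branchname", "datalen", "format"}
DEFAULT_SORT = "-count,time,dipaddr,protocol,dport"   # the --sort default from the manual


def parse_sort_spec(spec):
    """'dport,-time' -> [('dport', False), ('time', True)]; [] means do not sort."""
    keys = []
    for item in spec.split(","):
        key, descending = item.lstrip("+-"), item.startswith("-")
        if key == "none":
            return []
        if key not in SORT_KEYS:
            raise ValueError(f"unknown sort key: {key!r}")
        keys.append((key, descending))
    return keys


def sort_entries(entries, spec=DEFAULT_SORT):
    """Multilevel sort: one stable sort per key, applied from the last key to the
    first, so earlier keys dominate and `-' reverses only the key it precedes."""
    result = list(entries)
    for key, descending in reversed(parse_sort_spec(spec)):
        result.sort(key=itemgetter(key), reverse=descending)
    return result


SAMPLE_ENTRIES = [  # constructed summary entries (time as seconds since the Epoch)
    {"count": 3, "time": 1001, "dipaddr": "192.0.2.10", "protocol": 6, "dport": 22},
    {"count": 1, "time": 1000, "dipaddr": "192.0.2.10", "protocol": 6, "dport": 80},
    {"count": 3, "time": 1002, "dipaddr": "192.0.2.10", "protocol": 17, "dport": 53},
    {"count": 1, "time": 1003, "dipaddr": "192.0.2.9", "protocol": 6, "dport": 22},
]

if __name__ == "__main__":
    for entry in sort_entries(SAMPLE_ENTRIES, "dport,-time"):
        print(entry)
```

The sample keeps addresses as strings, so dipaddr sorts lexicographically ("192.0.2.10" before "192.0.2.9"); storing ipaddress.ip_address values instead gives the numeric order the table implies.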
FILTER EXPRESSION
This filtering expression looks very much like a Perl condition.
Variables are prefixed with `$'. Pre-defined variables are:
- $format (string)
- firewalling tool format
- $count (integer)
- number of original log entries
- $start_time ([string] or integer)
- log entry date (if count != 1, the date of the first original log line), in date format ([string], see below), or in seconds since the Epoch
- $end_time ([string] or integer)
- log entry end date (if count != 1, the date of the last original log line), in date format ([string], see below), or in seconds since the Epoch
- $hostname (string)
- name of the host which logged the packet
- $chainlabel (string)
- chain label
- $branchname (string)
- branch name
- $input_iface (string)
- input interface name
- $output_iface (string)
- output interface name
- $protocol (integer)
- protocol number (or name used in /etc/protocols)
- $datalen (integer)
- data length
- $sipaddr (IP network)
- source IP address, or source IP network
- $sport (integer)
- source port number (or name used in /etc/services) if protocol is UDP or TCP, and ICMP type number or name if protocol is ICMP (this may change in the future)
- $smacaddr (MAC address)
- source MAC address
- $dipaddr (IP network)
- destination IP address, or destination IP network
- $dport (integer)
- destination port number (or name used in /etc/services) if protocol is UDP or TCP, and ICMP code number or name if protocol is ICMP (this may change in the future)
- $dmacaddr (MAC address)
- destination MAC address
- $tcpflags (integer)
- TCP flags if protocol is TCP (flags can be a combination of SYN|ACK|RST|FIN|PSH|URG|ECE|CWR)
For integer and boolean values, the following operators can be used: ||, &&, ==, !=, <, >, <=, >=, &, |, ^, +, -.
String variables can be compared for strict equality with == and != operators, but also matched with an extended regular expression with =~ operator. Strings are quoted with " (like "foo"), and regexps with / (like /(foo|bar)/). Note that regexp matches only a subset of the string. You have to surround the regexp with ^ and $ if you want to match the whole string (that may change in the future). Like in Perl, you may add an optional i modifier after final /, to do case-insensitive pattern matching.
Date format is one that is accepted by the getdate C function. It must be enclosed in brackets [] and will be converted to an integer value which stands for the number of seconds since the epoch (01 Jan 1970 UTC 00:00). See DATE FORMAT section.
IP network can be an IP address, or an IP network (a.b.c.d/n.o.p.q or a.b.c.d/bitmask, or even things like a.b.*.* for a /16 mask, for example).
MAC addresses are of the form aa:bb:cc:dd:ee:ff. They can only be compared for strict equality (== and != operators).
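The following Python is an added example, not wflogs code: a small evaluator for a subset of the filter language just described, run over netfilter lines so that the manual's example filter (without its [date] terms) can be tried offline. It tokenizes `$variables`, integers, `"strings"`, `/regexps/` with the `i` modifier, a.b.c.d and a.b.c.d/n literals and bare names, parses them with Perl-like precedence (`||` lowest, then `&&`, `|` and `^`, `&`, the equality and `=~` operators, the ordering operators, then `+` and `-`), and applies the rules above: `==` against a network literal tests membership, `=~` matches a substring. The service, protocol and flag tables, the `a.b.*.*` omission, the missing date and MAC variables, and the sample lines are my assumptions.

```python
import ipaddress
import operator
import re

# Assumed name tables standing in for /etc/services, /etc/protocols and the TCP
# flag bits (hypothetical subset; wflogs itself consults the system files).
TCPFLAGS = {"FIN": 1, "SYN": 2, "RST": 4, "PSH": 8, "ACK": 16, "URG": 32, "ECE": 64, "CWR": 128}
NAMES = {"ssh": 22, "telnet": 23, "http": 80, "icmp": 1, "tcp": 6, "udp": 17, **TCPFLAGS}

TOKEN = re.compile(r"""\s*(?:
    (\$\w+)                                # 1 variable
  | (\d+\.\d+\.\d+\.\d+(?:/[\d.]+)?)       # 2 IP address or a.b.c.d/n network
  | (\d+)                                  # 3 integer
  | "([^"]*)"                              # 4 quoted string
  | (/(?:[^/\\]|\\.)*/i?)                  # 5 /regexp/ with optional i modifier
  | ([A-Za-z_]\w*)                         # 6 bare name: service, protocol or flag
  | (\|\||&&|=~|==|!=|<=|>=|[<>&|^+()-])   # 7 operator or parenthesis
)""", re.X)
KINDS = ("var", "net", "int", "str", "re", "name", "op")
CONVERT = {"var": lambda v: v[1:], "net": lambda v: ipaddress.ip_network(v, strict=False),
           "int": int, "str": str, "name": str, "op": str,
           "re": lambda v: re.compile(v[1:].rpartition("/")[0], re.I if v.endswith("i") else 0)}
PREC = {"||": 1, "&&": 2, "|": 3, "^": 3, "&": 4, "==": 5, "!=": 5, "=~": 5,
        "<": 6, ">": 6, "<=": 6, ">=": 6, "+": 7, "-": 7}
OPS = {"==": operator.eq, "!=": operator.ne, "<": operator.lt, ">": operator.gt, "<=": operator.le,
       ">=": operator.ge, "&": operator.and_, "|": operator.or_, "^": operator.xor,
       "+": operator.add, "-": operator.sub}


def tokenize(expr):
    # Split a filter expression into (kind, value) tokens; lastindex tells which alternative hit.
    pos, tokens = 0, []
    while expr[pos:].strip():
        m = TOKEN.match(expr, pos)
        if not m:
            raise SyntaxError(f"bad token near {expr[pos:pos + 12]!r}")
        pos, kind = m.end(), KINDS[m.lastindex - 1]
        tokens.append((kind, CONVERT[kind](m.group(m.lastindex))))
    return tokens


def parse(tokens):
    # Precedence-climbing parser; returns a nested-tuple AST.
    toks, pos = tokens + [("end", None)], [0]

    def primary():
        kind, val = toks[pos[0]]
        pos[0] += 1
        if (kind, val) == ("op", "("):
            node = expr(1)
            if toks[pos[0]] != ("op", ")"):
                raise SyntaxError("expected )")
            pos[0] += 1
            return node
        if kind in ("end", "op"):
            raise SyntaxError(f"unexpected token {val!r}")
        return (kind, val)

    def expr(min_prec):
        lhs = primary()
        while toks[pos[0]][0] == "op" and PREC.get(toks[pos[0]][1], 0) >= min_prec:
            op = toks[pos[0]][1]
            pos[0] += 1
            lhs = ("bin", op, lhs, expr(PREC[op] + 1))
        return lhs

    return expr(1)


def evaluate(node, entry):
    # Evaluate an AST against one log entry (a dict of variable values).
    kind = node[0]
    if kind != "bin":                         # leaf: variable, bare name or literal
        return entry[node[1]] if kind == "var" else NAMES[node[1]] if kind == "name" else node[1]
    _, op, lhs, rhs = node
    if op == "||":                            # short-circuit, like Perl
        return bool(evaluate(lhs, entry) or evaluate(rhs, entry))
    if op == "&&":
        return bool(evaluate(lhs, entry) and evaluate(rhs, entry))
    a, b = evaluate(lhs, entry), evaluate(rhs, entry)
    if op == "=~":                            # regexp matches any substring, as in wflogs
        return b.search(str(a)) is not None
    if isinstance(b, ipaddress.IPv4Network):  # `$sipaddr == a.b.c.d/n' tests membership
        inside = ipaddress.ip_address(a) in b
        return inside if op == "==" else not inside
    return OPS[op](a, b)


def parse_netfilter(line):
    # Map one netfilter syslog line onto the wflogs filter variables (a subset).
    head, _, body = line.partition(" kernel: ")
    words = body.split()
    first = next(i for i, w in enumerate(words) if w.startswith("IN="))
    fields = dict(w.split("=", 1) for w in words[first:] if "=" in w)
    return {"hostname": head.split()[-1], "chainlabel": " ".join(words[:first]),
            "input_iface": fields.get("IN", ""), "output_iface": fields.get("OUT", ""),
            "sipaddr": fields["SRC"], "dipaddr": fields["DST"], "datalen": int(fields["LEN"]),
            "protocol": NAMES[fields["PROTO"].lower()],
            "sport": int(fields.get("SPT", 0)), "dport": int(fields.get("DPT", 0)),
            "tcpflags": sum(TCPFLAGS[w] for w in words[first:] if w in TCPFLAGS)}


def wf_filter(expr, lines):
    # Return the netfilter lines for which the filter expression is true.
    ast = parse(tokenize(expr))
    return [line for line in lines if evaluate(ast, parse_netfilter(line))]


SAMPLE_LOG = [  # constructed netfilter syslog lines, not taken from the manual
    "Mar  3 10:22:41 fw1 kernel: DROP IN=eth0 OUT= SRC=10.1.2.3 DST=192.0.2.10 LEN=60 PROTO=TCP SPT=51000 DPT=22 SYN",
    "Mar  3 10:22:42 fw1 kernel: DROP IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 LEN=60 PROTO=TCP SPT=40000 DPT=22 SYN",
    "Mar  3 10:22:43 fw1 kernel: ACCEPT IN=eth0 OUT=eth1 SRC=10.1.2.4 DST=192.0.2.10 LEN=52 PROTO=TCP SPT=51001 DPT=80 ACK",
]
EXAMPLE_FILTER = ("$chainlabel =~ /(DROP|REJECT)/ && $sipaddr == 10.0.0.0/8 && $protocol == tcp"
                  " && ($dport == ssh || $dport == telnet) && ($tcpflags & SYN)")
```

Running `wf_filter(EXAMPLE_FILTER, SAMPLE_LOG)` keeps only the first sample line: the second comes from outside 10.0.0.0/8 and the third is an ACCEPT to port 80 without SYN. Writing the evaluator as a tokenizer plus parser, rather than handing the string to an interpreter, is also what keeps a user-supplied filter from executing anything beyond comparisons.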
DATE FORMAT
The string may contain many flavors of items: calendar date items, time of day items, time zone items, day of the week items, relative items, or pure numbers. As expressions can be quite complex, if you have doubts about the dates you specified, activate global verbose mode to show the filter expression on stderr using absolute dates.
- Calendar date
- can be "1974-08-31", "74-8-31", "74-08-31", "8/31/74", "31 August 1974", "31 Aug 1974", "Aug 31, 1974", "31-aug-74", "31aug74". The year can be omitted (current year is then used).
- Time of day
- can be "02:50:00", "02:50", "2:50am".
- Day of week
- can be "Sunday", "Monday", "Tuesday", "Wednesday", "Thursday", "Friday" or "Saturday", but can be abbreviated to their first three letters. A number may precede a day of the week item to move forward supplementary weeks. It is best used in expression like `third monday'. In this context, `last DAY' or `next DAY' is also acceptable; they move one week before or after the day that DAY by itself would represent.
- Relative items
- adjust a date (or the current date if none) forward or backward. It can be "1 year", "1 year ago", "3 years", "2 days", for example. You can also use "month", "week", "day", "hour", "minute" ("min"), and "second" ("sec"), or "now" ("today"), "yesterday", and "tomorrow". The string `this' also has the meaning of a zero-valued time displacement, but is preferred in date strings like `this thursday'.
- Pure decimal number
- precise interpretation depends on the context in the date string. If the decimal number is of the form YYYYMMDD and no other calendar date item appears before it in the date string, then YYYY is read as the year, MM as the month number and DD as the day of the month, for the specified calendar date. If the decimal number is of the form HHMM and no other time of day item appears before it in the date string, then HH is read as the hour of the day and MM as the minute of the hour, for the specified time of the day. MM can also be omitted.
EXAMPLES
wflogs -i netfilter -o html netfilter.log > logs.html
converts the given netfilter log file into an HTML report.
wflogs --sort=protocol,-time -i netfilter -o text netfilter.log > logs.txt
converts the given netfilter log file into a sorted (by protocol number,
then reverse time) text report.
wflogs -f '$start_time >= [this 3 days ago] && $start_time < [this 2 days ago] && $chainlabel =~ /(DROP|REJECT)/ && $sipaddr == 10.0.0.0/8 && $protocol == tcp && ($dport == ssh || $dport == telnet) && ($tcpflags & SYN)' -i netfilter -o text --summary=no
shows log entries (without summary) which match the given expression
(refused connection attempts that occurred 3 days ago to ssh and telnet
ports coming from the internal network 10.0.0.0/8).
wflogs -i netfilter --resolve=0 --whois=0 netfilter.log
converts the given netfilter log file into a text report (default mode),
disabling IP address reverse lookups and whois lookups.
wflogs -i netfilter -o xml netfilter.log > logs.xml
exports netfilter logs in XML.
wflogs -i ipchains -o netfilter ipchains.log > netfilter.log
converts ipchains logs into netfilter log format. So you may process them
with your favorite netfilter log analyser, for example (even if the latter
may not be better than wflogs itself. ;-)).
wflogs -i ipfilter -o human --datalen=yes ipfilter.log
produces a report about the ipfilter logfile in natural language on stdout,
displaying the packet length (datalen option), which is not shown by default.
SEE ALSO
BUGS
Bugs? What's this? ;-) Contributions are welcome, please see http://wallfire.org/.
AUTHORS
wflogs has been written by Herve Eychenne. See http://wallfire.org/.
This man page has been initiated by Gregoire Hubert <greg@coolkeums.org>, and written by Herve Eychenne.