wflogs

See http://www.wallfire.org/wflogs/
Other info
http://freshmeat.net/projects/wflogs
http://linux.softpedia.com/get/Internet/Log-Analyzers/Wflogs-23257.shtml

Screenshot -> http://www.wallfire.org/wflogs/wflogs_html.png

Run
---
# wflogs /var/log/firewall -o html > /wflogs.html
connect: Connection timed out
terminate called after throwing an instance of 'std::out_of_range'
what(): basic_string::replace
Aborted

Other URLs / links
http://bugs.debian.org/cgi-bin/pkgreport.cgi?pkg=wflogs;dist=unstable
http://www2.packetstormsecurity.org/cgi-bin/search/search.cgi?searchtype=archives&counts=275&searchvalue=Cisco++

/// File Name: wflogs-0.9.8.tar.gz
Description:
Wflogs is a firewall log analysis tool. It can be used to produce a log summary report in plain text, HTML, and XML, or to monitor firewalling logs in real-time. For now, netfilter, ipchains, ipfilter, Cisco_pix, Cisco_ios, and snort input formats are supported. It is particularly fast when asynchronous DNS resolution is enabled. The goal of the WallFire project is to build a very general and modular firewalling application based on Netfilter or any kind of low-level framework. Wflogs is part of the WallFire project, but can be used independently.
Author: Herve Eychenne [mailto:rv[at]eychenne.org]
Homepage: http://www.wallfire.org/wflogs/

Wflogs 0.9.8 description - from http://linux.wareseeker.com/Internet/wflogs-0.9.8.zip/319955
Wflogs is a firewall log analysis tool. It can be used to produce a log summary report in plain text, HTML and XML, or to monitor firewalling logs in real-time.
This project is part of the WallFire project, but can be used independently.

Usage examples:
wflogs -i netfilter -o html netfilter.log > logs.html
converts the given netfilter log file into a HTML report.
wflogs --sort=protocol,-time -i netfilter -o text netfilter.log > logs.txt
converts the given netfilter log file into a sorted (by protocol number, then reverse time) text report.
wflogs -f '$start_time >= [this 3 days ago] && $start_time < [this 2 days ago] && $chainlabel =~ /(DROP|REJECT)/ && $sipaddr == 10.0.0.0/8 && $protocol == tcp && ($dport == ssh || $dport == telnet) && ($tcpflags & SYN)' -i netfilter -o text --summary=no
shows log entries (without summary) which match the given expression (refused connection attempts that occurred 3 days ago to the ssh and telnet ports, coming from the internal network 10.0.0.0/8). The expression is single-quoted so that the shell does not expand the $variables or treat && as a command separator.

wflogs -i netfilter -o text --resolve=0 --whois=0 netfilter.log
converts the given netfilter log file into a text report (default mode), disabling IP address reverse lookups and whois lookups.

wflogs -i netfilter -o xml netfilter.log > logs.xml
exports netfilter logs in XML.

wflogs -i ipchains -o netfilter ipchains.log > netfilter.log
converts ipchains logs into netfilter log format, so that you can process them with your favorite netfilter log analyser (even if the latter may not be better than wflogs itself).

wflogs -i ipfilter -o human --datalen=yes ipfilter.log
produces a report about the ipfilter log file in natural language on stdout, displaying the packet length (datalen option), which is not shown by default.

wflogs -R -I
monitors logs in real-time in an interactive shell, waiting for logs in the default system logfile, in guessed format (according to the local firewalling tool).
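To make concrete what the filter expression and the --sort option above actually compute, here is an added example written for these notes (it is not wflogs source code): a small Python parser for netfilter/iptables LOG lines that exposes the same fields wflogs names in its expressions ($chainlabel, $sipaddr, $protocol, $dport, $tcpflags, $start_time), applies the "refused SYNs from 10.0.0.0/8 to ssh/telnet" filter, and emulates --sort=protocol,-time. The log lines are constructed samples; the key=value layout and the bare flag tokens (SYN, ACK, DF) follow the standard iptables LOG format; the date window ([this 3 days ago]) is left out because syslog timestamps carry no year.

```python
"""Minimal netfilter (iptables LOG target) parser with a wflogs-style filter
and --sort emulation.  Added example for these notes, not wflogs code."""
import ipaddress
import re
from collections import Counter
from datetime import datetime

# Constructed sample lines (syslog prefix + kernel message).  The chain label is
# whatever was given to `-j LOG --log-prefix`, here "DROP ", "REJECT ", "ACCEPT ".
SAMPLE_LOG = """\
Sep 27 04:10:01 fw kernel: DROP IN=eth1 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=10.1.2.3 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=11111 DF PROTO=TCP SPT=40001 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
Sep 27 04:10:02 fw kernel: DROP IN=eth1 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=10.1.2.3 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=11112 DF PROTO=TCP SPT=40002 DPT=23 WINDOW=5840 RES=0x00 SYN URGP=0
Sep 27 04:10:03 fw kernel: ACCEPT IN=eth1 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=10.1.2.4 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=11113 DF PROTO=TCP SPT=40003 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
Sep 27 04:10:04 fw kernel: REJECT IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=198.51.100.7 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=11114 DF PROTO=TCP SPT=40004 DPT=22 WINDOW=65535 RES=0x00 SYN URGP=0
Sep 27 04:10:05 fw kernel: DROP IN=eth1 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=10.1.2.5 DST=192.0.2.10 LEN=40 TOS=0x00 PREC=0x00 TTL=64 ID=11115 PROTO=UDP SPT=5353 DPT=53 LEN=20
Sep 27 04:10:06 fw kernel: [ 1234.567890] DROP IN=eth1 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=10.1.2.3 DST=192.0.2.10 LEN=40 TOS=0x00 PREC=0x00 TTL=64 ID=11116 DF PROTO=TCP SPT=40005 DPT=22 WINDOW=5840 RES=0x00 ACK URGP=0
"""

# syslog timestamp, host, "kernel:", optional printk timestamp, then the log prefix up to IN=
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) kernel: "
    r"(?:\[\s*\d+\.\d+\] )?(?P<label>.*?)IN="
)
TCP_FLAGS = {"SYN", "ACK", "FIN", "RST", "PSH", "URG"}   # bare tokens; DF is an IP flag, not TCP
PROTO_NUMBER = {"ICMP": 1, "TCP": 6, "UDP": 17}          # for "sorted by protocol number"


def parse_netfilter(text):
    """Turn iptables LOG lines into dicts keyed like the wflogs filter variables."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue                      # not a netfilter log line: skip it
        body = line[m.end() - len("IN="):]
        kv = dict(re.findall(r"(\w+)=(\S*)", body))   # a repeated key (UDP LEN=) keeps the last value
        flags = {tok for tok in body.split() if tok in TCP_FLAGS}
        entries.append({
            "start_time": datetime.strptime(m["ts"], "%b %d %H:%M:%S"),  # year unknown in syslog
            "chainlabel": m["label"].strip(),
            "sipaddr": ipaddress.ip_address(kv["SRC"]),
            "dipaddr": ipaddress.ip_address(kv["DST"]),
            "protocol": kv.get("PROTO", "").lower(),
            "sport": int(kv["SPT"]) if "SPT" in kv else None,
            "dport": int(kv["DPT"]) if "DPT" in kv else None,
            "tcpflags": flags,
        })
    return entries


def refused_internal_syn(entries, internal="10.0.0.0/8", ports=(22, 23)):
    """The wflogs -f expression above, minus the time window:
    $chainlabel =~ /(DROP|REJECT)/ && $sipaddr == 10.0.0.0/8 && $protocol == tcp
    && ($dport == ssh || $dport == telnet) && ($tcpflags & SYN)."""
    net = ipaddress.ip_network(internal)
    label_re = re.compile(r"(DROP|REJECT)")
    return [
        e for e in entries
        if label_re.search(e["chainlabel"])
        and e["sipaddr"] in net
        and e["protocol"] == "tcp"
        and e["dport"] in ports
        and "SYN" in e["tcpflags"]
    ]


def sort_entries(entries, spec="protocol,-time"):
    """Emulate --sort=field,-field: comma-separated keys, leading '-' means descending.
    Implemented as successive stable sorts from the last key to the first."""
    keyfunc = {
        "protocol": lambda e: PROTO_NUMBER.get(e["protocol"].upper(), 255),
        "time": lambda e: e["start_time"],
        "sipaddr": lambda e: int(e["sipaddr"]),
        "dport": lambda e: e["dport"] or 0,
    }
    result = list(entries)
    for field in reversed(spec.split(",")):
        result.sort(key=keyfunc[field.lstrip("-")], reverse=field.startswith("-"))
    return result


def summarize(entries, field="protocol"):
    """Count per field value, most frequent first, like the report's summary section."""
    return Counter(str(e[field]) for e in entries).most_common()


if __name__ == "__main__":
    parsed = parse_netfilter(SAMPLE_LOG)
    for hit in refused_internal_syn(parsed):
        print(hit["start_time"].time(), hit["chainlabel"], hit["sipaddr"], "->", hit["dport"])
    print(summarize(sort_entries(parsed, "protocol,-time")))
```

On the constructed sample only the two DROPped SYNs from 10.1.2.3 to ports 22 and 23 survive the filter: the ACCEPTed SYN, the REJECTed SYN from a non-internal address, the UDP packet and the DROPped ACK (not a connection attempt) are all excluded, which is exactly the distinction the wflogs expression draws.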

Supported systems
WallFire is intended to work on real systems such as Unix, especially Linux and *BSD.
Current wflogs input modules are:
- netfilter (Linux 2.4 and 2.6 firewall logs)
- ipchains (Linux 2.2 firewall logs)
- ipfilter (NetBSD, FreeBSD, OpenBSD, Solaris, SunOS 4, IRIX and HP-UX running ipfilter firewall logs).
- cisco_pix (Cisco PIX filter logs)
- cisco_ios (Cisco IOS filter logs)
- snort (Snort ACLs logs)
Please note that every input module is available on any platform on which wflogs runs (for example, you can perfectly well parse Cisco PIX logs on a Linux box).
Enhancements:
- Improved matching of netfilter and ipfilter input modules.
- Added support for Cisco FWSM (PIX).
- Improved netfilter parsing.
- Compilation fixes for *BSD.
- Added wflogs.dtd.
- Added wfchkintegrity tool, which makes it possible to monitor changes in the firewalling configuration.
- Fixed buffer sizes for some input modules.
- Fixed parsing with recent flex versions.
Last change
===========
%configure --with-wfnetobjs-libdir=%{_libdir}
===========
BuildRequires: libwfnetobjs0 , libwfnetobjs-devel

Last error
==========
configure: error: wfnetobjs-libdir: no directory found, use configure option
error: Bad exit status from /var/tmp/rpm-tmp.iD89CM (%build)

build20 started "build wflogs.spec" at Sun Sep 27 04:16:16 UTC 2009.

configure: error: wfnetobjs-libdir: no directory found, use configure option
error: Bad exit status from /var/tmp/rpm-tmp.EReXAK (%build)

RPM build errors:
Bad exit status from /var/tmp/rpm-tmp.EReXAK (%build)
System halted.

last change made
================
BuildRequires: wfnetobjs , libwfnetobjs-devel , libtool , automake , gcc-c++

-

if test -x ./configure; then
# removed
# %configure
fi
# %configure --with-wfnetobjs-libdir=/usr/include/wallfire/

# added line
%configure --with-wfnetobjs-libdir=%buildroot/usr/include/wallfire
make

previous change
from http://lists.opensuse.org/opensuse-packaging/2009-09/msg00106.html
Added in

BuildRequires: libwfnetobjs-devel , libtool , automake

if test -x ./configure; then
# removed
# %configure
# added in
%configure --with-wfnetobjs-libdir=/usr/include/wallfire/
fi
make

In log
installing libwfnetobjs0-0.2.4-1.1

Last log error
--------------
Last log
build17 started "build wflogs.spec" at Tue Sep 15 17:39:34 UTC 2009.

configure: error: wfnetobjs-libdir: no directory found, use configure option
error: Bad exit status from /var/tmp/rpm-tmp.Gs6vRS (%build)
RPM build errors:
Bad exit status from /var/tmp/rpm-tmp.Gs6vRS (%build)
System halted.

Depends on info
----------------
Actually requires adding two packages: libwfnetobjs0, and wflogs itself, which in turn requires libadns (the asynchronous DNS resolver mentioned in the description above).

For libwfnetobjs, the repository is http://software.opensuse.org/download/home:/elvigia/

Needed to install libwfnetobjs0-0.2.4-4.2.x86_64.rpm first (somehow, from within OBS):
# rpm -Uvh libwfnetobjs0-0.2.4-4.2.x86_64.rpm

64-bit
# rpm -Uvh http://download.opensuse.org/repositories/home:/elvigia/openSUSE_Factory/x86_64/libwfnetobjs0-0.2.4-4.49.x86_64.rpm
32-bit
# rpm -Uvh http://download.opensuse.org/repositories/home:/elvigia/openSUSE_Factory/i586/libwfnetobjs0-0.2.4-4.49.i586.rpm

wflogs can be called like this
# wflogs /var/log/firewall -o html > /wflogs.html

# ./configure --with-wfnetobjs-libdir=/usr/include/wallfire/

Other info on how to link (example _link file):
https://build.opensuse.org/package/view_file?file=_link&package=bonnie%2B%2B&project=filesystems

Other: wflogs needs libwfnetobjs.so.0 at run time
# /usr/local/bin/wflogs /var/log/firewall -o html > /wflogs.html
/usr/local/bin/wflogs: error while loading shared libraries: libwfnetobjs.so.0: cannot open shared object file: No such file or directory
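The three failures recorded in this section (configure's "wfnetobjs-libdir: no directory found", configure lines that pass /usr/include/wallfire/ as the *library* directory, and the loader's "libwfnetobjs.so.0: cannot open shared object file") all come down to where libwfnetobjs actually lives. The following preflight script is an added example written for these notes, not part of wflogs or of the spec file. Its assumptions are labelled in the code: the library files are named libwfnetobjs.so*, the candidate directories are the usual openSUSE lib/lib64 paths, configure only tests that the --with-wfnetobjs-libdir directory exists (which is what its error message and its acceptance of /usr/include/wallfire/ suggest), and the "=> not found" line format is ldd's. The ldd output and the scratch directory tree used by self_check() are constructed, not captured from a real system.

```python
"""Preflight checks for building and running wflogs against libwfnetobjs.
Added example for these notes; not code from wflogs or from the spec file."""
import os
import re
import subprocess
import tempfile

LIB_SONAME = "libwfnetobjs.so.0"        # name the runtime loader reports as missing above
HEADER_SUBDIR = "wallfire"              # configure's "wfnetobjs includes directory" is <inc>/wallfire
# Assumed candidate library directories (openSUSE layout); adjust for other distributions.
DEFAULT_LIBDIRS = ("/usr/lib64", "/usr/lib", "/usr/local/lib64", "/usr/local/lib")


def find_wfnetobjs_libdir(candidates=DEFAULT_LIBDIRS):
    """First directory that actually holds the wfnetobjs shared library.

    configure apparently only checks that --with-wfnetobjs-libdir names an existing
    directory, so /usr/include/wallfire/ (used in several command lines on this page)
    passes that check but gives the linker nothing to link against.
    """
    for d in candidates:
        if os.path.isdir(d) and any(n.startswith("libwfnetobjs.so") for n in os.listdir(d)):
            return d
    return None


def configure_args(libdir):
    """Arguments for ./configure; only --with-wfnetobjs-libdir is documented on this page."""
    if libdir is None:
        raise RuntimeError("libwfnetobjs not found: install libwfnetobjs0 and "
                           "libwfnetobjs-devel (or link home:elvigia as a build repository)")
    return ["--with-wfnetobjs-libdir=" + libdir]


def parse_ldd_output(text):
    """Names that ldd reports as 'not found' (the cause of 'error while loading shared libraries')."""
    return re.findall(r"^\s*(\S+) => not found", text, re.M)


def missing_shared_libs(binary):
    """Run ldd on an installed binary (raises FileNotFoundError if ldd is absent)."""
    out = subprocess.run(["ldd", binary], capture_output=True, text=True, check=False).stdout
    return parse_ldd_output(out)


def runtime_advice(libdir, missing):
    """What to do when the library is installed but the dynamic loader cannot find it."""
    if LIB_SONAME not in missing:
        return "ok"
    if libdir is None:
        return "install libwfnetobjs0"
    return ("add %s to /etc/ld.so.conf.d/wfnetobjs.conf and run ldconfig, "
            "or export LD_LIBRARY_PATH=%s" % (libdir, libdir))


# Constructed ldd output matching the error on this page (not captured from a real system).
SAMPLE_LDD = """\
\tlinux-vdso.so.1 (0x00007ffd1c5f9000)
\tlibwfnetobjs.so.0 => not found
\tlibadns.so.1 => /usr/lib64/libadns.so.1 (0x00007f0a2c2d4000)
\tlibstdc++.so.6 => /usr/lib64/libstdc++.so.6 (0x00007f0a2bf40000)
"""


def self_check():
    """Build a scratch tree with a headers-only directory and a real library directory,
    then run the checks on it.  Both directories and file names are placeholders."""
    root = tempfile.mkdtemp(prefix="wflogs-preflight-")
    inc = os.path.join(root, "include", HEADER_SUBDIR)
    lib = os.path.join(root, "lib64")
    os.makedirs(inc)
    os.makedirs(lib)
    open(os.path.join(inc, "placeholder.h"), "w").close()   # headers only: not a libdir
    open(os.path.join(lib, LIB_SONAME), "w").close()        # stand-in for the real .so
    libdir = find_wfnetobjs_libdir((inc, lib))              # include dir listed first, must be skipped
    missing = parse_ldd_output(SAMPLE_LDD)
    return {
        "libdir": libdir,
        "configure": configure_args(libdir),
        "missing": missing,
        "advice": runtime_advice(libdir, missing),
    }


if __name__ == "__main__":
    print(self_check())
    system_libdir = find_wfnetobjs_libdir()
    print("system libdir:", system_libdir,
          "configure:", configure_args(system_libdir) if system_libdir else "n/a")
```

Run it on the build host before touching the spec: if it prints a libdir, that value is what --with-wfnetobjs-libdir should receive (the %{_libdir} form in the "Last change" above); if it prints none, the devel package is simply not in the build environment, which is the situation the OBS repository link below resolves.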

Link in libwfnetobjs

I found out how to create the link

- click the '[Link Package from other Project]' item
- Fill in value for 'Name of original project:' -> home:elvigia
- Fill in value for 'Name of package in original project:' -> wfnetobjs
- Leave last box

Install the rpm
# rpm -ivh http://download.opensuse.org/repositories/openSUSE:/11.0/standard/src/monit-4.10.1-40.1.src.rpm

Clicked Create link.
Also need
http://lists.opensuse.org/opensuse-packaging/2009-08/msg00215.html
http://lists.opensuse.org/opensuse-packaging/2009-08/msg00222.html

- How do I link in wfnetobjs to my wflogs project so it can compile.

Build against the repository of wflogs, i.e. go into the web page for your package,
choose [Add Repository] -> [Advanced] and then select something like
home:sample:project/openSUSE_Factory instead of plain openSUSE:Factory.

List of files (from Debian)
/etc/cron.daily/wflogs_email
/etc/cron.daily/wflogs_report
/etc/logrotate.d/wflogs
/usr/bin/wflogs
/usr/sbin/wfchkintegrity
/usr/share/doc/wflogs/README
/usr/share/doc/wflogs/TODO
/usr/share/doc/wflogs/changelog.Debian.gz
/usr/share/doc/wflogs/changelog.gz
/usr/share/doc/wflogs/copyright
/usr/share/doc/wflogs/examples/test/logs_cisco_ios1
/usr/share/doc/wflogs/examples/test/logs_cisco_pix1
/usr/share/doc/wflogs/examples/test/logs_ipchains1
/usr/share/doc/wflogs/examples/test/logs_ipfilter1
/usr/share/doc/wflogs/examples/test/logs_netfilter1
/usr/share/doc/wflogs/examples/test/logs_snort_alert1
/usr/share/doc/wflogs/examples/test/logs_snort_syslog1
/usr/share/locale/fr/LC_MESSAGES/wflogs.mo
/usr/share/man/man8/wflogs.8.gz

Expected output
# ./configure --with-wfnetobjs-libdir=/usr/include/wallfire/

Summary of configuration settings:
base directory: /usr/local

static input modules: netfilter ipchains ipfilter cisco_pix cisco_ios snort
dynamic input modules:
static output modules: netfilter ipchains ipfilter text html xml human
dynamic output modules:
wfnetobjs includes directory: /usr/include/wallfire
wfnetobjs library directory: /usr/include/wallfire/
modules directory: /usr/local/lib/wflogs
default log file: /var/log/messages

other sample builds
http://www.linux-m32r.org/pipermail/build-status/Week-of-Mon-20080512/126396.html
http://daniel.debian.net/packages-sponsoring/chris-lamb/wflogs/0.9.8-6.2/
http://packages.debian.org/squeeze/amd64/wflogs/download
http://packages.debian.org/source/lenny/wflogs

Source files (OBS package)
Filename                Size               Changed
project.diff            3542 B (3.46 KB)   over 9 years ago
wflogs-0.9.8.tar.gz     749272 B (732 KB)  about 10 years ago
wflogs-includes.patch   5007 B (4.89 KB)   over 9 years ago
wflogs.png              20149 B (19.7 KB)  over 9 years ago
wflogs.spec             2183 B (2.13 KB)   almost 4 years ago
z-build-ok-wflogs.log   73746 B (72 KB)    almost 7 years ago