fwanalog is a shell script that parses and summarizes firewall logfiles. It currently (version 0.6.9) understands logs from ipf (tested with OpenBSD 2.8's and 2.9's ipf, also FreeBSD, NetBSD and Solaris 8 with ipf (+ ipfw on FreeBSD)), OpenBSD 3.x pf, Linux 2.2 ipchains, Linux 2.4 iptables, some ZyXEL/NetGear routers and Cisco PIX, Watchguard Firebox, Firewall-One (not NG!), FreeBSD ipfw and Sonicwall firewalls.
I have tested it on Debian GNU/Linux "sid" with bash and OpenBSD 2.x and 3.x with ksh as /bin/sh. Other people use it on all kinds of Unix-like platforms.

(You might need to change the shebang line to bash on non-free Unixes that don't ship with a powerful enough /bin/sh.)

It can be easily extended for other logfile formats, all it takes is editing two regular expressions.

fwanalog uses the excellent log analysis program Analog (also free software) to create its reports. It does so by converting the firewall log into a fake web server log and calling Analog with a modified configuration.

fwanalog is free software, you can use, modify and copy it under the GNU GPL. No warranty.

Sample report

Download: fwanalog-0.6.4.tar.gz (2004-03-18, 126 kB, GPG signature)

Development version: fwanalog-0.6.9.tar.gz (2005-02-24, 118 kB, GPG signature)


Subscribe to the mailing list or view the mailing list archives.

Freshmeat page

My GPG public key (Fingerprint: 497D 8123 E4A2 346D 7185 A3AE 2F38 39FD 06A1 B5F1)


If you have a problem, first look into the mailing list archives; if you don't find a solution there, always write to the mailing list first, not to the author. This way, more people can help and the answers are documented in the list archive. Use private e-mail only if you are sending sensitive data (e.g. un-anonymized firewall logs or error logs). Provide all information that can be relevant to the solution of the problem (e.g. OS version, firewall software version, configuration etc.) instead of "it doesn't work!".
I will probably ignore e-mails that don't follow this policy.

If you have problems, please always try the development version. It works much better than the old stable version, especially with Cisco logfiles.

News in version 0.6.9

News in version 0.6.4

News in version 0.6.3

News in version 0.6.2

News in version 0.6.1

News in version 0.6

News in version 0.6pre

News in version 0.5

News in version 0.5pre

News in version 0.4

News in version 0.3

News in version 0.2.2

News in version 0.2.1

News in version 0.2

© Balázs Bárány. (Homepage) | datascientist.at
Last change: 2005-12-03.