fwanalog
fwanalog is a shell script that parses and summarizes firewall logfiles.
It currently (version 0.6.9) understands logs from:
- ipf (tested with OpenBSD 2.8's and 2.9's ipf, and with FreeBSD, NetBSD and Solaris 8 ipf; also ipfw on FreeBSD)
- OpenBSD 3.x pf
- Linux 2.2 ipchains
- Linux 2.4 iptables
- some ZyXEL/NetGear routers
- Cisco PIX, Watchguard Firebox, Firewall-One (not NG!) and Sonicwall firewalls
- FreeBSD ipfw
I have tested it on Debian GNU/Linux "sid" with bash and on OpenBSD 2.x and 3.x with ksh as /bin/sh.
Other people use it on all kinds of Unix-like platforms.
(You might need to change the shebang line to bash on non-free Unixes that don't ship with a powerful enough /bin/sh.)
It can be easily extended for other logfile formats: all it takes is editing two regular expressions.
fwanalog uses the excellent log analysis program Analog (also free software) to create its reports.
It does so by converting the firewall log into a fake web server log and calling Analog with a modified configuration.
fwanalog is free software; you can use, modify and copy it under the GNU GPL. No warranty.
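The conversion step described above, shown as an added illustration (this is not fwanalog's own code): firewall log lines become Common Log Format lines that a web-log analyzer such as Analog can summarize. The field mapping (source IP as client host, "/protocol/destination-port" as the requested URL, IP length as bytes) and the year argument are assumptions made for this example; the sample log lines are constructed.

```shell
#!/bin/sh
# Illustration of the fwanalog idea: rewrite firewall log lines as a fake
# web-server log (Common Log Format). The mapping below is an assumption for
# this example, not fwanalog's actual one: SRC -> client host,
# /PROTO/DPT -> URL, IP LEN -> bytes, syslog timestamp -> request time.

# Constructed sample Linux 2.4 iptables log lines plus one unrelated syslog
# line (not real traffic; addresses are documentation ranges).
SAMPLE_LOG='Mar 18 10:15:02 fw kernel: DROP IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.0.2.10 DST=198.51.100.5 LEN=48 TOS=0x00 PREC=0x00 TTL=113 ID=34567 DF PROTO=TCP SPT=3212 DPT=135 WINDOW=16384 RES=0x00 SYN URGP=0
Mar 18 10:15:07 fw kernel: DROP IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.44 DST=198.51.100.5 LEN=404 TOS=0x00 PREC=0x00 TTL=48 ID=0 DF PROTO=UDP SPT=1026 DPT=137 LEN=384
Mar 18 10:16:00 fw kernel: DROP IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.0.2.10 DST=198.51.100.5 LEN=84 TOS=0x00 PREC=0x00 TTL=113 ID=1 PROTO=ICMP TYPE=8 CODE=0 ID=512 SEQ=1
Mar 18 10:16:30 fw sshd[123]: Accepted publickey for admin from 198.51.100.7'

# fw2clf YEAR: read iptables lines on stdin, write CLF lines on stdout.
# Syslog timestamps carry no year, so the caller supplies it (assumption).
fw2clf() {
    awk -v year="$1" '
    # Only lines with SRC= and PROTO= are firewall records; others are skipped.
    /SRC=[0-9.]+/ && /PROTO=[A-Z]+/ {
        src = ""; proto = ""; dpt = "-"; len = 0
        for (i = 6; i <= NF; i++) {
            split($i, kv, "=")
            if (kv[1] == "SRC")        src = kv[2]
            else if (kv[1] == "PROTO") proto = kv[2]
            else if (kv[1] == "DPT")   dpt = kv[2]
            else if (kv[1] == "LEN" && len == 0) len = kv[2]  # first LEN is the IP length
        }
        # ICMP has no port; use the ICMP type instead so reports stay distinct.
        if (proto == "ICMP")
            for (i = 6; i <= NF; i++)
                if ($i ~ /^TYPE=/) { split($i, kv, "="); dpt = kv[2] }
        # $1=month $2=day $3=time (syslog prefix); always claim status 200.
        printf "%s - - [%02d/%s/%s:%s +0000] \"GET /%s/%s HTTP/1.0\" 200 %s\n",
               src, $2, $1, year, $3, proto, dpt, len
    }'
}

# Show the conversion on the constructed sample.
printf '%s\n' "$SAMPLE_LOG" | fw2clf 2005
```

Feeding the output to a web-log analyzer then yields "top hosts" (blocked sources) and "top pages" (protocol/port) reports, which is what makes the fake-log trick useful.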
Sample report
Download: fwanalog-0.6.4.tar.gz (2004-03-18, 126 kB, GPG signature)
Development version: fwanalog-0.6.9.tar.gz (2005-02-24, 118 kB, GPG signature)
ChangeLog
Subscribe to the mailing list or view the mailing list archives.
Freshmeat page
My GPG public key (Fingerprint: 497D 8123 E4A2 346D 7185 A3AE 2F38 39FD 06A1 B5F1)
Support
If you have a problem, first look in the mailing list archives; if you don't find a solution there,
always write to the mailing list first, not to the author. This way, more people can help and the
answers are documented in the list archive. Use private e-mail only if you are sending sensitive
data (e.g. un-anonymized firewall logs or error logs). Provide all information that can be relevant
to solving the problem (e.g. OS version, firewall software version, configuration etc.) instead of
"it doesn't work!".
I will probably ignore e-mails that don't follow this policy.
If you have problems, please always try the development version. It works
much better than the old stable version, especially with Cisco logfiles.
News in version 0.6.9
- New parsers for FreeBSD ipfw and Sonicwall formats (contributed)
- Avoid multiple executions with the same output directory
- Bugfixes (e.g. Cisco)
News in version 0.6.4
- Bugfixes in Cisco, Firewall-1 and iptables parsing
News in version 0.6.3
- Much better support for Cisco PIX firewall logs, including the access-list
method.
- Support for Watchguard Firebox logs
- Support for Firewall-One logs
- Bugfixes in the error handling code
News in version 0.6.2
- New release because the latest Analog has a new langfile.
- Experimental support for Cisco PIX firewall logs.
News in version 0.6.1
- Bugfixes for problems found in 0.6. The -a and -p command line options should now always work as expected.
- Removed a bashism that caused problems for people who use strictly POSIX
shells.
News in version 0.6
- Made the creation of separate reports much faster (but it is still slow)
- Some bugfixes for problems found in 0.6pre
- Included a new services definition file with lots of rarely used ports
News in version 0.6pre
- Optionally creates separate reports for each blocked host and packet
- Support for logfiles of ZyXEL/NetGear routers
- Lots of bugfixes
- Information about how to use fwanalog as a normal (non-root) user
News in version 0.5
- Workaround for a problem with buggy RedHat 7.1 zegrep
- New in 0.5.1: updated language file for analog 5.21
News in version 0.5pre
- Support for Solaris and OpenBSD 3.0
- Portability fixes
- Support for iptables log prefixes
News in version 0.4
- Much faster with large logfiles (> 10 MB)
- Support for NetBSD
- -t option for updating only today's report (e.g. in an hourly cronjob)
- Added some common trojan ports
- Small bugfixes
News in version 0.3
- Bugfixes: ICMP on Linux 2.4, correct date for today.txt
- Support for firewalls with dynamic IP
News in version 0.2.2
- New FreeBSD mode
- Tested with OpenBSD 2.9
News in version 0.2.1
- fwanalog works with Analog 5.0 (new: pie charts for some reports)
- Corrected a regexp bug with changed iptables firewall logs
News in version 0.2
- fwanalog is included in Debian unstable and linked from the Analog helper applications page.
- Linux 2.2 ipchains support (tested with 17 MB of logs)
- "One Host mode" as suggested by Kenneth Vestergaard Schmidt
- Language files are now auto-generated by a script.
- services.conf is converted from the services file of the popular port scanner "nmap", so fwanalog knows about most ports in use on the net.
© Balázs Bárány (Homepage). Last change: 2005-12-03.