adcfw-log(1) - Linux man page
Name
adcfw-log: firewall logs analyzer/summarizer
Synopsis
adcfw-log [ -h | --version ]
adcfw-log [ OPTIONS ] [ logfile ]
Description
adcfw-log is a tool for analyzing firewall logs in order to extract meaningful information from them. It is designed as a standalone script with very few requirements that can generate several kinds of report: fully formatted reports of what has been logged, with summaries by source or destination host, service, or protocol. Options allow the input to be filtered by host, protocol, service, prefix and interface; to restrict the analysis to a date range, pipe a pre-filtered log (for example, grep output) into it, as shown in the usage examples below.
Only netfilter log format is supported at this time.
Features
These are the features currently provided by adcfw-log:
- support for netfilter log format
- log entries filtering based on protocol, source host, destination host, service, prefix, input and output interfaces
- reports based on protocol, source or destination host, service
- summaries based on source host, destination host, prefix and service
Options
- --detailed
- Print a more detailed summary. Only meaningful together with -s; it has no effect on reports.
- -h, --help
- Prints help.
- --in-interface <interface>
- Analyze only packets received from interface <interface>.
- --out-interface <interface>
- Analyze only packets transmitted through interface <interface>.
- --prefix <prefix>
- Filter log entries by user-defined prefix, i.e. the string set with the LOG target's --log-prefix option. <prefix> must exactly match the prefix recorded in the log entry; the match is case sensitive.
- --protocol <protocol>
- Filter log entries on a protocol basis. Legal values are tcp, udp, icmp.
- -r, --report <report>
- Prints the specified report. See section AVAILABLE REPORTS below for the legal values of this option.
- -s, --summary <summary>
- Prints the specified summary. See section AVAILABLE SUMMARIES below for the legal values of this option.
- --service <port>
- Analyze only entries whose destination port is <port>. Since ICMP entries carry no destination port, this option effectively restricts the analysis to tcp and udp traffic.
- --source-host <host>
- Analyze only entries with <host> as source host. <host> must be an IPv4 address in dotted-quad form (xxx.xxx.xxx.xxx).
- --version
- Prints version number.
Available Reports
- raw
- This is a protocol-independent report, and the default one. It includes date, source and destination hosts, source and destination ports, input and output interfaces, and protocol.
- source_host
- This is a protocol-independent report grouped by source host. For each source host it lists date, source and destination ports, destination host, input and output interfaces, protocol and, where applicable, tcp flags or icmp type.
- destination_host
- This is a protocol-independent report grouped by destination host. For each destination host it lists date, source and destination ports, source host, input and output interfaces, protocol and, where applicable, tcp flags or icmp type.
- service
- This is a service-based report. Entries are grouped by service and include date, input and output interfaces, source host and port, destination host, protocol and tcp flags (where applicable). Only tcp and udp packets are displayed.
Available Summaries
- source_host
- This is a source host based summary: a total packet count is printed for each source host. The detailed version also reports the destination host and the service or icmp type.
- destination_host
- This is a destination host based summary: a total packet count is printed for each destination host. The detailed version also reports the source host and the service or icmp type.
- prefix
- This is a prefix based summary: a total packet count is printed for each prefix. The detailed version also reports the source and destination hosts.
- service
- This is a service based summary: a total packet count is printed for each service. The detailed version also reports the source and destination hosts. Only tcp and udp packets are counted.
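The options, reports and summaries above all rest on the same three steps: recognise a netfilter LOG line inside a mixed syslog, pull out its fields, then filter and count. The following script is an added illustration of those steps and is not adcfw-log's own code. The six syslog lines it works on are constructed for the example (not captured from a real host); the field names, the treatment of the --log-prefix text (taken as everything between "kernel:" and the first IN= field, with surrounding whitespace trimmed) and the exact shape of the summary keys are this example's assumptions, not a description of how adcfw-log is implemented.

```python
"""Parse netfilter LOG lines from syslog, apply adcfw-log style filters and build
per-host / per-prefix / per-service packet counts.  Added illustration, not
adcfw-log's own code; the log lines below are constructed, not real captures."""
import re
from collections import Counter

# Constructed syslog excerpt in netfilter LOG format.  Line 3 carries a printk
# timestamp, line 4 a lower-case prefix, line 6 is not a firewall entry at all.
SAMPLE_LOG = """\
Sep 22 10:15:01 fw kernel: DROP-IN: IN=eth1 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.5 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=54 ID=12345 DF PROTO=TCP SPT=44321 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0
Sep 22 10:15:02 fw kernel: DROP-IN: IN=eth1 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.5 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=54 ID=12346 DF PROTO=TCP SPT=44322 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0
Sep 22 10:15:03 fw kernel: [ 4242.123456] DROP-IN: IN=eth1 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.5 DST=192.0.2.10 LEN=84 TOS=0x00 PREC=0x00 TTL=54 ID=12347 PROTO=ICMP TYPE=8 CODE=0
Sep 22 10:15:04 fw kernel: drop-in: IN=eth1 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=198.51.100.7 DST=192.0.2.10 LEN=48 TOS=0x00 PREC=0x00 TTL=48 ID=999 PROTO=UDP SPT=5353 DPT=53 LEN=28
Sep 22 10:15:05 fw kernel: FWD-OUT: IN=eth0 OUT=eth1 SRC=192.0.2.20 DST=203.0.113.9 LEN=52 TOS=0x00 PREC=0x00 TTL=63 ID=777 DF PROTO=TCP SPT=51000 DPT=443 WINDOW=64240 RES=0x00 ACK URGP=0
Sep 22 10:15:06 fw sshd[1234]: Accepted publickey for alice from 192.0.2.30 port 50000 ssh2
"""

TCP_FLAGS = {"SYN", "ACK", "FIN", "RST", "PSH", "URG", "ECE", "CWR"}
# syslog timestamp, host, "kernel:", optional "[uptime]" stamp, then the
# user-defined --log-prefix (possibly empty) up to the first IN= field.
LINE_RE = re.compile(
    r"^(?P<date>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ kernel: "
    r"(?:\[\s*[\d.]+\] )?(?P<prefix>.*?)IN=(?P<rest>.*)$"
)

def parse_line(line):
    """Return a dict for a netfilter LOG line, or None for any other line."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    fields, flags = {}, []
    for tok in ("IN=" + m.group("rest")).split():
        if "=" in tok:
            key, val = tok.split("=", 1)
            fields.setdefault(key, val)  # first occurrence wins (IP LEN vs UDP LEN)
        elif tok in TCP_FLAGS:
            flags.append(tok)            # bare tokens such as SYN, ACK; DF is ignored
    proto = fields.get("PROTO", "").lower()
    return {"date": m.group("date"),
            "prefix": m.group("prefix").strip(),  # trailing space of --log-prefix dropped
            "in": fields.get("IN", ""), "out": fields.get("OUT", ""),
            "src": fields.get("SRC"), "dst": fields.get("DST"), "proto": proto,
            "spt": fields.get("SPT"), "dpt": fields.get("DPT"),
            "icmp_type": fields.get("TYPE"), "flags": flags}

def load(text):
    """Parse every line of a syslog excerpt, skipping non-firewall lines."""
    return [e for e in map(parse_line, text.splitlines()) if e is not None]

def filter_entries(entries, protocol=None, source_host=None, in_interface=None,
                   out_interface=None, service=None, prefix=None):
    """AND-combine the filters adcfw-log exposes as options.  The prefix test is
    an exact, case-sensitive string comparison, as the man page states."""
    kept = []
    for e in entries:
        if protocol is not None and e["proto"] != protocol.lower():
            continue
        if source_host is not None and e["src"] != source_host:
            continue
        if in_interface is not None and e["in"] != in_interface:
            continue
        if out_interface is not None and e["out"] != out_interface:
            continue
        if service is not None and e["dpt"] != str(service):
            continue
        if prefix is not None and e["prefix"] != prefix:
            continue
        kept.append(e)
    return kept

def summarize(entries, by="source_host", detailed=False):
    """Packet counts keyed like the adcfw-log summaries (by = source_host,
    destination_host, prefix or service).  The service summary counts tcp/udp
    only; detailed adds the peer host(s) and the service or icmp type."""
    counts = Counter()
    for e in entries:
        is_l4 = e["proto"] in ("tcp", "udp")
        if by == "service" and not is_l4:
            continue
        svc = e["dpt"] if is_l4 else "icmp/%s" % e["icmp_type"]
        if by == "source_host":
            key, extra = e["src"], (e["dst"], svc)
        elif by == "destination_host":
            key, extra = e["dst"], (e["src"], svc)
        elif by == "prefix":
            key, extra = e["prefix"], (e["src"], e["dst"])
        elif by == "service":
            key, extra = "%s/%s" % (e["proto"], e["dpt"]), (e["src"], e["dst"])
        else:
            raise ValueError("unknown summary: %s" % by)
        counts[(key,) + extra if detailed else key] += 1
    return counts

if __name__ == "__main__":
    entries = load(SAMPLE_LOG)
    print("source_host summary:", dict(summarize(entries)))
    print("DROP-IN: entries:", len(filter_entries(entries, prefix="DROP-IN:")))
    for key, n in sorted(summarize(entries, "service", detailed=True).items()):
        print("%-8s %-15s -> %-15s %d" % (key + (n,)))
```

Two points worth noticing when reading the output. The sshd line never reaches a report, because only lines that carry the kernel's IN= field are treated as firewall entries; and a prefix filter of "DROP-IN:" keeps three entries while "drop-in:" keeps one, which is exactly the case-sensitive, exact-match behaviour the --prefix option documents. If a ruleset logs with prefixes that differ only in case or in a trailing space, the summary will silently split them.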
Usage Examples
#> adcfw-log /var/log/syslog
All the entries logged in /var/log/syslog are reported using the raw report (the default).
#> adcfw-log --report source_host /var/log/syslog
Same as above, but source_host report is used.
#> adcfw-log --summary source_host /var/log/syslog
Information is printed using a source host based summary.
#> grep "Sep 22" /var/log/syslog | adcfw-log
All log entries are read from the standard input and reported using raw report.
#> grep "Sep 22" /var/log/syslog | adcfw-log --protocol icmp
Same as above, but only icmp packets are reported.
#> cat /var/log/syslog | adcfw-log --in-interface eth1
Reports only packets received on interface eth1.
Links
adcfw-log can be downloaded from: http://adcfw-log.sourceforge.net/
adcfw-log is distributed under the terms of GPL version 2
Authors
Alessandro Dotti Contra <alessandro@hyboria.org>
Bugs
Please report bugs to <alessandro@hyboria.org>
