Provided by: wflogs_0.9.8-4.1_i386

NAME

       wflogs - firewall log analyser of the WallFire project.

SYNOPSIS

       wflogs [options] [logfile]

DESCRIPTION

       wflogs is a firewall log analyser.  It can be used to produce a log
       summary report in plain text, HTML and XML, or to translate a log
       file into another firewall log format, for example.  Logs can be
       filtered, summarized, sorted, and obfuscated (in that order), using
       the following options.
       By default, output is not sorted, and may be summarized if the output
       module has a ‘summary’ option and if this option is set to ‘yes’
       (even by default value).
       You have to specify a module name that will handle the input
       (parsing) and another for the output (exportation).  See the INPUT
       MODULES and OUTPUT MODULES sections below.
       With no logfile, wflogs reads /var/log/messages.  When logfile is
       ‘-’, it reads standard input.

OPTIONS

       -c | --config file
              wflogs  will  use  given  configuration file.  If not specified,
              wflogs will not use any configuration file  and  will  only  use
              command line options.

       -f | --filter expression
              Print  log  entries  that  match  the  boolean expression.  This
              expression looks very much like a Perl condition, which must  be
              passed as a single, quoted argument.  If no expression is given,
              all log entries will be dumped.   Otherwise,  only  entries  for
              which  expression  is  ‘true’  will  be  dumped.  See the FILTER
              EXPRESSION section below.

       -i | --input-format format[,format2,...]
              Specify  the  input  parsing  modules.   Wflogs  will  use   the
              corresponding  modules (if available) to parse the logs.  If you
              want to parse a log file with multiple formats mixed  (typically
              a  remote  syslog  file),  you can specify several format module
              names separated by commas, one being probed after another.   Use
              special  name  ‘all’ to try every available format.  If you omit
              the ‘-i’ option, wflogs will try to guess the local  firewalling
              tool  at  runtime, and use the corresponding module.  Use format
              ‘help’  to  know  which  modules   are   available   (currently,
              ‘netfilter’,  ‘ipchains’,  ‘ipfilter’, ‘cisco_pix’, ‘cisco_ios’,
              and ‘snort’), and which is the default  (guessed)  module.   See
              INPUT MODULES section below.

       -I | --interactive
              Interactive mode.  The program will not terminate, but enters
              a little interactive shell.
              This option can be used in conjunction with real-time mode (-R
              option).  While in non-interactive real-time mode (-R only),
              signal USR1 makes wflogs fall back into interactive mode.

       -o | --output-type type [ output module options ]
              Specify  the  output  module  type.    Wflogs   will   use   the
              corresponding  module (if available) to export the input logs to
              the corresponding target.  Use type ‘help’ to know which modules
              are   available  (currently,  ‘text’,  ‘html’,  ‘xml’,  ‘human’,
              ‘netfilter’,  ‘ipchains’,  and  ‘ipfilter’).   Default  mode  is
              ‘text’.  See OUTPUT MODULES section below.
              Output  module  configuration  can  be  achieved via the command
              line.  You can specify long options (with a ‘--’ prefix).  Three
              types  are  supported: boolean (yes or no), integer, and string.
              A special option ‘--options’ displays the available  options  of
              the  module,  with  type,  help message, and default value.  For
              example, wflogs -o html --options shows the HTML  output  module
              configuration.

       -O | --obfuscate [criteria]
              This option obfuscates some logging fields according to the
              given criteria, separated by commas.  These can be ‘date’,
              ‘hostname’, ‘ipaddr’, or ‘macaddr’ (or ‘all’ for everything).
              Default (if no criterion is given) is ‘all’.  If ipaddr is
              specified, output module options ‘resolve’ and ‘whois_lookup’
              (if available) are set to no.  If macaddr is specified, output
              module option ‘mac_vendor’ (if available) is set to no.
              Date order is preserved, hostnames are replaced by "hostx"
              (where x is a growing number), IP addresses belong to the
              0.0.0.0/8 network, and MAC addresses are of the form
              0:0:0:0:0:1, 0:0:0:0:0:2, etc.  Note that for all obfuscated
              fields, each original value is associated with a new unique
              one (uniqueness is preserved).
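              The mapping rules above, as an added Python example (not
              wflogs' own code): each distinct hostname, IP address and MAC
              address gets one stable replacement, and dates keep their
              relative order.  The entry layout, the sample entries, the
              one-minute date spacing and the hex MAC counter are
              assumptions made for the illustration.

```python
import ipaddress
from datetime import datetime, timedelta

# Constructed sample entries (already parsed; not wflogs' internal format).
SAMPLE_ENTRIES = [
    {"date": datetime(2002, 4, 29, 10, 0, 5), "hostname": "fw1", "sipaddr": "10.1.2.3",
     "dipaddr": "192.0.2.10", "smacaddr": "00:11:22:33:44:55", "dport": 22},
    {"date": datetime(2002, 4, 29, 9, 58, 0), "hostname": "fw2", "sipaddr": "10.1.2.3",
     "dipaddr": "192.0.2.11", "smacaddr": "00:11:22:33:44:66", "dport": 23},
    {"date": datetime(2002, 4, 29, 10, 0, 5), "hostname": "fw1", "sipaddr": "10.9.9.9",
     "dipaddr": "192.0.2.10", "smacaddr": "00:11:22:33:44:55", "dport": 22},
]

class Obfuscator:
    # Every original value maps to exactly one new value, so uniqueness is preserved.
    def __init__(self, criteria=("all",)):
        self.crit = set(criteria)
        self.hosts, self.ips, self.macs = {}, {}, {}   # original -> replacement

    def enabled(self, name):
        return "all" in self.crit or name in self.crit

    def _host(self, h):
        # hostnames become host1, host2, ... in order of first appearance
        return self.hosts.setdefault(h, "host%d" % (len(self.hosts) + 1))

    def _ip(self, a):
        # the n-th distinct address becomes 0.0.0.n, i.e. inside 0.0.0.0/8
        return self.ips.setdefault(a, str(ipaddress.IPv4Address(len(self.ips) + 1)))

    def _mac(self, m):
        # 0:0:0:0:0:1, 0:0:0:0:0:2, ... (assumption: the last byte is counted in hex)
        return self.macs.setdefault(m, "0:0:0:0:0:%x" % (len(self.macs) + 1))

    def obfuscate(self, entries):
        out = [dict(e) for e in entries]
        if self.enabled("date"):
            # Assumption: distinct dates become one-minute steps from a fixed base,
            # ranked in their original order, which is all the page guarantees.
            ranks = {d: i for i, d in enumerate(sorted({e["date"] for e in out}))}
            for e in out:
                e["date"] = datetime(1970, 1, 1) + timedelta(minutes=ranks[e["date"]])
        for e in out:
            if self.enabled("hostname"):
                e["hostname"] = self._host(e["hostname"])
            if self.enabled("ipaddr"):
                e["sipaddr"], e["dipaddr"] = self._ip(e["sipaddr"]), self._ip(e["dipaddr"])
            if self.enabled("macaddr"):
                e["smacaddr"] = self._mac(e["smacaddr"])
        return out
```

              Because the replacement tables live in the Obfuscator instance,
              the same original value is rewritten identically across the
              whole run, so per-host and per-address counts in the report
              stay correct while the real topology is hidden.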

       -P | --proceed
              If real-time (-R) or interactive (-I) modes are set, first
              process log entries in the input logfile before entering these
              modes, as these entries won’t be parsed by default in these
              modes.

       -R | --realtime
              ‘‘Real-time’’ mode: logs are monitored in real-time.  Wflogs
              will wait for new log entries.  Entries already present in the
              input logfile will not be processed as usual, unless you
              specify the -P option.
              This option can be used in conjunction with interactive mode
              (-I option).  While in non-interactive real-time mode (-R
              only), signal USR1 makes wflogs fall back into interactive
              mode.

       -s | --sort[=criteria_list]
              Set the output lines sort order according to the multilevel
              sort specified by the sequence of keys key1,key2,...  Syntax is
              --sort=[+|-]key1[,[+|-]key2[,...]].  Choose a key from the SORT
              KEYS section.  ‘-’ reverses direction only on the key it
              precedes.  The ‘+’ is really optional since the default
              direction is increasing numerical or lexicographic order.  For
              example wflogs --sort=dport,-time sorts according to
              destination port number, then reverse time (for a given port
              number).  If one of the keys is ‘none’, the output is not
              sorted.  Use key ‘help’ to show available keys.  If no sort
              criteria are given, output is sorted with
              ‘-count,time,dipaddr,protocol,dport’.
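              The --sort syntax above, as an added Python example (not
              wflogs' own code): the spec is parsed into (key, reverse)
              pairs and applied as successive stable sorts from the least
              significant key to the most significant, so ‘-’ reverses only
              the key it precedes.  The entry layout and the sample entries
              are constructed for the illustration; the ‘help’ key is not
              handled.

```python
import ipaddress
from datetime import datetime

DEFAULT_SORT = "-count,time,dipaddr,protocol,dport"
SORT_KEYS = {"count", "time", "timeend", "input_iface", "output_iface", "sipaddr",
             "dipaddr", "smacaddr", "dmacaddr", "protocol", "sport", "dport",
             "tcpflags", "hostname", "chainlabel", "branchname", "datalen", "format"}

def parse_sort_spec(spec=None):
    """Parse '[+|-]key1[,[+|-]key2[,...]]' into [(key, reverse)], or None for no sorting."""
    spec = DEFAULT_SORT if not spec else spec
    order = []
    for item in spec.split(","):
        item = item.strip()
        key = item.lstrip("+-")
        if key == "none":            # any ‘none’ key disables sorting altogether
            return None
        if key not in SORT_KEYS:
            raise ValueError("unknown sort key: %r" % key)
        order.append((key, item.startswith("-")))   # ‘-’ reverses only this key
    return order

def sort_value(entry, key):
    # IP addresses compare numerically, not as strings; everything else as stored
    v = entry[key]
    return ipaddress.ip_address(v) if key in ("sipaddr", "dipaddr") else v

def multilevel_sort(entries, spec=None):
    """Sort entries by the spec: least significant key first, relying on stable sort."""
    order = parse_sort_spec(spec)
    out = list(entries)
    if order is None:
        return out
    for key, reverse in reversed(order):
        out.sort(key=lambda e: sort_value(e, key), reverse=reverse)
    return out

# Constructed sample of already-summarized entries (not wflogs' internal format).
SAMPLE = [
    {"count": 3, "time": datetime(2002, 4, 29, 10, 0), "dipaddr": "10.0.0.9", "protocol": 6, "dport": 22},
    {"count": 1, "time": datetime(2002, 4, 29, 10, 5), "dipaddr": "10.0.0.10", "protocol": 6, "dport": 22},
    {"count": 3, "time": datetime(2002, 4, 29, 9, 50), "dipaddr": "10.0.0.10", "protocol": 6, "dport": 80},
    {"count": 1, "time": datetime(2002, 4, 29, 10, 7), "dipaddr": "10.0.0.9", "protocol": 17, "dport": 53},
]
```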

       --strict-parsing type
              Set the parsing policy.  Available types are: ‘loose’ (even if
              there is garbage in the input file or incorrect log lines,
              parse as much as possible and issue no warning at all),
              ‘nowarning’ (issue no warnings, ignore non-log lines but do not
              store incoherent entries), ‘warning’ (issue warnings on stderr,
              ignore non-log lines but do not store bizarre entries), and
              ‘error’ (stop parsing if a line is not a log entry, or if an
              entry is bizarre).  Default type is ‘warning’.

       -v | --verbose [level]
              Set verbosity level.  If level is omitted, default value is 1.

       -V | --version
              Display current version.

       -h | --help
              Show help message on stdout.

INPUT MODULES

       wflogs can use extended input modules,  each  one  parsing  a  specific
       firewall log format.  See option -i.

   netfilter
       This module parses the netfilter log format.

   ipchains
       This module parses the ipchains log format.

   ipfilter
       This module parses the ipfilter log format.

   cisco_pix
       This module parses the cisco PIX and cisco FWSM log format.

   cisco_ios
       This module parses the cisco IOS log format.

   snort
       This module parses the snort IDS ACLs log format.

OUTPUT MODULES

       wflogs can use extended output modules, which make it possible to
       export the input logs to a particular format.  So it can be used to
       rewrite the input into another firewall log format or to generate a
       report, for example.  See option -o.  Summary mode depends on the
       module, and is configurable through the ‘summary’ module option.

   text
       This  module  produces  a  summary in text mode.  Please note that this
       text output is not intended  to  be  parsed.   Use  XML  output  module
       instead.

   html
       This module produces a summary output in HTML format.

   xml
       This module produces a summary in XML format (see wflogs DTD).

   human
       This  module  produces  a  summary  in text format, in a human readable
       form.  Newcomers may like it. ;-)

   netfilter
       This module exports input logs to netfilter log syntax.

   ipchains
       This module exports input logs to ipchains log syntax.

   ipfilter
       This module exports input logs to ipfilter log syntax.

SORT KEYS

       KEY            DESCRIPTION
       count          sort by count (number of original log entries)
       time           sort by log entry date (if count != 1, the date of the
                      first original log line)
       timeend        sort by log entry end date (if count != 1, the date of the
                      last original log line)
       input_iface    sort by input interface name
       output_iface   sort by output interface name
       sipaddr        sort by source IP address
       dipaddr        sort by destination IP address
       smacaddr       sort by source MAC address
       dmacaddr       sort by destination MAC address
       protocol       sort by protocol number
       sport          sort by source port number (if available)
       dport          sort by destination port number (if available)
       tcpflags       sort by TCP flags
       hostname       sort by hostname
       chainlabel     sort by chain label
       branchname     sort by branch name
       datalen        sort by data length
       format         sort by firewalling tool format
       none           do not sort

FILTER EXPRESSION

       This filtering expression looks very much like a Perl condition.

       Variables are prefixed with ‘$’.  Pre-defined variables are:

       $format (string)
              firewalling tool format

       $count (integer)
              number of original log entries

       $start_time ([string] or integer)
              log entry date (if count != 1, the date of  the  first  original
              log  line),  in date format ([string], see below), or in seconds
              since the Epoch

       $end_time ([string] or integer)
              log entry end date (if count != 1, the date of the last original
              log  line),  in date format ([string], see below), or in seconds
              since the Epoch

       $hostname (string)
              name of the host which logged the packet

       $chainlabel (string)
              chain label

       $branchname (string)
              branch name

       $input_iface (string)
              input interface name

       $output_iface (string)
              output interface name

       $protocol (integer)
              protocol number (or name used in /etc/protocols)

       $datalen (integer)
              data length

       $sipaddr (IP network)
              source IP address, or source IP network

       $sport (integer)
              source port number (or name used in /etc/services)  if  protocol
              is  UDP or TCP, and ICMP type number or name if protocol is ICMP
              (this may change in the future)

       $smacaddr (MAC address)
              source MAC address

       $dipaddr (IP network)
              destination IP address, or destination IP network

       $dport (integer)
              destination port number  (or  name  used  in  /etc/services)  if
              protocol is UDP or TCP, and ICMP code number or name if protocol
              is ICMP (this may change in the future)

       $dmacaddr (MAC address)
              destination MAC address

       $tcpflags (integer)
              TCP flags if protocol is TCP (flags  can  be  a  combination  of
              SYN|ACK|RST|FIN|PSH|URG|ECE|CWR)

       For  integer  and  boolean values, the following operators can be used:
       ||, &&, ==, !=, <, >, <=, >=, &, |, ^, +, -.

       String variables can be compared for strict equality  with  ==  and  !=
       operators, but also matched with an extended regular expression with =~
       operator.  Strings are quoted with " (like "foo"), and regexps  with  /
       (like  /(foo|bar)/).   Note  that  regexp  matches only a subset of the
       string.  You have to surround the regexp with ^ and $ if  you  want  to
       match  the whole string (that may change in the future).  Like in Perl,
       you may add  an  optional  i  modifier  after  final  /,  to  do  case-
       insensitive pattern matching.

       Date format is one that is accepted by the getdate C function.  It must
       be enclosed in brackets [] and will be converted to  an  integer  value
       which stands for the number of seconds since the epoch (01 Jan 1970 UTC
       00:00).  See DATE FORMAT section.

       IP network can be an IP address, or an IP network  (a.b.c.d/n.o.p.q  or
       a.b.c.d/bitmask,  or  even  things  like  a.b.*.*  for  a /16 mask, for
       example).

       MAC addresses are of the  form  aa:bb:cc:dd:ee:ff.  They  can  only  be
       compared for strict equality (== and != operators).

DATE FORMAT

       The string may contain many flavors of items: calendar date items, time
       of the day items, time zone items, day of the week items, relative
       items, or pure numbers.  As expressions can be quite complex, if you
       have doubts about the dates you specified, activate global verbose mode
       to show the filter expression on stderr using absolute dates.

       Calendar date
              can  be  "1974-08-31",  "74-8-31",  "74-08-31",  "8/31/74",  "31
              August 1974",  "31  Aug  1974",  "Aug  31,  1974",  "31-aug-74",
              "31aug74".  The year can be omitted (current year is then used).

       Time of day
              can be "02:50:00", "02:50", "2:50am".

       Day of week
              can be "Sunday", "Monday", "Tuesday",  "Wednesday",  "Thursday",
              "Friday"  or  "Saturday",  but can be abbreviated to their first
              three letters.  A number may precede a day of the week  item  to
              move forward supplementary weeks.  It is best used in expression
              like ‘third monday’.  In this context, ‘last DAY’ or ‘next  DAY’
              is  also  acceptable; they move one week before or after the day
              that DAY by itself would represent.

       Relative items
              adjust a date (or the current date if none) forward or backward.
              It  can  be  "1  year",  "1  year ago", "3 years", "2 days", for
              example.  You can  also  use  "month",  "week",  "day",  "hour",
              "minute"  ("min"),  and  "second"  ("sec"),  or "now" ("today"),
              "yesterday", and "tomorrow".  The string  ‘this’  also  has  the
              meaning  of a zero-valued time displacement, but is preferred in
              date strings like ‘this thursday’.

       Pure decimal number
              precise interpretation depends on the context in the date string.
              If  the  decimal  number  is  of  the form YYYYMMDD and no other
              calendar date item appears before it in the  date  string,  then
              YYYY  is  read as the year, MM as the month number and DD as the
              day of the month, for  the  specified  calendar  date.   If  the
              decimal number is of the form HHMM and no other time of day item
              appears before it in the date string, then HH  is  read  as  the
              hour  of  the  day  and  MM  as  the minute of the hour, for the
              specified time of the day.  MM can also be omitted.

EXAMPLES

       wflogs -i netfilter -o html netfilter.log > logs.html
       converts the given netfilter log file into a HTML report.

       wflogs --sort=protocol,-time  -i  netfilter  -o  text  netfilter.log  >
       logs.txt
       converts  the  given  netfilter  log  file  into  a sorted (by protocol
       number, then reverse time) text report.

       wflogs -f '$start_time >= [this 3 days ago] && $start_time < [this 2
       days ago] && $chainlabel =~ /(DROP|REJECT)/ && $sipaddr == 10.0.0.0/8
       && $protocol == tcp && ($dport == ssh || $dport == telnet) &&
       ($tcpflags & SYN)' -i netfilter -o text --summary=no
       shows log entries (without summary) which match the given expression
       (refused connection attempts that occurred 3 days ago to ssh and
       telnet ports coming from internal network 10.0.0.0/8).  The filter
       expression is passed as a single, single-quoted argument so that the
       shell does not expand the ‘$’ variables.

       wflogs -i netfilter --resolve=0 --whois=0 netfilter.log
       converts  the  given  netfilter  log  file  into a text report (default
       mode), disabling IP address reverse lookups and whois lookups.

       wflogs -i netfilter -o xml netfilter.log > logs.xml
       exports netfilter logs in XML.

       wflogs -i ipchains -o netfilter ipchains.log > netfilter.log
       converts ipchains logs into netfilter log format.  So you  may  process
       them  with  your  favorite netfilter log analyser, for example (even if
       the latter may not be better than wflogs itself. ;-)).

       wflogs -i ipfilter -o human --datalen=yes ipfilter.log
       produces a report about the ipfilter logfile in natural language on
       stdout, displaying packet length (datalen option), which is not shown
       by default.

SEE ALSO

       wfconvert(8), regex(7).

BUGS

       Bugs?  What’s  this?  ;-)  Contributions  are   welcome,   please   see
       http://wallfire.org/.

AUTHORS

       wflogs has been written by Herve Eychenne.  See http://wallfire.org/.

       This    man    page    has    been   initiated   by   Gregoire   Hubert
       <greg@coolkeums.org>, and written by Herve Eychenne.

                                 Apr 29, 2002                        WFLOGS(8)