Firewall Log Daemon - firelogd

Firelogd is a daemon which monitors Linux firewall logs.

The official home page and download site is here.


If you run snort you can use snortmail to perform real-time notification of snort alerts.


Pcap Dump for Linux/Netfilter QUEUE - pdumpq
Dump packets from Netfilter's QUEUE target to a file that tcpdump, ethereal and snort can read.
Please contact The Author if you have any problems with this web page or the software it describes.

You need iptables(netfilter/2.4 kernels) or ipchains to use firelogd.
Download Latest Sources
Download Latest RPM
Download Latest SRPM (source RPM)

Old Versions

QUICKSTART - Installation Instructions
README - Program Description and Usage
The Man Page

What Does It Do

This is a program that will parse ipchains or netfilter (iptables)
log data in real time. It will queue up a small batch of alerts and mail
them to you. It can also be used to parse an existing log file and it will
take log data on standard input for formatting.

It features host name resolution and port/protocol lookups as well as icmp
code/type data. It was designed to be run as a daemon process, but you can
use it to output data to a terminal or to turn a logfile into something
readable. Output preprocessor templates can be written to format the data
any way you like. Some examples are given.

Firelogd reads a FIFO (first in, first out) file that is written by syslog.
Syslog writes to the pipe and firelogd is there to parse the log entry into
human readable format. It will save a (BUFFERSIZE) number of log alerts and
mail them to you when the threshold is reached. This will not change anything
about your current log setup, but it will make it easier to review and respond
to security threats. If nothing else, you will end up *actually reading* your
firewall log entries.

Firelogd does not care what kind of log data it is given. It will figure it
out as soon as a log line matches an internal regular expression. Once a line
matches for iptables or ipchains log data, it will stop trying to match the 

If you are in a mixed logging environment (running a log server or testing 
both chain and table configurations) you can use the "-m" option to cause the
program to keep trying to match both types of data. This imposes a performance
penalty, so don't use it unless you need it.

Read the file QUICKSTART for information on building and installing firelogd.
The sources should build on any system with a compiler and semi-recent libs.

RPM's are available at the download site.

Web Based Log Parser

The distribution includes an example (decode.php) of how you can use firelogd to parse log data without running it as a daemon. It is also a good example of how to use the output template feature.

Output Templates

If you read this far down the page, then you have probably decided that you want
to have your firewall logs presented to you in a format that YOU like. Firelogd
was designed to let you choose how to present the data. This is done with an
output template file. Read the manpage or README that comes with the distribution
for more information on formatting your template.

Some people might like to have the logs VERBOSE, others might like the information
to be very CONCISE. Either way, you can choose what is presented. If you write a
nifty template, please share it by submitting it to the author