DESCRIPTION:

This is a program that will parse ipchains or netfilter (iptables) log data in real time. It will queue up a small batch of alerts and mail them to you. It can also be used to parse an existing log file, and it will take log data on standard input for formatting.

FEATURES:

It features host name resolution and port/protocol lookups as well as ICMP code/type data. It was designed to be run as a daemon process, but you can use it to output data to a terminal or to turn a logfile into something readable. Output preprocessor templates can be written to format the data any way you like. Some examples are given.

HOW DOES IT WORK?

Firelogd reads a FIFO (first in, first out) file that is written by syslog. Syslog writes to the pipe and firelogd is there to parse the log entry into human-readable format. It will save a (BUFFERSIZE) number of log alerts and mail them to you when the threshold is reached. This will not change anything about your current log setup, but it will make it easier to review and respond to security threats. If nothing else, you will end up *actually reading* your firewall log entries.

TABLES AND CHAINS TOGETHER:

Firelogd does not care what kind of log data it is given. It will figure it out as soon as a log line matches an internal regular expression. Once a line matches for iptables or ipchains log data, it will stop trying to match the other. If you are in a mixed logging environment (running a log server or testing both chain and table configurations) you can use the "-m" option to cause the program to keep trying to match both types of data. This imposes a performance penalty, so don't use it unless you need it.

INSTALLATION:

Read the file QUICKSTART for information on building and installing firelogd. The sources should build on any system with a compiler and semi-recent libs. RPMs are available at the download site.
Web Based Log Parser
The distribution includes an example (decode.php) of how you can use firelogd to parse log data without running it as a daemon. It is also a good example of how to use the output template feature.
If you read this far down the page, then you have probably decided that you want to have your firewall logs presented to you in a format that YOU like. Firelogd was designed to let you choose how to present the data. This is done with an output template file. Read the manpage or README that comes with the distribution for more information on formatting your template. Some people might like to have the logs VERBOSE, others might like the information to be very CONCISE. Either way, you can choose what is presented. If you write a nifty template, please share it by submitting it to the author.
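The following is an added example, written for this page and not code from the firelogd distribution, that walks through the pipeline described above in HOW DOES IT WORK?, TABLES AND CHAINS TOGETHER and the template section: recognise iptables and ipchains log lines with regular expressions, lock onto the first format that matches unless a mixed mode (the "-m" behaviour) is requested, look up protocol names and ICMP type/code meanings, render each alert through a template, and hold alerts in a BUFFERSIZE buffer that hands a full batch to a delivery callback. Everything here is an assumption for illustration: the sample syslog lines are constructed, the protocol and ICMP tables are deliberately short, host name resolution is off by default so the example runs offline, the `str.format`-style placeholder template is this example's own syntax rather than firelogd's template format, and the delivery callback just collects batches instead of mailing them.

```python
import re
import socket

# Constructed sample syslog lines: two netfilter (iptables) entries (TCP and ICMP),
# one ipchains entry, and one unrelated line that the parser must ignore.
SAMPLE_LOG = """\
Jan  5 12:34:56 fw kernel: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.7 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=4242 DF PROTO=TCP SPT=51234 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0
Jan  5 12:34:57 fw kernel: IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 LEN=84 TOS=0x00 PREC=0x00 TTL=52 ID=4243 PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=1
Jan  5 12:34:58 fw kernel: Packet log: input DENY eth0 PROTO=17 203.0.113.9:53112 192.0.2.10:161 L=78 S=0x00 I=18 F=0x0000 T=49 (#3)
Jan  5 12:34:59 fw sshd[123]: Accepted publickey for alice from 192.0.2.20 port 4444
"""

# Abbreviated lookup tables (assumption: a real tool would read /etc/protocols etc.).
PROTO_NAMES = {1: "ICMP", 6: "TCP", 17: "UDP"}
ICMP_NAMES = {(0, 0): "echo-reply", (3, 1): "host-unreachable",
              (3, 3): "port-unreachable", (8, 0): "echo-request",
              (11, 0): "ttl-exceeded"}

# netfilter lines carry KEY=VALUE fields; ipchains lines use "Packet log: ..." with
# PROTO as a number and src:port dst:port (type:code for ICMP).
IPTABLES_RE = re.compile(
    r"IN=(?P<iface_in>\S*) OUT=(?P<iface_out>\S*) .*?SRC=(?P<src>\S+) DST=(?P<dst>\S+)"
    r" .*?PROTO=(?P<proto>\S+)(?P<rest>.*)$")
IPCHAINS_RE = re.compile(
    r"Packet log: (?P<chain>\S+) (?P<action>\S+) (?P<iface_in>\S+) PROTO=(?P<proto>\d+)"
    r" (?P<src>[\d.]+):(?P<spt>\d+) (?P<dst>[\d.]+):(?P<dpt>\d+)")


def _field(rest, name):
    """Pull an integer KEY=value field (SPT, DPT, TYPE, CODE) out of the tail of a line."""
    m = re.search(rf"\b{name}=(\d+)", rest)
    return int(m.group(1)) if m else None


def resolve(addr, enabled=False):
    """Reverse-resolve an address; disabled by default so the example stays offline."""
    if not enabled:
        return addr
    try:
        return socket.gethostbyaddr(addr)[0]
    except OSError:
        return addr


class FirewallLogParser:
    """Recognises iptables and ipchains lines. After the first match it only tries
    that format again, unless mixed=True keeps both regular expressions active."""

    def __init__(self, mixed=False, resolve_names=False):
        self.mixed = mixed
        self.resolve_names = resolve_names
        self.locked = None  # format that matched first

    def parse(self, line):
        formats = [self.locked] if (self.locked and not self.mixed) else ["iptables", "ipchains"]
        for fmt in formats:
            rec = self._iptables(line) if fmt == "iptables" else self._ipchains(line)
            if rec is not None:
                self.locked = fmt
                return rec
        return None  # not a firewall log line (or the other format while locked)

    def _finish(self, fmt, m, proto, spt, dpt, icmp_type, icmp_code):
        rec = {"format": fmt, "iface_in": m.group("iface_in"),
               "src": resolve(m.group("src"), self.resolve_names),
               "dst": resolve(m.group("dst"), self.resolve_names),
               "proto": proto, "spt": spt, "dpt": dpt, "note": ""}
        if proto == "ICMP" and icmp_type is not None:
            rec["note"] = ICMP_NAMES.get((icmp_type, icmp_code), f"type {icmp_type} code {icmp_code}")
        return rec

    def _iptables(self, line):
        m = IPTABLES_RE.search(line)
        if not m:
            return None
        proto, rest = m.group("proto").upper(), m.group("rest")
        if proto.isdigit():
            proto = PROTO_NAMES.get(int(proto), proto)
        if proto == "ICMP":
            return self._finish("iptables", m, proto, None, None, _field(rest, "TYPE"), _field(rest, "CODE"))
        return self._finish("iptables", m, proto, _field(rest, "SPT"), _field(rest, "DPT"), None, None)

    def _ipchains(self, line):
        m = IPCHAINS_RE.search(line)
        if not m:
            return None
        proto = PROTO_NAMES.get(int(m.group("proto")), m.group("proto"))
        spt, dpt = int(m.group("spt")), int(m.group("dpt"))
        if proto == "ICMP":  # ipchains puts ICMP type:code where the ports would be
            return self._finish("ipchains", m, proto, None, None, spt, dpt)
        return self._finish("ipchains", m, proto, spt, dpt, None, None)


# Illustrative template syntax (assumption): str.format placeholders named after record keys.
DEFAULT_TEMPLATE = "{format:<8} {iface_in:<5} {proto:<4} {src}:{spt} -> {dst}:{dpt} {note}"


def render(rec, template=DEFAULT_TEMPLATE):
    """Fill the template; missing values (e.g. ports on ICMP) print as '-'."""
    return template.format(**{k: ("-" if v is None else v) for k, v in rec.items()})


class AlertBuffer:
    """Holds up to `size` rendered alerts and passes each full batch to `deliver`
    (a mailer in the real daemon; any callable here)."""

    def __init__(self, size, deliver):
        self.size, self.deliver, self.pending = size, deliver, []

    def add(self, text):
        self.pending.append(text)
        if len(self.pending) >= self.size:
            self.flush()

    def flush(self):
        if self.pending:
            self.deliver(list(self.pending))
            self.pending.clear()


def process(log_text, buffersize=2, mixed=False, template=DEFAULT_TEMPLATE):
    """Parse, render and batch every line; returns (delivered batches, still-pending alerts)."""
    batches, parser = [], FirewallLogParser(mixed=mixed)
    buf = AlertBuffer(buffersize, batches.append)
    for line in log_text.splitlines():
        rec = parser.parse(line)
        if rec is not None:
            buf.add(render(rec, template))
    return batches, list(buf.pending)


if __name__ == "__main__":
    batches, pending = process(SAMPLE_LOG, buffersize=2, mixed=True)
    for batch in batches:
        print("--- batch (would be mailed) ---\n" + "\n".join(batch))
    print("--- pending in buffer ---\n" + "\n".join(pending))
```

Run without `mixed=True` and the ipchains line is silently skipped once the first iptables line has locked the parser, which is exactly the situation the "-m" option exists for; with a BUFFERSIZE of 2 the two netfilter alerts go out as one batch and the third alert waits in the buffer until the next one arrives or the buffer is flushed at shutdown.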