NAME
adcfw-log: firewall logs analyzer/summarizer
SYNOPSIS
adcfw-log [ -h | --version ]
adcfw-log [ OPTIONS ] [ logfile ]
DESCRIPTION
adcfw-log is a tool for analyzing firewall logs in order to
extract meaningful information. It is designed to be a standalone
script with very few requirements that can generate different kinds
of reports, such as fully formatted reports of what has been
logged, with summaries by source or destination host, type of
service, or protocol. There are also options to filter the input
data by date, host, protocol, service, and so on. If no logfile is
given, log entries are read from standard input.
Only the netfilter log format is supported at this time.
FEATURES
These are the features currently provided by adcfw-log:
- support for the netfilter log format
- log entry filtering based on protocol, source host,
  destination host, service, prefix, input and output interfaces
- reports based on protocol, source or destination host, service
- summaries based on source host, destination host, prefix and
  service
OPTIONS
- --detailed
- Print a more detailed summary. Requires option -s; it has no
effect on reports.
- -h, --help
- Prints help.
- --in-interface <interface>
- Analyze only packets received from interface <interface>.
- --out-interface <interface>
- Analyze only packets transmitted through interface
<interface>.
- --prefix <prefix>
- Filter log entries by the user-defined log prefix. <prefix>
must exactly match the prefix attached to the log entry; the
match is case sensitive.
- --protocol <protocol>
- Filter log entries on a protocol basis. Legal values are tcp,
udp, icmp.
- -r, --report <report>
- Prints the specific report. See section AVAILABLE REPORTS below
for a list of legal values for this option.
- -s, --summary <summary>
- Prints the specific summary. See section AVAILABLE SUMMARIES
below for a list of legal values for this option.
- --service <port num>
- Analyze only entries whose destination port is <port num>.
- --source-host <host>
- Analyze only entries with <host> as source host. The host
must be given as a dotted-quad IPv4 address (xxx.xxx.xxx.xxx).
- --version
- Prints version number.
AVAILABLE REPORTS
- raw
- This is a protocol independent report. Includes date, source
and destination hosts, source and destination ports, input and
output interfaces, protocol. This is the default report.
- source_host
- This is a protocol-independent report grouped by source host.
For each source host it lists date, source and destination ports,
destination host, input and output interfaces, protocol and, where
applicable, tcp flags or icmp type.
- destination_host
- This is a protocol-independent report grouped by destination
host. For each destination host it lists date, source and
destination ports, source host, input and output interfaces,
protocol and, where applicable, tcp flags or icmp type.
- service
- This is a service-based report. Entries are grouped by
service, including date, input and output interfaces, source host
and port, destination host, protocol and tcp flags (if
applicable). Only tcp and udp packets are displayed.
AVAILABLE SUMMARIES
- source_host
- This is a source host based summary. A total packet count is
printed for each host. The detailed version reports the destination
host and service/icmp type too.
- destination_host
- This is a destination host based summary. A total packet count
is printed for each host. The detailed version reports the source
host and service/icmp type too.
- prefix
- This is a prefix based summary. A total packet count is printed
for each prefix. The detailed version of the summary reports the
source and destination hosts as well.
- service
- This is a service based summary. A total packet count is
printed for each service. The detailed version of the summary
reports the source and destination hosts too. Only tcp and udp
packets are reported.
USAGE EXAMPLES
#> adcfw-log /var/log/syslog
All the entries logged in /var/log/syslog are reported.
raw report is used (this is the default).
#> adcfw-log --report source_host /var/log/syslog
Same as above, but source_host report is used.
#> adcfw-log --summary source_host /var/log/syslog
Information is printed using a source host based summary.
#> grep "Sep 22" /var/log/syslog | adcfw-log
All log entries are read from the standard input and reported
using raw report.
#> grep "Sep 22" /var/log/syslog | adcfw-log --protocol icmp
Same as above, but only icmp packets are reported.
#> cat /var/log/syslog | adcfw-log --in-interface eth1
Reports only packets received on interface eth1.
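The filters listed under OPTIONS and the source_host, destination_host
and prefix summaries, shown as an added worked example that is not part
of adcfw-log (this page does not show the tool's own source). The script
below parses the netfilter LOG target's key=value lines, applies the
same kinds of filters, and prints a packet count per group with the
"detailed" breakdown. Assumptions: the standard netfilter line layout
(syslog timestamp, host, "kernel:", optional uptime stamp, user prefix,
then IN= ... fields), the constructed sample log lines embedded in the
script, and the helper names parse_log/summarize/render, which are this
example's and not adcfw-log's.

```python
#!/usr/bin/env python3
"""Minimal netfilter-log summarizer in the spirit of adcfw-log.

Added example, not adcfw-log's own code: parses netfilter LOG lines,
applies adcfw-log style filters, builds source_host / destination_host /
prefix summaries with an optional detailed breakdown.
"""
import re
import sys
from collections import Counter, defaultdict

# Constructed sample syslog lines (RFC 5737 documentation addresses).
# Prefix set with --log-prefix "FW-DROP " / "FW-FWD ". Last line is
# ordinary syslog noise that a netfilter parser must skip.
SAMPLE_LOG = """\
Sep 22 10:15:01 fw kernel: [ 1234.567890] FW-DROP IN=eth1 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.5 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=44321 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0
Sep 22 10:15:02 fw kernel: [ 1235.001122] FW-DROP IN=eth1 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.5 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=44322 DPT=23 WINDOW=29200 RES=0x00 SYN URGP=0
Sep 22 10:15:03 fw kernel: FW-DROP IN=eth1 OUT= SRC=198.51.100.7 DST=192.0.2.10 LEN=84 TOS=0x00 PREC=0x00 TTL=60 ID=4 DF PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=1
Sep 22 10:15:04 fw kernel: FW-FWD IN=eth0 OUT=eth1 SRC=192.0.2.10 DST=203.0.113.5 LEN=52 TOS=0x00 PREC=0x00 TTL=64 ID=7 DF PROTO=UDP SPT=5353 DPT=53 LEN=32
Sep 22 10:15:05 fw kernel: FW-DROP IN=eth1 OUT= SRC=203.0.113.5 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=44323 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0
Sep 22 10:15:06 fw sshd[1234]: Accepted publickey for admin from 192.0.2.50 port 50000 ssh2
"""

# timestamp, host, "kernel:", optional "[ uptime]", user prefix, then IN=...
LINE_RE = re.compile(
    r"^(?P<date>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ kernel: "
    r"(?:\[\s*[\d.]+\] )?(?P<prefix>.*?)(?P<kv>IN=.*)$"
)

def parse_line(line):
    """Return a dict of fields for a netfilter LOG line, else None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    entry = {"date": m.group("date"), "prefix": m.group("prefix").strip(), "flags": []}
    for tok in m.group("kv").split():
        if "=" in tok:
            key, value = tok.split("=", 1)
            # Keys repeat: ID= (IP header, then ICMP) and LEN= (IP, then UDP).
            # Keep the first occurrence, i.e. the IP-layer value.
            entry.setdefault(key, value)
        else:
            entry["flags"].append(tok)  # DF, SYN, ACK ... carry no value
    return entry

def matches(entry, protocol=None, source_host=None, destination_host=None,
            service=None, prefix=None, in_interface=None, out_interface=None):
    """adcfw-log style filters; a filter left at None is not applied."""
    wanted = [
        (protocol, lambda: entry.get("PROTO", "").lower() == protocol.lower()),
        (source_host, lambda: entry.get("SRC") == source_host),
        (destination_host, lambda: entry.get("DST") == destination_host),
        (service, lambda: entry.get("DPT") == str(service)),
        (prefix, lambda: entry["prefix"] == prefix),  # exact, case-sensitive
        (in_interface, lambda: entry.get("IN") == in_interface),
        (out_interface, lambda: entry.get("OUT") == out_interface),
    ]
    return all(check() for value, check in wanted if value is not None)

def parse_log(text, **filters):
    """Parse all lines, drop non-netfilter lines, apply the filters."""
    entries = [parse_line(line) for line in text.splitlines()]
    return [e for e in entries if e is not None and matches(e, **filters)]

def service_of(entry):
    """'22/tcp', '53/udp' or 'icmp type 8', as in a detailed summary."""
    if entry.get("PROTO") == "ICMP":
        return "icmp type " + entry.get("TYPE", "?")
    return "%s/%s" % (entry.get("DPT", "?"), entry.get("PROTO", "?").lower())

GROUP_FIELD = {"source_host": "SRC", "destination_host": "DST", "prefix": "prefix"}

def summarize(entries, summary="source_host", detailed=False):
    """Packet count per group; `detailed` adds a per-group breakdown."""
    field = GROUP_FIELD[summary]
    totals, details = Counter(), defaultdict(Counter)
    for e in entries:
        group = e.get(field, "?")
        totals[group] += 1
        if detailed:
            if summary == "prefix":   # prefix detail: source and destination hosts
                sub = (e.get("SRC", "?"), e.get("DST", "?"))
            else:                     # host detail: peer host and service/icmp type
                peer = e.get("DST" if field == "SRC" else "SRC", "?")
                sub = (peer, service_of(e))
            details[group][sub] += 1
    return totals, details

def render(totals, details):
    """Plain-text summary, most active group first."""
    lines = []
    for group, count in totals.most_common():
        lines.append("%-16s %6d" % (group, count))
        for sub, n in details[group].most_common():
            lines.append("    %-32s %6d" % (" ".join(sub), n))
    return "\n".join(lines)

if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LOG
    hits = parse_log(text, in_interface="eth1")  # like --in-interface eth1
    print(render(*summarize(hits, "source_host", detailed=True)))
```

Run it with a syslog file as its only argument, or with no argument to
use the embedded sample. Two details matter when adapting it to real
logs: the prefix is whatever text sits between "kernel:" and "IN=", so
a rule logged with --log-prefix "FW-DROP " yields the prefix FW-DROP and
a filter for "fw-drop" matches nothing, exactly as adcfw-log's --prefix
option behaves; and the ID= and LEN= keys appear twice on ICMP and UDP
lines, so a parser that naively takes the last value reports the ICMP
identifier or UDP payload length instead of the IP header fields.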
LINKS
adcfw-log can be downloaded from:
http://adcfw-log.sourceforge.net/
adcfw-log is distributed under the terms of GPL
version 2
AUTHORS
Alessandro Dotti Contra <alessandro@hyboria.org>
BUGS
Please report bugs to <alessandro@hyboria.org>