What is your firewall log telling you - responses
SANS Internet Storm Center (ISC) InfoSec Forums

Responses to our earlier diary entries regarding firewall log parsing (story1 and story2) have been trickling in. 

Reader Matthias has some small awk/shell scripts for parsing iptables log files that he shared here:
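The scripts Matthias shared were linked from the diary rather than reproduced on this page. What follows is an added example, not his code and not an ISC script: a small POSIX sh/awk summariser for iptables LOG lines that answers the three questions most people ask of a firewall log first (who is hitting me hardest, which ports, and who is walking through many ports). The sample lines are constructed for the demo, using documentation addresses, and "IPT-DROP:" is an assumed --log-prefix.

```sh
#!/bin/sh
# Added example (not the scripts linked from the diary): summarise iptables
# LOG lines with awk. Input is plain kernel syslog text such as
# /var/log/kern.log. The LOG target writes one "KEY=VALUE" token per field,
# so the parser scans tokens for the prefixes it needs instead of relying on
# their position (lines differ between TCP, UDP and ICMP).

# Constructed sample lines for the demo; "IPT-DROP:" is an assumed prefix.
IPT_SAMPLE='Mar  5 10:01:02 fw kernel: IPT-DROP: IN=eth0 OUT= MAC=00:16:3e:00:00:01:00:16:3e:00:00:02:08:00 SRC=203.0.113.5 DST=192.0.2.10 LEN=40 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=43210 DPT=22 WINDOW=1024 RES=0x00 SYN URGP=0
Mar  5 10:01:03 fw kernel: IPT-DROP: IN=eth0 OUT= MAC=00:16:3e:00:00:01:00:16:3e:00:00:02:08:00 SRC=203.0.113.5 DST=192.0.2.10 LEN=40 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=43211 DPT=22 WINDOW=1024 RES=0x00 SYN URGP=0
Mar  5 10:01:04 fw kernel: IPT-DROP: IN=eth0 OUT= MAC=00:16:3e:00:00:01:00:16:3e:00:00:02:08:00 SRC=203.0.113.5 DST=192.0.2.10 LEN=40 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=43212 DPT=22 WINDOW=1024 RES=0x00 SYN URGP=0
Mar  5 10:01:05 fw kernel: IPT-DROP: IN=eth0 OUT= MAC=00:16:3e:00:00:01:00:16:3e:00:00:02:08:00 SRC=203.0.113.5 DST=192.0.2.10 LEN=40 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=43213 DPT=23 WINDOW=1024 RES=0x00 SYN URGP=0
Mar  5 10:01:06 fw kernel: IPT-DROP: IN=eth0 OUT= MAC=00:16:3e:00:00:01:00:16:3e:00:00:02:08:00 SRC=203.0.113.5 DST=192.0.2.10 LEN=40 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=43214 DPT=3389 WINDOW=1024 RES=0x00 SYN URGP=0
Mar  5 10:01:07 fw kernel: IPT-DROP: IN=eth0 OUT= MAC=00:16:3e:00:00:01:00:16:3e:00:00:02:08:00 SRC=198.51.100.7 DST=192.0.2.10 LEN=48 TOS=0x00 PREC=0x00 TTL=115 ID=2048 DF PROTO=TCP SPT=51001 DPT=445 WINDOW=8192 RES=0x00 SYN URGP=0
Mar  5 10:01:08 fw kernel: IPT-DROP: IN=eth0 OUT= MAC=00:16:3e:00:00:01:00:16:3e:00:00:02:08:00 SRC=198.51.100.7 DST=192.0.2.10 LEN=48 TOS=0x00 PREC=0x00 TTL=115 ID=2049 DF PROTO=TCP SPT=51002 DPT=445 WINDOW=8192 RES=0x00 SYN URGP=0
Mar  5 10:01:09 fw kernel: IPT-DROP: IN=eth0 OUT= MAC=00:16:3e:00:00:01:00:16:3e:00:00:02:08:00 SRC=198.51.100.7 DST=192.0.2.10 LEN=84 TOS=0x00 PREC=0x00 TTL=115 ID=2050 PROTO=ICMP TYPE=8 CODE=0 ID=4321 SEQ=1
Mar  5 10:01:10 fw kernel: IPT-DROP: IN=eth0 OUT= MAC=00:16:3e:00:00:01:00:16:3e:00:00:02:08:00 SRC=192.0.2.200 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=5353 DPT=53 LEN=40'

# Print "count ip" for the N sources with the most logged packets, busiest
# first.  Usage: ipt_top_sources [N] < logfile
ipt_top_sources() {
    awk '{ for (i = 1; i <= NF; i++) if ($i ~ /^SRC=/) { n[substr($i, 5)]++; break } }
         END { for (ip in n) print n[ip], ip }' | sort -rn | head -n "${1:-10}"
}

# Print "count PROTO/port" for the N most-hit destination ports. Lines with
# no DPT (ICMP, non-first fragments) are skipped rather than counted under an
# empty key.  Usage: ipt_top_ports [N] < logfile
ipt_top_ports() {
    awk '{ proto = ""; dpt = ""
           for (i = 1; i <= NF; i++) {
               if ($i ~ /^PROTO=/) proto = substr($i, 7)
               else if ($i ~ /^DPT=/) dpt = substr($i, 5)
           }
           if (dpt != "") n[proto "/" dpt]++ }
         END { for (k in n) print n[k], k }' | sort -rn | head -n "${1:-10}"
}

# Print "distinct_ports ip" for sources that touched at least MIN distinct
# destination ports: a crude port-scan indicator that a plain packet count
# misses (a host retrying one port looks busy but is not scanning).
# Usage: ipt_scanners [MIN] < logfile
ipt_scanners() {
    awk -v min="${1:-5}" '
        { src = ""; dpt = ""
          for (i = 1; i <= NF; i++) {
              if ($i ~ /^SRC=/) src = substr($i, 5)
              else if ($i ~ /^DPT=/) dpt = substr($i, 5)
          }
          if (src != "" && dpt != "" && !seen[src, dpt]++) ports[src]++ }
        END { for (s in ports) if (ports[s] >= min) print ports[s], s }' | sort -rn
}

# Demo run over the constructed sample; on a real box replace the printf with
# e.g.  grep 'IPT-DROP:' /var/log/kern.log | ipt_top_sources
printf '%s\n' "$IPT_SAMPLE" | ipt_top_sources 3
printf '%s\n' "$IPT_SAMPLE" | ipt_top_ports 3
printf '%s\n' "$IPT_SAMPLE" | ipt_scanners 3
```

Counting distinct (source, port) pairs in ipt_scanners is the part worth keeping: a single source repeating one port dominates the packet count but is not a scan, while a source touching three or four ports with one packet each is.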

And reader Christian recommends using Prelude LML (Log Monitoring Lackey):

Update #1: An anonymous reader also suggests .

-Kyle Haugsness


Mar 5th 2010
I use FWAnalog.
It's a branch off Analog for system log analysis.

Though there is some stuff missing, like destination port stats... this gives me a visual of what's going on.

Checking out some of the suggestions above definitely.


Another really nifty trick is to exclude (grep -v) your permit/deny entries in the logs; the remaining logs can show some interesting info. In the case of an ASA, excluding built/teardown/accept/deny messages shows interfaces going up/down, inspection proxy exceptions, among other things. A very useful search.

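The grep -v trick from the comment above, as an added example that is not the commenter's code: the connection built/teardown and ACL permit/deny messages are dropped by ASA message ID instead of by keyword (a keyword such as "denied" also matches authentication failures you would want to keep), and whatever survives is tallied by message ID so the rare events stand out. The sample lines are constructed to approximate the ASA syslog format; the message IDs in the exclusion list are the standard connection-logging and ACL IDs, but which ones to drop is a local choice.

```sh
#!/bin/sh
# Added example (not the commenter's code): filter Cisco ASA syslog down to
# the messages that are not routine connection or ACL logging, then count
# what is left by message ID.

# Connection setup/teardown (302013-302016 TCP/UDP, 302020/302021 ICMP) and
# ACL permit/deny (106023, 106100). Extend for whatever else floods your log.
ASA_NOISE_IDS='302013|302014|302015|302016|302020|302021|106023|106100'

# Constructed sample lines approximating the ASA syslog format.
ASA_SAMPLE='Mar  5 10:02:11 asa %ASA-6-302013: Built outbound TCP connection 1001 for outside:203.0.113.5/443 (203.0.113.5/443) to inside:192.0.2.10/51234 (198.51.100.1/51234)
Mar  5 10:02:12 asa %ASA-6-302014: Teardown TCP connection 1001 for outside:203.0.113.5/443 to inside:192.0.2.10/51234 duration 0:00:01 bytes 2048 TCP FINs
Mar  5 10:02:13 asa %ASA-4-106023: Deny tcp src outside:203.0.113.9/4444 dst inside:192.0.2.10/22 by access-group "outside_in" [0x0, 0x0]
Mar  5 10:02:14 asa %ASA-6-106100: access-list inside_out permitted tcp inside/192.0.2.10(51235) -> outside/203.0.113.5(443) hit-cnt 1 first hit [0x0, 0x0]
Mar  5 10:02:20 asa %ASA-4-411002: Line protocol on Interface dmz, changed state to down
Mar  5 10:02:25 asa %ASA-4-411001: Line protocol on Interface dmz, changed state to up
Mar  5 10:02:30 asa %ASA-6-302015: Built outbound UDP connection 1002 for outside:203.0.113.5/53 (203.0.113.5/53) to inside:192.0.2.10/40001 (198.51.100.1/40001)
Mar  5 10:02:31 asa %ASA-4-507003: tcp flow from inside:192.0.2.10/51240 to outside:203.0.113.5/80 terminated by inspection engine, reason - inspector disconnected, dropped packet.
Mar  5 10:02:32 asa %ASA-4-507003: tcp flow from inside:192.0.2.11/51241 to outside:203.0.113.5/80 terminated by inspection engine, reason - inspector disconnected, dropped packet.'

# Drop the noise IDs; everything else passes through unchanged.
# Usage: asa_noise_filter < logfile
asa_noise_filter() {
    grep -v -E "%ASA-[0-9]-($ASA_NOISE_IDS):"
}

# Print "count %ASA-sev-id" for the message IDs present, most frequent first.
# The ID token is located by pattern, not position, so a different syslog
# header (RFC 5424, relay-added hostnames) does not break it.
# Usage: asa_id_summary < logfile
asa_id_summary() {
    awk '{ for (i = 1; i <= NF; i++)
               if ($i ~ /^%ASA-[0-9]-[0-9]+:$/) { sub(/:$/, "", $i); n[$i]++; break } }
         END { for (id in n) print n[id], id }' | sort -rn
}

# Demo run over the constructed sample. On a real box:
#   asa_noise_filter < /var/log/asa.log | asa_id_summary
printf '%s\n' "$ASA_SAMPLE" | asa_noise_filter
printf '%s\n' "$ASA_SAMPLE" | asa_noise_filter | asa_id_summary
```

Once the ID summary is in hand, the next step is to look at each surviving ID once, decide whether it is noise or signal, and either add it to ASA_NOISE_IDS or write an alert for it; the list of IDs you have never seen before is the interesting part.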