Name               Date         Size       #Lines   LOC
..                 03-May-2022  -
examples/          07-Nov-2018  -          229      220
include/           07-Nov-2018  -          1,268    1,042
m4/                07-Nov-2018  -          9,060    8,188
mysql/             07-Nov-2018  -          1,683    1,446
pgsql/             07-Nov-2018  -          1,555    1,262
src/               07-Nov-2018  -          35,564   27,329
tools/             07-Nov-2018  -          759      651
vendor/            07-Nov-2018  -          2,593    1,867
webfwlog/          07-Nov-2018  -          9,291    8,331
webfwlog-vendor/   07-Nov-2018  -
AUTHORS            09-Dec-2012  33         2        1
COPYING            09-Dec-2012  17.6 KiB   341      281
CREDITS            09-Dec-2012  270        8        5
ChangeLog          07-Nov-2018  13.3 KiB   292      263
INSTALL            07-Nov-2018  9.7 KiB    210      159
Makefile           07-Nov-2018  28.2 KiB   897      789
Makefile.am        07-Nov-2018  3.3 KiB    86       72
Makefile.in        07-Nov-2018  28.4 KiB   897      793
README             07-Nov-2018  7 KiB      149      117
README.geoip       07-Nov-2018  2.7 KiB    54       43
README.pdf         07-Nov-2018  614
ReleaseNotes       07-Nov-2018  2.3 KiB    52       39
TODO               04-Nov-2018  222        13       7
aclocal.m4         07-Nov-2018  44.8 KiB   1,273    1,157
ar-lib             07-Nov-2018  5.7 KiB    271      210
compile            07-Nov-2018  7.2 KiB    349      259
composer.json      04-Nov-2018  63         6        5
composer.lock      07-Nov-2018  2.7 KiB    75       74
config.guess       07-Nov-2018  43.3 KiB   1,477    1,283
config.h.in        07-Nov-2018  6.9 KiB    232      164
config.sub         07-Nov-2018  35.7 KiB   1,837    1,699
configure          07-Nov-2018  516.4 KiB  18,061   15,192
configure.ac       07-Nov-2018  13.3 KiB   495      453
depcomp            07-Nov-2018  23 KiB     792      502
install-sh         07-Nov-2018  14.3 KiB   502      327
ltmain.sh          07-Nov-2018  316.6 KiB  11,150   7,980
missing            07-Nov-2018  6.7 KiB    216      143
webfwlog.conf.in   07-Nov-2018  12 KiB     344      302
ylwrap             07-Nov-2018  6.7 KiB    248      143

README

$Id: README 684 2018-11-07 19:26:36Z bhockney $
(C) 2003-2018 by Bob Hockney <zeus@ix.netcom.com>

Webfwlog is distributed under the terms of GNU GPL

WELCOME

Webfwlog is a flexible web-based analysis and reporting tool for firewall logs.
It supports standard system logs for linux, FreeBSD, OpenBSD, NetBSD, Solaris,
Irix, Darwin, etc. as well as Cisco and Netscreen routers, and Windows XP(R).
Supported log file formats are netfilter, ipfilter, Cisco IOS, netscreen,
ipfw, ipchains and Windows XP(R).  Webfwlog also supports logs stored in a
database with the layout described in the mysql or pgsql directories, which
is based on the layout used by the ULOG and NFLOG targets of the linux
netfilter project. The setup scripts can also create a view to support the
Snort IDS format.

With Webfwlog you can design reports to use on your logged data in whatever
configuration you desire.  Included are example reports as a starting point.
You can sort a report with a single click, "drill-down" on the reports all the
way to the packet level, and save your report definitions for later use.  You
can also create a link to directly create a report from a saved definition.

PREREQUISITES

- A web server with PHP >= 4.1 with session, pcre, and pgsql or mysqli database
    extension for your server. The deprecated mysql extension is also supported.
    For geoip, PHP >=5.3 is required.
- Log files in standard netfilter, ipfilter, Cisco IOS, Cisco PIX, ipfw, snort,
    netscreen, ipchains or Windows XP(R) format, or database logs populated
    with the Snort IDS or the ULOG and NFLOG targets of netfilter.
- A MySQL, mariadb or PostgreSQL database server:
    - MySQL >= 3.23.52 or any production release of 4.x or 5.x
               for IPv6 support 5.0 or later
    - Mariadb - any production release
    - PostgreSQL >= 7.1
               for IPv6 support 7.4 or later
               for geoip support 9.1 or later
- For full geoip support with the syslog parser libmaxminddb is required.
- Berkeley db >= 4 is optional for performance with libmaxminddb.
- Your favorite web browser.

MYSQL AND MARIADB

Mariadb is a binary compatible drop-in replacement for mysql, and is
increasingly used in the open source community in place of mysql. Mariadb was
forked from mysql when Oracle acquired the rights to mysql and is maintained by
some of the original developers of mysql out of concern about the future
direction of mysql under Oracle, particularly with respect to licensing.
Mariadb is guaranteed to remain open source, and changes to the mysql code
base are regularly merged into mariadb to keep the feature set of mariadb
in step with that of mysql. Webfwlog is agnostic about which program is in use
and treats them the same. All references to mysql in the webfwlog documentation
and configuration apply without change to mariadb.

Windows XP(R) support is provided via Cygwin.

GEOIP

Geoip version 2 lookup-only support is built into webfwlog and only requires
that the maxmind mmdb files be installed; full support has additional
considerations. See README.geoip in this directory for more information.

INSTALLATION

See the INSTALL file for installation directions.

SECURITY

The database login credentials used by webfwlog are stored in the webfwlog.conf
file which must be readable by PHP, which is probably running as the same user
as the web server.  By default, this file is installed owned by root and with
permissions of 644, meaning it is readable by any user.  In many installations,
the web server runs as a specific user, such as apache or www, or this user may
belong to a group, such as apache or www.  You may be able to somewhat secure
the webfwlog.conf file by changing the ownership or group id of this file and
changing the permissions to 640 or 600.  You are strongly urged to restrict
the permissions on webfwlog.conf as allowed by your installation.

The syslog file parser is named wfwl_syslog and is installed suid root (4555)
because it needs to be able to read system log files, which are normally only
readable by root, and must also be executable by PHP which is probably running
as the same user as the web server.  If the user your web server runs as
belongs to a group such as apache or www, then you can change the gid of
wfwl_syslog to this group and change the permissions on the binary to 4550
to prevent regular users from executing the program.  wfwl_syslog rejects log
lines that are not in a recognized log file format and never outputs the
contents of the log file, only the parsed results, to prevent information leaks
from the log files.

Also, any PHP script running on the web server has access to the webfwlog.conf
file and the wfwl_syslog executable.  Because of this, it is not recommended to
run webfwlog on a system where non-trusted users can place PHP scripts
available to the web server, and it is important that the MySQL or PostgreSQL
user you are using for webfwlog not have more privileges than it needs.  In
particular, the user does not need and SHOULD NOT HAVE rights to create and
drop databases and tables other than temporary tables, and especially should
not have the ability to grant or revoke rights to other users.  It is
recommended to use a separate database user for webfwlog.

See the README in the mysql or pgsql directory for a script to set up your
database server for use with webfwlog, including granting only the rights
needed.
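
The following audit script is an added example and is not part of the
webfwlog distribution. It checks the two files this section discusses against
the recommendations above: webfwlog.conf should not be world-readable and
should only be group-readable by the web server's group (640 or 600), and the
suid-root wfwl_syslog binary should be 4550 with the web server's group rather
than 4555. The file paths and the group name www-data are assumptions; pass
the ones that match your installation.

```python
"""Audit the permissions of webfwlog.conf and wfwl_syslog.

Added example, not part of webfwlog. Paths and the web server group name
are assumptions supplied on the command line.
"""
import grp
import os
import stat
import sys

# Modes the README says the installer sets by default.
DEFAULT_CONF_MODE = 0o644
DEFAULT_PARSER_MODE = 0o4555


def audit_conf_mode(mode, group, web_group):
    """Findings for webfwlog.conf, which holds the database credentials.

    mode is the permission bits (e.g. 0o644), group the owning group name,
    web_group the group PHP/the web server runs under (e.g. apache, www).
    """
    findings = []
    if mode & stat.S_IROTH:
        findings.append(f"world-readable (mode {mode:04o}); set 640 or 600")
    if mode & (stat.S_IWGRP | stat.S_IWOTH):
        findings.append(f"writable by group or others (mode {mode:04o}); "
                        "only root should be able to write it")
    if mode & stat.S_IRGRP and group != web_group:
        findings.append(f"group-readable but group is '{group}', not "
                        f"'{web_group}'; chgrp it to {web_group} or use 600")
    return findings


def audit_parser_mode(mode, group, web_group):
    """Findings for the suid-root syslog parser wfwl_syslog."""
    findings = []
    if not mode & stat.S_ISUID:
        findings.append(f"setuid bit missing (mode {mode:04o}); the parser "
                        "cannot read root-only log files")
    if mode & stat.S_IXOTH:
        findings.append(f"executable by every user (mode {mode:04o}); chgrp "
                        f"to '{web_group}' and chmod 4550")
    elif mode & stat.S_IXGRP and group != web_group:
        findings.append(f"group-executable but group is '{group}', not "
                        f"'{web_group}'; the web server cannot run it")
    if mode & (stat.S_IWGRP | stat.S_IWOTH):
        findings.append(f"writable by group or others (mode {mode:04o}); "
                        "a setuid-root binary must only be writable by root")
    return findings


def audit_file(path, kind, web_group):
    """Stat a real file and run the matching check; returns prefixed findings."""
    st = os.stat(path)
    mode = stat.S_IMODE(st.st_mode)  # permission bits incl. setuid/setgid
    try:
        group = grp.getgrgid(st.st_gid).gr_name
    except KeyError:
        group = str(st.st_gid)
    check = audit_conf_mode if kind == "conf" else audit_parser_mode
    return [f"{path}: {f}" for f in check(mode, group, web_group)]


if __name__ == "__main__":
    # Usage: audit.py <path to webfwlog.conf> <path to wfwl_syslog> [web_group]
    conf_path, parser_path = sys.argv[1], sys.argv[2]
    web_group = sys.argv[3] if len(sys.argv) > 3 else "www-data"  # assumption
    problems = (audit_file(conf_path, "conf", web_group)
                + audit_file(parser_path, "parser", web_group))
    for p in problems:
        print(p)
    sys.exit(1 if problems else 0)
```

The core checks take the mode bits and group name as plain values so they can
be exercised without touching the installed files; audit_file is the thin
wrapper that stats the real paths. The exit status makes it usable from a
post-install step or a periodic configuration check.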
104
USE

Before starting webfwlog for the first time, you should review the installed
webfwlog.conf file and adjust it as needed for your installation.  This
file is well-commented.

You can load webfwlog by pointing your favorite web browser to:

http://<location>/webfwlog/index.php

When you load the webfwlog home page, you will see a list of the report
definitions you have previously saved, and the example report definitions if
you imported them during setup.  You can run a report by clicking the link
with its name in the code column, or edit one by clicking the link in the
edit column.  You can create a new report definition by pressing the
Report Editor button at the bottom of the list.  More documentation is on
the home page.

From an on-screen report, you can sort a column by clicking on the heading.
You can also "drill-down" on a cell if it has a link, which will filter
the report by the item selected.  If there is a 'Packet' column on the
report you can click it to see all details for that logged packet.  If the
report is summarized, clicking on the number in the 'Count' column will
display a list of the individual logged packets that make up the count,
and from there you can drill-down to the packet details.

From the report editor you can import and export report definitions, save them
in the database for later use, or edit them.  Documentation for the report
editor is on the report editor page.

TROUBLESHOOTING

If you get only part of a report output, or no output after a long time, try
increasing the php_max_memory parameter in webfwlog.conf.  You can also try
increasing the timeout settings.

Please report bugs to zeus@ix.netcom.com.

COMMENTS

Please let me know what you think!  If you have questions or comments please
email me at zeus@ix.netcom.com.

Enjoy!


README.geoip

$Id: README.geoip 684 2018-11-07 19:26:36Z bhockney $
(C) 2003-2018 by Bob Hockney <zeus@ix.netcom.com>

GEOIP

Geoip location data based on IP is provided using maxmind's geoip databases,
version 2, either in PostgreSQL database tables for data logged using
PostgreSQL, or maxmind's geoip version 2 files (with a mmdb extension).
Both the paid and free (lite) databases are supported. Version 1 (legacy) of
geoip data is not supported.

Two levels of support are available, depending upon your log data source:
  - Lookup only, which supports all geoip data fields, but does not allow
    filtering or sorting on geoip fields. This is available for all log data
    sources.
  - Full support, which does allow filtering and sorting by geoip fields. This
    is available for file logs and postgresql database logs; mysql database
    logs are not supported.

Lookup only support is provided by the maxmind-db/reader php class, which is
included in the webfwlog distribution tarball, and provides lookup only support
out-of-the-box provided the maxmind database files are installed (with mmdb
extension). While this can look up all supported fields, from all log data
sources, filtering and sorting are not available. This is the only support
available for logs in a mysql database. The free versions of the binary
databases are available here (city recommended):

http://dev.maxmind.com/geoip/geoip2/geolite2/

Lookups using the php reader class can be slow, especially on long reports.
Maxmind provides a php extension that can be built, and provides a performance
improvement of an order of magnitude. The source is included in the webfwlog
distribution in the vendor/maxmind-db/reader/ext directory. Installation
instructions are in vendor/maxmind-db/reader/README.md. You will need the
php development tool phpize installed.

Full support for filtering and sorting by geoip fields is available for
postgresql database logs. Maxmind provides CSV files at the above location,
which can be imported into a postgresql database and used with database logs
in the same database. This requires the ip4r extension to postgresql, version
2.0 or higher, to be installed and loaded. This extension is available in many
package manager systems, or can be downloaded from the link below. See the
README.geoip in the pgsql directory for more information.

http://pgfoundry.org/projects/ip4r

Full support for filtering and sorting by geoip fields is available for file
logs using libmaxminddb, which is available in many package manager systems,
or the source can be downloaded from maxmind.com at the location below. You
will need to give configure for webfwlog the --with-libmaxminddb option when
compiling the syslog parser. See INSTALL for more information.

https://github.com/maxmind/libmaxminddb
