# PF log parser



## anomie (Apr 15, 2009)

Can someone recommend a program/script in FreeBSD's Ports that will analyze /var/log/pflog on a daily basis and provide me with a functional report? I don't care whether the report is plain text or html, so long as I get the info I need. 

I'm primarily interested in the following details: Allowed traffic - to include SRC/DST IP and SRC/DST port, and protocol. (My PF ruleset supports gathering this information with the *log* directive.) 

A quick bit of searching, and I've found: 

- hatchet: Not in Ports
- fwanalog: Doesn't seem actively maintained
- A mishmash of other unmaintained suggestions and expired URLs

Please note that the *periodic* script 520.pfdenied is not sufficient for my needs. (I want to see allowed packets as described above.) I'd also prefer to not re-invent the wheel by writing something from scratch. 

Any ideas?


----------



## vivek (Apr 15, 2009)

You need to use pfstat for graphing PF performance data - http://www.benzedrine.cx/pfstat.html
I also used fwanalog and it works too.

Other tools 

tcpdump good for viewing logs in real time.
pfctl for viewing performance counters.
pftop for viewing active connections.


----------



## anomie (Apr 15, 2009)

Nyet on the pfstat, tcpdump, pfctl, and pftop suggestions. Those are good tools, but don't meet my reporting needs (described above). 

_However_, maybe I underestimated security/fwanalog. Its project page hasn't been updated since '05, but the Port commit history shows updates in '07. Maybe it is not abandoned after all.  

I'm going to give it a go.


----------



## anomie (Apr 24, 2009)

Update: Long story short -- fwanalog is not going to cut it. I rolled my own reporting tool and shared it here.


----------
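An added example, not anomie's tool (the thread does not include it) and not part of any Port: a Python script that reads /var/log/pflog directly (a pcap file with the pflog link type, each record carrying FreeBSD's pfloghdr in front of the IP packet), keeps only records whose action is pass, and counts them by interface, protocol, source/destination address and port, which is the report asked for in the first post. The embedded sample capture is constructed for the demo; the header layout (length byte 61 padded to 64, action 0 = pass, IPv4 only) is assumed from FreeBSD's net/if_pflog.h and should be checked against the running system before trusting the output.

```python
import socket, struct, sys
from collections import Counter

PF_PASS, AF_INET, DLT_PFLOG = 0, 2, 117       # pfvar.h action value, AF_INET, pcap link type
PROTO = {6: "tcp", 17: "udp"}

def parse_pflog(data):
    """Yield (action, ifname, proto, src, sport, dst, dport) for each record in a pflog pcap."""
    end = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">"}.get(data[:4])
    if end is None or struct.unpack(end + "I", data[20:24])[0] != DLT_PFLOG:
        raise ValueError("not a pflog (DLT_PFLOG) pcap file")
    off = 24                                    # skip the 24-byte pcap global header
    while off + 16 <= len(data):
        caplen = struct.unpack(end + "IIII", data[off:off + 16])[2]
        rec, off = data[off + 16:off + 16 + caplen], off + 16 + caplen
        # struct pfloghdr starts: length, af, action, reason, ifname[16]; the kernel
        # reports length 61 but pads the header to 64 bytes, so round up as tcpdump does
        hdrlen, af, action = (rec[0] + 3) & ~3, rec[1], rec[2]
        ifname = rec[4:20].split(b"\0", 1)[0].decode()
        ip = rec[hdrlen:]
        if af != AF_INET or len(ip) < 20:       # IPv4 only in this example (assumption)
            continue
        ihl, proto = (ip[0] & 0x0F) * 4, ip[9]
        src, dst = socket.inet_ntoa(ip[12:16]), socket.inet_ntoa(ip[16:20])
        sport = dport = None
        if proto in PROTO and len(ip) >= ihl + 4:   # TCP/UDP ports: first 4 bytes of L4
            sport, dport = struct.unpack("!HH", ip[ihl:ihl + 4])
        yield action, ifname, PROTO.get(proto, str(proto)), src, sport, dst, dport

def pass_report(data):
    """Count allowed (pass) packets per (ifname, proto, src, sport, dst, dport)."""
    return Counter(r[1:] for r in parse_pflog(data) if r[0] == PF_PASS)

def _record(action, proto, src, sport, dst, dport):
    """Constructed pflog record (64-byte pfloghdr + IPv4 header + ports) for the demo below."""
    pfhdr = struct.pack("=BBBB16s16sIIIIIIB3x", 61, AF_INET, action, 0, b"em0", b"", 5, 0, 0, 0, 0, 0, 1)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28, 0, 0, 64, proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    pkt = pfhdr + ip + struct.pack("!HH", sport, dport) + b"\0" * 4
    return struct.pack("<IIII", 0, 0, len(pkt), len(pkt)) + pkt
SAMPLE_PCAP = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, DLT_PFLOG) + b"".join([
    _record(0, 6, "192.0.2.10", 51234, "198.51.100.5", 443),   # pass tcp
    _record(0, 6, "192.0.2.10", 51234, "198.51.100.5", 443),   # same flow, second packet
    _record(0, 17, "192.0.2.11", 5353, "198.51.100.53", 53),   # pass udp
    _record(1, 6, "203.0.113.9", 40000, "198.51.100.5", 22),   # blocked: must not be reported
])

if __name__ == "__main__":                      # usage: python pflog_report.py /var/log/pflog
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_PCAP
    for (ifc, proto, src, sp, dst, dp), n in sorted(pass_report(data).items()):
        print(f"{n:6d} pass on {ifc} {proto} {src}:{sp} -> {dst}:{dp}")
```

Run it from a daily periodic(8) script against the rotated pflog to get the plain-text summary; without an argument it reports on the constructed sample.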

