KLogWatch
System Software
Score 78%
Description:

KLogWatch sits in the system tray and monitors a kernel log file for Netfilter (i.e. iptables) log lines. Clicking on the system tray icon opens a window with a history of all the logged packets. Users can then perform basic operations on the packet information (whois, traceroute, host, etc.).
Last changelog:

13 years ago

Version 2.0.3:
Do proper column sorting on addresses and ports.

Version 2.0.2:
Be sure to save config when a session closes
Add ping command
Actually use dest IP address when doing traceroute on dest IP
Allow use of $(DESTDIR) during installation. Thanks to Tiziano Mueller for the initial patch.

Version 2.0.1:
Fixed error message reporting of an invalid logfile

Version 2.0:
New features:
* New columns to account for all netfilter log info
* Select which columns to see
* Column size and order saved
* Window size and position saved
* Right mouse button actions
* Adjustable print font
* Can now print/save window contents or raw log messages

Changes:
* Some code cleanups; more on the way
* Changing configuration does not require restart
* Desktop file installed automatically
* Removed popup on alert action; all alerts appear in the tray
* Debian package files and RPM spec file included

Version 1.8.4:

Fixed bug in Save As option
New cleaner icons
Added uninstall make target

Version 1.8.3:

Corrected to work properly when log-rotation occurs
Use proper KDE config file location
(Copy your ~/.klogwatch to ~/.kde/share/config/klogwatchrc).
Don't scroll down to new packets if window already visible

Version 1.8.2:

Corrected "parsed == false" assertion failure on startup under latest KDE versions.

Version 1.8.1:

Fixed SIGABRT Mandrake problem where /var/log/kernel is a directory

Version 1.8:

Fixed the autoconf system for Fedora/Mandrake/Debian
Added sort by destination port
Lookup protocol numbers in /etc/protocols to give names
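
The description above says KLogWatch scans a kernel log file for Netfilter log lines, and the 1.8 entry mentions turning protocol numbers into names via /etc/protocols. The Python below is an added example written for this page, not KLogWatch's own code: it parses one line into its prefix, KEY=value fields and bare flags, resolves a numeric PROTO= through /etc/protocols (falling back to an embedded subset when that file is absent), and applies a small per-protocol/port ignore list of the kind the filtering suggestion further down the thread asks for. The sample log lines are constructed, and the default ignore pairs (NetBIOS on UDP 137/138) are my assumption about which "Windows network messages" are meant.

```python
import re
from typing import Dict, FrozenSet, List, Optional, Tuple

# Subset of /etc/protocols, embedded so the example runs where that file is absent.
FALLBACK_PROTOCOLS = {1: "icmp", 2: "igmp", 6: "tcp", 17: "udp", 41: "ipv6",
                      47: "gre", 50: "esp", 51: "ah", 58: "ipv6-icmp", 132: "sctp"}


def load_protocols(path: str = "/etc/protocols") -> Dict[int, str]:
    """Number -> name table from /etc/protocols when readable, else the embedded subset."""
    table = dict(FALLBACK_PROTOCOLS)
    try:
        with open(path, encoding="ascii", errors="replace") as fh:
            for raw in fh:
                parts = raw.split("#", 1)[0].split()   # e.g. "tcp  6  TCP  # comment"
                if len(parts) >= 2 and parts[1].isdigit():
                    table[int(parts[1])] = parts[0]
    except OSError:
        pass
    return table


_IN = re.compile(r"\bIN=")
# syslog header up to "kernel:", then the optional "[ seconds.micros]" printk timestamp
_HEAD = re.compile(r"^(?:.*?kernel:\s*)?(?:\[\s*[\d.]+\]\s*)?")
_INT_FIELDS = ("LEN", "TTL", "ID", "SPT", "DPT", "TYPE", "CODE", "SEQ", "WINDOW", "URGP")


def parse_netfilter_line(line: str, protocols: Optional[Dict[int, str]] = None) -> Optional[dict]:
    """Parse one kernel/syslog line carrying a Netfilter LOG record; None if it is not one.

    prefix - the --log-prefix text (empty if none)
    fields - KEY=value pairs; counters converted to int; OUT= keeps its empty value;
             a repeated key (UDP/ICMP print a second LEN= or ID= for the inner header)
             is stored as KEY#2 so the IP-level value is not overwritten
    flags  - bare tokens such as DF, SYN, ACK
    proto  - lower-case name; a numeric PROTO= is resolved through the protocol table
    """
    m = _IN.search(line)
    if not m:
        return None
    prefix = _HEAD.sub("", line[:m.start()], count=1).strip()
    fields, flags = {}, []
    for tok in line[m.start():].split():
        if "=" not in tok:
            flags.append(tok)
            continue
        key, val = tok.split("=", 1)
        parsed = int(val) if key in _INT_FIELDS and val.isdigit() else val
        if key in fields:
            key += "#2"
        fields[key] = parsed
    proto = str(fields.get("PROTO", ""))
    if proto.isdigit():
        proto = (protocols or FALLBACK_PROTOCOLS).get(int(proto), proto)
    return {"prefix": prefix, "fields": fields, "flags": flags, "proto": proto.lower()}


# Assumption: the "Windows network messages" worth muting are NetBIOS broadcasts.
DEFAULT_NOISE: FrozenSet[Tuple[str, int]] = frozenset({("udp", 137), ("udp", 138)})


def is_noise(rec: dict, ignore: FrozenSet[Tuple[str, int]] = DEFAULT_NOISE) -> bool:
    """True when the record's (protocol, destination port) is on the user's ignore list."""
    return (rec["proto"], rec["fields"].get("DPT")) in ignore


# Constructed sample: a dropped SSH SYN, a NetBIOS broadcast, an IGMP packet, a non-Netfilter line.
SAMPLE_LOG = """\
Jan 28 10:15:32 gw kernel: [ 1234.567890] DROP-IN: IN=eth0 OUT= MAC=00:16:3e:00:00:01:00:16:3e:00:00:02:08:00 SRC=192.0.2.10 DST=198.51.100.5 LEN=60 TOS=0x00 PREC=0x00 TTL=54 ID=4242 DF PROTO=TCP SPT=51234 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
Jan 28 10:15:33 gw kernel: [ 1235.000001] DROP-IN: IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:16:3e:00:00:03:08:00 SRC=198.51.100.77 DST=198.51.100.255 LEN=78 TOS=0x00 PREC=0x00 TTL=128 ID=9 PROTO=UDP SPT=137 DPT=137 LEN=58
Jan 28 10:15:34 gw kernel: [ 1236.100000] DROP-IN: IN=eth0 OUT= MAC=01:00:5e:00:00:01:00:16:3e:00:00:02:08:00 SRC=192.0.2.10 DST=224.0.0.1 LEN=32 TOS=0x00 PREC=0x00 TTL=1 ID=0 DF PROTO=2
Jan 28 10:15:35 gw kernel: [ 1237.000000] usb 1-1: new high speed USB device
"""


def parse_sample() -> List[dict]:
    """Parsed records from SAMPLE_LOG, with non-Netfilter lines dropped."""
    return [r for r in map(parse_netfilter_line, SAMPLE_LOG.splitlines()) if r]


if __name__ == "__main__":
    for rec in parse_sample():
        tag = "noise" if is_noise(rec) else "alert"
        print(tag, rec["prefix"], rec["proto"], rec["fields"].get("SRC"), "->", rec["fields"].get("DPT"))
```

Two details are easy to get wrong: OUT= is legitimately empty on an INPUT-chain record, so the parser keeps empty values instead of dropping the key; and UDP and ICMP records repeat LEN= (ICMP echo also repeats ID=) for the inner header, so a naive dict assignment silently overwrites the IP-level value. Run with python3 to print an alert/noise tag per sample record.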

TrashOverride

9 years ago

just the thing i was looking for.
One question though: it says that /var/log/kernel is not found (and I don't have it). I tried dmesg, messages.1, syslog.1, but none work: when they are loaded nothing is shown...
I'm using Slackware 12, kernel 2.6.23.12, KDE 3.5.7


TrashOverride

9 years ago

Never mind the last one, FIXED.
I used syslog.1 instead of syslog.


pupil

11 years ago

RPM for SLED 10:
http://donnie.110mb.com/downloads.php?cat_id=2

For GPG key, please look at the front page of my site.


pupil

11 years ago

RPM updated to v2.0.2


jstamp

11 years ago

We also have an rpm available on the SourceForge site. Nick compiled that one on Suse 10.1, I think.

Best,
John


nickbattle

11 years ago

Yes, my RPM was built on SUSE 10.1. It's probably very similar to the SLED one though.


papa

11 years ago

Could you tell me the name of the fonts which appear in the setup pictures?


nickbattle

11 years ago

The font in the sample pictures is called "Misc Fixed" (12pt). I don't know where it came from, but I'm using SuSE 10.1 and I believe it came with the distro.

Fixed fonts are nicer for klogwatch because things like IP addresses line up.

HTH,
-nick


EliasP

11 years ago

It would be nice to have remote support included, so I could watch the logfiles on my servers.


nickbattle

11 years ago

Yes, I can see how that would be useful. But I'd need to build some sort of remote protocol into klogwatch - really that should be done "outside".

I've not tried, but it should work via an NFS mount. The program itself only knows about a "file" that contains the logs.


EliasP

11 years ago

I thought about doing this using NFS, too.
But that's too insecure for some environments. Maybe you can find a solution using the KDE kio SSH (fish) implementation.

Regards,

Elias P.


nickbattle

11 years ago

I'll look into this. Presumably it should be possible to set up some sort of ssh tunnel - I just don't know enough about it to say. Thanks for the suggestion anyway.


jstamp

11 years ago

Going through the fish kioslave was my first thought too, but I don't know off the top of my head how well it would work to stat and tail a remote file like that.

How do you currently do remote logging? There's info out there about how to set up syslog or syslog-ng to securely receive remote log events. I haven't tried it, but I suspect that klogwatch would be able to pick up those alerts in that kind of setup.


starseeker

12 years ago

Apologies if this is off topic, but is there any chance this app could support snort's analysis of potential attacks, or in some other fashion alert the user if a potential attack is detected? I'm thinking klogwatch would be the perfect tool to combine with guarddog and whatever other security tools are appropriate and create a clone of the Zonealarm experience. Is this possible?


nickbattle

12 years ago

Technically, this probably would be possible, but it's a very different task to the one KLogWatch is currently doing - at the moment, it is simply displaying intercepted packets. There is no attempt to interpret the packets or look for patterns of activity that might indicate an attack.

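nickbattle's point is that KLogWatch displays intercepted packets and makes no attempt to find patterns in them. To show what the smallest such pattern check looks like, here is an added example (mine, not part of KLogWatch or Snort): a port-scan heuristic that runs over raw Netfilter log lines and flags a source that touches several distinct destination ports inside a short time window. The log lines are constructed; the 60-second window and five-port threshold are arbitrary defaults.

```python
import re
from collections import defaultdict, deque
from datetime import datetime
from typing import Deque, Dict, Iterable, List, Set, Tuple

# syslog timestamp, then SRC= and DPT= somewhere in the Netfilter record
_REC = re.compile(r"^(\w{3} +\d+ \d\d:\d\d:\d\d) .*?\bSRC=(\S+) .*?\bDPT=(\d+)")


def find_port_scans(lines: Iterable[str], window_s: int = 60, min_ports: int = 5) -> Dict[str, List[int]]:
    """Flag sources that hit >= min_ports distinct destination ports within window_s seconds.

    Operates on raw log lines. Lines with no syslog timestamp, SRC= or DPT= (other kernel
    messages, ICMP records) are skipped. The syslog timestamp carries no year, so a window
    straddling New Year is mis-measured; that is a known limit of this heuristic.
    """
    recent: Dict[str, Deque[Tuple[datetime, int]]] = defaultdict(deque)
    flagged: Dict[str, Set[int]] = {}
    for line in lines:
        m = _REC.match(line)
        if not m:
            continue
        ts = datetime.strptime(m.group(1), "%b %d %H:%M:%S")
        src, dport = m.group(2), int(m.group(3))
        q = recent[src]
        q.append((ts, dport))
        while (ts - q[0][0]).total_seconds() > window_s:   # expire records outside the window
            q.popleft()
        ports = {p for _, p in q}
        if len(ports) >= min_ports:
            flagged.setdefault(src, set()).update(ports)
    return {src: sorted(ports) for src, ports in flagged.items()}


def _record(ts: str, src: str, dport: int) -> str:
    """Constructed line in the shape the kernel writes for a dropped TCP SYN."""
    return (f"Jan 28 {ts} gw kernel: [  100.000000] DROP-IN: IN=eth0 OUT= SRC={src} "
            f"DST=198.51.100.5 LEN=40 TOS=0x00 PREC=0x00 TTL=50 ID=1 DF PROTO=TCP "
            f"SPT=40000 DPT={dport} WINDOW=1024 RES=0x00 SYN URGP=0")


PORTS = (21, 22, 23, 25, 80, 443)
SAMPLE_LOG = (
    # six ports from one source in six seconds: a scan
    [_record(f"10:15:{30 + i:02d}", "203.0.113.9", p) for i, p in enumerate(PORTS)]
    # the same six ports two minutes apart: never enough inside one window, not flagged
    + [_record(f"10:{10 + 2 * i:02d}:00", "198.51.100.20", p) for i, p in enumerate(PORTS)]
    # repeated SSH attempts to one port: many hits, one port, not a scan by this heuristic
    + [_record(f"10:15:{31 + i:02d}", "192.0.2.10", 22) for i in range(3)]
    # lines the regex must skip: a non-Netfilter message and an ICMP record with no DPT=
    + ["Jan 28 10:15:40 gw kernel: [  110.000000] usb 1-1: new high-speed USB device",
       "Jan 28 10:15:41 gw kernel: [  111.000000] DROP-IN: IN=eth0 OUT= SRC=192.0.2.10 "
       "DST=198.51.100.5 LEN=84 TTL=54 ID=7 PROTO=ICMP TYPE=8 CODE=0 ID=1234 SEQ=1"]
)


def detect_sample() -> Dict[str, List[int]]:
    """Scan verdict for the constructed sample with the default window and threshold."""
    return find_port_scans(SAMPLE_LOG)


if __name__ == "__main__":
    for src, ports in detect_sample().items():
        print(f"possible port scan from {src}: ports {ports}")
```

The same shape (a per-source sliding window over one parsed field) covers the other cheap signals, for instance many sources hitting one port for a sweep; anything that needs payload or state is what Snort is for.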

mattepiu

12 years ago

Would be great, but this would need merging this project with a firewall configurator (e.g. Kmyfirewall) and could not, however, select which packet to allow "on the fly" (since logging is done on dropped packets...)


huru

13 years ago

Hi, I just installed KLogWatch on my Gentoo today. Compile & install went fine and the program works OK when I start it; however, after a while (I can't tell exactly how long) it seems to stop monitoring. When first started, rejected packets get shown correctly, but then suddenly there's nothing. After a restart, events get detected properly again. Any ideas what might cause that?

And one suggestion: how about adding the possibility to configure which events should trigger a popup (or system tray) alarm? I don't really care about those gazillions of Windows network messages that tend to be blocked :) Then again I guess I could just not log them, but it would be a nice addition anyway. Thanks for a nice piece of software!


nickbattle

13 years ago

Hi,

It shouldn't stop monitoring (of course!). How do you know that it's not monitoring the file - new events not registering? If you run KLogWatch from the command line, and use -d (debug), is there any extra information? You should see a "." printed every time it checks the logfile for new content (the Poll interval).

I like the other idea. How to specify what you do/don't want to see though. Just by port/protocol?


huru

13 years ago

I tried running from the command line with the -d option as you suggested; it looks like the program is still running and sort of monitoring the logfile, i.e. "." gets printed to stdout every second (poll interval set to one second). However, events do not get shown after a certain period. There are no errors or anything printed. I.e. I can ping the host and ping events do get logged in the logfile, but there's no feedback of any kind in klogwatch; it seems it simply won't recognise the event.


nickbattle

13 years ago

OK, I'll try to reproduce it here. To be honest, I might not notice if it stopped monitoring events - these days, you get so many events blocked that I tend to just ignore them all (turn it off, or pause it for 20 minutes).


nickbattle

13 years ago

If it's possible, can you give me a logfile that spans the period when it was working, and includes some packets at the end that are not recognised? If you just tell me the last packet from the log that was found, I can see if there's anything after that (perhaps from another source) that might throw it.

Can you mail it to my home address (the freeuk.com address on my profile here, or in the Help panel of the program)? Gzipped would help - modem I'm afraid :-)


nickbattle

13 years ago

I don't suppose you have log-rotation configured? Some systems have cron jobs that archive old logs, delete very old logs, and start fresh ones every so often.

I'd not thought about this before, but if that happens - so a particular logfile (inode) is no longer being written to - then of course the program wouldn't notice (and I should try to do something about it, like close and re-open the file by name every so often!)


nickbattle

13 years ago

OK, should all be fixed in 1.8.3. The code didn't take account of log-rotation.

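The two comments above explain the 1.8.3 fix: a watcher that keeps a single descriptor open carries on reading the renamed file after logrotate runs and never sees the new one. The Python below is an added example written for this page, not the KLogWatch code: a poll-driven follower that re-stats the path every interval, detects a changed inode or a shrunken file, drains whatever was still unread in the old file and then reopens by name. simulate_rotation() builds a temporary log (constructed content) and walks it through a plain append, a rename rotation, an in-place truncation and a line split across two polls.

```python
import os
import tempfile
from typing import List, Optional, Tuple


class LogFollower:
    """Poll a log file by name, as KLogWatch does, and survive log rotation.

    poll() returns the complete new lines appended since the previous call. Each call
    stat()s the path again before reading: if the (device, inode) pair changed, logrotate
    has moved the old file aside and created a fresh one; if the size is smaller than the
    offset already read, the file was truncated in place (copytruncate). In both cases the
    remainder of the old handle is drained first, then the file is reopened by name and
    read from its start, so lines written around the rotation are not lost.
    """

    def __init__(self, path: str, from_start: bool = False):
        self.path = path
        self.from_start = from_start   # False: like tail -f, skip existing content
        self.fh = None
        self.ident: Optional[Tuple[int, int]] = None
        self.pos = 0                   # bytes consumed from the open handle
        self.partial = b""             # bytes of a line whose newline has not arrived yet
        self.rotations = 0

    def _open(self, from_start: bool) -> bool:
        try:
            st = os.stat(self.path)
            self.fh = open(self.path, "rb")
        except OSError:
            return False
        self.ident = (st.st_dev, st.st_ino)
        self.pos = 0 if from_start else st.st_size
        self.fh.seek(self.pos)
        return True

    def _read_new(self) -> List[str]:
        data = self.fh.read()
        self.pos += len(data)
        lines = (self.partial + data).split(b"\n")
        self.partial = lines.pop()     # b"" when the data ended on a newline
        return [l.decode("utf-8", "replace") for l in lines]

    def poll(self) -> List[str]:
        try:
            st = os.stat(self.path)
        except OSError:                # path missing mid-rotation; retry next interval
            return []
        if self.fh is None:
            return self._read_new() if self._open(self.from_start) else []
        drained: List[str] = []
        if (st.st_dev, st.st_ino) != self.ident or st.st_size < self.pos:
            self.rotations += 1
            drained = self._read_new()  # lines written to the old file just before rotation
            self.partial = b""          # an unterminated tail in the old file is dropped
            self.fh.close()
            self.fh = None
            if not self._open(from_start=True):
                return drained
        return drained + self._read_new()

    def close(self) -> None:
        if self.fh is not None:
            self.fh.close()
            self.fh = None


def _write(path: str, text: str, mode: str = "a") -> None:
    with open(path, mode) as fh:
        fh.write(text)


def simulate_rotation() -> dict:
    """Drive LogFollower through append, rename rotation, truncation and a split line."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "kern.log")
        _write(path, "line1\n", "w")
        f = LogFollower(path, from_start=True)
        seen = [f.poll()]                      # ['line1']
        _write(path, "line2\n")
        seen.append(f.poll())                  # ['line2']
        _write(path, "line3\n")                # written but not yet polled
        os.rename(path, path + ".1")           # logrotate moves the file aside...
        _write(path, "line4\n", "w")           # ...and a fresh file appears under the old name
        seen.append(f.poll())                  # ['line3', 'line4']: old remainder, then new file
        _write(path, "l5\n", "w")              # copytruncate style: same inode, now shorter
        seen.append(f.poll())                  # ['l5']
        _write(path, "lin")                    # half a record
        seen.append(f.poll())                  # []: held back until the newline arrives
        _write(path, "e6\n")
        seen.append(f.poll())                  # ['line6']
        f.close()
        return {"seen": seen, "rotations": f.rotations}


if __name__ == "__main__":
    print(simulate_rotation())
```

One limit a practitioner should know: in-place truncation is only detected by size, so a file truncated and refilled to at least the previous offset between two polls looks like a plain append; a short poll interval (huru's one-second setting) keeps that window small. Pointed at a local file kept full by something like `ssh gateway tail -F /var/log/kern.log >> ~/gw-kern.log`, the same follower is also the "pull the log back and hand it to KLogWatch with -f" arrangement discussed later in the thread, and the inode check covers the file being recreated when that side process is restarted.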

xcallejas

13 years ago

Hi, good work!
Just a question (I don't know if it is a stupid one): I use Linux SmoothWall on my gateway (an old i386) and I really need to monitor the iptables logs, but this box doesn't have any graphics libraries or anything like that.
What can I do to compile this program for this kind of distribution and run it on my X11 Linux desktop via ssh?

Thank you.


nickbattle

13 years ago

Hi Xavier,

KLogWatch just tails a file, so if you can dynamically pull your Netfilter log files back to the graphical machine, KLogWatch will "watch" them for you. I don't know much about ssh and whether it's possible to spool a file continuously between machines like this. Obviously something like an NFS mount should work.

Once you've got the file "coming over", you point KLogWatch at it with the -f option (or use the setup menu to change the monitored file).

You may really want to find a static log analyser - i.e. one which looks at the logs on a regular basis (say every day) rather than dynamically watching the log file? There are other log tools which do this.

HTH,



Version 2.0.3, updated Dec 17 2006; first added Jan 28 2004.