DESCRIPTIONwelf2dlf converts firewall logs in the WebTrends Enhanced Log Format into the firewall DLF.
That format is defined at the following URL: http://www.netiq.com/partners/technology/welf.asp
This converter also supports the SonicWall extensions.
A list of firewall products that supports that format can be found at the following URL: http://www.netiq.com/products/fwr/compatible.asp
IMPLEMENTATION NOTESSince the firewall DLF only supports packet filters, not all records will be mapped to DLF.
Dropped packets messages (those with a field msg=``XXX packet dropped'') will be mapped to denied DLF packet. (As well as all msg=``TCP connection dropped'' records). Those packets will have a length of 0 (that's a limitation of the format which don't log that information on dropped packet).
Messages with a proto= field set will be interpretted as ``permitted'' ``packet''. That's not exactly ``right'' because this message really represent a ``packets flow'' and not a single packet.
Other records will be ignored.
You may use the welf_proxy service in the proxy superservice to extract proxy level information from WELF logs.
EXAMPLESTo process a log as produced by WebTrends:
$ welf2dlf < welf.log
welf2dlf will be rarely used on its own, but is more likely called by lr_log2report:
$ lr_log2report welf < /var/log/welf.log
THANKSMark D. Nagel, for giving feedback and supplying patches.
AUTHORSFrancis J. Lacoste <[email protected]>
VERSION$Id: welf2dlf.in,v 1.14 2006/07/23 13:16:35 vanbaal Exp $
COPYRIGHTCopyright (C) 2001 Stichting LogReport Foundation [email protected]
This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version.
This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.
You should have received a copy of the GNU General Public License along with this program (see COPYING); if not, check with http://www.gnu.org/copyleft/gpl.html.