welf2dlf(1) convert firewall logs in WebTrends Enhanced Log Format to DLF


welf2dlf file


welf2dlf converts firewall logs in the WebTrends Enhanced Log Format into the firewall DLF.

That format is defined at the following URL: http://www.netiq.com/partners/technology/welf.asp

This converter also supports the SonicWall extensions.

A list of firewall products that supports that format can be found at the following URL: http://www.netiq.com/products/fwr/compatible.asp


Since the firewall DLF only supports packet filters, not all records will be mapped to DLF.

Dropped packets messages (those with a field msg=``XXX packet dropped'') will be mapped to denied DLF packet. (As well as all msg=``TCP connection dropped'' records). Those packets will have a length of 0 (that's a limitation of the format which don't log that information on dropped packet).

Messages with a proto= field set will be interpretted as ``permitted'' ``packet''. That's not exactly ``right'' because this message really represent a ``packets flow'' and not a single packet.

Other records will be ignored.

You may use the welf_proxy service in the proxy superservice to extract proxy level information from WELF logs.


To process a log as produced by WebTrends:

 $ welf2dlf < welf.log

welf2dlf will be rarely used on its own, but is more likely called by lr_log2report:

 $ lr_log2report welf < /var/log/welf.log


Mark D. Nagel, for giving feedback and supplying patches.


Francis J. Lacoste <[email protected]>


$Id: welf2dlf.in,v 1.14 2006/07/23 13:16:35 vanbaal Exp $


Copyright (C) 2001 Stichting LogReport Foundation [email protected]

This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version.

This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.

You should have received a copy of the GNU General Public License along with this program (see COPYING); if not, check with http://www.gnu.org/copyleft/gpl.html.