XP Firewall log parsing
The Windows XP SP2 firewall log is located at %windir%\pfirewall.log. Since this log file is compliant with the W3C extended log format, there are several tools you can use to parse it.
a. The first is by a partnership called 2BrightSparks. They have a number of pieces of excellent software, and included in this list is FireLogXP. This software allows you to parse the log file easily to see what is going on.
b. The second is a firewall reader that just makes viewing your logs easier: XP Log reader
c. The Log Parser from the IIS 6 resource kit. This gives you a command-line tool and a COM API you can use to pull information out of your log file using a SQL-like syntax.
NewsSource: Bruce Cowper's Weblog
You can also use the Log Parser from the IIS 6 resource kit to convert the log file from one format to another, including loading it into a database. Using this you could easily build your own tools on the COM API, or get some interesting data out of the log with the command-line tool.
Just an example:
This would give you all of the web sites you've visited that are still in the log, one row per outbound connection. Two caveats: the firewall only writes OPEN records when "Log successful connections" is enabled in the firewall's logging settings, and the filter on action keeps the matching CLOSE records (and any DROP records) from showing up as extra rows. Add dst-port=443 if you also want HTTPS sites:
logparser -i:W3C "select date, time, dst-ip, reversedns(dst-ip) from C:\Windows\pfirewall.log where action='OPEN' and protocol='TCP' and dst-port=80"
This is the same query, but instead of returning the results to the console window it writes them to a CSV file called pfirewall.csv in your working directory. Log Parser names the output file with an INTO clause, which goes between the SELECT list and the FROM clause:
logparser -i:W3C -o:CSV "select date, time, dst-ip, reversedns(dst-ip) into pfirewall.csv from C:\Windows\pfirewall.log where action='OPEN' and protocol='TCP' and dst-port=80"
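If you would rather not depend on Log Parser (or want to run the same analysis on a copied log from a non-Windows box), the format is simple enough to read directly. The script below is an added example, not code from the original post or from Log Parser: it reads the #Fields directive to name the columns, turns "-" placeholders into None, skips truncated lines (common at the end of a log that was copied while the firewall was still writing it), and answers the same "which web sites did this machine visit" question as the query above, with a CSV export to match the -o:CSV invocation. The sample log is constructed in the XP SP2 field layout and is not a real capture; the function names and the --resolve flag are this example's own.

```python
"""Read a Windows XP SP2 firewall log (W3C extended format) and answer the
same question as the Log Parser query above, without Log Parser."""
import csv
import io
import socket
import sys
from collections import Counter

# Constructed sample in the XP SP2 #Fields layout; not a real capture. The
# parser takes its column names from the #Fields directive, so a log with a
# different layout (e.g. an older XP log without the path column) also works.
# The last line is deliberately truncated to show how such lines are handled.
SAMPLE_LOG = """\
#Version: 1.5
#Software: Microsoft Windows Firewall
#Time Format: Local
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path
2005-03-01 09:12:01 OPEN TCP 192.168.1.10 207.46.197.32 1045 80 - - - - - - - - -
2005-03-01 09:12:03 OPEN TCP 192.168.1.10 207.46.197.32 1046 443 - - - - - - - - -
2005-03-01 09:12:05 DROP TCP 10.0.0.5 192.168.1.10 3241 135 48 S 1234567 0 65535 - - - RECEIVE
2005-03-01 09:12:09 OPEN UDP 192.168.1.10 192.168.1.1 1047 53 - - - - - - - - -
2005-03-01 09:12:15 OPEN TCP 192.168.1.10 66.102.7.99 1048 80 - - - - - - - - -
2005-03-01 09:12:20 CLOSE TCP 192.168.1.10 207.46.197.32 1045 80 - - - - - - - - -
2005-03-01 09:12:25 INFO-EVENTS-LOST - - - - - 3 - - - - - - - -
2005-03-01 09:12:3
"""

INT_FIELDS = ("src-port", "dst-port", "size")


def parse_pfirewall(text):
    """Return (records, skipped): one dict per data line keyed by the names in
    the #Fields directive, plus the number of lines whose field count did not
    match the header (truncated or garbled lines are skipped, not guessed at)."""
    fields, records, skipped = None, [], 0
    for raw in io.StringIO(text):
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#"):
            if line.startswith("#Fields:"):
                fields = line.split(":", 1)[1].split()
            continue
        if fields is None:
            raise ValueError("data line before #Fields directive")
        values = line.split()
        if len(values) != len(fields):
            skipped += 1
            continue
        rec = {}
        for name, val in zip(fields, values):
            if val == "-":
                rec[name] = None          # "-" is the W3C 'no value' placeholder
            elif name in INT_FIELDS:
                rec[name] = int(val)
            else:
                rec[name] = val
        records.append(rec)
    return records, skipped


def web_connections(records, ports=(80, 443)):
    """Equivalent of the Log Parser WHERE clause: successful outbound TCP
    connections to web ports. Filtering on OPEN avoids counting the matching
    CLOSE records (and any DROP records) as extra visits."""
    return [r for r in records
            if r["action"] == "OPEN" and r["protocol"] == "TCP"
            and r["dst-port"] in ports]


def visited_hosts(records, ports=(80, 443)):
    """Distinct destination IPs with a connection count, most frequent first."""
    return Counter(r["dst-ip"] for r in web_connections(records, ports)).most_common()


def reverse_dns(ip):
    """Counterpart of Log Parser's REVERSEDNS(): returns the IP unchanged when
    there is no PTR record. Like REVERSEDNS this is a live lookup, so it is slow
    and it tells your resolver which addresses you are investigating."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except OSError:
        return ip


def to_csv(records, columns=("date", "time", "dst-ip", "dst-port")):
    """CSV export of the selected columns, as the -o:CSV invocation produces."""
    buf = io.StringIO()
    writer = csv.writer(buf, lineterminator="\n")
    writer.writerow(columns)
    for r in records:
        writer.writerow(["" if r[c] is None else r[c] for c in columns])
    return buf.getvalue()


if __name__ == "__main__":
    # Pass a path to read a real log (e.g. a copy of %windir%\pfirewall.log);
    # the constructed sample is used otherwise. --resolve does live reverse DNS.
    paths = [a for a in sys.argv[1:] if not a.startswith("--")]
    text = open(paths[0], encoding="utf-8", errors="replace").read() if paths else SAMPLE_LOG
    recs, skipped = parse_pfirewall(text)
    resolve = "--resolve" in sys.argv
    for ip, n in visited_hosts(recs):
        print(f"{ip:16} {n:3}  {reverse_dns(ip) if resolve else ''}")
    print(f"{len(recs)} records parsed, {skipped} malformed line(s) skipped")
    print(to_csv(web_connections(recs)), end="")
```

Run it with no arguments to see the sample, or `python pfirewall_parse.py pfirewall.log --resolve` against a copied log. Because the column names come from the file's own #Fields line, the same script reads logs from later Windows versions that add columns, as long as the columns it selects on keep their names.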