I was sitting at home the other day going through the log files for the Windows XP SP2 firewall (as you do for want of something more stimulating) and thought you might like to know about the utilities I use and have found for parsing these files. Please be aware of the default location & name of the files: c:\windows\pfirewall.log and the fact that by default the logging is turned off, with a default file size of 4MB.
The two programs I have found most useful for stand alone machines are:
The first is by a Partnership called 2BrightSparks. They have a number of pieces of excellent software and included in this list is FireLogXP: http://www.2brightsparks.com/freeware/freeware-hub.html. This software allows you to parse the log file easily to see what is going on.
The second is a firewall reader that just makes viewing your logs easier: XP Log reader http://www.winxpcentral.com/windowsxp/fwlog.php
Lastly I found this software a while ago: ICFMaster http://www.tlhouse.co.uk/LogMeister/icfmeister_info.shtml. It is great as it will collect flogs and perform alerting etc from multiple machines. It is not freeware, but well worth the US$20 fee.
Let us all know if you find or use any other useful tools..
Since the XP firewall log uses the standard W3C log format you can also use the Log Parser from the IIS 6 resource kit (found here: http://www.microsoft.com/downloads/details.aspx?FamilyID=56fc92ee-a71a-4c73-b628-ade629c89499&displaylang=en). This will give you command line tool and a COM API you can use to pull information out of your log file using a SQL like syntax. You can also use it to convert the log file from one format to another including putting it in a database. Using this you could easily make your own tools using the COM API or get some interesting data out of it using the command line tool.
Just an example… This would give you all of the web sites you’ve visited that are still in the log
logparser -i:W3C "select date, time, dst-ip, reversedns(dst-ip) from C:\Windows\pfirewall.log where protocol='TCP' and dst-port=80"
This is the same query but instead of returning the results to the console window it will put the results in a CSV file called pfirewall.csv in your working directory.
logparser -i:W3C -o:CSV "select date, time, dst-ip, reversedns(dst-ip) from C:\Windows\pfirewall.log to pfirewall.csv where protocol='TCP' and dst-port=80"
It’s a fun little tool to play with (I think) so I figured I would share…
THANK YOU FOR POSTING THIS!!