Section: User Manuals (1)
Updated: Aug 2006
klogwatch - Netfilter packet monitor
klogwatch [-d] [-k] [-p] [-f
klogwatch is a simple monitor that watches a file for netfilter log messages.
When a new log message appears, klogwatch will show an "alert" icon in
the System Tray. Hovering over the system tray icon will show the
number of new and total packets logged. Clicking on the icon will
toggle the main window.
The main window offers a number of functions. The central view shows
a list of log entries. Right clicking on the column headers will
allow a user to set which columns to display. Columns may also be
resized, reordered, and sorted to suit the user's needs. These
settings will be remembered on restart.
When a new log entry is detected, it will appear in the list in
boldface. Clicking on an entry or hiding the window will cause the
entry to lose its "new" status.
Double-clicking on an entry will perform a configurable action. This
defaults to resolving the source's hostname.
Right clicking on an entry will allow users to choose among several
actions to perform. Many of these actions will only appear when their
related columns are displayed.
If the standard actions do not suit a user's needs, a user may
configure klogwatch to execute a custom command or script. When the
custom command is run, klogwatch captures stderr and stdout and
displays them as the program executes.
Log entry information is passed to the command as shell environment
variables. The following environment variables are defined:
Contains the date of the packet.
Contains the time of the packet.
Contains the log prefix of the packet, if available.
Contains the incoming interface of the packet.
Contains the outgoing interface of the packet.
Contains the MAC address of the packet.
Contains the protocol string of the packet.
Contains the source IP address of the packet.
Contains the source port of the packet.
Contains the destination IP address of the packet.
Contains the destination port/service of the packet, or the packet
type for ICMP. The port is resolved to a service name via /etc/services
where an entry exists.
Contains the TCP FLAGS set in the packet. These are a concatenated
string of names of the flags from the log. Possible flags are URG ACK
PSH RST SYN and FIN.
Contains the original log message from the watched file.
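As an added example that is not part of klogwatch or this manual, the following Python parser pulls the same fields the variables above describe out of netfilter log lines: date, time, log prefix, interfaces, MAC, protocol, addresses, ports (with the ICMP type standing in for the destination port and the service name looked up where available) and the concatenated TCP flags. The sample log lines, the field names and the injectable service table are assumptions made for the example.

```python
import re
import socket

# Constructed sample syslog lines in netfilter LOG format (made up for this example, not from the page).
SAMPLE_LINES = [
    "Aug 14 22:13:05 gw kernel: FW-DROP: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 "
    "SRC=192.0.2.10 DST=198.51.100.5 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP "
    "SPT=43210 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0",
    "Aug 14 22:13:09 gw kernel: [ 812.4421] FW-DROP: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 "
    "SRC=192.0.2.11 DST=198.51.100.5 LEN=84 TOS=0x00 PREC=0x00 TTL=60 ID=1 PROTO=ICMP TYPE=8 CODE=0 ID=1234 SEQ=1",
]

TCP_FLAGS = ("URG", "ACK", "PSH", "RST", "SYN", "FIN")
# syslog timestamp, host, "kernel:", optional printk timestamp, then the netfilter message itself
SYSLOG_RE = re.compile(r"^(?P<date>\w{3}\s+\d+) (?P<time>\d\d:\d\d:\d\d) \S+ kernel: (?:\[\s*[\d.]+\] )?(?P<rest>.*)$")

def service_name(port, proto, table=None):
    """Resolve a port to a service name (as via /etc/services); fall back to the number."""
    if table is not None:                       # injectable table keeps the example offline-testable
        return table.get((int(port), proto.lower()), str(port))
    try:
        return socket.getservbyport(int(port), proto.lower())
    except (OSError, ValueError):
        return str(port)

def parse_netfilter_line(line, services=None):
    """Return the fields klogwatch exposes for one log line, or None if it is not a netfilter message."""
    m = SYSLOG_RE.match(line)
    if not m or "IN=" not in m.group("rest"):
        return None
    prefix, _, body = m.group("rest").partition("IN=")   # everything before IN= is the --log-prefix
    fields, flags = {}, []
    for tok in ("IN=" + body).split():
        if "=" in tok:
            key, _, val = tok.partition("=")
            fields.setdefault(key, val)       # ICMP lines repeat ID=; keep the IP header's value
        elif tok in TCP_FLAGS:                # bare tokens such as DF are not TCP flags
            flags.append(tok)
    proto = fields.get("PROTO", "")
    if proto == "ICMP":                       # ICMP has no port: expose the ICMP type instead
        dpt = fields.get("TYPE", "")
    else:
        dpt = service_name(fields["DPT"], proto, services) if "DPT" in fields else ""
    return {"date": m.group("date"), "time": m.group("time"), "prefix": prefix.strip(),
            "in": fields.get("IN", ""), "out": fields.get("OUT", ""), "mac": fields.get("MAC", ""),
            "proto": proto, "src": fields.get("SRC", ""), "spt": fields.get("SPT", ""),
            "dst": fields.get("DST", ""), "dpt": dpt, "flags": "".join(flags), "raw": line}
```

Lines that are kernel messages but not netfilter output (no IN= field) are skipped, which is the same filtering a watcher of a shared kernel log needs.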
-d
Debug. This option prevents klogwatch from running in the background.
It will display the main window and produce a trace of the program's
actions on standard output.
-f logfile
Log File. This option selects which file to monitor for iptables log
entries. This option overrides and updates the logfile in the setup
dialog.
-k
Kill klogwatch. This option causes a running klogwatch to quit. This
is also useful to run at the end of an online session.
-p
Popup a window. This option causes a running klogwatch to popup the
main window even though a new log entry was not detected. This is
useful at the end of a session to review intercepted log entries.
The user's configuration file. The file is modified by the Setup
options are used, klogwatch will exit with code 0 if the request
succeeded or 1 otherwise. Klogwatch is a KUniqueApplication, so it
will exit with code 0 if the
option is used and there is already an instance running.
Klogwatch can identify when a log-rotation occurs (see logrotate (8)),
and continues to monitor the file as long as the name of the latest
file does not change. Alternative log rotation systems, which change
the name of the latest file, cannot be monitored past a log rotation.
Report other bugs to the current maintainer.