klogwatch logoKLogWatch


Section: User Manuals (1)
Updated: Aug 2006


klogwatch - Netfilter packet monitor


klogwatch [-d] [-k] [-p] [-f logfile ]


klogwatch is a simple monitor that watches a file for netfilter log messages. When a new log message appears, klogwatch will show an "alert" icon in the System Tray. Hovering over the system tray icon will show the number of new and total packets logged. Clicking on the icon will toggle the main window. The main window offers a number of functions. The central view shows a list of log entries. Right clicking on the column headers will allow a user to set which columns to display. Columns may also be resized, reordered, and sorted to suit the user's needs. These settings will be remembered on restart. When a new log entry is detected, it will appear in the list in boldface. Clicking on an entry or hiding the window will cause the entry to lose its "new" status. Double-clicking on an entry will perform a configurable action. This defaults to resolving the source's hostname. Right clicking on an entry will allow users choose among several actions to perform. Many of these actions will only appear when their related columns are displayed.

Custom Actions

If the standard actions do not suit a user's needs, a user may configure klogwatch to execute a custom command or script. When the custom command is run, klogwatch captures stderr and stdout and displays them as the program executes. Log entry information is passed to the command as shell environment variables. The following environment variables are defined:
Contains the date of the packet.
Contains the time of the packet.
Contains the log prefix of the packet, if available.
Contains the incoming interface of the packet.
Contains the outgoing interface of the packet.
Contains the MAC address of the packet.
Contains the protocol string of the packet.
Contains the source IP address of the packet.
Contains the source port of the packet.
Contains the destination IP address of the packet.
Contains the destination port/service of the packet, or the packet type for ICMP. This is interpreted using /etc/services to a service name where available.
Contains the TCP FLAGS set in the packet. These are a concatenated string of names of the flags from the log. Possible flags are URG ACK PSH RST SYN and FIN.
Contains the original log message from the watched file.


Debug. This option prevents klogwatch from running in the background. It will display the main window and produce a trace of the program's actions on standard output.
-f logfile
Log File. This option selects which file to monitor for iptables log entries. This option overrides overrides and updates the logfile in the setup dialog.
Kill klogwatch. This option causes a running klogwatch to quit. This is also useful to run at the end of an online session.
Popup a window. This option causes a running klogwatch to popup the main window even though a new log entry was not detected. This is useful at the end of a session to review intercepted log entries.


The user's configuration file. The file is modified by the Setup dialog.


If the -p, or -k options are used, klogwatch will exit with code 0 if the succeeded or 1 otherwise. Klogwatch is a KUniqueApplication, so it will exit with code 0 if the -f option is used and there is already an instance running.


iptables (8), logrotate (8)


Klogwatch can identify when a log-rotation occurs (see logrotate (8)), and continues to monitor the file as long as the name of the latest file does not change. Alternative log rotation systems, which change the name of the latest file, cannot be monitored past a log rotation. Report other bugs to the current maintainter.