AuditViewer

The AuditViewer application is based on the web-audit package (see org.jwall.web.audit for details). It provides a simple cross-platform interface for reviewing audit-log data and includes several utilities for handling audit events.

Features

Currently the AuditViewer can load audit events from a wide range of sources, including serial and concurrent log files. Simple access logs can be viewed as well, with some restrictions because they lack much of the information an audit log carries.

For convenience, selected events can be extracted and saved separately. They can also be obfuscated and copied to the clipboard, which makes it easy to send a request to the user list or elsewhere for discussion without releasing any sensitive information (server names, IP addresses, authorization data).
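As an added example (not code from AuditViewer or the web-audit package), the following Python sketch shows the kind of masking the obfuscation feature performs on a ModSecurity 2.x serial audit-log entry: IP addresses are replaced consistently with documentation-range placeholders, named hosts are renamed, and credential-carrying headers are redacted, while the section markers stay intact so the entry remains parseable. The sample entry, the host list and the function names are constructed for this illustration.

```python
import re
from typing import Dict, Tuple

# Constructed sample of a ModSecurity 2.x serial audit-log entry (not a real capture).
SAMPLE_ENTRY = """--3f1a2b4c-A--
[10/Oct/2023:13:55:36 +0200] ZSdfQ8CoAQEAAA1234567 203.0.113.7 54321 198.51.100.9 443
--3f1a2b4c-B--
GET /login?user=bob HTTP/1.1
Host: intranet.corp.example
Authorization: Basic Ym9iOnMzY3JldA==
Cookie: PHPSESSID=abc123
User-Agent: curl/7.68.0

--3f1a2b4c-H--
Message: Warning. Pattern match "bob" at ARGS:user. [hostname "intranet.corp.example"]
--3f1a2b4c-Z--
"""

IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
# Headers whose values are credentials or session tokens; their value is dropped entirely.
SENSITIVE_HEADERS = ("authorization", "proxy-authorization", "cookie", "set-cookie")


def obfuscate(entry: str, hosts: Tuple[str, ...]) -> Tuple[str, Dict[str, str]]:
    """Mask IPs, the given host names and credential headers in one audit-log entry.

    IPs are replaced consistently (same address -> same placeholder from the
    192.0.2.0/24 documentation range), so client/server relations survive.
    The IP mapping is returned for the log owner's own correlation and must
    not be shared together with the masked entry.
    """
    mapping: Dict[str, str] = {}

    def ip_placeholder(m: re.Match) -> str:
        ip = m.group(0)
        if ip not in mapping:
            mapping[ip] = f"192.0.2.{len(mapping) + 1}"
        return mapping[ip]

    out = []
    for line in entry.splitlines():
        name, sep, _ = line.partition(":")
        if sep and name.strip().lower() in SENSITIVE_HEADERS:
            line = f"{name}: [REDACTED]"          # keep the header, drop its value
        line = IP_RE.sub(ip_placeholder, line)    # also covers the A section and H messages
        for i, host in enumerate(hosts, 1):
            line = line.replace(host, f"host{i}.example")
        out.append(line)
    # Section markers (--id-A-- ... --id-Z--) are untouched, so the result still parses.
    return "\n".join(out) + "\n", mapping
```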

A special feature is Event Re-Injection, which allows recorded audit events to be sent to the server again. This is especially helpful if you are debugging or adjusting a ModSecurity ruleset: Re-Injection lets you test your rules against specific events while you adjust the ruleset. Events can also be manipulated before being sent to the server, which allows for even more flexible testing of rulesets.

  • Read audit files (serial logs of ModSecurity 1.x, 2.x, concurrent audit logs)
  • Re-inject audit events to a specific server (for easy debugging of ModSecurity rulesets)
  • Manipulation of events before re-injection
  • Obfuscating audit events to files or the clipboard
  • Session view (heuristic IP-based or session-id based session tracking)
  • Tree View for alert browsing
  • Table customization

There are several additional features planned for upcoming releases. If you are missing features that you would like to see included in the AuditViewer application, just let me know via e-mail: chris (at) jwall.org.

Download

The binary distribution of the AuditViewer is an easy-to-run Java archive that defines a Main-Class and can therefore be started by double-clicking it or by using the -jar option of your JVM as described below. The jar archive of the AuditViewer (current version is 0.3.4) is about 1400k in size and can be downloaded at:

For details about the signed releases see the section code signing on the security page.

Running

On most systems the viewer can be run by simply double-clicking the archive (Windows, Linux?). If double-clicking does not work, the jar archive can be run by issuing:

   java -jar AuditViewer-0.3.4.jar

Once the viewer has started, audit-log files can be loaded into its table view. The events can be grouped into sessions using either a heuristic session tracker (based on IP address and User-Agent) or a cookie-based one. Most of the actions that can be performed on audit events are available by right-clicking any event in the table.

Changes in 0.3.4

  • Internal changes to web-audit library integrated
  • Generic table column mapping editor
  • First implementation of TreeView

Changes in 0.3.3c

  • Update of web-audit library to 0.2.15, fixing some more parser bugs
  • Fixed an issue when saving events to disk (thanks to Andreas for reporting)
  • Preparation for customized table columns (internally, will be part of the next release)
  • Some more code-cleanup, documentation

See Change-History for a list of changes in older versions.

Source Code & Building

As interest in the AuditViewer source code is considerably small, I will no longer provide zip archives of the source. People interested in building AuditViewer on their own can still access the source via my public Subversion repository.

The AuditViewer repository is available at

https://secure.jwall.org/svn/org.jwall.web.audit.viewer/

and includes the current development branch (found in the trunk/ folder) as well as releases tagged by version number, which can be found in the branches/ folder within the repository.

Checking out the source and building AuditViewer then simply requires a recent Subversion client and the ant build tool. The first step is to check out the sources using

   svn co https://secure.jwall.org/svn/org.jwall.web.audit.viewer/branches/0_3_3c \
       AuditViewer-0.3.3c

which will cause the svn tool to download the 0.3.3c release into a local directory called AuditViewer-0.3.3c.

After checkout, building AuditViewer should be straightforward by simply using ant:

   cd AuditViewer-0.3.3c
   ant dist

This will compile the sources and create an AuditViewer distribution file called AuditViewer-0.3.3c.jar within the directory where ant has been started.

License

So far the AuditViewer is put under the GNU Public License (GPL). If you're interested in using the library within a closed-source environment, then feel free to contact me at chris (at) jwall.org.