AuditViewer

The AuditViewer application is based on the web-audit package (see org.jwall.web.audit for details). It provides a simple cross-platform interface for reviewing audit-log data and features several utilities for handling audit-events.

Features

Currently the AuditViewer can load audit-events from a wide range of sources, including serial and concurrent log-files. Simple access logs can be viewed, too, with some restrictions due to the information they lack.

For convenience, selected events can simply be extracted and saved separately. They can also be obfuscated and copied to the clipboard, which simplifies sending a request to the user-list or other places for discussion without releasing any sensitive information (server-names, IP addresses, authorization).

A special feature is the Event Re-Injection, which allows recorded audit-events to be sent to the server again. This is especially helpful if you are debugging or adjusting a ModSecurity ruleset: Re-Injection lets you test your rules on specific events while adjusting the ruleset. Events can also be manipulated before being sent to the server, which allows for even more flexible testing of rulesets.

  • Read audit files (serial logs of ModSecurity 1.x, 2.x, Concurrent audit-logs)
  • Re-inject audit-events to a specific server (for simple debugging of ModSecurity rulesets)
  • Manipulation of events before re-injection
  • Obfuscating audit-events to files or the clipboard
  • Session view (heuristic IP-based or session-id based session tracking)

There are several additional features planned for upcoming releases. If you are missing features that you would like to see included in the AuditViewer application, just let me know via e-mail: chris (at) jwall.org.
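As an added illustration of the obfuscation feature described above (example code written for this page, not part of AuditViewer or the web-audit library), the following Python parses one ModSecurity 2.x serial audit-log event, pseudonymises IP addresses and the Host header through shared mappings so that related events stay correlatable, and replaces Authorization and Cookie values outright. The event id, hostname, addresses and credentials in the sample are constructed.

```python
import re
# Constructed sample of one ModSecurity 2.x serial audit-log event (not real traffic).
SAMPLE = """--c7036611-A--
[14/Jul/2008:12:26:12 +0200] Ss7jdsfh8sAAAA 192.168.1.10 51234 10.0.0.5 80
--c7036611-B--
GET /index.php?id=1 HTTP/1.1
Host: www.example.org
Authorization: Basic dXNlcjpwYXNz
User-Agent: Mozilla/5.0
--c7036611-Z--
"""
BOUNDARY = re.compile(r"^--([0-9a-fA-F]+)-([A-Z])--$", re.M)
IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
REDACT = ("authorization", "proxy-authorization", "cookie")  # replaced outright, never mapped

def parse_serial_log(text):
    """Split a serial audit log into events: {'id': ..., 'sections': {letter: body}}."""
    events, current = [], None
    parts = BOUNDARY.split(text)  # [preamble, id, letter, body, id, letter, body, ...]
    for i in range(1, len(parts), 3):
        eid, letter, body = parts[i], parts[i + 1], parts[i + 2]
        if current is None or current["id"] != eid:
            current = {"id": eid, "sections": {}}
            events.append(current)
        if letter != "Z":  # Z carries no data, it only terminates the event
            current["sections"][letter] = body.strip("\n")
    return events

def obfuscate(event, ip_map, host_map):
    # Shared ip_map/host_map keep one placeholder per real value across all events.
    def ip_sub(m):  # placeholders come from TEST-NET-1 (192.0.2.0/24), reserved for documentation
        return ip_map.setdefault(m.group(0), f"192.0.2.{len(ip_map) + 1}")
    out = {"id": event["id"], "sections": {}}
    for letter, body in event["sections"].items():
        body = IPV4.sub(ip_sub, body)  # covers section A and e.g. X-Forwarded-For in B
        if letter == "B":  # request line first, then the request headers
            req_line, *headers = body.split("\n")
            for n, line in enumerate(headers):
                name, sep, value = line.partition(":")
                key = name.strip().lower()
                if sep and key == "host":
                    headers[n] = f"{name}: {host_map.setdefault(value.strip(), f'host-{len(host_map) + 1}')}"
                elif sep and key in REDACT:
                    headers[n] = f"{name}: [redacted]"
            body = "\n".join([req_line, *headers])
        out["sections"][letter] = body
    return out

def serialize(event):  # write the event back in serial format, ready to share or re-load
    text = "".join(f"--{event['id']}-{l}--\n{b}\n" for l, b in event["sections"].items())
    return text + f"--{event['id']}-Z--\n\n"
```

Feeding the same ip_map and host_map to every event of a log keeps the pseudonyms stable, so IP-based session grouping still works on the obfuscated copy.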

Download

There is a new version of the AuditViewer available which also supports the new ModSecurity 2.5.x format containing the K section. (This section can be used to display the list of rules which have been fired upon a request.)

Binary Release

The binary distribution of the AuditViewer is an easy-to-run Java archive which defines a Main-Class and can thus be started by double-clicking it or by using the -jar option of your JVM as described below. The jar-archive of the AuditViewer (current version is 0.3.3) is about 777k in size and can be downloaded at: For details about the signed releases, see the section on code signing on the security page.

Development Branch

There is a developer-release based on the current development branch, which is in active development and may thus not be fully stable (the cutting-edge release may be a bit overthrilling): This release adds some convenient features, such as easily navigating events within their session-context by moving forward and backward in time.

Changes since 0.3.2

  • Incorporation of the web-audit library 0.2.13, fixing some parser bugs
  • Restructuring of internal architecture for easier i18n support
  • This release internally uses the XStream library which makes it a little bigger (777k)

Changes since 0.3

  • Includes injection with HTTPS (in testing phase - comments/suggestions welcome!)
  • Parsing of audit events without a final response header

Source Code

The source code is also available: For building AuditViewer, simply extract the sources and run the provided Ant build file:
   unzip AuditViewer-0.3-src.zip
   cd org.jwall.web.audit.viewer
   ant
This will build the AuditViewer-0.3.jar archive.

Running

On most systems the viewer can be run by simply double-clicking the archive (Windows, Linux?). If double-clicking does not work, the jar-archive can be run by issuing:
   java -jar AuditViewer.jar
After the viewer has been started, audit-log files can be loaded into its table view. These can be grouped into sessions using either a heuristic session-tracker (IP+UserAgent based) or a Cookie-based one. Most of the actions available for audit-events can be reached by right-clicking any of the events in the table.

License

So far the AuditViewer is put under the GNU Public License (GPL). If you're interested in using the library within a closed-source environment, feel free to contact me at chris (at) jwall.org.
$Id: viewer.jsp 38 2008-07-14 12:26:12Z chris $