jess LAND
        Sponsored by:       
One eSecurity
JISK Knowledgebase >>    About    News    Essentials    Architecture    FWs    IDS/IPS    Honeypots    Malware    Forensics   
  +  JSS Home    Projects    JSS Community    Events    News    Docs    About    Contact .

JISK > IDS IPS > Log Analysis > Tools IDS_IPS Section Map

Log Analysis, SIM & SEM Tools

Content Leader: Jess Garcia - Last Updated: October 19, 2007

Windows Event Log / Syslog


Clients / Agents

  • Lasso - Windows-based open source software designed to collect Windows event logs, including custom application logs, and provide central collection and transport of Windows log data via TCP syslog to any syslog-NG compatible log receivers.
  • Winlogd - Syslog client for Windows that allows the Event Log to talk to syslog.
  • Snare Agent for Windows - Event logs from the Security, Application and System logs, as well as the new DNS, File Replication Service, and Active Directory logs are converted to text format, and delivered to a remote Snare Server, or to a remote Syslog server with configurable and dynamic facility and priority settings.
  • Monitorware EventReporter - It forwards Syslog messages to a central Syslog server.
  • evtsyslog - Windows syslog client
  • NTsyslog - Windows syslog client (although functional in most Windows platforms, its seems discontinued).

Event Log Readers

  • GrokEVT - Collection of python scripts built for reading Windows® NT/2K/XP/2K3 event log files.


  • Kiwi Log Tools - Set of syslog and event log related tools (daemon, viewer, etc.)

Logging - Advanced / Remote / Centralized

  • msyslog -
  • sdscsyslog - Modern reliable replacement for syslogd. It supports the new syslog protocols (RFC 3195) providing support for reliable delivery as well as the older UDP base protocol for backwards compatability.
  • syslog-ng - Provides a centralised, securely stored log of all devices on your network, filtering based on message content, customisable data mining and analysis capabilities, etc. The premium version includes a Windows agent.

Manual Log Analysis

Automated Log Analysis, Correlation & SEM/SIM

Open Source

  • LoGS -
  • Logias -
  • LogMonitor -
  • Logrep-
  • newlogcheck -
  • openSIMS - OpenSIMS ties together NMap, Snort, and other open source tools into a Security Infrastructure Management System.
  • Php-syslog-ng -
  • SEC - (Simple Event Correlador).
  • Splunk - Splunk indexes and links together ALL of the data constantly being logged by ANY service, application or device within your data center, regardless of source or format.
  • Sisyphus - Machine-learning analysis system which enables content-novice analysts to efficiently understand evolving trends, identify anomalies, and investigate cause-effect hypotheses in large multiple-source event log sets.
  • swatch -


  • ArcSight
  • CA - eTrust Security Command Center
  • Cisco SIMS
  • Consul
  • eIQ Enterprise Security Analyzer
  • GuardedNet
  • IBM TSOM - Tivoli Security Operations Management Platform
  • Intellitactics
  • LogICA
  • LogLogic
  • MicroMouse
  • NetForensics
  • NetIQ
  • RSA Envision (formerly Network Intelligence)
  • Novell Sentinel (formerly eSecurity)
  • OpenService Security Management Center
  • Q1 Labs QRadar
  • Quest InTrust
  • Sawmill
  • S21Sec - Bitácora
  • SenSage SIM
  • Symantec Security Information Manager
  • Tenable Security Center
  • Trigeo

Firewall Log Analysis

  • fwanalog - Shell script that parses and summarizes firewall logfiles.
  • fwLOGview - Graphical logviewer for firewalls. Supports Linux netfilter/iptables, CISCO PIX, *BSD ipfilter and Fortigate.
  • fwlogwatch - Packet filter / firewall / IDS log analyzer which supports a lot of log formats and has many analysis options.
  • hatchet - Log parsing and viewing utility for OpenBSD's PF
  • IPTables log analyzer - Displays Linux 2.4 iptables logs (rejected, acepted, masqueraded packets...) in a nice HTML page (it support rough netfilter logs but also Shorewall and Suse Firewall logs).
  • PSAD - Collection of three lightweight system daemons (two main daemons and one helper daemon) that run on Linux machines and analyze Netfilter log messages to detect port scans and other suspicious traffic.
  • ScanAlert - Analyzes iptables log entries in real time and report detected port scans to syslogd.
  • wflogs - Firewall log analysis tool. It can be used to produce a log summary report in plain text, HTML and XML, or to monitor firewalling logs in real-time.

Web Log Analysis

  • Arania - Tool to analize your web logs searching for remote code inclusion, and download de code, hash it for future analysis.

Copyright © 2000-2008 Jessland - Jess Garcia's Website - All rights reserved.