The AuditViewer application is based on the web-audit package (see org.jwall.web.audit for details). It provides a simple cross-platform interface for reviewing audit-log data and features several utilities for handling audit-events.
Features
Currently the AuditViewer can be used to load audit-events from a wide range of sources, including serial and concurrent log-files. With some restrictions due to the information missing from simple access logs, these can be viewed, too. For convenience, selected events can be extracted and saved separately. They can also be obfuscated and copied to the clipboard, which simplifies sending a request to the user-list or other places for discussion without releasing any sensitive information (server-names, IP addresses, authorization). A special feature is the Event Re-Injection, which allows recorded audit-events to be sent to the server again. This is especially helpful if you are debugging or adjusting a ModSecurity ruleset: Re-Injection enables you to test your rules on specific events while adjusting your ruleset. Events can also be manipulated before being sent to the server, which allows for even more flexible testing of rulesets.
- Read audit files (serial logs of ModSecurity 1.x, 2.x, Concurrent audit-logs)
- Re-inject audit-events to a specific server (for simply debugging ModSecurity rulesets)
- Manipulation of events before re-injection
- Obfuscating audit-events to files or the clipboard
- Session view (heuristic IP-based or session-id based session tracking)
- Tree View for Alert Browsing
- Table Customization
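The obfuscation step described above can be illustrated with a short sketch. This is an added example, not AuditViewer's or the web-audit library's own code; the sample event, the placeholder scheme (ip-1, host-1, [removed]) and the function names are assumptions made for illustration. It masks server names, IP addresses and authorization data in one serial-format event while keeping repeated values mapped to the same placeholder, so the event can still be discussed.

```python
import re

# Constructed sample event in the ModSecurity 2.x serial audit-log layout
# (section A = audit header, B = request headers, Z = end of event).
SAMPLE_EVENT = """\
--a1b2c3d4-A--
[10/Mar/2009:12:00:01 +0100] SbYxxxEAAAEAAAxxAAA 203.0.113.7 51234 192.0.2.10 80
--a1b2c3d4-B--
GET /admin/index.php?id=1 HTTP/1.1
Host: intranet.example.org
User-Agent: Mozilla/5.0
Authorization: Basic dXNlcjpzZWNyZXQ=
Cookie: JSESSIONID=0123456789ABCDEF
Referer: http://intranet.example.org/login?from=203.0.113.7

--a1b2c3d4-Z--
"""

IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
HOST = re.compile(r"(?im)^Host:\s*([^\s:]+)")
# Headers whose values are credentials or session tokens: drop the value entirely.
SECRET_HEADERS = {"authorization", "proxy-authorization", "cookie", "set-cookie"}


def pseudonym(kind, value, table):
    """Return a stable placeholder (ip-1, host-1, ...) for each distinct value."""
    key = (kind, value.lower())
    if key not in table:
        table[key] = f"{kind}-{sum(k[0] == kind for k in table) + 1}"
    return table[key]


def obfuscate_event(text):
    """Mask server names, IP addresses and authorization data in one event."""
    table = {}
    hosts = set(HOST.findall(text))
    out = []
    for line in text.splitlines():
        name, sep, _ = line.partition(":")
        if sep and name.strip().lower() in SECRET_HEADERS:
            out.append(f"{name}: [removed]")
            continue
        for host in hosts:  # replace the server name wherever it is echoed
            line = re.sub(re.escape(host), pseudonym("host", host, table), line, flags=re.I)
        out.append(IPV4.sub(lambda m: pseudonym("ip", m.group(0), table), line))
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    print(obfuscate_event(SAMPLE_EVENT))
```

The IPv4 pattern is deliberately broad, so dotted version strings with four numeric parts are masked as well; for sharing logs publicly, over-masking is the safer failure mode.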
-jar option of your JVM as described below. The jar-archive of the AuditViewer (current version is 0.3.4) is about 1400k in size and can be downloaded at: code signing on the security page.
On most systems the viewer can be run by simply double-clicking the archive (Windows, Linux?). If double-clicking does not work, the jar-archive can be run by issuing:
java -jar AuditViewer-0.3.4.jar
After the viewer has been started, audit-log files can be loaded into its table view. The events can be grouped into sessions using either a heuristic session-tracker (IP+UserAgent based) or a Cookie-based one. Most of the actions that can be performed on audit-events are available by right-clicking any of the events in the table.
Changes in 0.3.4
- Internal changes to web-audit library integrated
- Generic table column mapping editor
- First implementation of TreeView
Changes in 0.3.3c
- Update of web-audit library to 0.2.15, fixing some more parser bugs
- Fixed an issue when saving events to disk (thanks to Andreas for reporting)
- Preparation for customized table columns (internally, will be part of the next release)
- Some more code-cleanup, documentation
Source Code & Building
As the interest in AuditViewer source-code is considerably small, I will not provide any zip-archives of the source any more. People interested in building AuditViewer on their own still have the option to access the source via my public Subversion repository.
The AuditViewer repository is available at
trunk/-folder) as well as releases which are tagged by version number. These can be found in the
branches/-folder within the repository.
Checking out the source and building AuditViewer then simply requires a recent subversion tool and the
The first step is to check out the sources using
svn co https://secure.jwall.org/svn/org.jwall.web.audit.viewer/branches/0_3_3c \
    AuditViewer-0.3.3c
which will cause the svn tool to download the 0.3.3c release into a local directory called
After check out, building AuditViewer should be straight-forward by simply using
cd AuditViewer-0.3.3c
ant dist
This will compile the sources and create an AuditViewer distribution file called AuditViewer-0.3.3c.jar within the directory where ant has been started.