nickbattle

Nick Battle , United Kingdom
KLogWatch

System Software 32 comments

Score 50.0%
Dec 17 2006
Yes, my RPM was built on SUSE 10.1. It's probably very similar to the SLED one though. - Oct 01 2006
The font in the sample pictures is called "Misc Fixed" (12pt). I don't know where it came from, but I'm using SuSE 10.1 and I believe it came with the distro.

Fixed fonts are nicer for klogwatch because things like IP addresses line up.

HTH,
-nick - Aug 03 2006
I'll look into this. Presumably it should be possible to set up some sort of ssh tunnel - I just don't know enough about it to say. Thanks for the suggestion anyway. - Jul 26 2006
Yes, I can see how that would be useful. But I'd need to build some sort of remote protocol into klogwatch - really that should be done "outside".

I've not tried, but it should work via an NFS mount. The program itself only knows about a "file" that contains the logs. - Jul 26 2006
Technically, this probably would be possible, but it's a very different task to the one KLogWatch is currently doing - at the moment, it is simply displaying intercepted packets. There is no attempt to interpret the packets or look for patterns of activity that might indicate an attack. - Dec 20 2004
OK, should all be fixed in 1.8.3. The code didn't take account of log-rotation. - Dec 03 2004
I don't suppose you have log-rotation configured? Some systems have cron jobs that archive old logs, delete very old logs, and start fresh ones every so often.

I'd not thought about this before, but if that happens - so a particular logfile (inode) is no longer being written to - then of course the program wouldn't notice (and I should try to do something about it, like close and re-open the file by name every so often!) - Nov 16 2004
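The close-and-reopen idea in the comment above, worked through as an added example that is not KLogWatch's code: a small Python tailer (a constructed stand-in for the -f file monitor) checks the inode and size of the monitored path on every poll and re-opens it by name after a logrotate rename or a truncation, so events after the rotation are still seen. The path, the log lines and the rotation scenario are constructed; a Linux/POSIX filesystem with stable inode numbers is assumed.

```python
import os, pathlib, tempfile
# Tail a log by name; re-open when the name maps to a new inode (rename) or the file shrank (copytruncate).
class LogFollower:
    def __init__(self, path):
        self.path, self.fh, self.inode, self.pos = path, None, None, 0

    def _open(self):
        try:
            self.fh = open(self.path, "rb")
        except FileNotFoundError:   # rotation in progress: retry next poll
            return False
        self.inode, self.pos = os.fstat(self.fh.fileno()).st_ino, 0
        return True

    def _read_new(self):
        self.fh.seek(self.pos)
        data = self.fh.read()
        cut = data.rfind(b"\n") + 1  # hand back complete lines only
        self.pos += cut
        return data[:cut].decode("utf-8", "replace").splitlines()

    def poll(self):  # call once per poll interval
        if self.fh is None and not self._open():
            return []
        try:
            st = os.stat(self.path)
            rotated = st.st_ino != self.inode or st.st_size < self.pos
        except FileNotFoundError:   # renamed away, new file not yet created
            rotated = True
        lines = self._read_new()    # always drain the inode we still hold
        if rotated:
            self.fh.close()
            self.fh = None
            lines += self._read_new() if self._open() else []
        return lines

def simulate_rotation():
    """Constructed scenario: poll, rotate by rename, poll, append, poll."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "firewall.log")
        pathlib.Path(path).write_bytes(b"kernel: IN=eth0 SRC=192.0.2.10 DPT=22\n")
        follower = LogFollower(path)
        batches = [follower.poll()]
        os.rename(path, path + ".1")  # what logrotate does, then a fresh file
        pathlib.Path(path).write_bytes(b"kernel: IN=eth0 SRC=192.0.2.11 DPT=23\n")
        batches.append(follower.poll())
        with open(path, "ab") as f:   # later events land in the new inode
            f.write(b"kernel: IN=eth0 SRC=192.0.2.12 DPT=80\n")
        batches.append(follower.poll())
        return batches
```

A tailer that only ever reads from the descriptor it opened first returns nothing for the second and third batches here, which is exactly the silent stop described above.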
If it's possible, can you give me a logfile that spans the period when it was working, and includes some packets at the end that are not recognised? If you just tell me the last packet from the log that was found, I can see if there's anything after that (perhaps from another source) that might throw it.

Can you mail it to my home address (the freeuk.com address on my profile here, or in the Help panel of the program). Gzipped would help - modem I'm afraid :-) - Nov 16 2004
OK, I'll try to reproduce it here. To be honest, I might not notice if it stopped monitoring events - these days, you get so many events blocked that I tend to just ignore them all (turn it off, or pause it for 20 minutes). - Nov 15 2004
Hi,

It shouldn't stop monitoring (of course!). How do you know that it's not monitoring the file - new events not registering? If you run KLogWatch from the command line, and use -d (debug), is there any extra information? You should see a "." printed every time it checks the logfile for new content (the Poll interval).

I like the other idea. How to specify what you do/don't want to see though. Just by port/protocol? - Nov 14 2004
Hi Xavier,

KLogWatch just tails a file, so if you can dynamically pull your Netfilter log files back to the graphical machine, KLogWatch will "watch" them for you. I don't know much about ssh and whether it's possible to spool a file continuously between machines like this. Obviously something like an NFS mount should work.

Once you've got the file "coming over", you point KLogWatch at it with the -f option (or use the setup menu to change the monitored file).

You may really want to find a static log analyser - i.e. one which looks at the logs on a regular basis (say every day) rather than dynamically watching the log file? There are other log tools which do this.

HTH, - Sep 03 2004
OK, fixed in version 1.8.2.

Cheers,
-nick - Aug 19 2004
It looks like you've spotted a problem with the way newer versions of KDE parse their command line arguments. I've sent you a suggested patch by email. If that works, let me know and I'll issue 1.8.2.

Thanks for telling me about this. - Aug 16 2004
OK, all fixed now. Should compile on all distros (that I know of!) and the nasty SIGABRT problem on Mandrake is fixed too - it was because on Mandrake 10, the default /var/log/kernel location is a directory when the program was expecting it to be a regular file. - May 10 2004
It appears the KLogWatch autoconf system isn't smart enough to figure out the KDE/Qt lib and include directories on some distributions - particularly Fedora, Debian and Mandrake.

These will be fixed in release 1.8, due out shortly. - Apr 20 2004
Has anyone managed to build KLogWatch on Fedora? Apparently it doesn't install the KDE devel packages in places that the configure script looks for by default. If someone could supply a ./configure line that does the trick I'd be grateful. - Mar 15 2004