Open Source OpenBSD Log Analysis Software

ttyrpld is a multi-OS kernel-level TTY keylogger and screenlogger with (a)synchronous replay support. It runs on Linux, Solaris, FreeBSD, NetBSD and OpenBSD.

NXLog is a modular, multi-threaded, high-performance log management solution with multi-platform support. In concept it is similar to syslog-ng or rsyslog but is not limited to unix/syslog only. It can collect logs from files in various formats, receive logs from the network remotely over UDP, TCP or TLS/SSL . It supports platform specific sources such as the Windows Eventlog, Linux kernel logs, Android logs, local syslog etc. Writing and reading logs to/from databases is also supported. The collected logs can be stored into files, databases or forwarded to a remote log server using various protocols. The old BSD Syslog and the newer IETF syslog standard is fully supported by NXLog in addition to Snare, XML, JSON, GELF, KVP, CSV and custom formats. A key concept in NXLog is to be able to handle and preserve structured logs. No need to convert everything to syslog and parse these logs again at the other side. It has powerful message filtering, log rewrite and conversion capabilities.

Impost is a network security auditing tool designed to analyze the forensics behind protocol exploitation.

Jacclog is a modular open source access logs analytics system written in Java.

Nmap Log Stripper is a Bash script intended to be a way to condense all, or some, of the IPs of a "random" (-iR) nmap scan into a file for later usage.

Snort2c attempts to be a improved version of snort2pf wrote by Stephan Schmieder with some advantages: kqueue, pf table support, pf ioctl's calls and others. It works monitoring snort's alertfile and blocking attackers ip using pf calls.

Squeezer is a multi-dimensional logfile analyzer for Squid web cache server. It measures transfer speed from Squid, source servers and other caches and gives an information useful for tuning Squid and web cache hierarchy or mesh.

ZEE HAS MOVED TO GITHUB (see "Zee Web Site" link).

my-swatch pretends to be an implementation of msyslog and swatch together. What it pretends to accomplish is put all together, to log events to a remote database (like msyslog) and to awake triggers (like swatch).

A tool suite to analyse protocol streams and whose flow characteristic. On the other side, the tool suite can be used to gather information about the network infrastructure and detect bottlenecks.

Shoki is a free, open source network intrusion detection system. The fundamental design goals are simplicity and modularity, and the focus is on traffic analysis rather than content inspection.