Hi Christian, hello list,
Yesterday, I took a testdrive with AuditViewer, browsing about 2000 events and
updating a whitelist ruleset under development with Remo. Remo has some sort
of event browser, but yours is vastly superior.
I usually do some prefiltering with remo's audit-log-parser.rb script. This works nicely
together with your AuditViewer. I might have to write a tutorial about that someday.
These are some thoughts, I am posting them here (and not to Christian directly),
so others can add their ideas too.
I did not read any documentation and I did not look for explanations.
That's my fault, but take me as a casual user, who just wants to get going
fast and without thinking much.
- Feature Request: "Remove event from List"
What I mean is you have 25 events, you do a right-click and
select "remove event". Then the event is completely removed from
the list and you have 24 events.
Multi-Select with CTRL-a and then Shift-Delete would be helpful too.
- Display the request Unique-ID field (-> mod_unique_id) in the event list and also in the detail
view. Likewise, I'd like to filter for Unique-IDs. This can be
a regex filter, but ideally, I'd like to paste them into a
big text field, one ID per line.
- The tree-view is cool. Really.
- The treeview would profit if the detail-view of an event were displayed
below the event list. Now it's a popup and that takes too long.
The "next/previous" functionality of the popup is nice though.
- The detail-view does not do carriage returns for long lines (or only for extremely long lines),
instead I have to scroll multiple screens to the right. When I click "next", then the
scrollbar resets the view to the left. Argh. I have to cover 2000 events.
- A filter like !^(.*Origin.*)$ does not work on the "Log message with regexp" filter.
That would be helpful though.
Btw: The Anti-CSRF-HTTP-Header named Origin is appearing in more and more requests.
Can anybody say something about the rate of adoption?
- The detail view popup does not react to keys like "Home" and "End"
- The list view table cannot be ordered by clicking on the header of the column
- When loading a file, it would be nice if audit-viewer was able to guess the
format type of the file.
- Why isn't there a tree-view from the start? Why do I have to generate it first?
Nice and helpful tool. Are you attending the OWASP conference in Poland, Christian?
Webserver Security Engineer
Die Schweizerische Post
Unix Engineering IT 222
CH-3030 Bern (Zollikofen)
Tel: +41 (0)58 338 79 96
Fax: +41 (0)58 338 46 99