IONSec Forti-DFIR Log Parser Tool is a comprehensive solution for analyzing Fortinet VPN and firewall logs. Available as both a command-line utility and a modern web application, it extracts key data and exports it to CSV format, streamlining security investigations for incident responders.
Developed by the IONSec Research Team.
- 🔍 VPN Login Parser: Extracts successful VPN login details.
- 📊 Firewall Log Aggregation: Summarizes traffic by destination IP, filtering out private/local addresses.
- 📌 VPN Session Shutdown Analyzer: Extracts session termination statistics, including sent bytes, for a specific user.
- 💻 Interactive CLI Interface: Guides users through log selection and parsing options.
- 🌐 Web Application: Modern web interface with authentication, file upload, and real-time processing.
- 📂 CSV Export: Saves parsed data for easy analysis.
- 🐳 Docker Support: Easy deployment with Docker Compose.
- ☁️ Cloud Ready: Automatic deployment to Netlify and Vercel.
- ❓ Help Function (`-help`): Displays usage instructions.
Quick start for the web application:

```bash
cd web_app
./run.sh   # For macOS/Linux
# OR
run.bat    # For Windows
```

Access the application at http://localhost:3000

Quick start for the CLI:

```bash
python log_parser.py
```
For the CLI:
- Python 3.6+
- `pandas` library

For the web application:
- Python 3.6+ OR Docker
- Node.js 14+ (if not using Docker)
1. Clone the repository:

```bash
git clone https://github.com/ionsec/Forti-DFIR.git
cd Forti-DFIR
```

2. For CLI usage:

```bash
pip install pandas
```

3. For Web App usage:

   - Option A - Using Docker (Recommended):

     ```bash
     cd web_app
     docker-compose up
     ```

   - Option B - Manual Installation:

     ```bash
     cd web_app
     ./run.sh   # Automated setup for macOS/Linux
     # OR
     run.bat    # Automated setup for Windows
     ```
The web application provides a modern interface for all parsing operations:
- Access: http://localhost:3000 (frontend) / http://localhost:5000 (API)
- Default Login: admin / admin123. These are well-known default credentials; change them before exposing the application beyond localhost, since uploaded VPN and firewall logs contain usernames and source IPs.
- Features: All CLI functionality plus:
  - User authentication
  - Drag-and-drop file upload
  - Real-time processing status
  - Download results as CSV
  - Parse history tracking

For detailed web app documentation, see web_app/README.md
Run the script in interactive mode:
python log_parser.py
When executed, the tool presents the following menu:

```
Log Parser CLI Tool
1. Parse VPN logs
2. Parse and aggregate firewall logs
3. Parse VPN shutdown sessions and extract sent bytes for a given user
```
✔ Extracts VPN login details (date, time, user, IP, reason, etc.).
✔ Aggregates firewall logs by destination IP and calculates total sent bytes.
✔ Extracts session termination logs for a specified user, including sent bytes.
You will be asked to provide:
- 📌 The path to the input log file.
- 📌 The path to save the output CSV file.
- 📌 (For Option 3) The username to filter logs (case-insensitive).
To display usage instructions, run:

```bash
python log_parser.py -help
```
Example 1: Parse VPN logs

```bash
python log_parser.py
```

- Choose Option 1
- Enter file paths:

```
Enter the path to the log file: vpn_logs.txt
Enter the path to save the parsed logs: parsed_vpn_logs.csv
```

Example 2: Parse and aggregate firewall logs

```bash
python log_parser.py
```

- Choose Option 2
- Enter file paths:

```
Enter the path to the log file: firewall_logs.txt
Enter the path to save the parsed logs: parsed_firewall_logs.csv
```

Example 3: Parse VPN shutdown sessions for a given user

```bash
python log_parser.py
```

- Choose Option 3
- Enter details:

```
Enter the path to the log file: vpn_logs.txt
Enter the user name to filter by: USER1
Enter the path to save the parsed logs: shutdown_sessions.csv
```
The tool generates a structured CSV file with the parsed log data. For Option 3 the output looks like the table below; the `Sent Bytes (MB)` column is decimal megabytes (bytes divided by 1,000,000), not MiB.

| Date | Time | User | Sent Bytes | Sent Bytes (MB) |
|---|---|---|---|---|
| 2020-02-14 | 05:59:52 | USER1 | 600590000 | 600.59 |
| 2020-02-15 | 07:30:10 | USER1 | 100370000 | 100.37 |
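As an added illustration of what the three menu options do (this is example code written for this page, not the project's `log_parser.py`), the stdlib-only sketch below parses a few constructed FortiGate-style key=value log lines and produces the same three CSV shapes: successful VPN logins, per-destination firewall totals with private/local addresses dropped, and per-user session shutdowns with the MB column computed as bytes / 1,000,000 as in the sample table. Field names (`date`, `time`, `type`, `subtype`, `action`, `user`, `remip`, `dstip`, `sentbyte`) follow FortiGate's syslog convention; treating `action="tunnel-up"` as a successful login and `action="tunnel-down"` as a session shutdown, and the exact list of "private/local" ranges, are assumptions made here, not behaviour documented by the project.

```python
"""Added example (not the project's code): stdlib-only sketch of the three
parsing modes over constructed FortiGate-style log lines. Mapping tunnel-up to
'login' and tunnel-down to 'shutdown' is an assumption of this example."""
import csv
import io
import ipaddress
import re
from collections import defaultdict

# One key=value token; FortiGate double-quotes values that contain spaces.
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

def parse_line(line):
    """Return the key/value pairs of one log line as a dict (quotes stripped)."""
    # findall yields '' for the non-matching alternative, so pick whichever is set
    return {key: quoted or bare for key, quoted, bare in KV_RE.findall(line)}

# "Private/local" ranges skipped by the firewall aggregation: RFC 1918,
# loopback, link-local and their IPv6 counterparts (assumed set).
PRIVATE_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16", "fc00::/7", "fe80::/10", "::1/128")]

def is_private_or_local(ip):
    """True for private/loopback/link-local addresses and for unparsable strings."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return True
    return any(addr in net for net in PRIVATE_NETS)

def vpn_logins(lines):
    """Option 1: one row per successful SSL VPN login (tunnel-up event)."""
    return [{"Date": r.get("date"), "Time": r.get("time"), "User": r.get("user"),
             "Remote IP": r.get("remip"), "Reason": r.get("reason", "")}
            for r in map(parse_line, lines)
            if r.get("subtype") == "vpn" and r.get("action") == "tunnel-up"]

def aggregate_firewall(lines):
    """Option 2: total sent bytes per public destination IP, largest first."""
    totals = defaultdict(int)
    for r in map(parse_line, lines):
        dst = r.get("dstip")
        if r.get("type") != "traffic" or not dst or is_private_or_local(dst):
            continue
        totals[dst] += int(r.get("sentbyte", 0))
    return [{"Destination IP": ip, "Sent Bytes": b}
            for ip, b in sorted(totals.items(), key=lambda kv: -kv[1])]

def shutdown_sessions(lines, user):
    """Option 3: tunnel-down events for one user (case-insensitive), with sent
    bytes and decimal megabytes (bytes / 1,000,000, as in the sample table)."""
    rows = []
    for r in map(parse_line, lines):
        if r.get("action") != "tunnel-down" or r.get("user", "").lower() != user.lower():
            continue
        sent = int(r.get("sentbyte", 0))
        rows.append({"Date": r.get("date"), "Time": r.get("time"), "User": r.get("user"),
                     "Sent Bytes": sent, "Sent Bytes (MB)": round(sent / 1_000_000, 2)})
    return rows

def to_csv(rows):
    """Render rows as CSV text; the CLI would write this to the path you enter."""
    if not rows:
        return ""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=list(rows[0]))
    writer.writeheader()
    writer.writerows(rows)
    return buf.getvalue()

# Constructed sample lines for this example, not real device output.
SAMPLE_LOGS = [
    'date=2020-02-14 time=05:58:01 type="event" subtype="vpn" action="tunnel-up" tunneltype="ssl-tunnel" remip=203.0.113.7 user="USER1" reason="N/A" msg="SSL VPN tunnel up"',
    'date=2020-02-14 time=05:59:52 type="event" subtype="vpn" action="tunnel-down" tunneltype="ssl-tunnel" remip=203.0.113.7 user="USER1" reason="N/A" sentbyte=600590000 rcvdbyte=12000 msg="SSL VPN tunnel down"',
    'date=2020-02-14 time=06:10:00 type="event" subtype="vpn" action="ssl-login-fail" remip=198.51.100.9 user="user1" reason="sslvpn_login_unknown_user" msg="SSL user failed to logged in"',
    'date=2020-02-15 time=07:30:10 type="event" subtype="vpn" action="tunnel-down" tunneltype="ssl-tunnel" remip=203.0.113.7 user="user1" sentbyte=100370000 rcvdbyte=900 msg="SSL VPN tunnel down"',
    'date=2020-02-14 time=06:00:00 type="traffic" subtype="forward" srcip=10.0.0.5 dstip=203.0.113.50 dstport=443 action="accept" sentbyte=5000 rcvdbyte=70000',
    'date=2020-02-14 time=06:00:05 type="traffic" subtype="forward" srcip=10.0.0.5 dstip=192.168.1.10 dstport=445 action="accept" sentbyte=999999 rcvdbyte=10',
    'date=2020-02-14 time=06:00:09 type="traffic" subtype="forward" srcip=10.0.0.6 dstip=203.0.113.50 dstport=443 action="accept" sentbyte=7000 rcvdbyte=100',
    'date=2020-02-14 time=06:00:12 type="traffic" subtype="forward" srcip=10.0.0.6 dstip=203.0.113.80 dstport=22 action="accept" sentbyte=1500 rcvdbyte=100',
]

if __name__ == "__main__":
    print(to_csv(vpn_logins(SAMPLE_LOGS)))
    print(to_csv(aggregate_firewall(SAMPLE_LOGS)))
    print(to_csv(shutdown_sessions(SAMPLE_LOGS, "USER1")))
```

Two details worth noticing when comparing against the real tool's output: the user filter is case-insensitive, so `USER1` and `user1` end up in the same shutdown report, and the 192.168.1.10 destination with the largest byte count is dropped from the firewall summary because it is private, which is exactly the behaviour the aggregation mode advertises.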
The web application can be deployed to cloud platforms:
See web_app/DEPLOYMENT.md for detailed deployment instructions.
Contributions are welcome! Feel free to submit issues or pull requests.