October 15, 2006

AfterGlow and Fan Out Filtering

Yes, I am still playing around with visualization. In fact, I am writing a chapter for a book. It’s going to be about using line graphs and treemaps to visualize firewall and IDS logs.

I just realized something that you have to be careful about when using AfterGlow’s fan-out filtering!

If you have a graph where you are going to filter based on the source node’s fan-out, you will still see all the eventNode->targetNode pairs! It won’t restrict them to only the ones that are from the remaining source nodes! Here is an example:

My log contains thousands of lines, but only these three entries should remain after doing a (-f 2) filtering: ,nounce,|113,block,|113,pass,|25

However, the graph will look like this:

What you can do is use the -p 1 option: afterglow.pl -p 1 -f 2, which will result in the desired graph:
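The pitfall described above can also be checked, or avoided by pre-filtering the CSV, before the data reaches AfterGlow. The following is an added example, not AfterGlow's code and not from the original post; it assumes three-column input (source,event,target), that a source's fan-out is its number of distinct event nodes, and that sources at or above the threshold are kept. The sample rows are constructed.

```python
import csv
import io
import sys
from collections import defaultdict

# Constructed sample rows (source,event,target); not the log from the post.
SAMPLE = "10.0.0.1,block,113\n10.0.0.1,pass,25\n10.0.0.2,pass,80\n10.0.0.3,block,22\n"

def parse(text):
    """Read source,event,target rows and skip malformed lines."""
    return [tuple(r) for r in csv.reader(io.StringIO(text)) if len(r) == 3]

def source_fanout(rows):
    """Fan-out per source = number of distinct event nodes (assumed definition)."""
    events = defaultdict(set)
    for src, event, _ in rows:
        events[src].add(event)
    return {src: len(ev) for src, ev in events.items()}

def prefilter(rows, threshold):
    """Keep only rows whose source has fan-out >= threshold."""
    fan = source_fanout(rows)
    return [r for r in rows if fan[r[0]] >= threshold]

def naive_edges(rows, threshold):
    """Model of the pitfall: source->event edges are filtered,
    but every event->target pair in the log is still drawn."""
    fan = source_fanout(rows)
    src_edges = {(s, e) for s, e, _ in rows if fan[s] >= threshold}
    tgt_edges = {(e, t) for _, e, t in rows}
    return src_edges, tgt_edges

def stray_pairs(rows, threshold):
    """event->target pairs that belong only to filtered-out sources."""
    _, drawn = naive_edges(rows, threshold)
    wanted = {(e, t) for _, e, t in prefilter(rows, threshold)}
    return sorted(drawn - wanted)

if __name__ == "__main__":
    # Reads CSV on stdin, writes the restricted CSV on stdout.
    data = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE
    rows = parse(data)
    for pair in stray_pairs(rows, 2):
        print("stray event->target pair: %s -> %s" % pair, file=sys.stderr)
    csv.writer(sys.stdout).writerows(prefilter(rows, 2))
```

The restricted CSV written on stdout contains only rows from the remaining source nodes, so no unrelated event->target pairs are left to draw.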

