AfterGlow is a tool which facilitates the process of generating graphs. It is the most downloaded security visualization tool of all times with over 17,000 downloads! Learn more about AfterGlow here.


07/08/13AfterGlow 1.6.5 released! Edge labels! Also see this blog post for a description of the latest updates.
07/11/13I released a short slide deck on AfterGlow: Overview, features, and a few great examples.
07/08/13AfterGlow 1.6.4 released!
 Adds the capability to generate ouput in GraphSON format.
(Credit to Tanya Guza for implementing this as part of GSOC)
05/13/13New AfterGlow for Splunk release - Fixing issues with Windows installations Download
04/14/13The latest source code is no longer on sourceforge, but can now be found on github: AfterGlow Source
 The tar-balls have moved too.
12/01/12AfterGlow Cloud is life! Check it out!
 The source code is available as well, in case you want to run your own AfterGlow Cloud instance.
 Some more information can be found on the honeynet blog
05/13/12AfterGlow was part of google summer of code (GSOC) through the honeynet project!
04/09/12Blog post about PCAP analysis with AfterGlow
04/09/12Blog post about how to use variables in AfterGlow
02/19/12AfterGlow is part of Squert, a Web application to view event data stored in the Sguil database.
01/04/12AfterGlow 1.6.2 for Splunk released!
  • This bug fix release will fix AfterGlow to work correctly with Splunk 4.2.x
  • 10/16/11AfterGlow 1.6.2 released!
     GDF output format support (-k) to support tools like Gephi.
     Join a community that has downloaded AfterGlow 14,000 times!!
    04/02/11Burpdot added a feature to output data for AfterGlow.
    03/22/10AfterGlow 1.6.0 released!
     A historic day! I finally decided that it was time to release AfterGlow 1.6.0!
  • Adding edge thickness option
  • New command line options to redirect STDIN and STDOUT to and from AfterGlow
  • New property file function: get_severity()
  • Couple of bug fixes. As always, check afterglow.pl for exact details.
  • 09/16/09Check out the CVS for a version of AfterGlow that allows for changing edge thickness! Release will follow soon!
    09/16/09AfterGlow gets a mention in Linux Magazine.
    08/07/09You can now your AfterGlow with Splunk 4. The integration is much nicer through a UI module, not a search command anymore.
    03/26/09AfterGlow is part of the Google Summer of Code project through the HoneyNet alliance! Sign up and help improve AfterGlow!
    02/07/09sudosecure.net published an analysis of the Waledac botnet. The analysis was performed with AfterGlow.
    11/25/08The 2.0 release of AfterGlow was removed from the download. It is confusing to users that there was a 2.0 version that did not provide the link graph feature. The initial idea was that the new code would support treemaps and link graphs, but that never took off. The 2.0 branch is abandoned at this point.
    11/18/08A short tutorial on how AfterGlow can be used with NetFlow data is posted on IT World.
    01/01/08AfterGlow works with Splunk
    11/01/07AfterGlow in ISSA Journal: Argus: Auditing network activity
    09/20/07Bro + Afterglow == Flow Insight with Link Graph
    09/12/07AfterGlow 1.5.9 Released
  • Adding property to add a URL element to nodes. This can be used, for example, to integrate with Splunk.
  • Adding label property to change labels on nodes. This overwrites the old label.(source|event|destination) to use not only boolean values.
    08/17/07AfterGlow Logo
     You might have noticed that AfterGlow finally got a LOGO. Thanks a lot to Jef, the graphic designer at my work! You should see him navigate PhotoShop...
    06/17/07AfterGlow 1.5.8 Released
     As part of the First conference in Seville, Spain, I am teaching a workshop on how to visualize insider threat. I am using this occasion to release a new and much improved version of AfterGlow.
  • Node sizes can be configured.
  • Updated and improved color assignment heuristic.
  • Per node thresholds
  • A few bug fixes!
  •  As always more information in src/perl/graph/README
    02/08/07AfterGlow 1.5.7 Released
  • Removed the database scripts from the distro. Get them from CSV if you need them.
  • Added feature to color nodes separately which are sources AND targets.
  • Adding label to the graph (-a command line option)
  • Added Text::CSV to parse the input data. (Thx Neil)
  • 02/04/07Anonymization Script
     Added anonymization scripts to anonymize CSV files. To safe you some hassle, also download the Anonymous.pm file if you want to anonymize IP addresses.
    01/06/07Unix Review Article on Snort 2.6 and AfterGlow
     I just stumbled accross an article that talks about how to use Snort 2.6 in conjunction with AfterGlow. And yet another blog entry which talks about Afterglow.
    11/27/06Security Visualization Portal - Launched
     Finally, the secviz.org portal is launched. You can find resources around the topic of security data visualization there! A definite have to see for AfterGlow users. You will see many examples of how to use the tool!
    07/03/06AfterGlow 1.5.6 Released
  • Fixed bug related to -g (fan out filtering) where source node was not drawn
  • Fixed bug related to -p 1 -f 1 options where too many nodes where drawn
  • New configuration option: variable
  • Removed regex() function. Duplicate of match().
  • 06/30/06DefCon 2006 (August 2006 in Las Vegas)
  • A presentation will feature AfterGlow and show how a firewall log can be visualized. Step by step instructions on how to build property files, and how to use all the other features.
  • 04/15/06AfterGlow 1.5.1 is in CVS!
  • Making parsing of property file a bit more flexible
  • Adding subnet() function
  • Adding field() function, returning the current field value
  • Adding version information to usage();
  • Fixing error message "not a color: " that showed all the time it was checking edge colors when they were not even defined
  • Don't evaluate clusters, if no clusters defined.
  • Trying to do some code optimization by checking whether a certain feature is needed
  • Doing some optimization by introducing a color cache! MUCH faster!
  • 03/20/06Another release of AfterGlow. Version 1.5 features:
  • Adding fan-out filtering capability! Way cool!
  • Minor bug fixes for property files.
  • Adding "exit" statement for property files.
  • 03/09/06This is a combined release of AfterGlow 1.3 and 1.4. Lots of new features:
  • Fixing omit-threshold bug. Only draw edges if BOTH nodes have a higher threshold, not just one of them.
  • Introducing cluster capability. This will cluster multiple nodes into one: (cluster=expression or cluster.{source,event,target}=expression)
  • Introduction of functions to work with colors and clusters: any_regex(), regex(), match(), regex_replace()
  • Adding capability to define colors independent of the node (color=...)
  • Introducing label.{source,event,targate}=[0|1] to disable labels
  • 02/21/06AfterGlow 2.0 released during EuSecWest 2006 in London.
    02/18/06AfterGlow 2.0 is close! I will release it at EuSecWest 2006 in London.
  • A new framework written in Java, based on the infovis libraries.
  • For now "AfterGlow 2.0 - Java" and "AfterGlow 1.1.6 - Perl" will live concurrently. Version 3.0 will combine the capabilities of both versions!
  • AfterGlow 2.0 supports treemap output. In future versions more will be added (especially link graphs).
  • 02/17/06AfterGlow 1.1.6 released! This release fixes a problem with the node-counts!
    02/17/06Lots of changes:
  • Cleaned up the directories.
  • afterglow-database and afterglow-parsers is gone. Everything is in afterglow-1.1.6.tar.gz now.
  • Added README to the perl directories.
  • Added more examples and cleaned them up.
  • 11/11/05Finally, a first version of the manual is available and some more pages got added on this Web page.
    09/19/05The Web page is finally launched. A lot of sections are still missing, but stay put!
    09/01/05Version 2.0 of AfterGlow got released with fixes to the node counts!
    08/01/05Raffy presented at DefCon about visual log analysis. Here is the description on the DefCon page. The presentation is also available.