Re: [loganalysis] Checkpoint FW-1 and syslog

From: Chris Brenton (cbrentonat_private)
Date: Mon Sep 03 2001 - 05:17:41 PDT


    On Sun, 2 Sep 2001, Ralf Hildebrandt wrote:
    
    > On Sun, Sep 02, 2001 at 08:31:07AM +0200, Mamoat_private wrote:
    > > How  is  it  possible  to  send  the FW-1 log to a central syslog
    > > server in real time.
    > 
    > Does FW-1 use syslog() calls at all? If yes, the "man syslog.conf"
    > Or have they done their own reinvention of syslog() ?
    
    Sorry, but FW-1 will not send firewall logs to Syslog (not that
    I've ever found). It's a proprietary format so it's not like you can even run
    Swatch on the firewall itself.
    
    A better bet may be to run something like Netfilter in front of or behind
    FW-1. The bonus is that you can take advantage of its log prefixing
    capability. Something like:
    
    iptables -A FORWARD -p tcp --tcp-flags ALL SYN,FIN -j LOG --log-prefix " SYNFINSCAN "
    
    iptables -A FORWARD -p icmp -f -j LOG --log-prefix " ICMPFRAG "
    
    iptables -A FORWARD -p tcp -d 0/0 --dport 12345:12346 -j LOG --log-prefix " NETBUS "
    
    This dumps the detected patterns to messages. Now you just have
    Swatch or what ever pattern match on the keywords you define.
    
    HTH,
    C
    **************************************
    cbrentonat_private
    
    $ chown -R us:us yourbase
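The keyword-matching step Chris describes, as an added example that is not part of the original post: a small Python stand-in for the Swatch rule, parsing netfilter LOG lines as the kernel writes them to /var/log/messages and tallying the three prefixes by source address. The log lines below are constructed samples, and the field layout assumed is the standard LOG target output (prefix, then IN=/OUT=/SRC=/DST=... fields, with bare TCP flag words such as SYN and FIN in between).

```python
import re
from collections import Counter

# Prefixes set with --log-prefix in the rules above (leading/trailing spaces
# in the prefix are swallowed by the whitespace split).
WATCHED = {"SYNFINSCAN", "ICMPFRAG", "NETBUS"}

# Constructed sample lines in the shape syslog stores netfilter LOG output.
SAMPLE = """\
Sep  3 05:17:41 fw kernel:  SYNFINSCAN IN=eth0 OUT=eth1 SRC=192.0.2.10 DST=198.51.100.5 LEN=40 TOS=0x00 PREC=0x00 TTL=64 ID=1 PROTO=TCP SPT=40000 DPT=22 WINDOW=1024 RES=0x00 SYN FIN URGP=0
Sep  3 05:17:42 fw kernel:  NETBUS IN=eth0 OUT=eth1 SRC=192.0.2.10 DST=198.51.100.5 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=2 PROTO=TCP SPT=40001 DPT=12345 WINDOW=1024 RES=0x00 SYN URGP=0
Sep  3 05:17:43 fw kernel:  ICMPFRAG IN=eth0 OUT=eth1 SRC=192.0.2.77 DST=198.51.100.5 LEN=1500 TOS=0x00 PREC=0x00 TTL=64 ID=3 PROTO=ICMP
Sep  3 05:17:44 fw sshd[123]: Accepted publickey for admin from 198.51.100.9
"""

def parse_line(line):
    """Return (prefix, fields) for a netfilter LOG line, or None otherwise.

    Tokens before the first key=value are the --log-prefix text; key=value
    tokens become fields; bare tokens after that (SYN, FIN, DF, ...) are flags.
    """
    m = re.search(r"kernel:\s*(.*)$", line)
    if not m:
        return None
    prefix_words, fields, flags = [], {}, []
    for tok in m.group(1).split():
        if "=" in tok:
            key, value = tok.split("=", 1)
            fields[key] = value
        elif fields:
            flags.append(tok)
        else:
            prefix_words.append(tok)
    if "IN" not in fields:          # every LOG target line carries IN=
        return None
    fields["FLAGS"] = flags
    return " ".join(prefix_words), fields

def scan(lines):
    """Tally watched prefixes per SRC address, as a Swatch rule would."""
    hits = Counter()
    for line in lines:
        parsed = parse_line(line)
        if parsed and parsed[0] in WATCHED:
            hits[(parsed[0], parsed[1].get("SRC"))] += 1
    return hits

if __name__ == "__main__":
    for (prefix, src), n in scan(SAMPLE.splitlines()).items():
        print(f"{prefix:<11} from {src}: {n} hit(s)")
```

On a live box, feed it `tail -F /var/log/messages` instead of SAMPLE; lines from other daemons fall through as None and are ignored.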
    This archive was generated by hypermail 2b30 : Tue Sep 04 2001 - 11:41:18 PDT