Re: [loganalysis] Checkpoint FW-1 and syslog

From: Tina Bird (tbird@precision-guesswork.com)
Date: Tue Sep 04 2001 - 09:54:43 PDT


    As Johan pointed out a few days ago, you can use the
    Checkpoint command $FWDIR/bin/fw log -f to convert from
    the Checkpoint proprietary log format to plain text,
    and then the UNIX "logger" utility to get the plain text
    into syslog.  However, be aware that the "fw log -f"
    converts >everything< in the network connections log to
    text -- so every time you stop and restart the firewall,
    you will blat out everything in the connections log 
    back into syslog.  
    
    We recommend that our customers perform a log
    rotation on the network connection logs every time they
    restart the system; that way there are no duplicates.
    IIRC, the command is $FWDIR/bin/fw logswitch... Chris,
    is that right?
    
    Also, there's a lot of valuable information about the
    health of the firewall that doesn't show up in either
    the network connection logs or the standard host OS
    syslog, especially if you use the GUI for firewall
    management (this includes things like administrators
    logging into and out of the GUI, and pushing new policies
    to the firewalls).  If you want to capture that info in
    your central logserver, you need to do the "logger"
    trick described above with the file $FWDIR/log/cpmgmt.aud.
    
    On Mon, 3 Sep 2001, Chris Brenton wrote:
    
    > Date: Mon, 3 Sep 2001 08:17:41 -0400 (EDT)
    > From: Chris Brenton <cbrentonat_private>
    > To: Ralf Hildebrandt <Ralf.Hildebrandtat_private>
    > Cc: Mamoat_private, loganalysisat_private
    > Subject: Re: [loganalysis] Checkpoint FW-1 and syslog
    > 
    > On Sun, 2 Sep 2001, Ralf Hildebrandt wrote:
    > 
    > > On Sun, Sep 02, 2001 at 08:31:07AM +0200, Mamoat_private wrote:
    > > > How is it possible to send the FW-1 log to a central syslog
    > > > server in real time?
    > > 
    > > Does FW-1 use syslog() calls at all? If yes, the "man syslog.conf"
    > > Or have they done their own reinvention of syslog() ?
    > 
    > Sorry, but FW-1 will not send firewall logs to Syslog (not that
    > I've ever found). It's a proprietary format, so it's not like you can even run
    > Swatch on the firewall itself.
    > 
    > A better bet may be to run something like Netfilter in front of or behind
    > FW-1. The bonus is that you can take advantage of its log prefixing
    > capability. Something like:
    > 
    > iptables -A FORWARD -p tcp --tcp-flags ALL SYN,FIN -j LOG --log-prefix " SYNFINSCAN "
    > 
    > iptables -A FORWARD -p icmp -f -j LOG --log-prefix " ICMPFRAG "
    > 
    > iptables -A FORWARD -p tcp -d 0/0 --dport 12345:12346 -j LOG --log-prefix " NETBUS "
    > 
    > This dumps the detected patterns to messages. Now you just have
    > Swatch or whatever pattern match on the keywords you define.
    > 
    > HTH,
    > C
    > **************************************
    > cbrentonat_private
    > 
    > $ chown -R us:us yourbase
    
    LogAnalysis: http://kubarb.phsx.ukans.edu/~tbird/log-analysis.html
    VPN:  http://kubarb.phsx.ukans.edu/~tbird/vpn.html
    life: http://kubarb.phsx.ukans.edu/~tbird
    work: http://www.counterpane.com
    
    
    ---------------------------------------------------------------------
    To unsubscribe, e-mail: loganalysis-unsubscribeat_private
    For additional commands, e-mail: loganalysis-helpat_private
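As an added example (not code from Tina's or Chris's posts), the script below puts the two techniques from this thread side by side: feeding a plain-text export such as the output of "fw log -f" or $FWDIR/log/cpmgmt.aud into syslog through "logger" without replaying records that were already forwarded, and counting the keyword prefixes that the iptables LOG rules write into /var/log/messages. The new_lines, forward_log and count_prefix function names, the offset file used as state, and both sample inputs are assumptions made for the example; the export lines are constructed and do not reproduce the real "fw log -f" output format.

```shell
#!/bin/sh
# Added example; not code from the original thread.
# Assumed: the export has one complete record per line, and this script owns
# the offset file it uses as state. Sample inputs below are constructed.

# new_lines FILE STATEFILE
# Print the lines appended to FILE since the byte offset saved in STATEFILE,
# then save the current size. A file smaller than the saved offset means it
# was rotated (e.g. after "fw logswitch"), so start from the beginning again.
new_lines() {
    file=$1
    state=$2
    size=$(wc -c < "$file" | tr -d ' ')
    offset=0
    if [ -f "$state" ]; then
        offset=$(cat "$state")
    fi
    if [ "$size" -lt "$offset" ]; then
        offset=0
    fi
    # tail -c +N prints from byte N (1-based), so this skips exactly $offset bytes
    tail -c "+$((offset + 1))" "$file"
    printf '%s\n' "$size" > "$state"
}

# forward_log FILE STATEFILE TAG
# The "logger" trick from the thread, restricted to unseen lines. Run it from
# cron or after a restart; only records not yet forwarded reach the log server.
forward_log() {
    new_lines "$1" "$2" | logger -t "$3" -p local0.info
}

# count_prefix MESSAGES PREFIX
# Count kernel LOG lines carrying a given --log-prefix keyword. The prefixes in
# the thread are wrapped in spaces, so they are matched that way here.
count_prefix() {
    grep -c "kernel: .* $2 " "$1" || true
}

# --- constructed sample data, so the script runs offline --------------------
demo_dir=$(mktemp -d)
demo_export="$demo_dir/fw-export.txt"
demo_state="$demo_dir/fw-export.offset"
demo_messages="$demo_dir/messages"

# Illustrative records only; not the real "fw log -f" text format.
printf '%s\n' \
  '4Sep2001 09:50:01 accept src 10.0.0.5 dst 10.0.0.9 service http' \
  '4Sep2001 09:50:02 drop   src 10.0.0.6 dst 10.0.0.9 service telnet' \
  > "$demo_export"

# Constructed /var/log/messages lines in the shape the LOG target produces.
printf '%s\n' \
  'Sep  4 09:54:43 fw kernel:  SYNFINSCAN IN=eth0 OUT=eth1 SRC=10.0.0.5 DST=10.0.0.9 PROTO=TCP SPT=4444 DPT=80' \
  'Sep  4 09:54:44 fw kernel:  NETBUS IN=eth0 OUT=eth1 SRC=10.0.0.5 DST=10.0.0.9 PROTO=TCP SPT=4445 DPT=12345' \
  'Sep  4 09:54:45 fw kernel:  NETBUS IN=eth0 OUT=eth1 SRC=10.0.0.6 DST=10.0.0.9 PROTO=TCP SPT=4446 DPT=12346' \
  > "$demo_messages"

# First pass prints both records; the second pass (a "restart") prints nothing.
new_lines "$demo_export" "$demo_state"
new_lines "$demo_export" "$demo_state"
echo "NETBUS hits: $(count_prefix "$demo_messages" NETBUS)"
```

The offset is recorded after each pass, so stopping and restarting the forwarder does not resend what syslog already has; rotating with "fw logswitch" shrinks the file and the function notices that and starts over. One caveat: a record still being written when the size is sampled is skipped, which is why the example assumes one complete record per line.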
    



    This archive was generated by hypermail 2b30 : Tue Sep 04 2001 - 12:00:16 PDT