As Johan pointed out a few days ago, you can use the Checkpoint command
$FWDIR/bin/fw log -f to convert from the Checkpoint proprietary log format
to plain text, and then the UNIX "logger" utility to get the plain text into
syslog. However, be aware that "fw log -f" converts >everything< in the
network connections log to text -- so every time you stop and restart the
firewall, you will blat out everything in the connections log back into
syslog. We recommend to our customers that they perform a log rotation on
the network connection logs every time they restart the system - that way
there are no duplicates. IIRC, the command is $FWDIR/bin/fw logswitch...
Chris, is that right?

Also, there's a lot of valuable information about the health of the firewall
that doesn't show up in either the network connection logs or the standard
host OS syslog, especially if you use the GUI for firewall management (this
includes things like administrators logging into and out of the GUI, and
pushing new policies to the firewalls). If you want to capture that info in
your central logserver, you need to do the "logger" trick described above
with the file $FWDIR/log/cpmgmt.aud.

On Mon, 3 Sep 2001, Chris Brenton wrote:

> Date: Mon, 3 Sep 2001 08:17:41 -0400 (EDT)
> From: Chris Brenton <cbrentonat_private>
> To: Ralf Hildebrandt <Ralf.Hildebrandtat_private>
> Cc: Mamoat_private, loganalysisat_private
> Subject: Re: [loganalysis] Checkpoint FW-1 and syslog
>
> On Sun, 2 Sep 2001, Ralf Hildebrandt wrote:
>
> > On Sun, Sep 02, 2001 at 08:31:07AM +0200, Mamoat_private wrote:
> > > How is it possible to send the FW-1 log to a central syslog
> > > server in real time.
> >
> > Does FW-1 use syslog() calls at all? If yes, the "man syslog.conf"
> > Or have they done their own reinvention of syslog() ?
>
> Sorry, but FW-1 will not send firewall logs to Syslog (not that I've
> ever found). It's a proprietary format so it's not like you can even run
> Swatch on the firewall itself.
>
> A better bet may be to run something like Netfilter in front of or behind
> FW-1. The bonus is that you can take advantage of its log prefixing
> capability. Something like:
>
> iptables -A FORWARD -p tcp --tcp-flags ALL SYN,FIN -j LOG --log-prefix " SYNFINSCAN "
>
> iptables -A FORWARD -p icmp -f -j LOG --log-prefix " ICMPFRAG "
>
> iptables -A FORWARD -p tcp -d 0/0 --dport 12345:12346 -j LOG --log-prefix " NETBUS "
>
> This dumps the detected patterns to messages. Now you just have Swatch or
> whatever pattern match on the keywords you define.
>
> HTH,
> C
> **************************************
> cbrentonat_private
>
> $ chown -R us:us yourbase
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: loganalysis-unsubscribeat_private
> For additional commands, e-mail: loganalysis-helpat_private

LogAnalysis: http://kubarb.phsx.ukans.edu/~tbird/log-analysis.html
VPN: http://kubarb.phsx.ukans.edu/~tbird/vpn.html
life: http://kubarb.phsx.ukans.edu/~tbird
work: http://www.counterpane.com
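The Swatch-style keyword match Chris describes, as an added example that is not part of this thread: a small Python pass over constructed syslog lines in the kernel netfilter LOG format, tagged with the thread's prefixes (SYNFINSCAN, ICMPFRAG, NETBUS). The hostnames, addresses and the repeat threshold are assumptions, and Swatch itself is not used.

```python
import re
from collections import Counter

# Constructed sample syslog lines (hosts and addresses are made up) in the
# kernel netfilter LOG format, tagged with the --log-prefix keywords from
# the thread. The last line is an unrelated sshd event that must be ignored.
SAMPLE_LOG = """\
Sep  3 08:17:41 fw kernel:  SYNFINSCAN IN=eth0 OUT=eth1 SRC=192.0.2.10 DST=198.51.100.5 LEN=40 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=TCP SPT=1234 DPT=80 WINDOW=1024 RES=0x00 SYN FIN URGP=0
Sep  3 08:17:42 fw kernel:  SYNFINSCAN IN=eth0 OUT=eth1 SRC=192.0.2.10 DST=198.51.100.5 LEN=40 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=TCP SPT=1235 DPT=443 WINDOW=1024 RES=0x00 SYN FIN URGP=0
Sep  3 08:17:43 fw kernel:  ICMPFRAG IN=eth0 OUT=eth1 SRC=192.0.2.22 DST=198.51.100.9 LEN=1500 TOS=0x00 PREC=0x00 TTL=64 ID=4242 MF PROTO=ICMP TYPE=8 CODE=0
Sep  3 08:17:44 fw kernel:  NETBUS IN=eth0 OUT=eth1 SRC=192.0.2.10 DST=198.51.100.5 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=1 DF PROTO=TCP SPT=40000 DPT=12345 WINDOW=5840 RES=0x00 SYN URGP=0
Sep  3 08:17:45 fw sshd[512]: Accepted publickey for admin from 203.0.113.7 port 50000 ssh2
"""

# syslog header, then the prefix word, then the IN=... key/value fields.
LOG_RE = re.compile(r"^\w{3}\s+\d+ \d\d:\d\d:\d\d \S+ kernel:\s*(?P<prefix>\S+)\s+(?P<fields>IN=.*)$")


def parse_line(line):
    """Return (prefix, fields) for a tagged netfilter LOG line, else None.
    KEY=VALUE tokens become dict entries; bare flags (DF, MF, SYN, FIN)
    are gathered in fields["FLAGS"]."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    tokens = m["fields"].split()
    fields = dict(tok.split("=", 1) for tok in tokens if "=" in tok)
    fields["FLAGS"] = {tok for tok in tokens if "=" not in tok}
    return m["prefix"], fields


def summarize(text, threshold=2):
    """Swatch-style pass: count events per prefix keyword and return
    (counts, alerts); alerts lists (prefix, src, n) for every source that
    triggered the same keyword at least `threshold` times (assumed value)."""
    by_prefix, by_prefix_src = Counter(), Counter()
    for line in text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue  # not a tagged firewall event; skip it like Swatch would
        prefix, f = parsed
        by_prefix[prefix] += 1
        by_prefix_src[(prefix, f.get("SRC"))] += 1
    alerts = sorted((p, s, n) for (p, s), n in by_prefix_src.items() if n >= threshold)
    return dict(by_prefix), alerts


if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))
```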
This archive was generated by hypermail 2b30 : Tue Sep 04 2001 - 12:00:16 PDT