Re: [loganalysis] Checkpoint FW-1 and syslog

From: Chris Brenton (cbrentonat_private)
Date: Tue Sep 04 2001 - 12:13:08 PDT


    Tina Bird wrote:
    > 
    > As Johan pointed out a few days ago, you can use the
    > Checkpoint command $FWDIR/bin/fw log -f to convert from
    > the Checkpoint proprietary log format to plain text,
    
    Saw that after I posted. ;)
    
    Is the format the same as when you do an 'fw logexport'? If so, it may
    make pattern matching a bit difficult as there are no label values. For
    example you can pattern match on "22" to look at SSH but you will also
    get 2222, source port of 22xx, "22" in the IP address, date, time, etc.
    
    If you do get labels to work with, then life is cool. 
    
    The Netfilter trick is still my favorite. It's cut my log review time
    down to about 25% of what it used to be even though I'm logging more
    info and seeing more traffic.
    
    > We recommend to our customers that they perform a log
    > rotation on the network connection logs every time they
    > restart the system - that way there are no duplicates.
    > IIRC, the command is $FWDIR/bin/fw logswitch...Chris,
    > is that right?
    
    Yup, that will do it. Startup script or batch file is probably the way
    to go.
    
    HTH,
    Chris
    -- 
    **************************************
    cbrentonat_private
    
    $ chown -R us:us yourbase
    
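An added illustration of the false-positive problem Chris describes above (example code written for this archive page, not from the thread, the list, or Check Point): the semicolon-separated record layout and the sample lines are constructed assumptions, not the real fw logexport format, but they show why an unlabelled substring match on "22" over-matches while a field-aware match does not.

```python
# Assumed, constructed column layout for the sample export (NOT the real
# Check Point fw logexport format; the field names are placeholders).
FIELDS = ["date", "time", "action", "src", "s_port", "dst", "service", "proto"]

# Constructed sample records. Only the second one is actually SSH traffic;
# the others contain "22" in the time, source port, or source address.
SAMPLE = """\
4Sep2001;12:22:10;accept;10.1.1.5;2222;192.168.1.10;80;tcp
4Sep2001;12:13:08;accept;10.22.0.7;33012;192.168.1.20;22;tcp
4Sep2001;12:30:44;drop;10.1.1.9;22;192.168.1.30;443;tcp
4Sep2001;12:31:00;accept;10.1.1.11;40000;192.168.1.40;25;tcp
"""


def parse(line):
    """Split one record into a dict keyed by the assumed field names."""
    values = line.rstrip("\n").split(";")
    if len(values) != len(FIELDS):
        raise ValueError(f"unexpected field count in record: {line!r}")
    return dict(zip(FIELDS, values))


def naive_hits(text, needle="22"):
    """Substring match on the raw line: the approach that over-matches."""
    return [ln for ln in text.splitlines() if needle in ln]


def ssh_hits(text, port="22"):
    """Field-aware match: only records whose destination service is 22/tcp."""
    hits = []
    for ln in text.splitlines():
        rec = parse(ln)
        if rec["service"] == port and rec["proto"] == "tcp":
            hits.append(ln)
    return hits


if __name__ == "__main__":
    print("substring matches:", len(naive_hits(SAMPLE)))   # 3 (two are noise)
    print("field-aware matches:", len(ssh_hits(SAMPLE)))   # 1
```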