Just for the record, although it's not a really good solution: If you use "User Defined" as Track Type, you can, under Policy -> Properties -> Log and Alert, configure it to use logger.

Drawbacks:

1) You cannot use "User Defined" for something else, like IDS. Lance Spitzner wrote a paper about doing just that: http://www.enteract.com/~lspitz/intrusion.html

2) It still does not have native support for any logging method except its own proprietary format. So you'll lose some performance by calling upon another program.

3) And I'm pretty sure you cannot get the "Log Implied Rules" setting to log this way. (This option is only available in Firewall-1 4.1 or later.)

So, there are some tricks that can be used, but IMHO, none is perfect. Check Point really ought to stop using so many proprietary formats :)

The biggest drawback of using fw logswitch and converting the output (it should be rotated periodically in any case) is that you increase your detection window. If you just want to depend on your IDSes for alerting, then I would recommend using this method. "fw log -ft | logger" and "user defined" both give immediate notice, but are associated with more overhead.

I haven't done any performance tests on any of this, so the performance statements are me doing guesswork, nothing else.

Great list by the way.

Regards,
Patrik Sternudd

---------------------------------------------------------------------
To unsubscribe, e-mail: loganalysis-unsubscribeat_private
For additional commands, e-mail: loganalysis-helpat_private
This archive was generated by hypermail 2b30 : Tue Sep 04 2001 - 13:36:06 PDT