Re: [loganalysis] Checkpoint FW-1 and syslog

From: johanat_private
Date: Tue Sep 04 2001 - 15:01:41 PDT


    That is why I also always use fw log -ft, with both flags only the new 
    logs will be output in text format.
    
    I'm quite sure that it will be possible to use the "user defined" option 
    for logging in the gui and enter 'logger' as the user defined command to 
    run. I like the 'fw log -ft' alternative better myself though.
    
    //johan
    
    --On tisdag 4 september 2001 11.54 -0500 Tina Bird 
    <tbird@precision-guesswork.com> wrote:
    
    > As Johan pointed out a few days ago, you can use the
    > Checkpoint command $FWDIR/bin/fw log -f to convert from
    > the Checkpoint proprietary log format to plain text,
    > and then the UNIX "logger" utility to get the plain text
    > into syslog.  However, be aware that the "fw log -f"
    > converts >everything< in the network connections log to
    > text -- so every time you stop and restart the firewall,
    > you will blat out everything in the connections log
    > back into syslog.
    >
    > We recommend to our customers that they perform a log
    > rotation on the network connection logs every time they
    > restart the system - that way there are no duplicates.
    > IIRC, the command is $FWDIR/bin/fw logswitch...Chris,
    > is that right?
    >
    > Also, there's a lot of valuable information about the
    > health of the firewall that doesn't show up in either
    > the network connection logs or the standard host OS
    > syslog, especially if you use the GUI for firewall
    > management (this includes things like administrators
    > logging into and out of the GUI, and pushing new policies
    > to the firewalls).  If you want to capture that info in
    > your central logserver, you need to do the "logger"
    > trick described above with the file $FWDIR/log/cpmgmt.aud.
    >
    > On Mon, 3 Sep 2001, Chris Brenton wrote:
    >
    >> Date: Mon, 3 Sep 2001 08:17:41 -0400 (EDT)
    >> From: Chris Brenton <cbrentonat_private>
    >> To: Ralf Hildebrandt <Ralf.Hildebrandtat_private>
    >> Cc: Mamoat_private, loganalysisat_private
    >> Subject: Re: [loganalysis] Checkpoint FW-1 and syslog
    >>
    >> On Sun, 2 Sep 2001, Ralf Hildebrandt wrote:
    >>
    >> > On Sun, Sep 02, 2001 at 08:31:07AM +0200, Mamoat_private wrote:
    >> > > How  is  it  possible  to  send  the FW-1 log to a central syslog
    >> > > server in real time.
    >> >
    >> > Does FW-1 use syslog() calls at all? If yes, the "man syslog.conf"
    >> > Or have they done their own reinvention of syslog() ?
    >>
    >> Sorry, but FW-1 will not send firewall logs to Syslog (not that
    >> I've ever found). It's a proprietary format so it's not like you can even
    >> run Swatch on the firewall itself.
    >>
    >> A better bet may be to run something like Netfilter in front or behind
    >> FW-1. The bonus is that you can take advantage of its log prefixing
    >> capability. Something like:
    >>
    >> iptables -A FORWARD -p tcp --tcp-flags ALL SYN,FIN -j LOG --log-prefix " SYNFINSCAN "
    >>
    >> iptables -A FORWARD -p icmp -f -j LOG --log-prefix " ICMPFRAG "
    >>
    >> iptables -A FORWARD -p tcp -d 0/0 --dport 12345:12346 -j LOG --log-prefix " NETBUS "
    >>
    >> This dumps the detected patterns to messages. Now you just have
    >> Swatch or whatever pattern match on the keywords you define.
    >>
    >> HTH,
    >> C
    >> **************************************
    >> cbrentonat_private
    >>
    >> $ chown -R us:us yourbase
    >>
    >
    > LogAnalysis: http://kubarb.phsx.ukans.edu/~tbird/log-analysis.html
    > VPN:  http://kubarb.phsx.ukans.edu/~tbird/vpn.html
    > life: http://kubarb.phsx.ukans.edu/~tbird
    > work: http://www.counterpane.com
    ---------------------------------------------------------------------
    To unsubscribe, e-mail: loganalysis-unsubscribeat_private
    For additional commands, e-mail: loganalysis-helpat_private
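    Pattern-matching the LOG prefixes from Chris's rules once they reach syslog, as an added example that is not from the original thread: the sample lines are constructed, the helper names are mine, and plain awk stands in for Swatch.

```shell
#!/bin/sh
# Added example: summarise syslog lines tagged with the iptables LOG prefixes
# used in the thread (SYNFINSCAN, ICMPFRAG, NETBUS) per prefix and source
# address, the way a Swatch rule keyed on those keywords would.
# The log lines below are constructed, not real firewall output.

SAMPLE_LOG='Sep  4 15:01:41 fw kernel:  SYNFINSCAN IN=eth0 OUT=eth1 SRC=192.0.2.7 DST=198.51.100.5 PROTO=TCP SPT=1337 DPT=80 SYN FIN
Sep  4 15:01:42 fw kernel:  NETBUS IN=eth0 OUT=eth1 SRC=192.0.2.7 DST=198.51.100.5 PROTO=TCP SPT=4000 DPT=12345 SYN
Sep  4 15:01:43 fw kernel:  ICMPFRAG IN=eth0 OUT=eth1 SRC=192.0.2.9 DST=198.51.100.6 PROTO=ICMP TYPE=8 CODE=0
Sep  4 15:01:44 fw kernel:  NETBUS IN=eth0 OUT=eth1 SRC=192.0.2.7 DST=198.51.100.5 PROTO=TCP SPT=4001 DPT=12346 SYN
Sep  4 15:01:45 fw sshd[812]: Accepted publickey for admin from 10.0.0.2 port 51022'

# Read a syslog stream on stdin; print "<PREFIX> <SRC> <count>" per pair.
# Only kernel lines carrying one of our prefixes are considered, so unrelated
# syslog traffic (the sshd line above) is ignored.
summarize_fw_events() {
    awk '
        / kernel: +(SYNFINSCAN|ICMPFRAG|NETBUS) / {
            prefix = ""; src = ""
            for (i = 1; i <= NF; i++) {
                if ($i == "SYNFINSCAN" || $i == "ICMPFRAG" || $i == "NETBUS") prefix = $i
                else if ($i ~ /^SRC=/) src = substr($i, 5)
            }
            if (prefix != "" && src != "") count[prefix " " src]++
        }
        END { for (k in count) print k, count[k] }
    ' | sort
}

# Number of distinct source addresses that tripped the given prefix.
sources_for_prefix() {
    summarize_fw_events | awk -v p="$1" '$1 == p { n++ } END { print n + 0 }'
}

# Demonstration on the constructed sample.
printf '%s\n' "$SAMPLE_LOG" | summarize_fw_events
```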
    



    This archive was generated by hypermail 2b30 : Tue Sep 04 2001 - 15:33:20 PDT