On Wed, 11 Dec 2002, Rainer Gerhards wrote:

> Tina,
>
> > FW-1 off line. Bear in mind that they're only good for FW-1
> > on UNIX...they depend on the UNIX "logger" utility.
>
> Would this work on Windows if logger would be available - we have
> recoded logger for win... Soon to be seen ;)

Hi Rainer --

There are three pieces involved, at least in my way of looking at the sort of info one needs to get out of a firewall: operating system logs, network connection logs, and configuration/policy changes.

Clearly getting operating system logs is straightforward -- or if it's not, that's a different problem -- and I'm confident of your ability to get Windows Event Log data to syslog.

On a UNIX FW-1, the configuration changes (which are >>critical<< security information) are stored in a file called cpmgmt.aud, within the FW-1 root log directory. It's plain text, so my FW-1 to syslog guide recommends just doing a "tail -f" and piping to logger. Assuming that the same file exists on NT, you'd need to find a way to do the equivalent -- have a process that monitors that file for additions, and then writes them to the Event Log.

Network connection logs are stored in a Checkpoint-proprietary binary file. They supply a utility to convert them to ASCII, so the same general trick works: convert them to text, pipe them to logger. Since I didn't have any way to do that sort of sophisticated stuff on Windows (coding not being my strong suit), I usually just set the FW-1 to log network connections to SNMP and grabbed them that way.

Don't know how helpful that is -- I'm very inexperienced with FW-1 on Windows platforms -- but let me know.

Phoneboy, sorry for dragging you into the middle of this conversation, but figured you'd be the likeliest person to have more reliable information.

tbird

_______________________________________________
LogAnalysis mailing list
LogAnalysisat_private
http://lists.shmoo.com/mailman/listinfo/loganalysis
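The "convert to text, pipe to logger" pattern tbird describes for the UNIX FW-1 case, written out as a POSIX sh script. This is an added example, not code from the post or from tbird's FW-1 to syslog guide. Everything beyond what the post states is my assumption: that $FWDIR points at the FW-1 install and cpmgmt.aud sits under $FWDIR/log, that "fw log -f -n" is the ASCII converter that follows the binary connection log, and the facility, tag and line-length choices below.

```sh
#!/bin/sh
# Added example (not from the original post): forward FW-1 audit and
# connection records to syslog with tail -f / fw log and logger.
# Assumed paths and command names; adjust for the host in question.

FWDIR="${FWDIR:-/etc/fw}"                      # assumption: FW-1 install root
FW1_AUDIT="${FW1_AUDIT:-$FWDIR/log/cpmgmt.aud}" # audit trail named in the post
FW1_FACILITY="${FW1_FACILITY:-local4}"          # assumption: a free local facility

# Map a record kind to a syslog priority. Policy/config changes are the
# critical ones, so they go out at a higher severity than connection records.
fw1_priority() {
    case "$1" in
        audit) echo "$FW1_FACILITY.notice" ;;
        *)     echo "$FW1_FACILITY.info" ;;
    esac
}

# Normalise a stream of text records on stdin for syslog:
#  - strip CRs (logs copied off NT boxes carry them),
#  - drop blank lines so logger never emits an empty message,
#  - collapse tab/space runs (fw log output is tab separated) to one space,
#  - cap each line at 1000 bytes so the message stays under the classic
#    1024-byte syslog limit once the PRI and tag are prepended.
fw1_format() {
    tr -d '\r' \
      | sed -e '/^[[:space:]]*$/d' -e 's/[[:space:]][[:space:]]*/ /g' \
      | cut -c1-1000
}

# Follow a growing text file and ship each new line to syslog.
# The tag (-t) is what lets the syslog side tell audit from connection data.
fw1_follow() {
    file="$1"; kind="$2"
    tail -f "$file" | fw1_format | logger -t "fw1-$kind" -p "$(fw1_priority "$kind")"
}

# Start both forwarders. Guarded by FW1_FORWARD=1 so the functions above can
# be sourced or tested without touching a live host.
if [ "${FW1_FORWARD:-0}" = "1" ]; then
    fw1_follow "$FW1_AUDIT" audit &
    # Assumption: "fw log -f -n" follows the binary connection log and
    # prints it as text without DNS lookups, so it can be piped like the audit file.
    fw log -f -n | fw1_format | logger -t fw1-conn -p "$(fw1_priority conn)" &
    wait
fi
```

Two things to check before trusting this on a real box. First, tail -f follows the file it opened, so when FW-1 switches logs or cpmgmt.aud is rotated the forwarder keeps watching the old file; restart it after a log switch, or use tail -F where the platform's tail supports it. Second, logger emits one syslog message per input line, so the blank-line filter and the length cap in fw1_format are what keep an unusual audit entry from producing empty or truncated messages on the collector.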
This archive was generated by hypermail 2b30 : Wed Dec 11 2002 - 15:04:47 PST