Tyler, Grayling wrote:
> A couple of questions for the list; While the GUI is great for some, I
> prefer to use (insert favorite scripting language here) to parse the
> logs into reports. While looking at the NG-1 logs I've found that you
> have to extract them using the 'fwm logexport' command.
>
This is for fw.log (eventually renamed with the date/time) and the
corresponding .logptr.
> Once extracted I found that the audit log (fw.adtlog) appears to list
> objects by name followed by a number (guid?) i.e. "...node1234,
> host_plain,network_objects,Create,{939F6E91-33D1-4562-B791-BDC7218AD88E}".
>
fw.log and fw.adtlog are two 100% different logs. The first logs what the
firewall module does (accept/drop/encrypt/...); the latter logs what the
administrator has done using the GUI!
> My questions are: 1) is there a way to default the logs to text format
> as they are collected?
>
Not really, you may use a "user defined alert" and "logger" in order to
send the fw module logs in real time through syslog (but it's slow). Have
a look at Lance Spitzner's (honeynet.org) scripts, there is one using this
feature.
An alternate solution would be something like "fwm log -f
fw.log|logger", but you'll have to handle the end of logs (restarting
your script after "fwm switchlog", "fwm log -f" will never end?).
> 2) am I correct in the assumption that the number corresponds to the
> object listed (or is there more information that can be gleaned from
> the number and if so how).
>
You may find info in the OPSEC SDK, there are / were examples for
reading the logs (either the files or using the network API).
I remember WebTrends (now NetIQ?) reads the fw logs without the need
to export them to ASCII, could be worth having a look at it (it's a fw
report generator).
> Any additional tips or insight you'd care to add would be appreciated
> as well.
>
There is / was an issue when switching the logs... the first accounting
logs were almost empty (no source/destination)!
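Added example, not from either poster: a small parser for exported audit-log records of the shape quoted above, which keys object history on the GUID rather than the name, so a deleted-and-recreated object is not merged with its predecessor. The five-field order and the comma delimiter are assumptions taken from the quoted fragment, not Check Point's documented export format.

```python
import re
from collections import defaultdict

# Constructed sample of exported fw.adtlog records, modelled on the fragment
# quoted in the thread. Field order (name, type, class, action, GUID) and the
# comma delimiter are assumptions, not Check Point's documented export format.
SAMPLE_ADTLOG = """\
node1234,host_plain,network_objects,Create,{939F6E91-33D1-4562-B791-BDC7218AD88E}
node1234,host_plain,network_objects,Modify,{939F6E91-33D1-4562-B791-BDC7218AD88E}
web_srv,host_plain,network_objects,Create,{0A1B2C3D-1111-2222-3333-444455556666}
web_srv,host_plain,network_objects,Delete,{0A1B2C3D-1111-2222-3333-444455556666}
web_srv,host_plain,network_objects,Create,{7E7E7E7E-AAAA-BBBB-CCCC-DDDDEEEEFFFF}
this line is not a record
"""

FIELDS = ("name", "type", "class", "action", "guid")
# Brace-wrapped GUID as in the quoted sample: 8-4-4-4-12 hex digits.
GUID_RE = re.compile(r"^\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}$")


def parse_record(line, delim=","):
    """Split one exported line into a dict, or return None if it does not
    have exactly five fields ending in a GUID (junk, headers, wrapped lines)."""
    parts = [p.strip() for p in line.strip().split(delim)]
    if len(parts) != len(FIELDS) or not GUID_RE.match(parts[-1]):
        return None
    return dict(zip(FIELDS, parts))


def guids_per_name(text, delim=","):
    """Map each object name to the GUIDs it has carried, in first-seen order.
    More than one GUID under a name means the object was deleted and
    re-created; a report keyed on the name alone would merge two objects."""
    seen = defaultdict(list)
    for line in text.splitlines():
        rec = parse_record(line, delim)
        if rec and rec["guid"] not in seen[rec["name"]]:
            seen[rec["name"]].append(rec["guid"])
    return dict(seen)


def guid_history(text, delim=","):
    """Map each GUID to its ordered (action, name) events: the stable key
    for following one object through create/modify/delete."""
    hist = defaultdict(list)
    for line in text.splitlines():
        rec = parse_record(line, delim)
        if rec:
            hist[rec["guid"]].append((rec["action"], rec["name"]))
    return dict(hist)
```

Run against a real export, pass the delimiter your fwm logexport invocation actually used; anything that does not parse as a five-field GUID record is skipped rather than guessed at.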
_______________________________________________
LogAnalysis mailing list
LogAnalysis@private
http://lists.shmoo.com/mailman/listinfo/loganalysis
This archive was generated by hypermail 2.1.3 : Sat Sep 11 2004 - 10:20:14 PDT