[logs] RE: Checkpoint ng-1

From: Pauls, Nicole (npauls@private)
Date: Wed Sep 22 2004 - 19:16:34 PDT


The original of this thread was from back a week or so now, but I'm catching
up on list mail.

Tyler, Grayling said:

<snip>
> My
> questions are: 1) is there a way to default the logs to text format as
> they are collected? 

As the previous poster (Stephane) mentioned there are really 2 ways:

1) A user defined alert using syslog (or another logging tool). I have found
this to be really slow. With high enough log volumes, syslog gets behind, and
it starts churning CPU. 

For this, you might also check out the PhoneBoy logging and alerting FAQs:
	http://www.phoneboy.com/bin/view.pl/FAQs/LoggingAndAlertingFAQs

2) A tool that uses OPSEC LEA, either of your own doing, or one that's
already built. There aren't a lot of free products out there that I've seen
that do CheckPoint NG logging, I guess because OPSEC is not terribly friendly
(it's not like parsing a Cisco log for example). It works, and does provide
the information you need, and can provide it in near "real-time". Another
advantage to using the LEA is that you can do it remotely (and it is still
encrypted, unlike syslogging remotely). 

The OPSEC SDK, as Stephane mentioned, does ship with an LEA example. The
example they provide can be modified slightly to grab the logs and output
them to the screen in real time, and you could wrap that with a perl script
that would restart if the program exited, just in case something like the log
rotation tripped you off. You will want two connections, one to the fw.log,
and one to the fw.adtlog, to get full coverage (as was mentioned, the fw.log
has normal traffic and SmartDefense logs, the adtlog has administrative
stuff).

I have found that the examples in the OPSEC SDK take a little TLC, but do
work once you figure them out. If you're not a C kind of person, it could be
an uphill battle. Their documentation isn't terribly good either, I think
some of CP's stuff is caught in 4.1 land still, just with NG tidbits here and
there.

You might check out FW1-LogGrabber, a project from Torsten Fellhauer:
	http://fellhauer-web.de/projects/fw1-loggrabber.html

I have not tried it locally on the firewall, but I have used it remotely
before. To do it remotely, you will have to follow the standard OPSEC client
procedures -- add an OPSEC LEA host in the SmartDashboard, grab the
certificate with the opsec_pull_cert tool from the CheckPoint OPSEC SDK, and
provide it to the client application. Same thing you'd want to do if you
wrote your own tool to work remotely.

The FW1-Loggrabber tool is not fully aware of all fields that the firewall
can generate, especially with NG AI firewalls. If you see fields that aren't
mapped, you might drop him a note if you know what they are. I sent along
what I saw from fw logexport hoping it would help, but I don't think there's
been a rev since then. 

> 2) am I correct in the assumption that the number
> corresponds to the object listed (or is there more 
> information that can
> be gleaned from the number and if so how).

The topmost line in the fwm logexport shows you what the fields are. If you
use "fw log" instead, it will colon separate the field and the data, but I
prefer logexport myself as fields that aren't present in any given message
will still have data so you can line things up in excel (for example).

Here is an old old line from my adtlog file in fw log format:

16:22:14 accept locutus    <    product: Policy Editor; ObjectName: Standard;
ObjectType: firewall_policy; ObjectTable: fw_policies; Operation: Create;
Uid: {5D99AAB7-A2E5-4338-8496-BD81BBE44A10}; Administrator: admin; Machine:
locutus; 

Same line in fwm logexport format:

3;30Dec2002;16:22:14;locutus;log;accept;;;outbound;Policy Editor;Standard;firewall_policy;fw_policies;Create;{5D99AAB7-A2E5-4338-8496-BD81BBE44A10};admin;locutus;;;

Here's the fields lined up with their data and a little info:

num: 3
	absolute number of entry in log file
date: 30Dec2002
	date entry was logged
time: 16:22:14
	time entry was logged
orig: locutus
	origin firewall
type: log
	type of message
action: accept
	action taken - in the adtlog this will usually be accept, but in a
	regular log it could be accept, drop, decrypt, maybe some others
alert:
	I don't see a lot of these filled in in either log, so I'm not sure
	here.
i/f_name:
	not going to have this in policy messages either, but it would
	normally be the interface name, e.g. eth0
i/f_dir: outbound
	direction of traffic -- seems to always be outbound on adtlog
	messages
product: Policy Editor
	component -- In the adtlog it's what product is being used. In the
	fw.log, usually "VPN-1 & Firewall-1" or "SmartDefense(+)VPN-1 &
	Firewall-1"
ObjectName: Standard
	which policy object you were editing
ObjectType: firewall_policy
	what type of object it was
ObjectTable: fw_policies
	where it was found
Operation: Create
	what you were doing
Uid: {5D99AAB7-A2E5-4338-8496-BD81BBE44A10}
	I believe this is the UID of the thing you were editing, as it seems
	to change with different entries.
Administrator: admin
	who made the change
Machine: locutus
	where they made the change from
FieldsChanges:
	I don't usually see this one filled out in adtlog messages.
session_id:
	Same here.
Additional Info:
	Same here.

YMMV on the information I provided, this is all from experience. I can
provide a little bit of information on fields found in the fw.log messages if
that would help also. It's hard to find a lot of detail on CP Log Analysis in
my experience, and I don't think it's fair to have to buy a third-party
product to get information that other vendors do provide on their websites or
in their product documentation. 

Good luck,
-nicole
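Added example (not part of Nicole's mail, and not code from Check Point, the OPSEC SDK or FW1-LogGrabber): a small Python parser for the two adtlog representations shown above. The logexport header line is reconstructed from the field list in the mail (a real export carries it as its first line, and the column order is assumed to match that list); both sample records are the mail's own lines re-joined onto one line each. The logexport parser keeps any columns beyond the header under an "extra" key instead of dropping them, which is the failure mode the mail describes for tools that are not aware of every field an NG AI firewall can emit.

```python
import re

# Field names in the order the mail lists them for fwm logexport output
# (constructed from that list; a real export has them on its first line).
LOGEXPORT_HEADER = (
    "num;date;time;orig;type;action;alert;i/f_name;i/f_dir;product;"
    "ObjectName;ObjectType;ObjectTable;Operation;Uid;Administrator;Machine;"
    "FieldsChanges;session_id;Additional Info"
)

# The two sample records from the mail, re-joined onto single lines.
SAMPLE_LOGEXPORT = (
    "3;30Dec2002;16:22:14;locutus;log;accept;;;outbound;Policy Editor;Standard;"
    "firewall_policy;fw_policies;Create;{5D99AAB7-A2E5-4338-8496-BD81BBE44A10};"
    "admin;locutus;;;"
)
SAMPLE_FWLOG = (
    "16:22:14 accept locutus    <    product: Policy Editor; ObjectName: Standard; "
    "ObjectType: firewall_policy; ObjectTable: fw_policies; Operation: Create; "
    "Uid: {5D99AAB7-A2E5-4338-8496-BD81BBE44A10}; Administrator: admin; Machine: locutus;"
)


def parse_logexport(line, header=LOGEXPORT_HEADER):
    """Map one semicolon-separated logexport record onto the header's names.

    Columns beyond the header are kept under 'extra' rather than dropped, so
    a firewall that adds fields cannot silently lose data; missing trailing
    columns become empty strings so every record has the same keys.
    """
    names = header.split(";")
    values = line.rstrip("\r\n").split(";")
    record = {name: (values[i] if i < len(values) else "")
              for i, name in enumerate(names)}
    record["extra"] = values[len(names):]
    return record


# 'fw log' prefix: time, action, origin, an optional direction marker
# (the '<' seen in the sample; its meaning is not interpreted here).
_FWLOG_PREFIX = re.compile(r"^(\d\d:\d\d:\d\d)\s+(\S+)\s+(\S+)\s+([<>])?\s*(.*)$")


def parse_fwlog(line):
    """Parse one 'fw log' line into a dict of its 'key: value;' pairs."""
    m = _FWLOG_PREFIX.match(line.strip())
    if not m:
        raise ValueError("not an fw log line: %r" % line)
    time_, action, orig, marker, rest = m.groups()
    record = {"time": time_, "action": action, "orig": orig,
              "marker": marker or ""}
    for pair in rest.split(";"):
        if ":" not in pair:
            continue                      # trailing empty piece after last ';'
        key, value = pair.split(":", 1)   # values may themselves contain ':'
        record[key.strip()] = value.strip()
    return record


def audit_summary(record):
    """One-line who/what/where digest of an adtlog record from either parser,
    the sort of line worth forwarding for review of policy changes."""
    return "%s@%s %s %s '%s' (uid %s)" % (
        record.get("Administrator", ""), record.get("Machine", ""),
        record.get("Operation", ""), record.get("ObjectType", ""),
        record.get("ObjectName", ""), record.get("Uid", ""))


if __name__ == "__main__":
    print(audit_summary(parse_logexport(SAMPLE_LOGEXPORT)))
    print(audit_summary(parse_fwlog(SAMPLE_FWLOG)))
```

Both parsers yield the same ObjectName/ObjectType/Operation/Uid/Administrator/Machine values for the two sample lines, which is a cheap way to check that a logexport header you have been handed really matches the columns in the data before trusting it in a spreadsheet or a correlation rule.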
_______________________________________________
LogAnalysis mailing list
LogAnalysis@private
http://lists.shmoo.com/mailman/listinfo/loganalysis



This archive was generated by hypermail 2.1.3 : Fri Sep 24 2004 - 09:38:41 PDT