
RE: [FW1] Firewall Log analyser





I recently put my firewall into production and started dumping the logs into
an Oracle database for analysis (I will be glad to email the data structure
and control file to anyone who wants it).  I noticed right away that the
fields aren't always consistent.  

However, the problem only seems to be with the last few fields.  I have been
gathering data for the past 3 weeks and the first 16 fields seem to remain
constant.  I have been compiling a daily list of the field structure based
on the first record in the log export.  Here is the data from the last three
weeks.

num;date;time;orig;type;action;alert;i/f_name;i/f_dir;proto;src;dst;service;s_port;len;rule;icmp-type;icmp-code;sys_msgs
num;date;time;orig;type;action;alert;i/f_name;i/f_dir;proto;src;dst;service;s_port;len;rule;icmp-type;icmp-code;sys_msgs
num;date;time;orig;type;action;alert;i/f_name;i/f_dir;proto;src;dst;service;s_port;len;rule;icmp-type;icmp-code;reason;reason:;port:;user;sys_msgs
num;date;time;orig;type;action;alert;i/f_name;i/f_dir;proto;src;dst;service;s_port;len;rule;icmp-type;icmp-code;reason;sys_msgs
num;date;time;orig;type;action;alert;i/f_name;i/f_dir;proto;src;dst;service;s_port;len;rule;icmp-type;icmp-code;reason:;port:;sys_msgs
num;date;time;orig;type;action;alert;i/f_name;i/f_dir;proto;src;dst;service;s_port;len;rule;icmp-type;icmp-code;sys_msgs
num;date;time;orig;type;action;alert;i/f_name;i/f_dir;proto;src;dst;service;s_port;len;rule;icmp-type;icmp-code;reason:;port:;user;reason;sys_msgs
num;date;time;orig;type;action;alert;i/f_name;i/f_dir;proto;src;dst;service;s_port;len;rule;icmp-type;icmp-code;reason:;sys_msgs
num;date;time;orig;type;action;alert;i/f_name;i/f_dir;proto;src;dst;service;s_port;len;rule;icmp-type;icmp-code;sys_msgs
num;date;time;orig;type;action;alert;i/f_name;i/f_dir;proto;src;dst;service;s_port;len;rule;icmp-type;icmp-code;reason:;port:;sys_msgs
num;date;time;orig;type;action;alert;i/f_name;i/f_dir;proto;src;dst;service;s_port;len;rule;icmp-type;icmp-code;sys_msgs
num;date;time;orig;type;action;alert;i/f_name;i/f_dir;proto;src;dst;service;s_port;len;rule;icmp-type;icmp-code;sys_msgs
num;date;time;orig;type;action;alert;i/f_name;i/f_dir;proto;src;dst;service;s_port;len;rule;icmp-type;icmp-code;sys_msgs
num;date;time;orig;type;action;alert;i/f_name;i/f_dir;proto;src;dst;service;s_port;len;rule;icmp-type;icmp-code;reason:;port:;sys_msgs
num;date;time;orig;type;action;alert;i/f_name;i/f_dir;proto;src;dst;service;s_port;len;rule;icmp-type;icmp-code;reason:;port:;sys_msgs
num;date;time;orig;type;action;alert;i/f_name;i/f_dir;proto;src;dst;service;s_port;len;rule;icmp-type;icmp-code;sys_msgs
num;date;time;orig;type;action;alert;i/f_name;i/f_dir;proto;src;dst;service;s_port;len;rule;icmp-type;icmp-code;sys_msgs
num;date;time;orig;type;action;alert;i/f_name;i/f_dir;proto;src;dst;service;s_port;len;rule;icmp-type;icmp-code;sys_msgs
num;date;time;orig;type;action;alert;i/f_name;i/f_dir;proto;src;dst;service;s_port;len;rule;icmp-type;icmp-code;sys_msgs

From this output it looks like the first 18 fields are good but before I
started recording the output, I had instances where the two icmp fields were
not present.  I have opened a trouble ticket with Checkpoint on this problem
and will keep you all posted.

Jim Edwards
Systems Manager
Texas Secretary of State
jedwards@sos.state.tx.us
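
The approach Jim describes above (record the header of each export, treat the first 16 fields as fixed and the tail as variable) can be turned into a parser that never relies on column positions for the trailing fields. The following is an added example and is not code from the thread or from Check Point; it is in Python rather than the Perl the posters recommend. The field names are those listed above; the three sample exports, the log records in them and the reason text are constructed for illustration and are not real fw export output. It reads the field names from each export's header, checks that the fixed prefix still matches, warns when the icmp fields or a record's field count are off, collapses `reason` and `reason:` to one name, and flattens each record into a fixed column list plus one JSON column for the variable tail, which is one way to load the data into a table with a fixed schema.

```python
"""Header-driven parser for FireWall-1 'fw export' output whose trailing
fields vary from export to export.

Added example, not code from the thread. The field names are the ones
listed in the message above; the sample exports below are constructed and
the reason text in them is hypothetical.
"""
import csv
import io
import json

# Fields reported in the thread as stable across three weeks of exports.
FIXED_FIELDS = [
    "num", "date", "time", "orig", "type", "action", "alert", "i/f_name",
    "i/f_dir", "proto", "src", "dst", "service", "s_port", "len", "rule",
]
# Usually present, but the thread reports exports where they were absent.
OPTIONAL_FIELDS = ["icmp-type", "icmp-code"]


def normalize_name(name):
    """'reason:' and 'reason' name the same attribute; drop the colon."""
    return name.strip().rstrip(":").lower()


def parse_export(text):
    """Parse one export. Returns (rows, warnings).

    Every row has all FIXED_FIELDS keys, the OPTIONAL_FIELDS keys (None when
    the header lacks them) and an 'extra' dict of whatever trailing fields
    this export carried, keyed by normalized name. A name that repeats in
    the header (e.g. 'reason;reason:') collects its values into a list.
    """
    reader = csv.reader(io.StringIO(text), delimiter=";")
    names = [normalize_name(n) for n in next(reader)]
    warnings = []

    # Schema check: the fixed prefix must match exactly, in order.
    if names[:len(FIXED_FIELDS)] != FIXED_FIELDS:
        raise ValueError("unexpected fixed-field prefix: %r" % names[:len(FIXED_FIELDS)])
    for opt in OPTIONAL_FIELDS:
        if opt not in names:
            warnings.append("header lacks %s" % opt)

    rows = []
    for lineno, values in enumerate(reader, start=2):
        if not values:
            continue
        if len(values) != len(names):
            warnings.append("line %d: %d values for %d header fields"
                            % (lineno, len(values), len(names)))
            continue
        row = dict.fromkeys(FIXED_FIELDS + OPTIONAL_FIELDS)
        extra = {}
        for name, value in zip(names, values):
            if name in row and row[name] is None:
                row[name] = value            # first occurrence of a known field
            else:
                extra.setdefault(name, []).append(value)  # variable tail
        row["extra"] = {k: v[0] if len(v) == 1 else v for k, v in extra.items()}
        rows.append(row)
    return rows, warnings


def to_table_row(row):
    """Flatten a parsed row for a fixed-column database load: the 16 stable
    columns, the two icmp columns, then the variable tail as one JSON string."""
    return [row[f] for f in FIXED_FIELDS + OPTIONAL_FIELDS] + \
        [json.dumps(row["extra"], sort_keys=True)]


# Constructed samples; each header shape is one of those seen in the thread.
HDR = "num;date;time;orig;type;action;alert;i/f_name;i/f_dir;proto;src;dst;service;s_port;len;rule"
SAMPLE_A = (HDR + ";icmp-type;icmp-code;sys_msgs\n"
            "1;1Sep1999;10:00:01;fw1;log;accept;;hme0;inbound;tcp;10.0.0.5;192.0.2.10;http;1034;48;3;;;\n"
            "bogus;line\n")
SAMPLE_B = (HDR + ";icmp-type;icmp-code;reason:;port:;user;reason;sys_msgs\n"
            "2;3Sep1999;10:05:44;fw1;log;drop;;hme0;inbound;tcp;203.0.113.7;192.0.2.10;telnet;2201;44;12;;;unknown user;23;alice;no rule matched;\n")
SAMPLE_C = (HDR + ";sys_msgs\n"
            "3;4Sep1999;11:00:00;fw1;log;accept;;hme0;outbound;udp;192.0.2.20;198.51.100.1;domain;1029;60;5;\n")

if __name__ == "__main__":
    for sample in (SAMPLE_A, SAMPLE_B, SAMPLE_C):
        rows, warnings = parse_export(sample)
        for r in rows:
            print(to_table_row(r))
        for w in warnings:
            print("WARNING:", w)
```

The schema check is the important part for a log you intend to trust in an investigation: if a later export ever reorders or drops one of the 16 fixed fields, the loader refuses it instead of silently writing source addresses into the wrong column, and the warnings list tells you when the icmp fields are missing rather than empty.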


-----Original Message-----
From: Michael Sleeper [mailto:Sleeper@co.richmond.ga.us]
Sent: Wednesday, September 01, 1999 7:02 AM
To: 'John Horn'; Darius Basil Fan
Cc: Checkpoint Mailing List
Subject: RE: [FW1] Firewall Log analyser



PERL works great!  

Unfortunately (as some of us are discovering), the output generated by
fw export is not always consistent.  The order of the fields appears to
change.  I haven't taken the time to find out what triggers the output
change, but maybe others on this list may have a bit more insight on the
matter.

=============================
Mike Sleeper
System Administrator
Information Technology
Augusta-Richmond County Government
http://www.co.richmond.ga.us
=============================

-----Original Message-----
From: John Horn [mailto:jhorn1@desperate.ci.tucson.az.us]
Sent: Tuesday, August 31, 1999 7:16 PM
To: Darius Basil Fan
Cc: Checkpoint Mailing List
Subject: Re: [FW1] Firewall Log analyser



On Tue, 31 Aug 1999, Darius Basil Fan wrote:

> 
> Hi,
> 
> I'm looking for a 3rd party software to analyse the log file generated
> by Checkpoint FireWall-1.
> 
> This software should be able to support generation of reports.
> 
> Does anyone in this list know of any software to do this?

Yes. Perl works extremely well.


================================================================================
     To unsubscribe from this mailing list, please see the instructions at
               http://www.checkpoint.com/services/mailing.html
================================================================================

