Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Splunking Checkpoint firewall audit log

alextsui
Path Finder
‎04-29-2010 06:02 PM

Hello, Is there a way I can configure the lea-loggrabber-splunk to collect Checkpoint's audit log(audit.log), instead of the default collection on traffic log(fw1.log)? I am using the lea-loggrabber-splunk downloaded from http://www.splunk.com/wiki/Apps:Configure_OPSEC_LEA_input

Also, I noticed that the Offline Mode was used as the collection method. Was there a reason why the Offline Mode was preferred over the Online Mode?

thanks

Reply
1 Solution
Solved! Jump to solution
Solution

Chubbybunny
Splunk Employee
Splunk Employee
‎06-21-2011 04:14 PM

haven't had any luck getting the splunk lea_loggrabber to retrieve audit logs, but was able to get it using the FW1-loggrabber binary

http://sourceforge.net/projects/fw1-loggrabber

FW1-Loggrabber>fw ver
This is Check Point VPN-1(TM) & FireWall-1(R) R75 - Build 254

    [root@localhost etc]# ../bin/fw1-loggrabber
    loc=151|time=2011-06-21 15:57:49|action=accept|orig=172.16.12.202|i/f_dir=outbound|i/f_name=|has_accounting=0|uuid=<00000000,00000000,00000000,00000000>|product=SmartDashboard|Operation=Log Out|Administrator=admin|Machine=WIN-BVJQ2GHXBVN|Subject=Administrator Login|Operation Number=12
[root@localhost etc]# grep audit fw1-loggrabber.conf
FW1_LOGFILE="audit.log"
# FW1_MODE=<audit|normal>
FW1_MODE="audit"

View solution in original post

Reply
Solved! Jump to solution

Chubbybunny
Splunk Employee
Splunk Employee
‎06-23-2011 09:59 AM 
[root@localhost default]# cat /opt/splunk/etc/apps/fw1-loggrabber/bin/fw1-loggrabber.sh; /opt/splunk/etc/apps/fw1-loggrabber/bin/fw1-loggrabber.sh |head -n 1; cat /opt/splunk/etc/apps/fw1-loggrabber/default/fw1-loggrabber.conf
#!/bin/bash

cd /opt/splunk/etc/apps/fw1-loggrabber/bin
./fw1-loggrabber -l /opt/splunk/etc/apps/fw1-loggrabber/default/lea.conf -c /opt/splunk/etc/apps/fw1-loggrabber/default/fw1-loggrabber.conf
loc=0|time=1308349341|action=accept|orig=172.16.12.202|i/f_dir=outbound|i/f_name=|has_accounting=0|uuid=<00000000,00000000,00000000,00000000>|product=FWM|ObjectName=WIN-BVJQ2GHXBVN|ObjectType=gateway_ckp|ObjectTable=network_objects|Operation=Create Object|Uid={7E101A87-F44F-4D4B-B34E-41A2F38B8768}|Administrator=Security Management Server|Machine=localhost|Subject=Object Manipulation|Operation Number=0|FieldsChanges=IP Address: '172.16.12.202'; 
# DEBUG_LEVEL=<debuglevel>
DEBUG_LEVEL="0"

#
# FW1 configuration settings
#
# FW1_LOGFILE=<Name of FW1-Logfilename>
FW1_LOGFILE="audit.log"

# FW1_OUTPUT=<files|logs>
FW1_OUTPUT="logs"

# FW1_TYPE=<ng|2000>
FW1_TYPE="ng"

# FW1_MODE=<audit|normal>
FW1_MODE="audit"

# ONLINE_MODE=<yes|no>
ONLINE_MODE="no"

# RESOLVE_MODE=<yes|no>
RESOLVE_MODE="no"

# SHOW_FIELDNAMES=<yes|no>
SHOW_FIELDNAMES="yes"

# RECORD_SEPARATOR=<char>
RECORD_SEPARATOR="|"

# DATEFORMAT=<cp|unix|std>
#   cp   = " 3Feb2004 14:15:16"
#   unix = "1051655431"
#   std  = "2004-02-03 14:15:16"
DATEFORMAT="unix"

# LOGGING_CONFIGURATION=<screen|file|syslog|odbc>
# syslog mode is only Unix like Operating Systems, such as Linux, Solaris
LOGGING_CONFIGURATION=screen

# OUTPUT_FILE_PREFIX=<Path and Name of outputfile>
OUTPUT_FILE_PREFIX="fw1-loggrabber"

# OUTPUT_FILE_ROTATESIZE=<maximum size of outputfile in bytes>
OUTPUT_FILE_ROTATESIZE=1048576

# SYSLOG_FACILITY=<USER|LOCAL0|...|LOCAL7>
SYSLOG_FACILITY="LOCAL1"

# ODBC_DSN=<dsn>
#ODBC_DSN=FW1-LOGGRABBER

# FW1_FILTER_RULE=<rule>
#FW1_FILTER_RULE="action=drop"

# AUDIT_FILTER_RULE=<rule>
#AUDIT_FILTER_RULE="action=accept"

# FIELDS=<field1;field2;...>
#FIELDS=loc;src;dst

[root@localhost default]#

is that a possible typo in your configuration file?
One awesome feature is the ability to pass options instead to troubleshoot.

[root@localhost default]# /opt/splunk/etc/apps/fw1-loggrabber/bin/fw1-loggrabber --help

FW1-Loggrabber v1.11.1 (no ODBC-support)
    (C)2005, Torsten Fellhauer, Xiaodong Lin

Usage:
 /opt/splunk/etc/apps/fw1-loggrabber/bin/fw1-loggrabber [ options ]
  -c|--configfile <file>     : Name of Configfile (default: fw1-loggrabber.conf)
  -l|--leaconfigfile <file>  : Name of Leaconfigfile (default: lea.conf)
  -f|--logfile Logfile|ALL   : Name of Logfile (default: fw.log)
  --resolve|--no-resolve     : Resolve Port Numbers and IP-Addresses (Default: Resolve)
  --showfiles|--showlogs     : Show only Filenames of all available FW-1 Logfiles (default: showlogs)
  --2000|--ng                : Connect to a CP FW-1 4.1 (2000) (default is ng)
  --filter "..."             : Specify filters to be applied
  --fields "..."             : Specify fields to be printed
  --online|--no-online       : Enable Online mode (default: no-online)
  --auditlog|--normallog     : Get data of audit-logfile (fw.adtlog)(default: normallog)
  --fieldnames|--nofieldnames: Print fieldnames in each line or once at beginning
  --debug-level <level>      : Specify Debuglevel (default: 0 - no debugging)
  --help                     : Show usage informations
  --help-fields              : Show supported log fields
[root@localhost default]#
Reply
Solved! Jump to solution

EricPartington
Communicator
‎06-23-2011 10:29 AM

Thanks, I have the same version:
FW1-Loggrabber v1.11.1 (no ODBC-support)
(C)2005, Torsten Fellhauer, Xiaodong Lin
and have had to use the command line method of specifying the options as the config file keeps mentioning invalid options.
Have you used this binary for the fw.log files as well?
do you use this binary in online or offline mode to get the audit log items?
how do you ensure that you dont get dupliate events in splunk?

0 Karma
Reply
Solved! Jump to solution
Solution

Chubbybunny
Splunk Employee
Splunk Employee
‎06-21-2011 04:14 PM

haven't had any luck getting the splunk lea_loggrabber to retrieve audit logs, but was able to get it using the FW1-loggrabber binary

http://sourceforge.net/projects/fw1-loggrabber

FW1-Loggrabber>fw ver
This is Check Point VPN-1(TM) & FireWall-1(R) R75 - Build 254

    [root@localhost etc]# ../bin/fw1-loggrabber
    loc=151|time=2011-06-21 15:57:49|action=accept|orig=172.16.12.202|i/f_dir=outbound|i/f_name=|has_accounting=0|uuid=<00000000,00000000,00000000,00000000>|product=SmartDashboard|Operation=Log Out|Administrator=admin|Machine=WIN-BVJQ2GHXBVN|Subject=Administrator Login|Operation Number=12
[root@localhost etc]# grep audit fw1-loggrabber.conf
FW1_LOGFILE="audit.log"
# FW1_MODE=<audit|normal>
FW1_MODE="audit"
Reply
Solved! Jump to solution

spencers
Explorer
‎11-01-2011 06:19 AM

Could your typo be a missing quotation mark between the equals sign and the lowercase letter "a"? 😄

FW1_MODE=audit"

0 Karma
Reply
Solved! Jump to solution

EricPartington
Communicator
‎06-22-2011 08:21 PM

Can you share more details about how you are running the fw1-loggrabber binary? I am trying to use the latest version 1.11.1 on linux
i am getting errors about illegal entries in fw1-loggrabber.conf file
WARNING: Illegal entry in configuration file: FW1_MODE=audit"

the only entries that dont cause error messages are:
DEBUG_LEVEL="3"
FW1_LOGFILE="audit.log"
RECORD_SEPARATOR="|"

the rest have to be set via command line:
./fw1-loggrabber --resolve --showlogs (the lea.conf and fw1-loggrabber.conf are in local directory)
looking forward to your answers

0 Karma
Reply
Get Updates on the Splunk Community!

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...

Introducing the 2024 Splunk MVPs!

We are excited to announce the 2024 cohort of the Splunk MVP program. Splunk MVPs are passionate members of ...

Splunk Custom Visualizations App End of Life

The Splunk Custom Visualizations apps End of Life for SimpleXML will reach end of support on Dec 21, 2024, ...