Getting Data In

Splunking Checkpoint firewall audit log

Path Finder

Hello, is there a way I can configure the lea-loggrabber-splunk to collect Check Point's audit log (audit.log), instead of the default collection of the traffic log (fw1.log)? I am using the lea-loggrabber-splunk downloaded from http://www.splunk.com/wiki/Apps:Configure_OPSEC_LEA_input

Also, I noticed that the Offline Mode was used as the collection method. Was there a reason why the Offline Mode was preferred over the Online Mode?

Thanks

1 Solution

Splunk Employee

Haven't had any luck getting the Splunk lea_loggrabber to retrieve audit logs, but was able to get it using the FW1-Loggrabber binary

http://sourceforge.net/projects/fw1-loggrabber

FW1-Loggrabber>fw ver
This is Check Point VPN-1(TM) & FireWall-1(R) R75 - Build 254

    [root@localhost etc]# ../bin/fw1-loggrabber
    loc=151|time=2011-06-21 15:57:49|action=accept|orig=172.16.12.202|i/f_dir=outbound|i/f_name=|has_accounting=0|uuid=<00000000,00000000,00000000,00000000>|product=SmartDashboard|Operation=Log Out|Administrator=admin|Machine=WIN-BVJQ2GHXBVN|Subject=Administrator Login|Operation Number=12
    [root@localhost etc]# grep audit fw1-loggrabber.conf
    FW1_LOGFILE="audit.log"
    # FW1_MODE=<audit|normal>
    FW1_MODE="audit"


Splunk Employee
[root@localhost default]# cat /opt/splunk/etc/apps/fw1-loggrabber/bin/fw1-loggrabber.sh; /opt/splunk/etc/apps/fw1-loggrabber/bin/fw1-loggrabber.sh |head -n 1; cat /opt/splunk/etc/apps/fw1-loggrabber/default/fw1-loggrabber.conf
#!/bin/bash

cd /opt/splunk/etc/apps/fw1-loggrabber/bin
./fw1-loggrabber -l /opt/splunk/etc/apps/fw1-loggrabber/default/lea.conf -c /opt/splunk/etc/apps/fw1-loggrabber/default/fw1-loggrabber.conf
loc=0|time=1308349341|action=accept|orig=172.16.12.202|i/f_dir=outbound|i/f_name=|has_accounting=0|uuid=<00000000,00000000,00000000,00000000>|product=FWM|ObjectName=WIN-BVJQ2GHXBVN|ObjectType=gateway_ckp|ObjectTable=network_objects|Operation=Create Object|Uid={7E101A87-F44F-4D4B-B34E-41A2F38B8768}|Administrator=Security Management Server|Machine=localhost|Subject=Object Manipulation|Operation Number=0|FieldsChanges=IP Address: '172.16.12.202'; 
# DEBUG_LEVEL=<debuglevel>
DEBUG_LEVEL="0"

#
# FW1 configuration settings
#
# FW1_LOGFILE=<Name of FW1-Logfilename>
FW1_LOGFILE="audit.log"

# FW1_OUTPUT=<files|logs>
FW1_OUTPUT="logs"

# FW1_TYPE=<ng|2000>
FW1_TYPE="ng"

# FW1_MODE=<audit|normal>
FW1_MODE="audit"

# ONLINE_MODE=<yes|no>
ONLINE_MODE="no"

# RESOLVE_MODE=<yes|no>
RESOLVE_MODE="no"

# SHOW_FIELDNAMES=<yes|no>
SHOW_FIELDNAMES="yes"

# RECORD_SEPARATOR=<char>
RECORD_SEPARATOR="|"

# DATEFORMAT=<cp|unix|std>
#   cp   = " 3Feb2004 14:15:16"
#   unix = "1051655431"
#   std  = "2004-02-03 14:15:16"
DATEFORMAT="unix"

# LOGGING_CONFIGURATION=<screen|file|syslog|odbc>
# syslog mode is only Unix like Operating Systems, such as Linux, Solaris
LOGGING_CONFIGURATION=screen

# OUTPUT_FILE_PREFIX=<Path and Name of outputfile>
OUTPUT_FILE_PREFIX="fw1-loggrabber"

# OUTPUT_FILE_ROTATESIZE=<maximum size of outputfile in bytes>
OUTPUT_FILE_ROTATESIZE=1048576

# SYSLOG_FACILITY=<USER|LOCAL0|...|LOCAL7>
SYSLOG_FACILITY="LOCAL1"

# ODBC_DSN=<dsn>
#ODBC_DSN=FW1-LOGGRABBER

# FW1_FILTER_RULE=<rule>
#FW1_FILTER_RULE="action=drop"

# AUDIT_FILTER_RULE=<rule>
#AUDIT_FILTER_RULE="action=accept"

# FIELDS=<field1;field2;...>
#FIELDS=loc;src;dst

[root@localhost default]# 

Is that a possible typo in your configuration file?
One awesome feature is the ability to pass options on the command line instead, to troubleshoot.

[root@localhost default]# /opt/splunk/etc/apps/fw1-loggrabber/bin/fw1-loggrabber --help

FW1-Loggrabber v1.11.1 (no ODBC-support)
    (C)2005, Torsten Fellhauer, Xiaodong Lin

Usage:
 /opt/splunk/etc/apps/fw1-loggrabber/bin/fw1-loggrabber [ options ]
  -c|--configfile <file>     : Name of Configfile (default: fw1-loggrabber.conf)
  -l|--leaconfigfile <file>  : Name of Leaconfigfile (default: lea.conf)
  -f|--logfile Logfile|ALL   : Name of Logfile (default: fw.log)
  --resolve|--no-resolve     : Resolve Port Numbers and IP-Addresses (Default: Resolve)
  --showfiles|--showlogs     : Show only Filenames of all available FW-1 Logfiles (default: showlogs)
  --2000|--ng                : Connect to a CP FW-1 4.1 (2000) (default is ng)
  --filter "..."             : Specify filters to be applied
  --fields "..."             : Specify fields to be printed
  --online|--no-online       : Enable Online mode (default: no-online)
  --auditlog|--normallog     : Get data of audit-logfile (fw.adtlog)(default: normallog)
  --fieldnames|--nofieldnames: Print fieldnames in each line or once at beginning
  --debug-level <level>      : Specify Debuglevel (default: 0 - no debugging)
  --help                     : Show usage informations
  --help-fields              : Show supported log fields
[root@localhost default]# 

Communicator

Thanks, I have the same version:
FW1-Loggrabber v1.11.1 (no ODBC-support)
(C)2005, Torsten Fellhauer, Xiaodong Lin
and have had to use the command-line method of specifying the options, as the config file keeps mentioning invalid options.
Have you used this binary for the fw.log files as well?
Do you use this binary in online or offline mode to get the audit log items?
How do you ensure that you don't get duplicate events in Splunk?

0 Karma
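The record format shown in the accepted answer and the duplicate-event question just above, as an added example that is not code from the thread or from FW1-Loggrabber: a small Python parser for the pipe-delimited key=value output, a time normaliser for the unix and std DATEFORMAT settings, and a loc-based checkpoint so that repeated offline runs of the wrapper script do not forward the same audit events twice. The sample lines are copied from the output shown in the thread; the function names, the checkpoint dict and the assumption that a std timestamp is UTC are mine.

```python
import calendar
import time

# Constructed sample input: two lines of the form fw1-loggrabber prints with
# RECORD_SEPARATOR="|" and SHOW_FIELDNAMES="yes" (taken from the output shown
# in the thread); the first has a DATEFORMAT="std" time, the second "unix".
SAMPLE_LINES = [
    "loc=151|time=2011-06-21 15:57:49|action=accept|orig=172.16.12.202|i/f_dir=outbound|i/f_name=|has_accounting=0|uuid=<00000000,00000000,00000000,00000000>|product=SmartDashboard|Operation=Log Out|Administrator=admin|Machine=WIN-BVJQ2GHXBVN|Subject=Administrator Login|Operation Number=12",
    "loc=0|time=1308349341|action=accept|orig=172.16.12.202|i/f_dir=outbound|i/f_name=|has_accounting=0|uuid=<00000000,00000000,00000000,00000000>|product=FWM|ObjectName=WIN-BVJQ2GHXBVN|ObjectType=gateway_ckp|ObjectTable=network_objects|Operation=Create Object|Uid={7E101A87-F44F-4D4B-B34E-41A2F38B8768}|Administrator=Security Management Server|Machine=localhost|Subject=Object Manipulation|Operation Number=0|FieldsChanges=IP Address: '172.16.12.202'; ",
]

def parse_record(line, sep="|"):
    """Turn one output line into a dict. Split each field on the first '='
    only, because free-text values such as FieldsChanges may contain '='."""
    fields = {}
    for part in line.rstrip("\n").split(sep):
        if part:
            key, _, value = part.partition("=")
            fields[key] = value.strip()
    return fields

def event_epoch(fields):
    """Return the record time as Unix seconds for either DATEFORMAT. A 'std'
    timestamp is treated as UTC here (an assumption; in practice the
    management server's local zone applies)."""
    raw = fields["time"]
    if raw.isdigit():
        return int(raw)
    return calendar.timegm(time.strptime(raw, "%Y-%m-%d %H:%M:%S"))

def select_new(records, checkpoint, logfile="audit.log"):
    """Drop records already forwarded on an earlier run. Offline mode reads the
    log file from the beginning and exits, so a wrapper run on a schedule
    (assumed here, not stated in the thread) sees old records again; remember
    the highest 'loc' per file and keep only records above it. 'loc' restarts
    after a log switch, so clear the checkpoint when the file is rotated."""
    last = checkpoint.get(logfile, -1)
    fresh = [r for r in records if int(r["loc"]) > last]
    if fresh:
        checkpoint[logfile] = max(int(r["loc"]) for r in fresh)
    return fresh

if __name__ == "__main__":
    cp = {}  # the wrapper would persist this between runs (e.g. as JSON)
    for rec in select_new([parse_record(l) for l in SAMPLE_LINES], cp):
        print(event_epoch(rec), rec["product"], rec["Operation"])
```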


Explorer

Could your typo be a missing quotation mark between the equals sign and the lowercase letter "a"? 😄

FW1_MODE=audit"

0 Karma

Communicator

Can you share more details about how you are running the fw1-loggrabber binary? I am trying to use the latest version, 1.11.1, on Linux.
I am getting errors about illegal entries in the fw1-loggrabber.conf file:
WARNING: Illegal entry in configuration file: FW1_MODE=audit"

The only entries that don't cause error messages are:
DEBUG_LEVEL="3"
FW1_LOGFILE="audit.log"
RECORD_SEPARATOR="|"

The rest have to be set via the command line:
./fw1-loggrabber --resolve --showlogs (the lea.conf and fw1-loggrabber.conf are in the local directory)
Looking forward to your answers.

0 Karma