Splunk Search

Read/convert Checkpoint log files

kjetil
New Member

Hi.

I have a Checkpoint firewall managed by my WAN provider, and would like to be able to do more with the logs than the default GUI allows me. They will not let me connect directly to the boxes (they want to sell me an additional management/reporting service), but I've been able to get them to ftp the logs out for me.

Sadly, the format of the files isn't human-readable - can Splunk read them, or does anybody here know a tool that can convert them to something Splunk-readable?

Or am I going at this the wrong way? Am I trying to do something that's not possible?

Kind regards
Kjetil Thorstensen


jgedeon120
Contributor

kjetil,

I would suggest having your Firewall management vendor follow the instructions in the link above and send Syslog directly to you. This way you get real-time logs, and you will have the fw1 logs and the audit logs.


jgedeon120
Contributor

Sample:
Jul 6 21:03:56 cpmodule fw1log: 27Jun2012 18:41:41 drop 192.168.100.77 <eth0 TCP packet out of state: First packet isn't SYN; tcp_flags: FIN-ACK; src: 192.168.100.77; dst: 184.178.98.215; proto: tcp; product: VPN-1 & FireWall-1; service: 80; s_port: 51854;
Jul 6 21:03:56 cpmodule fw1log: 27Jun2012 18:41:48 drop 192.168.100.77 <eth0 TCP packet out of state: First packet isn't SYN; tcp_flags: FIN-ACK; src: 192.168.100.77; dst: 184.178.98.215; proto: tcp; product: VPN-1 & FireWall-1; service: 80; s_port: 51854;

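The two sample lines above have a regular layout: a syslog header, then the Check Point prefix (event date, time, action, originating gateway, direction marker plus interface), then "key: value;" pairs, with the drop reason appearing as one free-text item that itself contains a colon. The following parser is an added example written for this thread; it is not code from the post, from Check Point, or from Splunk. It assumes that layout, treats a leading "<" as inbound and ">" as outbound on the named interface, and takes the event time from the Check Point timestamp rather than the syslog receipt time, which matters when log files are relayed days later as described here. The third sample line (an accept) is constructed to exercise the outbound path; the first two are the lines from the post.

```python
"""Parse Check Point fw1log lines (as relayed through syslog) into fields."""
import json
import re
from collections import Counter
from datetime import datetime

# Syslog header, then the Check Point prefix:
#   <date> <time> <action> <origin> <dir><iface> <key: value; key: value; ...>
LINE_RE = re.compile(
    r"^(?P<syslog_ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) (?P<tag>\S+): "
    r"(?P<cp_date>\d{1,2}[A-Z][a-z]{2}\d{4}) (?P<cp_time>\d{2}:\d{2}:\d{2}) "
    r"(?P<action>\S+) (?P<origin>\S+) (?P<dir>[<>])(?P<iface>\S+) (?P<rest>.*)$"
)


def parse_fw1log(line):
    """Return a dict of fields for one fw1log line, or None if it does not match."""
    m = LINE_RE.match(line.rstrip("\n"))
    if m is None:
        return None
    event = {
        "host": m["host"],
        # Use the Check Point event time, not the syslog receipt time: for
        # files relayed later (as in this thread) the two can differ by days.
        "timestamp": datetime.strptime(
            f"{m['cp_date']} {m['cp_time']}", "%d%b%Y %H:%M:%S"
        ),
        "action": m["action"],
        "origin": m["origin"],
        # Assumed convention: "<eth0" = inbound on eth0, ">eth0" = outbound.
        "direction": "inbound" if m["dir"] == "<" else "outbound",
        "iface": m["iface"],
    }
    for item in m["rest"].split(";"):
        item = item.strip()
        if not item:
            continue
        key, sep, value = item.partition(":")
        key, value = key.strip(), value.strip()
        if not sep:
            event.setdefault("extra", []).append(key)
        elif " " in key:
            # Free-text reason, e.g. "TCP packet out of state: First packet isn't SYN"
            event["reason"] = f"{key}: {value}"
        else:
            event[key] = value
    return event


def drop_summary(lines):
    """Count dropped packets per (dst, service): a quick triage view of the noise."""
    counts = Counter()
    for line in lines:
        ev = parse_fw1log(line)
        if ev is not None and ev["action"] == "drop":
            counts[(ev.get("dst", "?"), ev.get("service", "?"))] += 1
    return counts


# First two lines are the samples from the post; the third is constructed.
SAMPLE_LINES = [
    "Jul 6 21:03:56 cpmodule fw1log: 27Jun2012 18:41:41 drop 192.168.100.77 <eth0 "
    "TCP packet out of state: First packet isn't SYN; tcp_flags: FIN-ACK; "
    "src: 192.168.100.77; dst: 184.178.98.215; proto: tcp; "
    "product: VPN-1 & FireWall-1; service: 80; s_port: 51854;",
    "Jul 6 21:03:56 cpmodule fw1log: 27Jun2012 18:41:48 drop 192.168.100.77 <eth0 "
    "TCP packet out of state: First packet isn't SYN; tcp_flags: FIN-ACK; "
    "src: 192.168.100.77; dst: 184.178.98.215; proto: tcp; "
    "product: VPN-1 & FireWall-1; service: 80; s_port: 51854;",
    "Jul 6 21:04:02 cpmodule fw1log: 27Jun2012 18:42:05 accept 192.168.100.77 >eth1 "
    "src: 192.168.100.50; dst: 10.0.0.5; proto: udp; "
    "product: VPN-1 & FireWall-1; service: 53; s_port: 40001; rule: 3;",
]

if __name__ == "__main__":
    # Emit one JSON object per line, which Splunk can index with field extraction.
    for line in SAMPLE_LINES:
        ev = parse_fw1log(line)
        print(json.dumps(ev, default=str) if ev else f"UNPARSED: {line}")
    print(drop_summary(SAMPLE_LINES))
```

Running the script prints each event as JSON with the Check Point timestamp as an ISO string, followed by the drop counts; feeding the JSON output to Splunk instead of the raw lines avoids writing a regex per field on the indexer.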

jgedeon120
Contributor

If possible, you could have them export the logs to files with the fw log command. They would need to set the file location in /etc/syslog.conf and then run a command like:

fw log -pln fw.log | grep --line-buffered -v ^$ | logger -p local0.crit -t fw1log

This would put the logs in the same format as what you will receive when receiving logs from the remote management server.


kjetil
New Member

Thanks - I've already asked them to give me a quote, but that will unfortunately not give me historical data, which these files will.

No matter - it's better than Checkpoint's SmartView Tracker, where you only see a day at a time....

Share and enjoy
/Kjetil


kjetil
New Member

At the moment the log files were copied directly to my ftp from the Checkpoint box, without being converted first.


jgedeon120
Contributor

Do you know how they are exporting the logs? You could ask them to send the logs directly to a syslog server, then forward those logs to Splunk for indexing. There will be an app that I'm hoping to release shortly.

http://www.hurricanelabs.com/splunking-check-point/
