
Read/convert Checkpoint log files

kjetil
New Member

Hi.

I have a Checkpoint firewall managed by my WAN provider, and would like to be able to do more with the logs than the default GUI allows me. They will not let me connect directly to the boxes (they want to sell me an additional management/reporting service), but I've been able to get them to ftp the logs out for me.

Sadly, the format of the files isn't humanly readable - can Splunk read them or does anybody here know a tool that can convert them to something Splunk-readable?

Or am I going at this the wrong way? Am I trying to do something that's not possible?

Kind regards
Kjetil Thorstensen

0 Karma

jgedeon120
Contributor

kjetil,

I would suggest having your Firewall management vendor follow the instructions in the link above and send Syslog directly to you. This way you get real-time logs, and you will have the fw1 logs and the audit logs.

0 Karma

jgedeon120
Contributor

Sample:
Jul 6 21:03:56 cpmodule fw1log: 27Jun2012 18:41:41 drop 192.168.100.77 <eth0 TCP packet out of state: First packet isn't SYN; tcp_flags: FIN-ACK; src: 192.168.100.77; dst: 184.178.98.215; proto: tcp; product: VPN-1 & FireWall-1; service: 80; s_port: 51854;
Jul 6 21:03:56 cpmodule fw1log: 27Jun2012 18:41:48 drop 192.168.100.77 <eth0 TCP packet out of state: First packet isn't SYN; tcp_flags: FIN-ACK; src: 192.168.100.77; dst: 184.178.98.215; proto: tcp; product: VPN-1 & FireWall-1; service: 80; s_port: 51854;

0 Karma
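As an added example (not code from this thread, from Splunk, or from Check Point), here is a small Python parser for the fw1log syslog lines posted above. It splits the syslog header from the Check Point body, turns the semicolon-separated "key: value" pairs into a dict, and then counts dropped connections per destination and service, which is the kind of field extraction Splunk would need to do on these events. The two sample lines are the ones from the post, embedded as constructed input; the mapping of the `<`/`>` interface prefix to inbound/outbound and the `reason` key used for the free-text part are assumptions made for this example.

```python
import re
from collections import Counter

# Constructed input: the two fw1log lines shown in the thread.
SAMPLE_LINES = [
    "Jul 6 21:03:56 cpmodule fw1log: 27Jun2012 18:41:41 drop 192.168.100.77 <eth0 "
    "TCP packet out of state: First packet isn't SYN; tcp_flags: FIN-ACK; "
    "src: 192.168.100.77; dst: 184.178.98.215; proto: tcp; "
    "product: VPN-1 & FireWall-1; service: 80; s_port: 51854;",
    "Jul 6 21:03:56 cpmodule fw1log: 27Jun2012 18:41:48 drop 192.168.100.77 <eth0 "
    "TCP packet out of state: First packet isn't SYN; tcp_flags: FIN-ACK; "
    "src: 192.168.100.77; dst: 184.178.98.215; proto: tcp; "
    "product: VPN-1 & FireWall-1; service: 80; s_port: 51854;",
]

# Syslog header: "<Mon D HH:MM:SS> <host> <tag>: <body>"
SYSLOG_RE = re.compile(
    r"^(?P<syslog_time>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) (?P<tag>[^:\s]+): (?P<body>.*)$"
)
# Check Point body: "<DDMonYYYY> <HH:MM:SS> <action> <origin> <dir><iface> <fields>"
FW_RE = re.compile(
    r"^(?P<fw_date>\d{1,2}[A-Z][a-z]{2}\d{4}) (?P<fw_time>\d{2}:\d{2}:\d{2}) "
    r"(?P<action>\S+) (?P<origin>\S+) (?P<direction>[<>])(?P<interface>\S+) ?(?P<fields>.*)$"
)

# Assumption: "<" prefix marks inbound traffic on the interface, ">" outbound.
DIRECTION = {"<": "inbound", ">": "outbound"}


def _parse_fields(text):
    """Turn 'k: v; k: v;' into a dict; free text (keys with spaces) goes to 'reason'."""
    fields = {}
    for segment in text.split(";"):
        segment = segment.strip()
        if not segment:
            continue  # trailing ';' leaves an empty segment
        key, sep, value = segment.partition(": ")
        if not sep or " " in key:
            # e.g. "TCP packet out of state: First packet isn't SYN" (assumed key name)
            fields["reason"] = segment
        else:
            fields[key] = value
    return fields


def parse_fw1log_line(line):
    """Parse one fw1log line; return a flat dict, or None if it does not match."""
    m = SYSLOG_RE.match(line.strip())
    if not m:
        return None
    event = {k: m.group(k) for k in ("syslog_time", "host", "tag")}
    fw = FW_RE.match(m.group("body"))
    if not fw:
        return None
    event.update({k: fw.group(k) for k in ("fw_date", "fw_time", "action", "origin", "interface")})
    event["direction"] = DIRECTION[fw.group("direction")]
    event.update(_parse_fields(fw.group("fields")))
    return event


def parse_lines(lines):
    """Parse many lines, silently skipping ones that do not match the format."""
    return [e for e in (parse_fw1log_line(l) for l in lines) if e is not None]


def drops_by_destination(events):
    """Count 'drop' events per (dst, service) pair."""
    return Counter((e.get("dst"), e.get("service")) for e in events if e.get("action") == "drop")


if __name__ == "__main__":
    events = parse_lines(SAMPLE_LINES)
    for e in events:
        print(e)
    for (dst, svc), n in drops_by_destination(events).items():
        print(f"{n} drops to {dst}:{svc}")
```

Lines that do not match the format return None rather than raising, so a mixed syslog stream (the audit log entries mentioned above, for instance) can be fed through the same parser and the non-fw1log lines skipped.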

jgedeon120
Contributor

If possible, you could have them export the logs to files with the fw log command. They would need to set the file location in /etc/syslog.conf and then run a command like:

fw log -pln fw.log | grep --line-buffered -v ^$ | logger -p local0.crit -t fw1log

This would put the logs in the same format as what you will receive when receiving logs from the remote management server.

0 Karma

kjetil
New Member

Thanks - I've already asked them to give me a quote, but that will unfortunately not give me historical data, which these files will.

No matter - it's better than Checkpoint's Smartview Tracker, where you only see a day at a time....

Share and enjoy
/Kjetil

0 Karma

kjetil
New Member

At the moment the log files were copied directly to my ftp from the Checkpoint box, without being converted first.

0 Karma

jgedeon120
Contributor

Do you know how they are exporting the logs? You could ask them to send the logs directly to a syslog server then forward those logs to Splunk for Indexing. There will be an app that I'm hoping to release shortly.

http://www.hurricanelabs.com/splunking-check-point/

0 Karma