Splunk Search

Read/convert Checkpoint log files

New Member

Hi.

I have a Checkpoint firewall managed by my WAN provider, and would like to be able to do more with the logs than the default GUI allows me. They will not let me connect directly to the boxes (they want to sell me an additional management/reporting service), but I've been able to get them to ftp the logs out for me.

Sadly, the format of the files isn't humanly readable - can Splunk read them or does anybody here know a tool that can convert them to something Splunk-readable?

Or am I going at this the wrong way? Am I trying to do something that's not possible?

Kind regards
Kjetil Thorstensen


Contributor

kjetil,

I would suggest having your firewall management vendor follow the instructions in the link above and send syslog directly to you. This way you get real-time logs, and you will have the fw1 logs and the audit logs.


Contributor

Sample:
Jul 6 21:03:56 cpmodule fw1log: 27Jun2012 18:41:41 drop 192.168.100.77 <eth0 TCP packet out of state: First packet isn't SYN; tcp_flags: FIN-ACK; src: 192.168.100.77; dst: 184.178.98.215; proto: tcp; product: VPN-1 & FireWall-1; service: 80; s_port: 51854;
Jul 6 21:03:56 cpmodule fw1log: 27Jun2012 18:41:48 drop 192.168.100.77 <eth0 TCP packet out of state: First packet isn't SYN; tcp_flags: FIN-ACK; src: 192.168.100.77; dst: 184.178.98.215; proto: tcp; product: VPN-1 & FireWall-1; service: 80; s_port: 51854;

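The sample above shows the shape of the export: a syslog header, then the firewall's own timestamp, action, origin and interface, then "; "-separated "key: value" pairs. The following parser is an added example (not from this thread or from Check Point/Splunk) that turns such lines into a flat dict with Splunk-style field names and counts repeated drops; the two sample lines are copied from the post, and the field names it produces are my own naming convention.

```python
import re
from collections import Counter
from datetime import datetime

# Two lines taken from the sample in this thread (syslog header + fw1log body).
SAMPLE_LINES = [
    "Jul 6 21:03:56 cpmodule fw1log: 27Jun2012 18:41:41 drop 192.168.100.77 <eth0 TCP packet out of state: First packet isn't SYN; tcp_flags: FIN-ACK; src: 192.168.100.77; dst: 184.178.98.215; proto: tcp; product: VPN-1 & FireWall-1; service: 80; s_port: 51854;",
    "Jul 6 21:03:56 cpmodule fw1log: 27Jun2012 18:41:48 drop 192.168.100.77 <eth0 TCP packet out of state: First packet isn't SYN; tcp_flags: FIN-ACK; src: 192.168.100.77; dst: 184.178.98.215; proto: tcp; product: VPN-1 & FireWall-1; service: 80; s_port: 51854;",
]

# Syslog prefix, then the positional fw log fields: date, time, action, origin,
# and a direction marker ('<' inbound, '>' outbound) glued to the interface name.
HEADER_RE = re.compile(
    r"^\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2} (?P<host>\S+) (?P<tag>[^:\s]+): "
    r"(?P<fw_date>\d{1,2}[A-Za-z]{3}\d{4}) (?P<fw_time>\d{2}:\d{2}:\d{2}) "
    r"(?P<action>\S+) (?P<origin>\S+) (?P<dir>[<>])(?P<iface>\S+) ?(?P<rest>.*)$"
)

def parse_fw1_line(line):
    """Return a dict of fields for one syslog-wrapped fw1log line, or None."""
    m = HEADER_RE.match(line.strip())
    if not m:
        return None
    event = {k: m.group(k) for k in ("host", "tag", "action", "origin", "iface")}
    event["direction"] = "inbound" if m.group("dir") == "<" else "outbound"
    # The syslog header holds the time the line was relayed (Jul 6); the
    # firewall's own timestamp (27Jun2012) is the real event time, so keep that.
    event["fw_time"] = datetime.strptime(
        m.group("fw_date") + " " + m.group("fw_time"), "%d%b%Y %H:%M:%S")
    # Remaining fields are ";"-separated "key: value" pairs; keys may contain
    # spaces, so split on the first ": " and normalise to Splunk-style names.
    for field in m.group("rest").split(";"):
        field = field.strip()
        if not field:
            continue
        key, sep, value = field.partition(": ")
        event[key.strip().lower().replace(" ", "_")] = value.strip() if sep else ""
    return event

def count_drops(lines):
    """Count dropped packets per (src, dst, service) to spot repeat offenders."""
    counts = Counter()
    for line in lines:
        ev = parse_fw1_line(line)
        if ev and ev["action"] == "drop":
            counts[(ev.get("src"), ev.get("dst"), ev.get("service"))] += 1
    return counts
```

When indexing these files in Splunk, point the timestamp extraction at the firewall's date/time rather than the syslog header, or every batch-exported event will carry the export time.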

Contributor

If possible, you could have them export the logs to files with the fw log command. They would need to set the file location in /etc/syslog.conf and then run a command like:

fw log -pln fw.log | grep --line-buffered -v '^$' | logger -p local0.crit -t fw1log

This would put the logs in the same format as what you will receive when receiving logs from the remote management server.


New Member

Thanks - I've already asked them to give me a quote, but that will unfortunately not give me historical data, which these files will.

No matter - it's better than Checkpoint's SmartView Tracker, where you only see a day at a time....

Share and enjoy
/Kjetil


New Member

At the moment the log files were copied directly to my ftp from the Checkpoint box, without being converted first.


Contributor

Do you know how they are exporting the logs? You could ask them to send the logs directly to a syslog server, then forward those logs to Splunk for indexing. There will be an app that I'm hoping to release shortly.

http://www.hurricanelabs.com/splunking-check-point/
