Re: [FW1] newbie's questions about log
Oh yes, I've run 'fwstop;fwstart' to restart my FW1, and sometimes I run 'fw load myfw1.W' to make the newly added GUI IP usable. But I don't know what you are referring to by 'verbose logging to the console'. Is there a switch to turn it on/off?

I've tried it again (ran 'fwstop;fwstart') just now, and these files appeared.

-rw-rw-rw- 1 root root    0 Aug 23 12:45 ela_08232000_044523.alog
-rw-rw-rw- 1 root root 4096 Aug 23 12:45 ela_08232000_044523.alogptr
-rw-rw-rw- 1 root root 4076 Aug 23 12:45 ela_08232000_044523.log
-rw-rw-rw- 1 root root 4096 Aug 23 12:45 ela_08232000_044523.logptr
-rw-rw-rw- 1 root root    0 Aug 23 12:45 ela_08232000_044523.vlog
-rw-rw-rw- 1 root root 4096 Aug 23 12:45 ela_08232000_044523.vlogptr

Then I ran 'fw log ela_08232000_044523.log' and 'fw log ela_08232000_044523.vlog', and found they include nothing. But some of the other 'ela' log files that appeared before include something, and seem to have recorded attacking actions. I've listed some of them in the attachment. If you have time, would you please take a look at it?

Thanks a lot.

Winway

----- Original Message -----
From: "Carl E. Mankinen" <[email protected]>
To: "Reed Mohn, Anders" <[email protected]>; "'Winway'" <[email protected]>
Sent: Thursday, August 23, 2001 5:16 AM
Subject: Re: [FW1] newbie's questions about log

> Extended Logging Authority/Agent.
>
> Have you ever done a manual start of fw.exe and turned on verbose logging
> to the console as opposed to the log/mgmt server? Wow, there is a TON of
> stuff that you can log that never goes to the standard log files. Like all
> the nitty gritty details of key exchanges etc.
>
> Only problem is you have to pipe all this to a file and as a result you
> can't see any of it realtime...and if you try to view on pfm console, it
> scrolls by at light speed.
>
> ----- Original Message -----
> From: "Reed Mohn, Anders" <[email protected]>
> To: "'Winway'" <[email protected]>; <[email protected]>
> Sent: Tuesday, August 21, 2001 5:45 AM
> Subject: RE: [FW1] newbie's questions about log
>
> Hi, Winway :)
>
> > Doesn't FW1 automatically cut logs into files daily?
>
> Nope.
>
> > Should I run 'fw logswitch' manually or by crontab to do this?
>
> That's just a matter of taste, I guess.
> I find it convenient to run it automatically every midnight. (crontab,
> or AT, rather, since I'm on NT.)
>
> > Will it cause any problem?
>
> It gets really slow to work with if it's too big, and
> bigger files are always harder to move around, and also more
> prone to becoming corrupted.
>
> > Can I and how can I cut it into pieces now?
>
> Do an "fw logexport -n" to create a text file.
> Then manually split it. (A perl script would be good for this.)
>
> > How these small log files appear? What does 'ela' mean?
>
> No idea, sorry..
>
> > And what are the files of '.alog', '.alogptr', '.logptr', '.logtrack',
> > '.vlog' and '.vlogptr'?
>
> .alog is the accounting log.
> The ptr-files are pointer files to the log files. What exactly they do,
> I don't know, but I'm guessing it's an index-thing.
> If you remove a ptr file, the fw will regenerate it when accessing the
> corresponding log file.
>
> .vlog? No clue.
>
> Cheers,
> Anders :)
>
> ================================================================================
> To unsubscribe from this mailing list, please see the instructions at
> http://www.checkpoint.com/services/mailing.html
> ================================================================================

myfw1# pwd
/var/opt/CPfw1-41/log
myfw1# ls -l
. . .
-rw-rw-rw- 1 root root    0 Aug 15 10:20 ela_08152000_022001.alog
-rw-rw-rw- 1 root root 4096 Aug 15 10:20 ela_08152000_022001.alogptr
-rw-rw-rw- 1 root root 8432 Aug 15 10:20 ela_08152000_022001.log
-rw-rw-rw- 1 root root 4104 Aug 15 10:20 ela_08152000_022001.logptr
-rw-rw-rw- 1 root root   64 Aug 15 10:24 ela_08152000_022001.vlog
-rw-rw-rw- 1 root root 4104 Aug 15 10:24 ela_08152000_022001.vlogptr
-rw-rw-rw- 1 root root 4340 Aug 15 10:24 ela_08152000_022430.log
-rw-rw-rw- 1 root root 4108 Aug 15 10:25 ela_08152000_022430.logptr
-rw-rw-rw- 1 root root    0 Aug 18 15:54 ela_08182000_075400.alog
-rw-rw-rw- 1 root root 4096 Aug 18 15:54 ela_08182000_075400.alogptr
-rw-rw-rw- 1 root root 4076 Aug 18 15:54 ela_08182000_075400.log
-rw-rw-rw- 1 root root 4096 Aug 18 15:54 ela_08182000_075400.logptr
-rw-rw-rw- 1 root root    0 Aug 18 15:54 ela_08182000_075400.vlog
-rw-rw-rw- 1 root root 4096 Aug 18 15:54 ela_08182000_075400.vlogptr
. . .

myfw1# fw log ela_08152000_022001.log
Date: Aug 8, 2000
11:19:54 accept localhost >daemon alert product MAD proto ip src ns.sta.net.cn dst myfw1 additionals: attack=blocked_connection_port_scanning
Date: Aug 10, 2000
19:00:17 accept localhost >daemon alert product MAD proto ip src ns3.bta.net.cn dst myfw1natstatic additionals: attack=blocked_connection_port_scanning

myfw1# fw log ela_08152000_022001.vlog
Date: Aug 15, 2000
10:20:01 ctl localhost >daemon log server 127.0.0.1 went down
10:24:30 ctl myfw1 >daemon log server 127.0.0.1 went down

myfw1# fw log ela_08152000_022430.log
Date: Aug 15, 2000
10:20:01 ctl localhost >daemon log server 127.0.0.1 went down
10:20:31 act31 myfw1 >daemon product ELA PROXY message : Redirected 8 logs to local log file ela_08152000_022001 under /opt/CPfw1-41/log proto ip user ELA SERVER
10:24:30 ctl myfw1 >daemon log server 127.0.0.1 went down

myfw1# fw log ela_08182000_075400.log
myfw1# fw log ela_08182000_075400.vlog
myfw1#
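
Added example (not part of the original thread, and not Check Point code): a small Python parser for 'fw log' text like the attachment above, which groups entries by day and pulls out the MAD port-scan alerts. It assumes every "Date:" header and every entry is on its own line; the field labels "action" and "origin" and all function names are this example's own.

```python
import re
from collections import defaultdict

# Entries copied from the attachment above. Assumption: each "Date:" header
# and each entry sits on its own line in the real 'fw log' output.
SAMPLE = """\
Date: Aug 8, 2000
11:19:54 accept localhost >daemon alert product MAD proto ip src ns.sta.net.cn dst myfw1 additionals: attack=blocked_connection_port_scanning
Date: Aug 10, 2000
19:00:17 accept localhost >daemon alert product MAD proto ip src ns3.bta.net.cn dst myfw1natstatic additionals: attack=blocked_connection_port_scanning
Date: Aug 15, 2000
10:20:01 ctl localhost >daemon log server 127.0.0.1 went down
10:24:30 ctl myfw1 >daemon log server 127.0.0.1 went down
"""

DATE_RE = re.compile(r"^Date:\s+(\w{3}\s+\d{1,2},\s+\d{4})\s*$")
# time, then two tokens this example labels "action" and "origin", then the rest
ENTRY_RE = re.compile(r"^\s*(\d{1,2}:\d{2}:\d{2})\s+(\S+)\s+(\S+)\s+(.*)$")
FIELD_RE = re.compile(r"(?:^|\s)(product|src|dst|attack)[ =](\S+)")

def parse_fw_log(text):
    """Yield one dict per entry, carrying the last 'Date:' header forward."""
    current_date = None
    for line in text.splitlines():
        m = DATE_RE.match(line)
        if m:
            current_date = " ".join(m.group(1).split())
            continue
        m = ENTRY_RE.match(line)
        if not m:
            continue  # blank or unrecognised line
        time, action, origin, rest = m.groups()
        entry = {"date": current_date, "time": time, "action": action,
                 "origin": origin, "raw": line.strip()}
        entry.update(FIELD_RE.findall(rest))  # adds product/src/dst/attack if present
        yield entry

def split_by_day(entries):
    """Group raw entry lines by the date they were logged under."""
    days = defaultdict(list)
    for e in entries:
        days[e["date"]].append(e["raw"])
    return dict(days)

def mad_alerts(entries):
    """Return (date, time, src, dst, attack) for entries logged by product MAD."""
    return [(e["date"], e["time"], e.get("src"), e.get("dst"), e["attack"])
            for e in entries if e.get("product") == "MAD" and "attack" in e]

if __name__ == "__main__":
    parsed = list(parse_fw_log(SAMPLE))
    for day, lines in split_by_day(parsed).items():
        print(day, len(lines), "entries")
    for alert in mad_alerts(parsed):
        print(alert)
```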