
Re: [FW-1] FW-1 Logs




If I understand Gordon correctly, you're looking for a cleartext realtime dump of firewall log events, which you can do on *nix by outputting to your logger device, but you're stuck because NT has no such functionality.  This is what LEA was designed for (e.g. this is how Webtrends pulls firewall info in realtime); however, you would need to develop an LEA-compliant syslog server (OPSEC SDK is available at http://www.opsec.com/opsecdownload.html), or use one that's already out there.  You *may* also have success by modifying control.map to not require authentication for OPSEC connections and just getting a dump from the management station, which I would only dream of recommending if your management server is pretty well-secured (i.e. on its own segment, inside the firewall, etc).

The much cheesier fix for this would be to run fw log at intervals, output to file (NT can at least do this :), ftp the file to your syslog server, then cat the file into your logger device.  As I said, clunky and horrible, but perhaps acceptable in your environment.  You could automate this to some extent using at and cron.

Best of luck - let me know what you come up with...

Dan Hitchcock
CCNP, CCSE, MCSE
Security Analyst
Breakwater Security Associates, Inc.
"Safe Harbor for E-Business"
dhitchcock (at) breakwatersecurity (dot) com
http://www.breakwatersecurity.com

The information contained in this email message may be privileged, confidential and protected from disclosure.  If you are not the intended recipient, any dissemination, distribution or copying is strictly prohibited.  If you think you have received this email message in error, please email the sender at [email protected]


-----Original Message-----
From: Juan Concepcion [mailto:[email protected]]
Sent: Monday, December 10, 2001 6:57 PM
To: [email protected]
Subject: Re: [FW-1] FW-1 Logs


If I'm not mistaken you should create a 'loggers' file and populate it
with the IP of the machine that will be doing the logging for your
firewalls.  It might also require you to do putkeys between the Nokias
and the actual logger.

On Mon, 10 Dec 2001 09:34:08 +0000, Gordon Webber
<[email protected]> wrote:
>Hi,
>I am running a pair of IP440s with a management station on NT.
>We have a central syslog server (not related to these firewalls, just
>general) and I want to send my FW-1 logs to it.
>When I ran only on the Nokias (in "standalone" mode) I could use a script
>that piped the output of a "fw log" command to the Unix "logger" and had
>syslog.conf pointing at my syslog daemon; but now I have no syslog client
>function on the NT box!
>I have been scanning the net for clients but found no real solutions
>although I have seen many others asking similar questions.
>Have you any suggestions how I can achieve this?
>Many thanks,
>Gordon
>
>=================================================
>To unsubscribe from this mailing list,
>please see the instructions at
>http://www.checkpoint.com/services/mailing.html
>=================================================
>To set vacation, Out Of Office, or away messages,
>send an email to [email protected]
>in the BODY of the email add:
>set fw-1-mailinglist nomail
>=================================================
>If you have any questions on how to change your
>subscription options, email Ron Alcatraz at:
>[email protected]
>=================================================
>
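
The interval-based workaround described in the reply above (dump "fw log" to a file, FTP it to the syslog server, feed it to logger) re-sends the whole dump every time, so the receiving side has to forward only the lines it has not seen. The script below is an added example for the syslog server, not code from this thread or from Check Point; the tag `fw1`, the facility `local4`, the `FWLOG_SINK` variable and the file arguments are assumptions.

```shell
#!/bin/sh
# Added example: forward only not-yet-seen lines of a re-transferred
# "fw log" text dump into the local syslog daemon.
# Assumptions (not from the thread): the dump is plain text, one event per
# line, and every transfer is a full dump that grows between runs.

# Command that receives the new lines on stdin; override it for testing.
FWLOG_SINK=${FWLOG_SINK:-"logger -t fw1 -p local4.info"}

# forward_new_lines DUMP STATE
#   DUMP  - path of the transferred log dump (hypothetical path)
#   STATE - file recording how many lines were already forwarded
# Prints the number of lines forwarded on this run.
forward_new_lines() {
    dump=$1
    state=$2
    if [ ! -r "$dump" ]; then
        echo "cannot read $dump" >&2
        return 1
    fi

    seen=0
    if [ -f "$state" ]; then seen=$(cat "$state"); fi
    case $seen in
        ''|*[!0-9]*) seen=0 ;;   # empty or corrupt state: start over
    esac

    # wc -l counts newline-terminated lines only, so a last line that is
    # still being written by the transfer is held back until the next run.
    total=$(wc -l < "$dump" | tr -d ' ')

    # Fewer lines than last time: the log was switched or purged, so
    # treat the dump as new instead of silently skipping events.
    if [ "$total" -lt "$seen" ]; then seen=0; fi

    new=$((total - seen))
    if [ "$new" -gt 0 ]; then
        # Lines seen+1..total go to the sink, one syslog message per line.
        sed -n "$((seen + 1)),${total}p" "$dump" | $FWLOG_SINK >/dev/null || return 1
    fi
    echo "$total" > "$state"
    echo "$new"
}

# Stand-alone use: script DUMP STATE (for example from cron after each FTP).
if [ "$#" -eq 2 ]; then forward_new_lines "$1" "$2"; fi
```

A log that was switched and has already grown past the stored count is not detected by line count alone, so transfer more often than the log is switched.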

   All contents © 2004 Network Presence, LLC. All rights reserved.