Re: [FW-1] FW-1 Logging Inconsistencies
That is pretty much what I thought I was going to have to do. I just wanted to see if there was a fix for this nonsense.

Thanks again,
Chris

-----Original Message-----
From: Ray Lodato [mailto:[email protected]]
Sent: Thursday, February 07, 2002 10:39 AM
To: [email protected]
Subject: Re: [FW-1] FW-1 Logging Inconsistencies

I've noticed that, too. When I set up my perl scripts to report on the logs, I created a function to read the first line and adjust a hash to relate the column numbers to the headings. Then I use the hash to address the data in the following lines. Here are some excerpts:

    while (<LOGFILE>) {
        next if (/^$/);
        chomp;                      # Strip the trailing newline only
        if (/^num;/) {              # Header line: rebuild the column mapping
            &ReSync($_);
            next;
        }
        # Eat any leading blanks
        s/^\s(\d:)/$1/;
        # Split the line into an array separated by semicolons
        (@logentry) = split(/;/, $_, $NumCols);
        if ($logentry[$TYPE] eq 'log' &&
            $logentry[$ACTION] ne 'authorize' &&
            $logentry[$ACTION] ne 'deauthorize') {
            $rulehash{$logentry[$ORIG]}[$logentry[$RULE]]++;
        }
        # Only accept "drop" or "reject" messages
        next if ($logentry[$ACTION] !~ /drop|reject/);
        # MORE STUFF HERE
    }
    close LOGFILE;

    #------------------------------------------------------------------------------
    sub ReSync {
        my ($names) = @_;   # Header line from the log file
        my $idx;            # Column index
        my $name;           # Single column name
        my %fields;         # Hash of column names to column indices

        (@names) = split(/;/, $names);  # Split the names via the semi-colons
        $NumCols = $#names + 1;         # Reset column count based on header
        $idx = 0;
        foreach $name (@names) {
            $fields{$name} = $idx++;    # Set 'num' to 0, 'date' to 1, etc.
        }
        #
        # Now set the global variables
        #
        $ACTION  = $fields{'action'};
        $SRC     = $fields{'src'};
        $DST     = $fields{'dst'};
        $SERVICE = $fields{'service'};
        $TYPE    = $fields{'type'};     # 1.03 - Added fields
        $ORIG    = $fields{'orig'};     # 1.03 - Added fields
        $RULE    = $fields{'rule'};     # 1.03 - Added fields
    }

Ray

-----Original Message-----
From: Christopher Collins [mailto:[email protected]]
Sent: Thursday, February 07, 2002 9:40 AM
To: [email protected]
Subject: [FW-1] FW-1 Logging Inconsistencies

I performed a FW LOGEXPORT on all my *.LOG files for the month of January converting them to semi-colon (;) delimited text files (*.LOG.TXT). The first line of each file contains the heading information for that particular file. Has anyone noticed that these headings are different for each log file in two ways?

1. The number of columns reported varies from day to day
2. The order of the columns varies from day to day

I loaded the column headings from each day into Excel to perform an analysis and I had to stop after I got through 15 days. I had not got a single identical logging format. Below is an excerpt of my Excel spreadsheet showing the inconsistencies:

    Date  Column 29  Column 30  Column 31  Column 32  Column 33     Column 34
    9     reason:    reason     port:      product    additionals:  sys_msgs
    10    to         message    reason     sys_msgs
    11    message    reason     port:      product    additionals:  sys_msgs
    12    bytes      message    icmp-type  icmp-code  reason:       reason
    13    icmp-code  reason     port:      product    additionals:  sys_msgs
    14    message    reason     port:      sys_msgs

This is the first time I have really looked closely at the column headings and it does not make sense. Is anyone else seeing this?

Cheers,
Chris

=================================================
To set vacation, Out Of Office, or away messages, send an email to [email protected] in the BODY of the email add: set fw-1-mailinglist nomail
=================================================
To unsubscribe from this mailing list, please see the instructions at http://www.checkpoint.com/services/mailing.html
=================================================
If you have any questions on how to change your subscription options, email [email protected]
=================================================
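
The header-driven approach from the thread, as an added Python example that is not part of the original messages: each entry is addressed by column name, so files with different column order or count aggregate correctly, and a header that lacks a column the report needs raises an error instead of being read from the wrong position. The `REQUIRED` list, the function names, and all sample log lines are constructed for illustration; the only format assumptions are the ones visible in the thread (semicolon-delimited, header line starting with `num;`).

```python
import io
from collections import Counter

REQUIRED = ("action", "src", "dst", "service")  # columns this report reads

def parse_export(stream):
    """Yield one dict per entry, keyed by the header line currently in force."""
    header = None
    for lineno, line in enumerate(stream, 1):
        line = line.rstrip("\r\n")
        if not line:
            continue
        if line.startswith("num;"):  # header line: rebuild the name mapping
            header = [name.strip() for name in line.split(";")]
            missing = [c for c in REQUIRED if c not in header]
            if missing:  # refuse to guess rather than read the wrong column
                raise ValueError(f"line {lineno}: header lacks {missing}")
            continue
        if header is None:
            raise ValueError(f"line {lineno}: data before any header line")
        # Same split limit as the Perl: extra semicolons stay in the last field
        values = line.strip().split(";", len(header) - 1)
        values += [""] * (len(header) - len(values))  # pad short rows
        yield dict(zip(header, values))

def count_blocked(streams):
    """Count drop/reject entries per (src, dst, service) across exports."""
    hits = Counter()
    for stream in streams:
        for rec in parse_export(stream):
            if rec["action"] in ("drop", "reject"):
                hits[(rec["src"], rec["dst"], rec["service"])] += 1
    return hits

# Constructed sample exports: same fields, different order and column count
DAY_A = ("num;date;orig;type;action;src;dst;service;rule\n"
         "1;9Jan2002;fw1;log;drop;192.0.2.10;198.51.100.5;telnet;12\n"
         "2;9Jan2002;fw1;log;accept;192.0.2.11;198.51.100.5;http;3\n")
DAY_B = ("num;date;action;service;src;dst;orig;type;rule;message\n"
         "1;10Jan2002;reject;telnet;192.0.2.10;198.51.100.5;fw1;log;12;\n"
         "2;10Jan2002;drop;ftp;192.0.2.12;198.51.100.6;fw1;log;12;a;b\n")
# Constructed export whose header has no 'action' column
DAY_C = "num;date;orig;type;src;dst;service\n1;11Jan2002;fw1;log;a;b;c\n"

if __name__ == "__main__":
    exports = [io.StringIO(DAY_A), io.StringIO(DAY_B)]
    for key, n in count_blocked(exports).items():
        print(n, *key)
```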