
Re: [FW-1] looking at log formats



In my experience not only the number of fields, but the order of them can
change between log rotations - quite a pain. Fortunately though, when you do a
log export it does have a header row at the top of the file.  I got around it
for my purposes by doing an export to a file then cat'ing that through an
awk script that extracts just the fields that I want, no matter which order
they are in.  A couple of sed's later and I have the file in a standard format
that I can import into my database for processing.

The awk script looks like this:

# First record is the header row the export writes out: note the column
# number of each wanted field, whatever order this export put them in.
# (NR == 1 is a comparison; "NR = 1" would be an assignment and run on
# every record.) Run with -F set to the delimiter the export was made with.
NR == 1 {
    for ( i = 1 ; i <= NF ; i++ ) {
        if      ( $i == "date" )    date = i
        else if ( $i == "time" )    time = i
        else if ( $i == "src" )     src = i
        else if ( $i == "dst" )     dst = i
        else if ( $i == "service" ) service = i
        else if ( $i == "user" )    user = i
        else if ( $i == "bytes" )   bytes = i
    }
}

# Every record (header row included) comes out in one fixed, ';'-separated
# order. Note: a wanted name missing from the header leaves its variable
# at 0, and $0 is the whole record, so check the header before trusting
# the output.
{ print $date ";" $time ";" $src ";" $dst ";" $service ";" $user ";" $bytes }

but you can add any of the other header names that you require and just change
the order of the print line.  Of course this is on Linux - SecurePlatform
actually...

If you need any more info let me know,

Damo
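The same header-driven field mapping in Python, as an added example that is not part of the original post or of Check Point's own tooling. It assumes ';' as the export delimiter (pass another one if your export differs), builds two constructed sample exports standing in for two rotations whose header rows differ in both field count and order, and handles the case the awk above does not: a wanted field that is absent from one export, which comes out as an empty column rather than the whole record.

```python
import csv
import io

# Canonical output order, the same fields the awk script selects.
WANTED = ["date", "time", "src", "dst", "service", "user", "bytes"]

# Constructed sample exports (not real FW-1 data). They stand in for two
# rotations: the second has a different field count and order, and lacks
# "user" entirely. ';' is an assumed export delimiter.
EXPORT_A = """\
num;date;time;orig;type;action;src;dst;service;user;bytes
1;21Mar2003;10:00:01;fw1;log;accept;10.0.0.5;192.0.2.10;http;alice;1200
2;21Mar2003;10:00:02;fw1;log;drop;10.0.0.6;192.0.2.11;ssh;;0
"""

EXPORT_B = """\
num;date;time;orig;type;action;service;src;dst;proto;bytes
3;22Mar2003;08:15:30;fw1;log;accept;https;10.0.0.7;192.0.2.12;tcp;5400
"""


def header_map(header, wanted):
    """Map each wanted field name to its column index in this header row.
    The first occurrence wins if a name is repeated."""
    positions = {}
    for i, name in enumerate(header):
        name = name.strip()
        if name in wanted and name not in positions:
            positions[name] = i
    return positions


def missing_fields(header, wanted):
    """Wanted fields this export does not carry at all; worth logging so a
    silent empty column is not mistaken for a genuinely empty value."""
    present = header_map(header, wanted)
    return [f for f in wanted if f not in present]


def normalize(text, wanted=WANTED, delimiter=";"):
    """Yield records from one exported file as lists in canonical order.
    A field missing from the header, or from a short row, becomes ''."""
    reader = csv.reader(io.StringIO(text), delimiter=delimiter)
    header = next(reader)          # header row is always first in the export
    pos = header_map(header, wanted)
    for row in reader:
        if not row:                # skip blank lines
            continue
        yield [row[pos[f]] if f in pos and pos[f] < len(row) else ""
               for f in wanted]


def normalize_many(texts, wanted=WANTED, delimiter=";"):
    """Concatenate several rotations into one canonical record list."""
    records = []
    for text in texts:
        records.extend(normalize(text, wanted, delimiter))
    return records


def to_lines(records, delimiter=";"):
    """Render canonical records as delimiter-joined lines for a DB import."""
    return [delimiter.join(r) for r in records]


if __name__ == "__main__":
    for line in to_lines(normalize_many([EXPORT_A, EXPORT_B])):
        print(line)
```

Because the mapping is rebuilt from each file's own header, the output column order never depends on which rotation a line came from; `missing_fields` is the check to run per file so a column that is empty because the export lacked it is not confused with one that is empty in the data.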




>Hi, all.  I've been looking at all of the various logging options for FW-1
>recently.  The $FWDIR/lib/formats.def file seems to specify the format
>fairly well (along with the FW-1 Architecture Guide's INSPECT section and
>details about the LOG macro).  I seem to remember something from my past
>where the number of fields in a log file would change for no apparent
>reason between log rotations though.  Does this ring a bell with anyone?
>
>If anyone has built a generic LEA client which may have dealt with some of
>these issues I would be interested in learning more offline.
>
>Thanks,
>
>Chris
>
>=================================================
>To set vacation, Out Of Office, or away messages,
>send an email to [email protected]
>in the BODY of the email add:
>set fw-1-mailinglist nomail
>=================================================
>To unsubscribe from this mailing list,
>please see the instructions at
>http://www.checkpoint.com/services/mailing.html
>=================================================
>If you have any questions on how to change your
>subscription options, email
>[email protected]
>=================================================
