Splunk Search

Read/convert Checkpoint log files

kjetil
New Member

Hi.

I have a Checkpoint firewall managed by my WAN provider, and would like to be able to do more with the logs than the default GUI allows me. They will not let me connect directly to the boxes(they want to sell me an additional management/reporting service), but I've been able to get them to ftp the logs out for me.

Sadly, the format of the files isn't humanly readable - can Splunk read them or does anybody here know a tool that can convert them to something Splunk-readable?

Or am I going at this the wrong way? Am I trying to do something that's not possible?

Kind regards
Kjetil Thorstensen


jgedeon120
Contributor

kjetil,

I would suggest having your firewall management vendor follow the instructions in the link above and send syslog directly to you. This way you get real-time logs, and you will have the fw1 logs and the audit logs.


jgedeon120
Contributor

Sample:
Jul 6 21:03:56 cpmodule fw1log: 27Jun2012 18:41:41 drop 192.168.100.77 <eth0 TCP packet out of state: First packet isn't SYN; tcp_flags: FIN-ACK; src: 192.168.100.77; dst: 184.178.98.215; proto: tcp; product: VPN-1 & FireWall-1; service: 80; s_port: 51854;
Jul 6 21:03:56 cpmodule fw1log: 27Jun2012 18:41:48 drop 192.168.100.77 <eth0 TCP packet out of state: First packet isn't SYN; tcp_flags: FIN-ACK; src: 192.168.100.77; dst: 184.178.98.215; proto: tcp; product: VPN-1 & FireWall-1; service: 80; s_port: 51854;


jgedeon120
Contributor

If possible, you could have them export the logs to files with the fw log command. They would need to set the file location in /etc/syslog.conf and then run a command like:

fw log -pln fw.log | grep --line-buffered -v ^$ | logger -p local0.crit -t fw1log

This would put the logs in the same format as what you will receive when receiving logs from the remote management server.

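As an added example (not code from this thread, from Check Point, or from the Hurricane Labs app), here is a Python parser for lines in the fw1log format shown in the sample post above, which per the previous post is also the format the `fw log ... | logger` pipeline produces. The first two sample lines are copied from the post; the third, an accept with a `rule:` field and the opposite direction marker, is constructed for illustration. One thing the sample shows that is worth handling explicitly: each line carries two timestamps, the syslog header (when `logger` forwarded the line) and the firewall's own date and time (when the event happened), and they differ by more than a week in the sample. When replaying historical files, the firewall timestamp is the one to index as the event time.

```python
"""Parse Check Point fw1log syslog lines of the layout shown in the thread."""
import re
from collections import Counter
from datetime import datetime

# Constructed sample: lines 1-2 are copied from the post above, line 3 is an
# assumed accept record in the same layout (not from the page).
SAMPLE_LOG = """\
Jul 6 21:03:56 cpmodule fw1log: 27Jun2012 18:41:41 drop 192.168.100.77 <eth0 TCP packet out of state: First packet isn't SYN; tcp_flags: FIN-ACK; src: 192.168.100.77; dst: 184.178.98.215; proto: tcp; product: VPN-1 & FireWall-1; service: 80; s_port: 51854;
Jul 6 21:03:56 cpmodule fw1log: 27Jun2012 18:41:48 drop 192.168.100.77 <eth0 TCP packet out of state: First packet isn't SYN; tcp_flags: FIN-ACK; src: 192.168.100.77; dst: 184.178.98.215; proto: tcp; product: VPN-1 & FireWall-1; service: 80; s_port: 51854;
Jul 6 21:03:57 cpmodule fw1log: 27Jun2012 18:42:03 accept 192.168.100.77 >eth1 rule: 12; src: 10.1.2.3; dst: 192.168.100.10; proto: tcp; product: VPN-1 & FireWall-1; service: 443; s_port: 40111;
"""

# syslog header, then the fw log fields: date time action origin <iface body
HEADER = re.compile(
    r"^(?P<syslog_ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) (?P<tag>\w+): "
    r"(?P<fw_ts>\d{1,2}[A-Z][a-z]{2}\d{4} \d\d:\d\d:\d\d) "
    r"(?P<action>\w+) (?P<origin>\S+) "
    r"(?P<direction>[<>])(?P<interface>\S+) "
    r"(?P<body>.*)$"
)
# "key: value" segments; keys are bare identifiers (src, dst, s_port, ...)
KV = re.compile(r"^([A-Za-z_][A-Za-z0-9_]*):\s*(.*)$")


def parse_line(line):
    """Return a dict of fields for one fw1log line, or None if it does not match."""
    m = HEADER.match(line.strip())
    if m is None:
        return None
    event = {
        "syslog_ts": m.group("syslog_ts"),
        "host": m.group("host"),
        # The firewall's own timestamp is the event time; the syslog header is
        # only when the line was forwarded (the two differ in the sample).
        "event_time": datetime.strptime(m.group("fw_ts"), "%d%b%Y %H:%M:%S"),
        "action": m.group("action"),
        "origin": m.group("origin"),
        "direction": "inbound" if m.group("direction") == "<" else "outbound",
        "interface": m.group("interface"),
    }
    messages = []
    for seg in m.group("body").split(";"):
        seg = seg.strip()
        if not seg:
            continue
        kv = KV.match(seg)
        if kv:
            event[kv.group(1)] = kv.group(2)
        else:
            # Free text such as "TCP packet out of state: First packet isn't SYN"
            # contains a colon but is not a key: value pair; keep it as a message.
            messages.append(seg)
    if messages:
        event["message"] = "; ".join(messages)
    return event


def parse_log(text):
    """Parse every matching line in a block of text; non-matching lines are skipped."""
    return [e for e in (parse_line(line) for line in text.splitlines()) if e]


def drop_summary(events):
    """Count dropped flows by (src, dst, destination service)."""
    return Counter(
        (e.get("src"), e.get("dst"), e.get("service"))
        for e in events
        if e["action"] == "drop"
    )


if __name__ == "__main__":
    parsed = parse_log(SAMPLE_LOG)
    for ev in parsed:
        print(ev["event_time"], ev["action"], ev["direction"], ev["interface"],
              ev.get("src"), "->", ev.get("dst"), ev.get("service"), ev.get("message", ""))
    print(drop_summary(parsed))
```

Fields that are not in the fixed header (tcp_flags, product, rule, service, s_port) are picked up generically as key: value pairs, so the same parser works for other record types in the same layout without a per-type regex.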

kjetil
New Member

Thanks - I've already asked them to give me a quote, but that will unfortunately not give me historical data, which these files will.

No matter - it's better than Checkpoint's SmartView Tracker, where you only see a day at a time....

Share and enjoy
/Kjetil


kjetil
New Member

At the moment the log files were copied directly to my ftp from the Checkpoint box, without being converted first.


jgedeon120
Contributor

Do you know how they are exporting the logs? You could ask them to send the logs directly to a syslog server then forward those logs to Splunk for Indexing. There will be an app that I'm hoping to release shortly.

http://www.hurricanelabs.com/splunking-check-point/
