Hi.
I have a Checkpoint firewall managed by my WAN provider, and would like to be able to do more with the logs than the default GUI allows me. They will not let me connect directly to the boxes(they want to sell me an additional management/reporting service), but I've been able to get them to ftp the logs out for me.
Sadly, the format of the files isn't humanly readable - can Splunk read them or does anybody here know a tool that can convert them to something Splunk-readable?
Or am I going at this the wrong way? Am I trying to something that's not possible?
Kind regards
Kjetil Thorstensen
kjetil,
I would suggest having your Firewall management vendor follow the instructions in the link about and sending Syslog directly to you. This way you get real time logs, and you will have the fw1 logs and the audit logs.
Sample:
Jul 6 21:03:56 cpmodule fw1log: 27Jun2012 18:41:41 drop 192.168.100.77 <eth0 TCP packet out of state: First packet isn't SYN; tcp_flags: FIN-ACK; src: 192.168.100.77; dst: 184.178.98.215; proto: tcp; product: VPN-1 & FireWall-1; service: 80; s_port: 51854;
Jul 6 21:03:56 cpmodule fw1log: 27Jun2012 18:41:48 drop 192.168.100.77 <eth0 TCP packet out of state: First packet isn't SYN; tcp_flags: FIN-ACK; src: 192.168.100.77; dst: 184.178.98.215; proto: tcp; product: VPN-1 & FireWall-1; service: 80; s_port: 51854;
If possible, you could have them export the logs to files with the fw log command. They would need to set the file location in /etc/syslog.conf and then run a command like:
fw log -pln fw.log | grep --line-buffered -v ^$ | logger -p local.0.crit -t fw1log
This would put the logs in the same format as what you will received when receiving logs from the remote management server.
Thanks - I've already asked them to give me a quote, but that will unfortunately not give ne historical data, which these files will.
No matter - it's better than Checkpoint's Smartview Tracker, where you only se a day at a time....
Share and enjoy
/Kjetil
At the moment the log files were copied directly to my ftp from the Checkpoint box, without being converted first.
Do you know how they are exporting the logs? You could ask them to send the logs directly to a syslog server then forward those logs to Splunk for Indexing. There will be an app that I'm hoping to release shortly.