
CheckPoint lea_loggrabber enhancement

KGolomb
Engager

The CheckPoint LEA application (lea_loggrabber) seems to be grabbing every field that appears in the logs without putting a delimiter between the fields. In most cases this is OK, but there are several fields (e.g. attack and Attack Info) that are not easy to parse out. Extracting values can easily get values that contain the next field name.

Example data (field names in bold):

Industry Reference=CVE-2008-2469 Protection Type=protection Attack Info=DNS TXT record parsing buffer overflow attack=DNS Enforcement Violation SmartDefense profile=Default_Protection_NO_NetQ

In this case if you extracted the attack field you might get "DNS Enforcement Violation SmartDefense" instead of the expected "DNS Enforcement Violation".

One solution would be to put a known delimiter such as | between the fields. I know this was an option with the fw1-loggrabber application, but it has been stated that this program has stability issues.

So can you please add an option to the lea_loggrabber application to optionally add a delimiter between the grabbed fields? Or provide the source code for the lea_loggrabber application so this can be done?

lea_loggrabber output would be better like this:

|Industry Reference=CVE-2008-2469 |Protection Type=protection |Attack Info=DNS TXT record parsing buffer overflow |attack=DNS Enforcement Violation |SmartDefense profile=Default_Protection_NO_NetQ


hexx
Splunk Employee

With the contribution of Splunk Answers user treyka, we were able to patch and recompile the "lea_loggrabber" Linux binary to output semicolons as delimiters between field/value pairs:

  • Before:

loc=2445861 filename=fw.log fileid=1314230340 time=25Aug2011 12:40:58 action=drop orig=FIREWALLNAME i/f_dir=inbound i/f_name=eth-s2p2c0 has_accounting=0 product=VPN-1 & FireWall-1 __policy_id_tag=product=VPN-1 & FireWall-1[db_tag={AAAAAAA-BBBBB-CCCCCC-DDDDDDD-EEEEEEEEEE};mgmt=LAB-CMA;date=1310743754;policy_name=ABCD_Policy] rule=77 rule_uid={19AD44C1-79E0-422F-91A6-FF2E6A818EEE} SmartDefense profile=No Protection src=1.2.3.4 s_port=40552 dst=4.3.2.1service=snmp-read proto=udp

  • After:

time=26Aug2011 12:34:34;action=drop;fw=1.2.3.4;if_dir=inbound;if_name=eth-s2p2c0;mgmt=LAB-CMA;policy_name=ABCD_Policy;rule=77;src=1.2.3.4;s_port=11334;dst=4.3.2.1;d_port=161;proto=udp;

In addition, this patched version of "lea_loggrabber" accepts new, mutually exclusive parameters to control the name resolution of objects:

  • The option "--resolve" will cause objects to be resolved, as is currently the case. Example:

time= 4Aug2011 22:47:52;action=accept;fw=Win2k3-86sup01;if_dir=inbound;if_name=E1G606;mgmt=Win2k3-86sup01;policy_name=Standard;rule=2;rule_name=LEA traffic;service_id=FW1_lea;src=beefysup01.splunk.com;s_port=33776;dst=Win2k3-86sup01;d_port=FW1_lea;proto=tcp;

  • The option "--no-resolve" will prevent object name resolution. Example:

time= 4Aug2011 22:47:00;action=accept;fw=10.160.31.56;if_dir=inbound;if_name=E1G606;mgmt=Win2k3-86sup01;policy_name=Standard;rule=2;rule_name=LEA traffic;service_id=FW1_lea;src=10.1.12.1;s_port=47250;dst=10.160.31.56;d_port=18184;proto=tcp;

Some important remarks:

  • This patched version of the lea_loggrabber binary is not currently integrated into the app packaged on splunkbase. It can be obtained by requesting it from Splunk Support. Please open a support case if you would like to receive it.
  • Only the Linux (32-bit/64-bit) version of the lea_loggrabber binary has been recompiled with this patch.
  • The patched binary will be provided "as is". It has not been tested by Splunk Quality Assurance, which is why it has not yet been integrated into the package available on splunkbase.
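The extraction problem from the question and the semicolon-delimited format from this answer, as an added Python example (not code from this thread, from Splunk, or from lea_loggrabber). The sample lines are constructed from the formats shown above, and KNOWN_FIELDS is an assumed, non-exhaustive list of field names used only to anchor the undelimited parser.

```python
import re

# Constructed sample lines, modelled on the two output formats shown in this thread.
UNDELIMITED = (
    "Industry Reference=CVE-2008-2469 Protection Type=protection "
    "Attack Info=DNS TXT record parsing buffer overflow "
    "attack=DNS Enforcement Violation SmartDefense profile=Default_Protection_NO_NetQ"
)
DELIMITED = (
    "time= 4Aug2011 22:47:52;action=accept;fw=Win2k3-86sup01;if_dir=inbound;"
    "rule_name=LEA traffic;service_id=FW1_lea;src=10.1.12.1;proto=tcp;"
)
# Field names the undelimited parser needs as anchors (assumed list, not exhaustive).
KNOWN_FIELDS = ["Industry Reference", "Protection Type", "Attack Info",
                "attack", "SmartDefense profile"]


def naive_extract(line, field):
    """Typical regex extraction: take the value up to the next 'name=' token.
    On undelimited output this swallows the next field's name whenever that
    name contains a space, which is exactly the problem raised in the question."""
    m = re.search(re.escape(field) + r"=(.*?)\s\S+=", line)
    return m.group(1) if m else None


def parse_undelimited(line, known_fields):
    """Split undelimited output by anchoring on a list of known field names.
    A name only counts when it starts the line or follows whitespace and is
    directly followed by '='; each value runs to the next such anchor."""
    anchor = re.compile(r"(?:^|(?<=\s))(" + "|".join(map(re.escape, known_fields)) + r")=")
    hits = list(anchor.finditer(line))
    fields = {}
    for i, m in enumerate(hits):
        end = hits[i + 1].start() if i + 1 < len(hits) else len(line)
        fields[m.group(1)] = line[m.end():end].strip()
    return fields


def parse_delimited(line, sep=";"):
    """Parse the patched ';'-separated output: no field list is needed and
    values with spaces ('LEA traffic') are unambiguous. Only the first '='
    splits key from value; the trailing empty chunk is skipped."""
    fields = {}
    for chunk in line.split(sep):
        if "=" not in chunk:
            continue
        key, value = chunk.split("=", 1)
        fields[key.strip()] = value.strip()
    return fields
```

naive_extract reproduces the "DNS Enforcement Violation SmartDefense" result described in the question, while the delimited parser needs no knowledge of field names at all.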

hexx
Splunk Employee

Some questions for you:

- On what platform have you attempted to run the modified lea_loggrabber binary?

- Do you get the "segmentation fault" error with the unmodified binary?

- What output do you see when running lea_loggrabber from the command line?


ksirisawatdi_sp
Splunk Employee

My customer tried this and got an error message saying "Segmentation fault". Any suggestion?


EricPartington
Communicator

I agree completely; the ability to define (or have a standard delimiter) for fw1-loggrabber is a bonus.

Other features that would be required:

  • getting the audit.log file
  • more debug information, as available in fw1-loggrabber, for troubleshooting SIC issues
  • the ability to resolve or not resolve the IP addresses and services, so that we can get either the raw IP addresses/port numbers or the object names and service names. This would make it easier to cross-reference the IPs with other firewall types that offer this ability.
