The CheckPoint LEA Application (lea_loggrabber) seems to be grabbing every field that appears in the logs without putting a delimiter between the fields. In most cases this is ok but there are several fields (e.g. attack and Attack Info) that are not easy to parse out. Extracting values can easily get values that contain the next field name.
Example Data: (field names in bold)
Industry Reference=CVE-2008-2469 Protection Type=protection Attack Info=DNS TXT record parsing buffer overflow attack=DNS Enforcement Violation SmartDefense profile=Default_Protection_NO_NetQ
In this case if you extracted the attack field you might get "DNS Enforcement Violation SmartDefense" instead of the expected "DNS Enforcement Violation".
One solution would be to put a known delimiter such as | between the fields. I know this was an option with the fw1-loggrabber application but it has been stated that this program has stability issues.
So can you please add an option to the lea_loggrabber application to optionally add a delimiter between the grabbed fields. Or provide the source code for the lea_loggrabber application so this can be done?
lea_loggrabber output would be better if it looked like this:
|Industry Reference=CVE-2008-2469 |Protection Type=protection |Attack Info=DNS TXT record parsing buffer overflow |attack=DNS Enforcement Violation |SmartDefense profile=Default_Protection_NO_NetQ
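The ambiguity described above, as an added example that is not the poster's code nor lea_loggrabber's: a naive parse reproduces the wrong "attack" value, while a parse driven by a list of known field names (the list here is an assumption, taken from the sample line) recovers the intended values and can re-emit the line with the "|" delimiter requested.

```python
import re

# Constructed sample line in the shape the post describes: key=value pairs
# separated only by spaces, where values may themselves contain spaces.
SAMPLE = ("Industry Reference=CVE-2008-2469 Protection Type=protection "
          "Attack Info=DNS TXT record parsing buffer overflow "
          "attack=DNS Enforcement Violation "
          "SmartDefense profile=Default_Protection_NO_NetQ")

# Field names assumed to be known in advance (hypothetical list for this
# example; a real deployment would build it from the product's schema).
KNOWN_FIELDS = ["Industry Reference", "Protection Type", "Attack Info",
                "attack", "SmartDefense profile"]


def naive_parse(line):
    """Parse without field knowledge: a key is the single token before '='
    and a value runs until the next such token. Multi-word field names
    therefore leak their first word into the preceding value."""
    return re.findall(r"(\S+)=(.*?)(?=\s\S+=|$)", line)


def parse_with_known_fields(line, fields):
    """Parse using the known field names: a value ends exactly where the
    next known name followed by '=' begins. Names are matched
    case-sensitively and longest-first so a shorter name never wins over a
    longer one that starts with the same text. Returns (name, value) pairs
    in line order, so repeated fields are preserved."""
    names = sorted(fields, key=len, reverse=True)
    alt = "|".join(re.escape(n) for n in names)
    pattern = re.compile(rf"(?:^|\s)({alt})=(.*?)(?=\s(?:{alt})=|$)")
    return [(m.group(1), m.group(2)) for m in pattern.finditer(line)]


def add_delimiters(line, fields, sep="|"):
    """Re-emit the line with an unambiguous delimiter before every field,
    the output shape the post asks lea_loggrabber to produce."""
    pairs = parse_with_known_fields(line, fields)
    return " ".join(f"{sep}{k}={v}" for k, v in pairs)


if __name__ == "__main__":
    print("naive:", dict(naive_parse(SAMPLE))["attack"])
    print("known:", dict(parse_with_known_fields(SAMPLE, KNOWN_FIELDS))["attack"])
    print(add_delimiters(SAMPLE, KNOWN_FIELDS))
```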