Security Basics mailing list archives
Re: Checkpoint Fw1 syslog logging. Any solution ?
From: Rajeev Kumar <rajeev () rajeevnet com>
Date: Mon, 26 Sep 2005 13:24:35 -0400
I have cooked up a solution (sorry, this is only for Linux/Unix-type servers, as it is based on logger, unless you want to install Cygwin on your Windows server and run this script via the Cygwin shell). Hope this may help others. You can fine-tune the fw log -f -t ... command in the script below to suit your needs.
To start
/etc/init.d/checkpoint_fwlogs start

To stop
/etc/init.d/checkpoint_fwlogs stop

-------------------------------------------------------------------------
(*)Boot script (put under /etc/init.d/checkpoint_fwlogs , run chkconfig etc)
-------------------------------------------------------------------------
#!/bin/sh
# rajeev () rajeevnet com (Sept/22/2005)
# chkconfig: - 99 30
# description: This is a checkpoint logger to syslog

#- Logger
LOGGER="/usr/bin/logger"
#- Local command errors go to this file
LOCAL_ERRORS="/var/log/checkpoint_fw.log"
#- Syslog Facility
FACILITY="user"
#- Syslog Level
LEVEL="alert"

#--- If you want to collect these logs in a different file on your
#--- syslog server
#---- define something like below. Assuming user.alert syslog facility.
#user.alert /var/log/checkpoint_fw.log

##--- No Need to modify below this ------------------------##

#-Check if any other fw log process is running
OLD_PID=`ps -ef | grep "fw log" | grep -v grep | awk '{print $2}'`

case "$1" in
'start')
    #- Quoted test: OLD_PID may be empty or hold several PIDs
    if [ -n "$OLD_PID" ]; then
        echo "!!!------------------------------------------!!!!!"
        echo " ALERT:: Another log process is running with pid $OLD_PID . First kill that process. Exiting..."
        echo "!!!------------------------------------------!!!!!"
        exit 1
    fi
    #- fw is run from $FWDIR, which may not be set when init runs this script
    if [ -z "$FWDIR" ]; then
        echo "FWDIR is not set. Exiting..."
        exit 1
    fi
    echo "Sending Checkpoint logs to syslog .."
    #Throw all logs to syslog.
    "$FWDIR/bin/fw" log -f -t -l -o 2>>"$LOCAL_ERRORS" | "$LOGGER" -p "$FACILITY.$LEVEL" >/dev/null 2>&1 &
    ;;
'stop')
    if [ -n "$OLD_PID" ]; then
        echo "Killing fw log process with PID $OLD_PID"
        #- Left unquoted on purpose so every matching PID is killed
        kill $OLD_PID
    fi
    echo "Stopped ......"
    ;;
*)
    echo "Usage: $0 { start | stop }"
    ;;
esac
------------------------------------------------------------------------------

Hope this helps.
Rajeev K.

contrera () eig unige ch wrote:
Hi,

I need to redirect my Checkpoint firewall logs to a syslog server. I've found the following URL that describes a trick for being able to redirect the fw1 log to syslog, but it works only on Linux: http://wyae.de/docs/fw1syslog.php

My Checkpoint host is on Windows, so I can't use this. Does someone know a solution for a Windows host?

Thanks a lot