Firewall Wizards mailing list archives
Re: Log File Formats...
From: Laris Benkis <laris () ottawa com>
Date: Thu, 27 Aug 1998 09:03:50 -0400
You want to be careful with that one: some of the exported log records do not follow the specified field layout. I no longer have any examples of the odd records to show you, but once you start writing scripts to do accounting you will probably run into this problem. I never did figure out a simple algorithmic way of determining when I was dealing with a deviant record. Apparently there has been discussion about this problem lately on the CheckPoint mailing list; you may want to check there.

Laris

Moser, Stefan wrote:
Bret,

FireWall-1 actually stores its log files in a binary format (duh!). After you export them into ASCII format, the first line will 'document' the format for individual lines:

num;date;time;orig;type;action;alert;i/f_name;i/f_dir;proto;src;dst;service;s_port;len;rule;xlatesrc;xlatedst;xlatesport;xlatedport;imp-type;icmp-code;rpc_prog;sys_msgs
0;24Aug98; 3:05:01;lns23w-0102_159.156.208.195;control;ctl;;daemon;inbound;;;;;;;;;;;;;;;started sending log to localhost
1;24Aug98; 4:04:01;fwffm1.itffm.ska.com;log;drop;;fddi0;inbound;udp;mgmt-dummy;rtr-dummy1;snmp;33123;69;62;;;;;;;;
.........

There's also an API called LEA (log extraction API) to extract the logs directly. It's part of Checkpoint's OPSEC program, but other than that I don't know much about it.

Hope this helps

-Stefan

On Sunday, August 23, 1998 11:02 PM, Technical Incursion Countermeasures [SMTP:lists () ticm com] wrote:

After being frustrated with the need to do logfile processing onsite I've decided to look at making a generic log analyser. It'll also give me the benefit of being able to do some serious number crunching :}... What I'm looking for is the raw logfile formats for the various firewalls. If anyone knows them - or knows where to look for them - I'd be grateful.

TIA,
Bret

Technical Incursion Countermeasures
consulting () TICM COM
http://www.ticm.com/
ph: (+61)(041) 4411 149 (UTC+8 hrs)
fax: (+61)(08) 9454 6042
The Insider - an e'zine on Computer security - August Edition out
http://www.ticm.com/info/insider/index.html
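The export layout Stefan quotes and the "deviant record" problem Laris warns about, as an added worked example that is not code from either poster or from Check Point: a small Python parser that takes the field names from the export's first line, accepts only records whose field count matches the header, quarantines the rest for manual review, and runs a simple per-source byte accounting over the clean records. The sample export below is constructed for this example (modelled on the quoted header and records); the hostnames and addresses in it, the assumption that `len` is a byte count, and the assumption that one way a record can deviate is a stray `;` inside the free-text `sys_msgs` field are all this example's own, not facts from the thread.

```python
"""Parse a FireWall-1 ASCII log export and quarantine records that do not
match the header.  Added example; sample data below is constructed."""
from collections import Counter
from datetime import datetime

# Constructed sample export, modelled on the header and records quoted in
# the thread (header copied as quoted, including 'imp-type').  Record 4 has
# an assumed stray ';' inside sys_msgs (25 fields) and record 5 is truncated
# (11 fields); both are the kind of line that breaks naive accounting scripts.
SAMPLE_EXPORT = """\
num;date;time;orig;type;action;alert;i/f_name;i/f_dir;proto;src;dst;service;s_port;len;rule;xlatesrc;xlatedst;xlatesport;xlatedport;imp-type;icmp-code;rpc_prog;sys_msgs
0;24Aug98; 3:05:01;fw-mgmt;control;ctl;;daemon;inbound;;;;;;;;;;;;;;;started sending log to localhost
1;24Aug98; 4:04:01;fw1;log;drop;;fddi0;inbound;udp;10.1.1.5;10.2.2.9;snmp;33123;69;62;;;;;;;;
2;24Aug98; 4:04:07;fw1;log;accept;;fddi0;inbound;tcp;10.1.1.5;10.2.2.9;http;1047;1500;12;;;;;;;;
3;24Aug98; 4:05:00;fw1;alert;drop;mail;fddi0;inbound;tcp;10.1.1.7;10.2.2.9;telnet;2001;60;4;;;;;;;;
4;24Aug98; 4:05:30;fw1;control;ctl;;daemon;inbound;;;;;;;;;;;;;;;log switch; old file: fw.log.24Aug98
5;24Aug98; 4:06:00;fw1;log;accept;;fddi0;inbound;udp;10.1.1.5
"""


def parse_fw1_export(text):
    """Return (header, records, deviants).

    header   - list of field names taken from the first line of the export
    records  - dicts keyed by field name, one per line that matched the header
    deviants - lines whose field count differs from the header, kept verbatim
               with the counts so a human can look at them (Laris's problem)
    """
    lines = [ln for ln in text.splitlines() if ln.strip()]
    header = lines[0].split(";")
    records, deviants = [], []
    for line in lines[1:]:
        fields = line.split(";")
        if len(fields) != len(header):
            deviants.append({"line": line, "fields": len(fields),
                             "expected": len(header)})
            continue
        # Values carry leading blanks (e.g. ' 3:05:01'), so strip each one.
        records.append(dict(zip(header, (f.strip() for f in fields))))
    return header, records, deviants


def repair_overflow(header, line):
    """Heuristic for one deviant shape only: extra ';' inside the trailing
    free-text field.  Joins the overflow back into the last header field and
    returns a record dict; returns None for short or exactly-sized lines,
    which still need eyeballing.  (Assumption: the last field is free text.)"""
    fields = line.split(";")
    if len(fields) <= len(header):
        return None
    last = len(header) - 1
    fixed = fields[:last] + [";".join(fields[last:])]
    return dict(zip(header, (f.strip() for f in fixed)))


def record_time(rec):
    """Combine the export's date ('24Aug98') and time (' 3:05:01') fields."""
    return datetime.strptime(rec["date"] + " " + rec["time"], "%d%b%y %H:%M:%S")


def bytes_by_source(records):
    """Sum 'len' per src over traffic records, skipping control messages.
    Assumption for this example: 'len' is the packet length in bytes."""
    totals = Counter()
    for rec in records:
        if rec["type"] == "control" or not rec["len"]:
            continue
        totals[rec["src"]] += int(rec["len"])
    return totals


if __name__ == "__main__":
    hdr, good, bad = parse_fw1_export(SAMPLE_EXPORT)
    print(f"{len(hdr)} header fields, {len(good)} clean records, {len(bad)} deviants")
    for d in bad:
        fixed = repair_overflow(hdr, d["line"])
        print(f"  deviant ({d['fields']} of {d['expected']} fields):",
              "repaired as overflow" if fixed else "needs manual review")
    for src, total in sorted(bytes_by_source(good).items()):
        print(f"  {src}: {total} bytes")
```

The point of the split is that accounting runs only over records that provably match the header, while the deviants are never silently dropped or mis-shifted into the wrong columns. `repair_overflow` recovers the one shape that is mechanically safe to fix (too many fields, free text last); anything short or exactly the right length but shifted cannot be told apart from a good record by counting alone, which is the difficulty Laris describes.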
Current thread:
- Log File Formats... Technical Incursion Countermeasures (Aug 23)
- Re: Log File Formats... Joseph S. D. Yao (Aug 25)
- Re: Log File Formats... Hubert Weikert (Aug 25)
- <Possible follow-ups>
- RE: Log File Formats... Moser, Stefan (Aug 24)
- Re: Log File Formats... Laris Benkis (Aug 27)
- RE: Log File Formats... Euan (Aug 25)