Firewall Wizards mailing list archives

Re: Log File Formats...


From: Laris Benkis <laris () ottawa com>
Date: Thu, 27 Aug 1998 09:03:50 -0400

You want to be careful with that one, some of the exported log records
do not follow the specified field layout.  I no longer have any examples
of the odd records to show you, but once you start writing scripts to do
accounting you will probably run into this problem.  I never did figure
out a simple algorithmic way of determining when I was dealing with a
deviant record.  Apparently there has been discussion about this problem
lately on the CheckPoint mailing list, you may want to check there.

Laris

Moser, Stefan wrote:

Bret,

FireWall-1 stores its log files actually in a binary format (duh!). After you
export them into ASCII format, the first line will 'document' the format for
individual lines:

num;date;time;orig;type;action;alert;i/f_name;i/f_dir;proto;src;dst;service;s_port;len;rule;xlatesrc;xlatedst;xlatesport;xlatedport;imp-type;icmp-code;rpc_prog;sys_msgs
0;24Aug98; 3:05:01;lns23w-0102_159.156.208.195;control;ctl;;daemon;inbound;;;;;;;;;;;;;;;started sending log to localhost
1;24Aug98; 4:04:01;fwffm1.itffm.ska.com;log;drop;;fddi0;inbound;udp;mgmt-dummy;rtr-dummy1;snmp;33123;69;62;;;;;;;;
.........

There's also an API called LEA (log extraction API) to extract the logs
directly. It's part of Checkpoint's OPSEC program, but other than that I
don't know much about it.

Hope this helps

-Stefan

On Sunday, August 23, 1998 11:02 PM, Technical Incursion Countermeasures [SMTP:lists () ticm com] wrote:
After being frustrated with the need to do logfile processing onsite I've
decided to look at making a generic log analyser. It'll also give me the
benefit of being able to do some serious number crunching  :}...

What I'm looking for is the raw logfile formats for the various firewalls.
If anyone knows them - or knows where to look for them I'd be grateful.

TIA,

Bret
Technical Incursion Countermeasures
consulting () TICM COM                      http://www.ticm.com/
ph: (+61)(041) 4411 149(UTC+8 hrs)      fax: (+61)(08) 9454 6042

The Insider - an e'zine on Computer security - August Edition out
http://www.ticm.com/info/insider/index.html
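As an added illustration of the two points raised in this thread (the ';'-separated export layout Stefan quotes, and Laris's warning that some exported records do not match it), here is a small parser that maps each record onto the header and reports lines whose field count is off. It is example code written for this archive page, not part of any poster's tooling or of FireWall-1; the sample export is constructed, reusing only the header line from the thread, and the hostnames and the two malformed records are invented.

```python
"""Parser for the FireWall-1 ';'-separated ASCII export quoted above."""

FIELD_SEP = ";"

# Header line as quoted in the thread (24 columns, sys_msgs last).
HEADER = ("num;date;time;orig;type;action;alert;i/f_name;i/f_dir;proto;src;dst;"
          "service;s_port;len;rule;xlatesrc;xlatedst;xlatesport;xlatedport;"
          "imp-type;icmp-code;rpc_prog;sys_msgs")

# Constructed sample: records 0 and 1 follow the layout; record 2 is truncated
# and record 3 carries a free-text message that itself contains the separator.
SAMPLE_EXPORT = "\n".join([
    HEADER,
    "0;24Aug98; 3:05:01;fw-mgmt;control;ctl;;daemon;inbound" + ";" * 15
    + "started sending log to localhost",
    "1;24Aug98; 4:04:01;fw-gw;log;drop;;fddi0;inbound;udp;host-a;host-b;"
    "snmp;33123;69;62;;;;;;;;",
    "2;24Aug98; 4:04:05;fw-gw;log;accept;;fddi0;inbound;tcp;host-a;host-b;http",
    "3;24Aug98; 4:05:00;fw-mgmt;control;ctl;;daemon;inbound" + ";" * 15
    + "installed policy; 3 rules",
])


def parse_fw1_export(text):
    """Split an export into records keyed by the header names.

    Returns (records, deviants). A line with too many fields is repaired by
    folding the overflow back into the last column (sys_msgs is free text);
    a line with too few fields cannot be mapped safely and is reported as a
    deviant (line number, field count, raw line) instead of being guessed at.
    """
    lines = [ln for ln in text.splitlines() if ln.strip()]
    header = lines[0].split(FIELD_SEP)
    expected = len(header)
    records, deviants = [], []
    for lineno, raw in enumerate(lines[1:], start=2):
        fields = raw.split(FIELD_SEP)
        if len(fields) > expected:
            fields = fields[:expected - 1] + [FIELD_SEP.join(fields[expected - 1:])]
        if len(fields) != expected:
            deviants.append((lineno, len(fields), raw))
            continue
        records.append(dict(zip(header, (f.strip() for f in fields))))
    return records, deviants


def count_by_action(records):
    """Per-action totals, the kind of accounting the thread is after."""
    counts = {}
    for rec in records:
        counts[rec["action"]] = counts.get(rec["action"], 0) + 1
    return counts
```

The field-count check does not catch every odd record (a line with the right number of fields but shifted columns passes), so the deviant list is a starting point for eyeballing, not a guarantee.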


