topic Re: Check contents of compressed tar archive and run fw log or fwm log in API / CLI Discussion

Check contents of compressed tar archive and run fw log or fwm log

jond3rd — Mon, 17 Jun 2024 01:15:26 GMT

Hi,

Not sure if this is even possible but I'd like to gather experts opinion on this.

We have an archive of logs in tar.gz format and I'm wondering if it's possible to run 'fw log' or 'fwm logexport' on all the log files (*.log) without extracting the archive itself.

I have tried the following but for some reason, these only works on audit logs (.adtlogs)

zcat oldfwlog.tar.gz | xargs fw log -n -p
tar zxvf oldfwlog.tar.gz YYYY-MM-DD_XXXX.log --to-command='fw log -n -p $TAR_FILENAME'

First one only produce output from audit logs, the second one produce an error "Failed to open file '/opt/CPmds-R81.10/log/YYY-MM-DD_XXXX.log': No such file or directory" but the same command works if I use the audit log file as one of the parameters for tar

tar zxvf oldfwlog.tar.gz YYYY-MM-DD_XXXX.adtlog --to-command='fw log -n -p $TAR_FILENAME'.

It has the same behavior if I use 'fwm logexport -n -p -i'. It works perfectly for audit logs but nor for firewall logs.

seeing that command works for audit logs, I was hoping there's a switch or option I can use to perform the same on *.log.

Any input will be highly appreciated

-jon-

Re: Check contents of compressed tar archive and run fw log or fwm log

PhoneBoy — Mon, 17 Jun 2024 23:33:42 GMT

What about CPLogFilePrint?
See: https://support.checkpoint.com/results/sk/sk153972

Re: Check contents of compressed tar archive and run fw log or fwm log

jond3rd — Tue, 18 Jun 2024 01:22:20 GMT

Hi PhoneBoy,

Thanks for the response, really appreciate it.

That is an interesting tool, but unfortunately it doesn't work with what I want to accomplish. It gives an error "failed to open file YYYY-MM-DD_XXXX.log"

It seems that all the commands I've tried to process firewall logs needs all the relevant files to be extracted first before I can access the contents.

It appears that YYYY-MM-DD_XXXX.log needs the following files as well

YYYY-MM-DD_XXXX.logptr

YYYY-MM-DD_XXXX.loginitialptr

For now, I am extracting the relevant log files just to accomplish the task that was given to me.

Re: Check contents of compressed tar archive and run fw log or fwm log

PhoneBoy — Tue, 18 Jun 2024 20:10:45 GMT

Sounds like expected behavior as I know those files are needed to read the contents of the log correctly.

Re: Check contents of compressed tar archive and run fw log or fwm log

jond3rd — Tue, 18 Jun 2024 22:30:37 GMT

Looks to be that way, it works on audit logs probably because it's not dependent on any other file.

Thanks for the response PhoneBoy, as always, we appreciate your help and support on the community.