jond3rd
Explorer

Check contents of compressed tar archive and run fw log or fwm log

Hi,

 

Not sure if this is even possible, but I'd like to gather experts' opinions on this.

 

We have an archive of logs in tar.gz format and I'm wondering if it's possible to run 'fw log' or 'fwm logexport' on all the log files (*.log) without extracting the archive itself.

 

I have tried the following, but for some reason these only work on audit logs (.adtlogs):

  1. zcat oldfwlog.tar.gz | xargs fw log -n -p
  2. tar zxvf oldfwlog.tar.gz YYYY-MM-DD_XXXX.log --to-command='fw log -n -p $TAR_FILENAME'

 

The first one only produces output from audit logs; the second one produces an error "Failed to open file '/opt/CPmds-R81.10/log/YYY-MM-DD_XXXX.log': No such file or directory", but the same command works if I use the audit log file as one of the parameters for tar:

tar zxvf oldfwlog.tar.gz YYYY-MM-DD_XXXX.adtlog --to-command='fw log -n -p $TAR_FILENAME'.

 

It has the same behavior if I use 'fwm logexport -n -p -i'. It works perfectly for audit logs but not for firewall logs.

 

Seeing that the command works for audit logs, I was hoping there's a switch or option I can use to perform the same on *.log.

Any input will be highly appreciated.

 

-jon-

0 Kudos
4 Replies
PhoneBoy
Admin

What about CPLogFilePrint?
See: https://support.checkpoint.com/results/sk/sk153972 

0 Kudos
jond3rd
Explorer

Hi PhoneBoy,

 

Thanks for the response, really appreciate it.

That is an interesting tool, but unfortunately it doesn't work with what I want to accomplish. It gives an error "failed to open file YYYY-MM-DD_XXXX.log"

 

It seems that all the commands I've tried to process firewall logs need all the relevant files to be extracted first before I can access the contents.

 

It appears that YYYY-MM-DD_XXXX.log needs the following files as well:

YYYY-MM-DD_XXXX.logptr

YYYY-MM-DD_XXXX.loginitialptr

 

For now, I am extracting the relevant log files just to accomplish the task that was given to me.

0 Kudos
PhoneBoy
Admin

Sounds like expected behavior as I know those files are needed to read the contents of the log correctly.

0 Kudos
jond3rd
Explorer

Looks to be that way, it works on audit logs probably because it's not dependent on any other file.

Thanks for the response PhoneBoy, as always, we appreciate your help and support on the community.

 

 

0 Kudos
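
What the thread arrives at, as an added example that is not part of the original posts: pull only one firewall log and its companion pointer files out of the archive into a scratch directory, run the reader there, and clean up. The function names are hypothetical, and it assumes the companion files share the log's name prefix and that `fw log` accepts an absolute path.

```bash
#!/bin/bash
# Added example, not from the thread. Assumptions: the companion files share
# the log's name prefix (NAME.logptr, NAME.loginitialptr, as listed in the
# thread) and the reader accepts an absolute path to the extracted .log file.

# List the archive members that belong to one firewall log: NAME.log itself
# plus every sibling whose file name starts with "NAME.log".
log_members() {                      # usage: log_members ARCHIVE NAME.log
    local archive=$1 log=$2 member
    tar -tzf "$archive" | while IFS= read -r member; do
        case "${member##*/}" in
            "$log"*) printf '%s\n' "$member" ;;
        esac
    done
}

# Extract only that file set into a scratch directory, run the reader on the
# .log there, then delete the scratch copy. Default reader: fw log -n -p.
read_archived_log() {                # usage: read_archived_log ARCHIVE NAME.log [READER...]
    local archive=$1 log=$2 members scratch logpath rc=0
    shift 2
    members=$(log_members "$archive" "$log")
    if [ -z "$members" ]; then
        echo "no member named $log in $archive" >&2
        return 1
    fi
    scratch=$(mktemp -d) || return 1
    # Pass the member names on stdin (-T -) so nothing else is unpacked.
    if ! printf '%s\n' "$members" | tar -xzf "$archive" -C "$scratch" -T -; then
        rm -rf "$scratch"
        return 1
    fi
    logpath=$(find "$scratch" -type f -name "$log" | head -n 1)
    [ $# -gt 0 ] || set -- fw log -n -p
    "$@" "$logpath" || rc=$?
    rm -rf "$scratch"
    return "$rc"
}

# Example calls (file names are placeholders):
#   read_archived_log oldfwlog.tar.gz YYYY-MM-DD_XXXX.log
#   read_archived_log oldfwlog.tar.gz YYYY-MM-DD_XXXX.log fwm logexport -n -p -i
```

Audit logs (.adtlog) with the same date prefix are not matched, so only the firewall log's file set is written to disk.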
