
"more fw.log" does not show clear data. How do I solve this?

0 Kudos
22 Replies
Danny
Pearl

Re: "more fw.log" does not show clear data. How do I solve this?

$FWDIR/log/fw.log is a binary file. If you really want to view its contents at the CLI using the more command, I recommend using the following syntax:

hexdump -C $FWDIR/log/fw.log | more

Alternatively, see the Log Exporter Guide or Export logs to CSV, or just run fw monitor to see your connections in real time instead of grepping for a connection within the log.

May I ask why you are not using SmartLog to properly view and filter through your firewall's logs?

0 Kudos

Re: "more fw.log" does not show clear data. How do I solve this?

But the result is the following: (attach) 

It does not allow me to see the fw.log in real time. Is this possible, or should I look at "messages" instead?

hexdump -C $FWDIR/log/fw.log | more

0 Kudos

Re: "more fw.log" does not show clear data. How do I solve this?

Hello Danny, in SmartLog... I'm not sure if in SmartLog I can do advanced filters in the search tab.

0 Kudos
Vladimir
Pearl

Re: "more fw.log" does not show clear data. How do I solve this?

If this is an SSH session from a terminal emulator, such as PuTTY, start another session with these defaults:

 

And try again.

0 Kudos

Re: "more fw.log" does not show clear data. How do I solve this?

The PuTTY options appear to me as such.
The only difference is that "Western" does not appear in the "script" of the source.

But when I run in the folder:
/var/log/opt/CPsuite-R80/fw1/log/

I run: more fw.log, and still no data appears. I would like to know how to monitor the complete log in real time.

0 Kudos
Admin
Admin

Re: "more fw.log" does not show clear data. How do I solve this?

fw.log is a binary file, which cannot be read with a simple more command. 

You have to use the CLI command fw log to read it. 

0 Kudos
Vladimir
Pearl

Re: "more fw.log" does not show clear data. How do I solve this?

:) I've missed that: sometimes eyes see what you expect. In my case it was "fw log | more"

0 Kudos

Re: "more fw.log" does not show clear data. How do I solve this?

more fw.log

In clish mode, expert... I run more fw.log and I cannot monitor in real time.

0 Kudos

Re: "more fw.log" does not show clear data. How do I solve this?

As already mentioned, you are using a wrong command.

Go into expert mode and run "fw log | more"

However, if you are looking to get readable logs in real time, please consider exporting them via syslog to an external server and analyzing them there. Log Exporter - Check Point Log Export

0 Kudos

Re: "more fw.log" does not show clear data. How do I solve this?

In expert mode:

fw log | more

it does not show anything

😞

0 Kudos
Vladimir
Pearl

Re: "more fw.log" does not show clear data. How do I solve this?

If you are running it on the gateway but the gateway is configured to log to the Management Server, you should run the same command on the management server.

0 Kudos

Re: "more fw.log" does not show clear data. How do I solve this?

That's impossible. Where are you running it?

0 Kudos
Admin
Admin

Re: "more fw.log" does not show clear data. How do I solve this?

Like I said, fw.log is a binary file, which "more" cannot read.

You need to use fw log on the CLI to review this file.

Or better yet, use SmartLog/SmartView.

0 Kudos
Vladimir
Pearl

Re: "more fw.log" does not show clear data. How do I solve this?

You have to run "fw log" from clish. As Dameon has mentioned fw.log is a binary file and you will not get legible output by trying to read it as a text file.

Use "fw log --help" to see all available options.

P.S. you do not have to be in "expert" mode to run it.

0 Kudos
Vladimir
Pearl

Re: "more fw.log" does not show clear data. How do I solve this?

This is what you should see on the gateway that is centrally managed:

GW8010> fw log | more
GW8010> expert
Enter expert password:


Warning! All configurations should be done through clish
You are in expert mode now.

[Expert@GW8010:0]# fw log | more
[Expert@GW8010:0]#

And this is what you should see on the management server that the logs are being forwarded to:

login as: admin
This system is for authorized use only.
admin@192.168.7.30's password:
Last login: Mon Sep 24 09:22:24 2018 from 192.168.7.148
SMS8010> fw log | more
Date: Sep 24, 2018
0:00:00 5 N/A 1 ctl SMS8010 > daemon LogId: <max_null>; ContextNum: <max_null>; OriginSicName: cn=cp_mgmt,o=SMS8010..bhska4; OriginSicName: cn=cp_mgmt,o=SMS8010..bhska4; HighLevelLogKey: 18446744073709551615; log_sys_message: Log file has been switched to: 2018-09-24_000000.log; ProductName: VPN-1 & FireWall-1; ProductFamily: Network;

Date: Sep 23, 2018
23:58:04 5 N/A 11 accept GW8010 < eth2 LogId: 0; ContextNum: <max_null>; OriginSicName: CN=GW8010,O=SMS8010..bhska4; OriginSicName: CN=GW8010,O=SMS8010..bhska4; HighLevelLogKey: 18446744073709551615; inzone: Local; outzone: Internal; service_id: domain-udp; src: GW8010; dst: DC16; proto: udp; user: ; src_user_name: ; src_machine_name: ; src_user_dn: ; snid: ; dst_user_name: ; dst_machine_name: dc16@higherintelligence.com; dst_user_dn: ; UP_match_table: TABLE_START; ROW_START: 0; match_id: 4; layer_uuid: 1d365ba8-9fb0-4279-8f26-3b0842cccb54; layer_name: GW8010-Composite-Demo Network; rule_uid: 3d2f9eb5-f989-4f61-aaf6-c2d336555e0e; rule_name: For Nessus Scans; action: 2; parent_rule: 0; ROW_END: 0; UP_match_table: TABLE_END; ProductName: VPN-1 & FireWall-1; svc: domain-udp; sport_svc: 49371; ProductFamily: Network;

0 Kudos
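The `fw log` output quoted above is one record per line: a fixed header (time, counters, action, origin, direction marker, interface) followed by `key: value;` pairs, with a `Date:` line preceding each group. The following is an added example, not part of this thread or of Check Point's own tooling, that parses that text into dictionaries so it can be filtered the way the poster wanted (by action, source, destination, rule). The sample input is an abridged copy of the two records shown above; the header layout is assumed from that sample only, and values that contain their own `: ` (such as `log_sys_message`) are handled by splitting on the first colon.

```python
import re

# Constructed sample input, abridged from the `fw log | more` output quoted above.
SAMPLE = """Date: Sep 24, 2018
0:00:00 5 N/A 1 ctl SMS8010 > daemon LogId: <max_null>; ContextNum: <max_null>; OriginSicName: cn=cp_mgmt,o=SMS8010..bhska4; HighLevelLogKey: 18446744073709551615; log_sys_message: Log file has been switched to: 2018-09-24_000000.log; ProductName: VPN-1 & FireWall-1; ProductFamily: Network;

Date: Sep 23, 2018
23:58:04 5 N/A 11 accept GW8010 < eth2 LogId: 0; ContextNum: <max_null>; OriginSicName: CN=GW8010,O=SMS8010..bhska4; OriginSicName: CN=GW8010,O=SMS8010..bhska4; inzone: Local; outzone: Internal; service_id: domain-udp; src: GW8010; dst: DC16; proto: udp; user: ; rule_name: For Nessus Scans; action: 2; ProductName: VPN-1 & FireWall-1; svc: domain-udp; sport_svc: 49371; ProductFamily: Network;
"""

# Record header as seen in the sample (assumed layout): time, a counter, "N/A",
# another counter, the action word, the logging origin, "<" (inbound) or ">"
# (outbound), the interface, then the key/value fields.
HEADER_RE = re.compile(
    r"^(?P<time>\d{1,2}:\d{2}:\d{2}) (?P<seq>\S+) N/A (?P<num>\S+) "
    r"(?P<action>\S+) (?P<origin>\S+) (?P<direction>[<>]) (?P<interface>\S+) "
    r"(?P<fields>.*)$"
)


def parse_fields(text):
    """Split 'key: value; key: value;' into a dict.

    Only the first ':' separates key from value, because a value may itself
    contain ': ' (see log_sys_message). Empty values ('user: ;') are kept as
    ''. A repeated key (OriginSicName appears twice) keeps its first value.
    """
    fields = {}
    for chunk in text.split(";"):
        chunk = chunk.strip()
        if not chunk:
            continue
        key, sep, value = chunk.partition(":")
        if not sep:
            continue  # not a key/value pair; ignore it
        fields.setdefault(key.strip(), value.strip())
    return fields


def parse_fw_log(text):
    """Turn fw log text output into a list of flat record dicts."""
    records = []
    current_date = None
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if line.startswith("Date: "):
            current_date = line[len("Date: "):]
            continue
        m = HEADER_RE.match(line)
        if not m:
            continue  # prompt lines or anything not shaped like a record
        rec = {"date": current_date}
        for name in ("time", "action", "origin", "direction", "interface"):
            rec[name] = m.group(name)
        # Header keys win: the word 'accept' from the header is kept and the
        # numeric 'action: 2' field does not overwrite it.
        for key, value in parse_fields(m.group("fields")).items():
            rec.setdefault(key, value)
        records.append(rec)
    return records


def select(records, **criteria):
    """Keep records whose fields equal every criterion, e.g. select(recs, action='accept')."""
    return [r for r in records if all(r.get(k) == v for k, v in criteria.items())]


def connection_summary(rec):
    """One-line view of a traffic record: who talked to whom, on what, by which rule."""
    service = rec.get("svc", rec.get("service_id", "?"))
    return (f"{rec['date']} {rec['time']} {rec['action']} "
            f"{rec.get('src', '?')} -> {rec.get('dst', '?')} {service} "
            f"rule={rec.get('rule_name', '')}")


if __name__ == "__main__":
    for r in select(parse_fw_log(SAMPLE), action="accept"):
        print(connection_summary(r))
```

Pipe the real output in the same way (`fw log` on the machine that actually holds the logs, piped into this script via stdin instead of `SAMPLE`) and the `select` filter replaces the grep-on-binary approach the thread started with. Note the `UP_match_table`/`ROW_START` entries are flattened into ordinary keys here; a multi-rule match would need the rows kept separately.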
Admin
Admin

Re: "more fw.log" does not show clear data. How do I solve this?

fw log can show logs on a gateway if, for some reason, the gateway is unable to reach its management server, or it is configured to log locally.

But generally, that is not the case.

0 Kudos
Vladimir
Pearl

Re: "more fw.log" does not show clear data. How do I solve this?

Yep, but in his case, it looks like he is logging to the SMS.

BTW, is it SMS or CMS now?

0 Kudos
Admin
Admin

Re: "more fw.log" does not show clear data. How do I solve this?

I think we just call it Security Management :)

0 Kudos
Vladimir
Pearl

Re: "more fw.log" does not show clear data. How do I solve this?

Yeah, right :) ...unless it is in MDS, in which case it is DMS :)

0 Kudos

Re: "more fw.log" does not show clear data. How do I solve this?

This is the gateway:

0 Kudos
Vladimir
Pearl

Re: "more fw.log" does not show clear data. How do I solve this?

You are not logging on the gateway.

Your gateway is logging to your management server.

Run the command at the clish prompt, not in expert mode, on your management server and you will see your logs.

0 Kudos
Admin
Admin

Re: "more fw.log" does not show clear data. How do I solve this?

Expected behavior for a gateway.

0 Kudos