This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Bob_Zimmerman
MVP Gold
MVP Gold
‎2023-05-18 08:57 AM

Processing Logs Exported via 'fwm logexport -s'

I recently needed to export and process raw log data outside of SmartLog. Thought I would share the most interesting bit in case anybody else needs to do this.

By default, 'fwm logexport' separates fields in the output with semicolons. Unfortunately, semicolons can occur within fields. Lots of simpler tools like 'cut' and 'awk' don't deal with quote delimited fields, which can hurt the ability to extract specific columns from the data.

To deal with this issue, 'fwm logexport' has the -s switch, which causes it to use the non-printing character with hex code 0xFF to separate fields. This gets a little weird to deal with, since how do you type a non-printing character to tell your tools to use it as the field separator?

printf to the rescue! It has the ability to emit a character from its octal code:

awk -v FS=$(printf "\377") '{print $2,$3}' <some file>.ffsv

Hex 0xFF corresponds to octal 377. That will print columns 2 and 3 (usually the date and time) from a log exported via 'fwm logexport -s'.

 

 

ASCII has a few non-printing characters specifically for separating stuff: the file separator (0x1C, octal 34), the group separator (0x1D, octal 35), the record separator (0x1E, octal 36), and the unit separator (0x1F, octal 37).

4 Replies
the_rock
MVP Platinum
MVP Platinum
‎2023-05-18 09:21 AM

Thanks for sharing @Bob_Zimmerman ...super interesting!

Best,
Andy
0 Kudos
PhoneBoy
Admin
Admin
‎2023-05-18 10:40 AM

As long as I've been doing this, I never knew about the -s flag in fwm logexport.
Very clever trick!

the_rock
MVP Platinum
MVP Platinum
‎2023-05-18 10:45 AM
In response to PhoneBoy

I seen it before, but never used it 🙂

 

[Expert@CP-MGMT:0]# fwm logexport -h

Usage:
fwm logexport [-d delimiter |-s] [-t table_delimiter] [-i filename] [-o filename] [-f|-e] [-x start_pos] [-y end_pos] [-z] [-n] [-p] [-a] [-u unification_scheme_file] [-m (initial|semi|raw)]
Where:
-d - Set the output delimiter. Default is ';'.
-s - Set the delimiter to be ASCII character #255.
-t - Set the output delimiter inside table field (table field would look like: (ROWx:COL0,ROWx:COL1,ROWx:COL2) etc. Default is ','.
-i - Input log file name. Default is the active log file, fw.log.
-o - Output file name. Default is printing to the screen.
-f - Only in case of active log file - Upon reaching end of file, wait for new records and export them as well.
-e - Same as -f flag, only start at end of file.
-x - Start exporting at the specified position.
-y - End exporting at the specified position.
-z - Continue exporting the next records, in case of an error. Default is to stop exporting.
-n - No IP resolving. Default is to resolve all IPs.
-p - No port resolving. Default is to resolve all ports.
-a - Export account records only. Default is export all records.
-z - Exit in case of wrong field expected value.
-u - Unification scheme file name. Default is log_unification_scheme.C.
-m - Unification mode: initial-order, semi-unified, or raw. Default is 'initial'.

[Expert@CP-MGMT:0]#

Best,
Andy
0 Kudos
Bob_Zimmerman
MVP Gold
MVP Gold
‎2023-05-18 11:08 AM
In response to PhoneBoy

I've been using the flag for a while, but I keep forgetting and rediscovering how to carve up the data once it's exported. 0xFF works with awk, but breaks some other tools. You can use the other non-printing separator characters with the -d switch. They have many of the same issues, but other tools like cut and tr handle them better. For the unit separator (meant to separate fields in tabular records), you have to do something like this:

[Expert@DallasSA]# fwm logexport -d "$(printf '\37')" -z -n -p -i fw.log >exported.ussv
Starting... There are 757 log records in the file

[Expert@DallasSA]# head -n 1 exported.ussv | cut -d "$(printf '\37')" -f 2
date

[Expert@DallasSA]# head -n 1 exported.ussv | tr "$(printf '\37')" ":" 
num:date:time:orig:type:action:alert:i/f_name:i/f_dir:product:LogId:ContextNum:origin_id:ContentVersion:hll_key:SequenceNum:log_sys_message:ProductFamily:description:status:version:comment:update_service:reason:Severity:failure_impact:TCP packet out of state:tcp_flags:src:dst:proto:service:s_port
0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events