Hugo_vd_Kooij
Advisor

Eventia Log Parsing & R80.20 (M1)

I noticed that R80.20 is not listed in sk55020 and my Linux firewall log entries are not automatically parsed, so I guess I have to write up a parser for this unless someone has already done so.

With R80.10 I got a notice that syslog is not working well and I never saw the log entries appear. Now I have them, so I would like to see if I can parse them so I have another "gateway" added to my logs.

The actual source in this case is an ASUS router which uses the standard Linux firewalling capabilities.

Edit: Working parser (referred to below) attached to this post.

<< We make miracles happen while you wait. The impossible jobs take just a wee bit longer. >>
8 Replies
Hugo_vd_Kooij
Advisor

Sample LOG entry.

Slightly redacted to reduce the impact on this particular network.

Time: 2018-08-13T10:36:45Z
Id: 0a000001-3c44-2523-5b71-5f3d0be20000
Sequencenum: 1
Default Device Message:<4>Aug 13 12:36:45 kernel: DROP IN=eth0 OUT= MAC=00:00:00:00:00:00:00:00:00:00:00:00:00:00 SRC=196.219.95.28 DST=xxx.xxx.xxx.xxx LEN=52 TOS=0x00 PREC=0x00 TTL=117 ID=25477 DF PROTO=TCP SPT=62449 DPT=445 SEQ=988474021 ACK=0 WINDOW=8192 RES=0x00 SYN URGP=0 OPT (020405980103030801010402)
Facility: kernel messages
Syslog Severity: Warning
Syslog Date: Aug 13 12:36:45
Type: Log
Blade: Syslog
Origin: XXXXXXXXXXXXX
Product Family: Network
Marker: @A@@B@1534111200@C@101785
Log Server Origin: 10.0.0.1
Orig Log Server Ip: 10.0.0.1
Lastupdatetime: 1534156605000
Lastupdateseqnum: 1
Severity: Informational
Rounded Sent Bytes: 0
Confidence Level: N/A
Rounded Bytes: 0
Stored: true
Rounded Received Bytes: 0
Description:

Hugo_vd_Kooij
Advisor

BTW, how can I display Default Device Message in SmartLog as a field in the columns?

It's not in the list of available columns. And I tried every reasonable alternative name for columns that might match, but so far I am out of luck.

Hugo_vd_Kooij
Advisor

I have given it a small test. The first results are ... discouraging. After adding the parser files I can no longer log in with SmartConsole. Doing a rollback didn't fix this either. So I'm not sure what went haywire at the moment.

Hugo_vd_Kooij
Advisor

A second attempt yielded better results. Must be some odd timing issue.

Now my log looks like:

I still have those odd other messages I need to parse away. Maybe find a way to get the original content into the description field. And perhaps make sure those WRT lines are seen as Firewall logs 😉

Hugo_vd_Kooij
Advisor

Oops. Enabling the ALLOW in the logs showed I have not yet anticipated the IPv6 traffic rules.

So I need to do some more troubleshooting.

Hugo_vd_Kooij
Advisor

Attached are the parser files I currently use.

They will probably work on most iptables-based systems like ASUS WRT and others.

I will assume you will read the Check Point documentation to learn how to install them in your SmartCenter or Log host.

It worked for me, but it may destroy your system. So use with caution.

I changed the output so it will be added as another Firewall:

I just fixed them so IPv4 and IPv6 traffic is logged. It should work on ICMP, UDP and TCP traffic.

It contains both the parser and a dictionary file.

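The field extraction a parser for these lines has to perform, as an added Python example that is not part of this thread and not the Check Point parser attached to the accepted solution. It takes the syslog form of the netfilter LOG message shown in the sample log entry above (`<4>Aug 13 12:36:45 kernel: DROP IN=eth0 ... PROTO=TCP SPT=62449 DPT=445 ...`) and turns it into a record with Firewall-style columns (action, src, dst, proto, service, s_port). It goes slightly beyond the thread's single sample: it also covers the ip6tables form of the line (TC=/HOPLIMIT=/FLOWLBL= instead of TOS=/TTL=), UDP and ICMP, the bare DF/SYN-style flags, the `OPT (...)` token that is split by a space, the second `ID=` in ICMP echo messages, and it returns None for kernel lines that are not firewall events (the "odd other messages" that have to be parsed away). Only the first sample line comes from the thread, with its redacted DST replaced by the documentation address 203.0.113.10; the hostname `router`, the other addresses, and all remaining sample lines are constructed.

```python
import re
from ipaddress import ip_address

# Added example, not the Check Point parser from the attachment: a small
# iptables/ip6tables kernel-log parser that turns a netfilter LOG line into a
# dict whose keys mimic Firewall-blade columns.  Only the first sample line is
# from the thread (redacted DST replaced by 203.0.113.10); the rest are constructed.
SAMPLE_LINES = [
    "<4>Aug 13 12:36:45 kernel: DROP IN=eth0 OUT= MAC=00:00:00:00:00:00:00:00:00:00:00:00:00:00 "
    "SRC=196.219.95.28 DST=203.0.113.10 LEN=52 TOS=0x00 PREC=0x00 TTL=117 ID=25477 DF PROTO=TCP "
    "SPT=62449 DPT=445 SEQ=988474021 ACK=0 WINDOW=8192 RES=0x00 SYN URGP=0 OPT (020405980103030801010402)",
    # constructed: IPv6 forwarded flow that was accepted (hostname present in the syslog header)
    "<4>Aug 13 12:40:01 router kernel: ACCEPT IN=br0 OUT=eth0 MAC=00:00:00:00:00:00:00:00:00:00:00:00:86:dd "
    "SRC=2001:0db8:0000:0000:0000:0000:0000:0001 DST=2001:0db8:0000:0000:0000:0000:0000:0002 LEN=80 TC=0 "
    "HOPLIMIT=64 FLOWLBL=0 PROTO=TCP SPT=51234 DPT=443 WINDOW=64800 RES=0x00 SYN URGP=0",
    # constructed: IPv4 UDP; the LOG target prints LEN= twice (IP length, then UDP length)
    "<4>Aug 13 12:41:10 kernel: DROP IN=eth0 OUT= MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 "
    "SRC=198.51.100.7 DST=203.0.113.10 LEN=78 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=UDP SPT=53413 DPT=53413 LEN=58",
    # constructed: ICMP echo request; the second ID= is the echo identifier, not the IP header id
    "<4>Aug 13 12:42:33 kernel: DROP IN=eth0 OUT= MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 "
    "SRC=192.0.2.44 DST=203.0.113.10 LEN=84 TOS=0x00 PREC=0x00 TTL=55 ID=41001 DF PROTO=ICMP TYPE=8 CODE=0 ID=1337 SEQ=1",
    # constructed: kernel chatter that is not a netfilter LOG message and must be parsed away
    "<6>Aug 13 12:43:00 kernel: eth0: link is up",
]

SYSLOG_HEAD = re.compile(
    r"^(?:<\d+>)?"                                             # syslog PRI, optional
    r"(?P<ts>[A-Z][a-z]{2} {1,2}\d{1,2} \d{2}:\d{2}:\d{2}) "   # "Aug 13 12:36:45"
    r"(?:(?P<host>[^\s:]+) )?kernel: "                         # hostname is optional on routers
    r"(?:\[ *\d+\.\d+\] )?"                                    # printk uptime, if enabled
    r"(?P<body>.*)$")
KV = re.compile(r"([A-Z]+)=(\S*)")   # KEY=value tokens; value may be empty, e.g. "OUT="
BARE_FLAGS = {"DF", "MF", "CE", "SYN", "ACK", "FIN", "RST", "PSH", "URG", "CWR", "ECE"}
ACTIONS = {"DROP": "Drop", "REJECT": "Reject", "ACCEPT": "Accept", "ALLOW": "Accept"}

def _int(fields, key):
    return int(fields[key]) if fields.get(key, "").isdigit() else None

def parse_iptables_line(line):
    """Return a Firewall-style record for one netfilter LOG line, or None."""
    m = SYSLOG_HEAD.match(line)
    if not m:
        return None
    tokens = m.group("body").split()
    starts = [i for i, t in enumerate(tokens) if t.startswith("IN=")]
    if not starts:
        return None                                   # kernel message, but not from the LOG target
    prefix = " ".join(tokens[:starts[0]]).strip("[]: ")   # the --log-prefix, e.g. "DROP" or "ALLOW"
    fields, flags, i = {}, set(), starts[0]
    while i < len(tokens):
        tok = tokens[i]
        if tok == "OPT" and i + 1 < len(tokens):      # "OPT (hex)" is split by a space
            fields["OPT"] = tokens[i + 1].strip("()")
            i += 2
            continue
        kv = KV.fullmatch(tok)
        if kv:
            key, val = kv.groups()
            if key == "ID" and "ID" in fields:        # second ID= is the ICMP echo id
                key = "ICMP_ID"
            fields[key] = val
        elif tok in BARE_FLAGS:                       # DF/SYN/ACK... carry no "=value"
            flags.add(tok)
        i += 1
    try:
        ip_version = ip_address(fields.get("SRC", "")).version
    except ValueError:
        ip_version = None
    return {
        "time": m.group("ts"),
        "origin": m.group("host") or "",
        "action": ACTIONS.get(prefix.upper(), prefix),
        "ip_version": ip_version,
        "in_if": fields.get("IN", ""),
        "out_if": fields.get("OUT", ""),
        "src": fields.get("SRC", ""),
        "dst": fields.get("DST", ""),
        "proto": fields.get("PROTO", "").lower(),
        "s_port": _int(fields, "SPT"),
        "service": _int(fields, "DPT"),
        "icmp_type": _int(fields, "TYPE"),
        "icmp_code": _int(fields, "CODE"),
        "icmp_id": _int(fields, "ICMP_ID"),
        "ttl": _int(fields, "TTL") if "TTL" in fields else _int(fields, "HOPLIMIT"),
        "tcp_flags": sorted(flags - {"DF", "MF", "CE"}),
    }

def parse_lines(lines):
    """Split input into parsed records and the lines a parser would have to discard."""
    records, unparsed = [], []
    for line in lines:
        rec = parse_iptables_line(line)
        (unparsed if rec is None else records).append(line if rec is None else rec)
    return records, unparsed

if __name__ == "__main__":
    recs, skipped = parse_lines(SAMPLE_LINES)
    for r in recs:
        print(f'{r["time"]} {r["action"]:<6} {r["src"]} -> {r["dst"]} {r["proto"]}/{r["service"]} '
              f'flags={",".join(r["tcp_flags"]) or "-"}')
    print("unparsed:", skipped)
```

Two details matter when mapping this onto a Firewall-style dictionary: the `--log-prefix` (DROP, ACCEPT, ALLOW, or anything the ruleset author chose) is the only source of the action, so it has to be normalised explicitly rather than assumed; and for IPv6 the TTL column comes from HOPLIMIT=, which is why the IPv6 rules needed separate handling in the thread.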
PhoneBoy
Admin

The attachment to your "correct answer" doesn't show right below the answer marked correct.

As a result, I am attaching your attachment to the root post.

Thank you for sharing and figuring this out 🙂

Hugo_vd_Kooij
Advisor

I am currently testing to see if I can import EMAIL log events from a Barracuda Email Security Gateway.

But it looks like a lot of work still needs to be done.
