
Eventia Log Parsing & R80.20 (M1)

I noticed that R80.20 is not listed in sk55020 and my Linux firewall log entries are not automatically parsed, so I guess I have to write up a parser for this unless someone has already done so.

With R80.10 I got a notice that syslog is not working well and I never saw the log entries appear. Now I have them so I would like to see if I can parse them so I have another "gateway" added to my logs.

The actual source in this case is a ASUS router which uses the standard Linux firewalling capabilities.

Edit: Working parser (referred to below) attached to this post.


Accepted Solutions

Re: Eventia Log Parsing & R80.20 (M1)

Attached are the parser files I currently use.

They will probably work on most iptables-based systems like ASUS WRT and others.

I will assume you will read the Check Point documentation to learn how to install them in your SmartCenter or Log host.

It worked for me but it may destroy your system. So use with caution.

I changed the output so it will be added as another Firewall:

I just fixed them so IPv4 and IPv6 traffic is logged. It should work on ICMP, UDP and TCP traffic.

It contains both the parser and a dictionary file.

0 Kudos
8 Replies

Re: Eventia Log Parsing & R80.20 (M1)

Sample LOG entry.

Slightly redacted to reduce the impact on this particular network.

Time: 2018-08-13T10:36:45Z
Id: 0a000001-3c44-2523-5b71-5f3d0be20000
Sequencenum: 1
Default Device Message:<4>Aug 13 12:36:45 kernel: DROP IN=eth0 OUT= MAC=00:00:00:00:00:00:00:00:00:00:00:00:00:00 SRC=196.219.95.28 DST=xxx.xxx.xxx.xxx LEN=52 TOS=0x00 PREC=0x00 TTL=117 ID=25477 DF PROTO=TCP SPT=62449 DPT=445 SEQ=988474021 ACK=0 WINDOW=8192 RES=0x00 SYN URGP=0 OPT (020405980103030801010402)
Facility: kernel messages
Syslog Severity: Warning
Syslog Date: Aug 13 12:36:45
Type: Log
Blade: Syslog
Origin: XXXXXXXXXXXXX
Product Family: Network
Marker: @A@@B@1534111200@C@101785
Log Server Origin: 10.0.0.1
Orig Log Server Ip: 10.0.0.1
Lastupdatetime: 1534156605000
Lastupdateseqnum: 1
Severity: Informational
Rounded Sent Bytes: 0
Confidence Level: N/A
Rounded Bytes: 0
Stored: true
Rounded Received Bytes: 0
Description:

0 Kudos
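The raw iptables kernel line carried in "Default Device Message" is what any free-text parser for this source has to split up. As an added example (not part of this thread or of the attached parser files), here is a small Python parser that breaks such a line into the fields a firewall log needs (action, interfaces, addresses, protocol, ports, ICMP type, TCP flags) and handles both the IPv4 line above and the IPv6 form iptables emits; the IPv6 line and the replacement for the redacted destination address are constructed samples.

```python
import re

# Constructed samples: the first is the thread's "Default Device Message" with the
# redacted DST replaced by a documentation address; the second is a made-up
# ICMPv6 line in the same iptables format (IPv6 lines carry TC/HOPLIMIT/FLOWLBL).
SAMPLE_MESSAGES = [
    "<4>Aug 13 12:36:45 kernel: DROP IN=eth0 OUT= "
    "MAC=00:00:00:00:00:00:00:00:00:00:00:00:00:00 SRC=196.219.95.28 DST=192.0.2.10 "
    "LEN=52 TOS=0x00 PREC=0x00 TTL=117 ID=25477 DF PROTO=TCP SPT=62449 DPT=445 "
    "SEQ=988474021 ACK=0 WINDOW=8192 RES=0x00 SYN URGP=0 OPT (020405980103030801010402)",
    "<4>Aug 13 12:40:01 kernel: ACCEPT IN=br0 OUT=eth0 MAC=33:33:00:00:00:01:00:11:22:33:44:55:86:dd "
    "SRC=2001:db8::1 DST=ff02::1 LEN=64 TC=0 HOPLIMIT=1 FLOWLBL=0 PROTO=ICMPv6 TYPE=128 CODE=0 ID=7 SEQ=1",
]

# "<pri>Mon DD hh:mm:ss kernel: PREFIX key=value ... bare-flags ..."; the prefix is the
# --log-prefix (DROP/ACCEPT on this router), assumed to be a single upper-case word.
HEADER_RE = re.compile(
    r"^(?:<\d+>)?(?P<ts>[A-Z][a-z]{2}\s+\d{1,2}\s\d\d:\d\d:\d\d)\s+kernel:\s*"
    r"(?P<action>[A-Z_]+)\s+(?P<rest>.*)$"
)
# Tokens iptables emits without '=': fragmentation/ECN bits and TCP flags.
BARE_TOKENS = {"DF", "MF", "CE", "SYN", "ACK", "FIN", "RST", "PSH", "URG"}
TCP_FLAGS = {"SYN", "ACK", "FIN", "RST", "PSH", "URG"}


def parse_iptables_line(msg):
    """Return a dict of normalized fields, or None if the line is not an iptables log."""
    m = HEADER_RE.match(msg.strip())
    if not m:
        return None
    kv, bare = {}, set()
    for tok in m.group("rest").split():
        if "=" in tok:                  # KEY=VALUE; VALUE may be empty (e.g. "OUT=")
            key, val = tok.split("=", 1)
            kv[key] = val
        elif tok in BARE_TOKENS:
            bare.add(tok)
        # anything else ("OPT", "(0204...)") is TCP option residue and is skipped
    src = kv.get("SRC", "")
    return {
        "time": m.group("ts"),
        "action": m.group("action").lower(),        # drop / accept / ...
        "ip_version": 6 if ":" in src else 4,
        "inzone": kv.get("IN", ""),
        "outzone": kv.get("OUT", ""),
        "src": src,
        "dst": kv.get("DST", ""),
        "proto": kv.get("PROTO", "").lower(),
        "s_port": int(kv["SPT"]) if kv.get("SPT", "").isdigit() else None,
        "d_port": int(kv["DPT"]) if kv.get("DPT", "").isdigit() else None,
        "icmp_type": int(kv["TYPE"]) if kv.get("TYPE", "").isdigit() else None,
        "tcp_flags": sorted(bare & TCP_FLAGS),
    }
```

Lines from the same syslog feed that are not iptables records (the "odd other messages" mentioned later in the thread) come back as None, so the caller can route them elsewhere instead of forcing them into firewall fields.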

Re: Eventia Log Parsing & R80.20 (M1)

BTW, how can I display Default Device Message in SmartLog as a field in the columns?

It's not in the list of available columns. And I tried every reasonable alternative name for columns that might match, but so far I am out of luck.

0 Kudos

Re: Eventia Log Parsing & R80.20 (M1)

I have given it a small test. The first results are ... discouraging. After adding the parser files I can no longer login with SmartConsole. Doing a rollback didn't fix this either. So not sure what went haywire at the moment.

0 Kudos

Re: Eventia Log Parsing & R80.20 (M1)

A second attempt yielded better results. Must be some odd timing issue.

Now my log looks like:

I still have those odd other messages I need to parse away.  Maybe find a way to get the original content into the description field. And perhaps make sure those WRT lines are seen as Firewall logs 😉

0 Kudos

Re: Eventia Log Parsing & R80.20 (M1)

Oops. Enabling the ALLOW in the logs showed I have not yet anticipated the IPv6 traffic rules.

So I need to do some more troubleshooting.

0 Kudos

Admin

Re: Eventia Log Parsing & R80.20 (M1)

The attachment to your "correct answer" doesn't show right below the answer marked correct.

As a result, I am attaching your attachment to the root post.

Thank you for sharing and figuring this out 🙂

0 Kudos

Re: Eventia Log Parsing & R80.20 (M1)

I am currently testing to see if I can import EMAIL log events from a Barracuda Email Security Gateway.

But it looks like a lot of work still needs to be done.

0 Kudos