I noticed that R80.20 is not listed in sk55020 and my Linux firewall log entries are not automatically parsed, so I guess I have to write up a parser for this unless someone has already done so.
With R80.10 I got a notice that syslog is not working well and I never saw the log entries appear. Now I have them, so I would like to see if I can parse them so I have another "gateway" added to my logs.
The actual source in this case is an ASUS router which uses the standard Linux firewalling capabilities.
Edit: Working parser (referred to below) attached to this post.
Attached are the parser files I currently use.
They will probably work on most iptables-based systems like ASUS WRT and others.
I will assume you will read the Check Point documentation to learn how to install them in your SmartCenter or Log host.
It worked for me but it may destroy your system. So use with caution.
I changed the output so it will be added as another Firewall:

I just fixed them so IPv4 and IPv6 traffic is logged. It should work on ICMP, UDP and TCP traffic.
It contains both the parser and a dictionary file.
Sample LOG entry.
Slightly redacted to reduce the impact on this particular network.
```text
Time: 2018-08-13T10:36:45Z
Id: 0a000001-3c44-2523-5b71-5f3d0be20000
Sequencenum: 1
Default Device Message:<4>Aug 13 12:36:45 kernel: DROP IN=eth0 OUT= MAC=00:00:00:00:00:00:00:00:00:00:00:00:00:00 SRC=196.219.95.28 DST=xxx.xxx.xxx.xxx LEN=52 TOS=0x00 PREC=0x00 TTL=117 ID=25477 DF PROTO=TCP SPT=62449 DPT=445 SEQ=988474021 ACK=0 WINDOW=8192 RES=0x00 SYN URGP=0 OPT (020405980103030801010402)
Facility: kernel messages
Syslog Severity: Warning
Syslog Date: Aug 13 12:36:45
Type: Log
Blade: Syslog
Origin: XXXXXXXXXXXXX
Product Family: Network
Marker: @A@@B@1534111200@C@101785
Log Server Origin: 10.0.0.1
Orig Log Server Ip: 10.0.0.1
Lastupdatetime: 1534156605000
Lastupdateseqnum: 1
Severity: Informational
Rounded Sent Bytes: 0
Confidence Level: N/A
Rounded Bytes: 0
Stored: true
Rounded Received Bytes: 0
Description:
```
BTW, how can I display Default Device Message in SmartLog as a field in the columns?
It's not in the list of available columns. And I tried every reasonable alternative name for columns that might match, but so far I am out of luck.
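As an added illustration of what the parser has to do with the "Default Device Message" shown above, here is a small Python parser for the netfilter LOG line format; this is my own example code, not the parser files attached to this thread and not Check Point's parser format. It pulls out the fields a firewall log would carry (action, interfaces, addresses, protocol, ports, ICMP type/code, TCP flags), works for IPv4 and IPv6, and returns None for unrelated kernel messages so they can be "parsed away". All sample lines are constructed.

```python
import re

# Constructed sample lines in the netfilter LOG-target format an ASUS WRT router emits
# (addresses replaced with documentation ranges); these are not lines from the thread.
SAMPLE_LINES = [
    "<4>Aug 13 12:36:45 kernel: DROP IN=eth0 OUT= MAC=00:00:00:00:00:00:00:00:00:00:00:00:00:00 "
    "SRC=192.0.2.28 DST=198.51.100.7 LEN=52 TOS=0x00 PREC=0x00 TTL=117 ID=25477 DF PROTO=TCP "
    "SPT=62449 DPT=445 SEQ=988474021 ACK=0 WINDOW=8192 RES=0x00 SYN URGP=0 OPT (020405980103030801010402)",
    "<4>Aug 13 12:37:02 kernel: ACCEPT IN=br0 OUT=eth0 SRC=192.168.1.10 DST=192.0.2.53 LEN=60 "
    "TOS=0x00 PREC=0x00 TTL=64 ID=1 DF PROTO=UDP SPT=40000 DPT=53 LEN=40",
    "<4>Aug 13 12:37:10 kernel: DROP IN=eth0 OUT= SRC=2001:db8::1 DST=2001:db8::2 LEN=64 TC=0 "
    "HOPLIMIT=63 FLOWLBL=0 PROTO=ICMPv6 TYPE=128 CODE=0 ID=1234 SEQ=1",
    "<6>Aug 13 12:37:12 kernel: eth0: link up",  # unrelated kernel noise, must be skipped
]

# Optional syslog PRI, BSD timestamp, "kernel:", then the LOG prefix (DROP/ACCEPT) and key=value body.
LINE_RE = re.compile(
    r"^(?:<\d+>)?(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) kernel: (?P<prefix>\S+) (?P<body>.*)$"
)
KV_RE = re.compile(r"\b(?P<key>[A-Z]+)=(?P<val>\S*)")  # OUT= (empty value) is legal
TCP_FLAGS = {"SYN", "ACK", "FIN", "RST", "PSH", "URG"}
ACTIONS = {"DROP": "Drop", "ACCEPT": "Accept", "REJECT": "Reject"}

def parse_iptables_log(line):
    """Return a dict of firewall-log fields, or None if the line is not a netfilter LOG record."""
    m = LINE_RE.match(line)
    if not m:
        return None
    body = m.group("body")
    fields = {}
    for kv in KV_RE.finditer(body):
        fields.setdefault(kv.group("key"), kv.group("val"))  # first LEN is the IP length, not the UDP one
    if "SRC" not in fields or "DST" not in fields:           # e.g. "eth0: link up"
        return None
    proto = fields.get("PROTO", "")
    is_icmp = proto.upper().startswith("ICMP")
    return {
        "time": m.group("ts"),
        "action": ACTIONS.get(m.group("prefix").upper(), m.group("prefix")),
        "ip_version": 6 if ":" in fields["SRC"] else 4,
        "in_iface": fields.get("IN", ""),
        "out_iface": fields.get("OUT", ""),
        "src": fields["SRC"],
        "dst": fields["DST"],
        "proto": proto,
        "bytes": int(fields["LEN"]) if "LEN" in fields else None,
        "s_port": int(fields["SPT"]) if "SPT" in fields else None,
        "service": int(fields["DPT"]) if "DPT" in fields else None,
        "icmp_type": int(fields["TYPE"]) if is_icmp and "TYPE" in fields else None,
        "icmp_code": int(fields["CODE"]) if is_icmp and "CODE" in fields else None,
        "tcp_flags": sorted(t for t in body.split() if t in TCP_FLAGS),  # bare tokens only; ACK=0 is the ack number
    }
```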
I have given it a small test. The first results are ... discouraging. After adding the parser files I can no longer login with SmartConsole. Doing a rollback didn't fix this either. So not sure what went haywire at the moment.
A second attempt yielded better results. Must be some odd timing issue.
Now my log looks like:

I still have those odd other messages I need to parse away. Maybe find a way to get the original content into the description field. And perhaps make sure those WRT lines are seen as Firewall logs 😉
Oops. Enabling the ALLOW in the logs showed I have not yet anticipated the IPv6 traffic rules.
So I need to do some more troubleshooting.
The attachment to your "correct answer" doesn't show right below the answer marked correct.
As a result, I am attaching your attachment to the root post.
Thank you for sharing and figuring this out.
I am currently testing to see if I can import EMAIL log events from a Barracuda Email Security Gateway.
But it looks like a lot of work still needs to be done.