This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
msa2003
Contributor
‎2023-08-28 06:10 PM
Jump to solution

Manual log file load and export

Hello everyone,

I need to export the results of a query related to a specific (access) log file from last year (2022).

When I open this file in Check Point Manager, I am able to perform the query and view the results. However, I am not able to export them to .csv format since this functionality has been migrated to the web version of SmartView.

Nevertheless, when I try to use the web version of SmartView, I cannot find any possible location to manually upload this file and then proceed to perform the query and export to .csv.

Could someone kindly provide any ideas on how to achieve this without having to submit this file for reindexing proccess?

I appreciate your attention and support.

Thank you.

0 Kudos
1 Solution

Accepted Solutions
Lloyd_Braun
Advisor
‎2023-08-29 02:00 PM
In response to msa2003
Jump to solution

You should be able to do it from the command line.  fwm logexport -i <input file> -o <output file> -- don't forget to get a -n switch in there somewhere to skip the reverse lookups.  More detail here: https://support.checkpoint.com/results/sk/sk118519

 

 

 

 

View solution in original post

(1)
17 Replies
the_rock
Legend
Legend
‎2023-08-28 06:15 PM
Jump to solution

What is the file extension?

Andy

0 Kudos
msa2003
Contributor
‎2023-08-28 06:21 PM
In response to the_rock
Jump to solution

I have transfered the specific set of a specific log to the /opt/CPsuite-R81.20/fw1/log directory (please see below):

-rw-r--r-- 1 admin root 2097153968 Aug 28 14:08 2022-03-25_093617_349.log
-rw-r--r-- 1 admin root 161 Aug 28 14:08 2022-03-25_093617_349.log_stats
-rw-r--r-- 1 admin root 80 Aug 28 14:08 2022-03-25_093617_349.logaccount_ptr
-rw-r--r-- 1 admin root 25628328 Aug 28 14:08 2022-03-25_093617_349.loginitial_ptr
-rw-r--r-- 1 admin root 60092456 Aug 28 14:08 2022-03-25_093617_349.logptr

Then I can open (in SmartConsole client Version) the file "2022-03-25_093617_349.log" and I can query it... But I am not able to export the query results...

And I am not able to open it in the web version, because there´s no 'open' menu in that...

0 Kudos
the_rock
Legend
Legend
‎2023-08-28 06:22 PM
In response to msa2003
Jump to solution

Happy to test it in my lab if you are allowed to send the file.

0 Kudos
msa2003
Contributor
‎2023-08-28 06:28 PM
In response to the_rock
Jump to solution

Unfortunately, I am not. 

Anyway, the main question is: Is there a way to manually import/load an old log file using the web version of SmartView?

(Thanks anyway)


0 Kudos
the_rock
Legend
Legend
‎2023-08-28 06:30 PM
In response to msa2003
Jump to solution

To import, no. But, as I mentioned in my last post, you can try use date range option to find those logs and then export them.

Andy

0 Kudos
msa2003
Contributor
‎2023-08-28 06:33 PM
In response to the_rock
Jump to solution

This date range option doesn´t seem to work for this or any other older file that hasn´t been (re)indexed.... 

0 Kudos
the_rock
Legend
Legend
‎2023-08-28 06:40 PM
In response to msa2003
Jump to solution

Understood. Sorry mate, I got nothing else then. Maybe TAC can give you an official statement, but Im 99.99% sure you cannot import log file into smartview.

Andy

0 Kudos
msa2003
Contributor
‎2023-08-28 06:43 PM
In response to the_rock
Jump to solution

No problem... Anyway, I appreciate the support and attention! I´ll try them.

0 Kudos
the_rock
Legend
Legend
‎2023-08-28 06:44 PM
In response to msa2003
Jump to solution

No worries. Maybe someone else here will know...there are way smarter people on here than me, so lets see if anyone comes through : - )

Andy

0 Kudos
the_rock
Legend
Legend
‎2023-08-28 06:27 PM
In response to msa2003
Jump to solution

Actually, I have a suggestion. How about if you click in smartview where it says last 24 hours, then search by date range and sere if you can find those logs and then export into csv format?

Andy

0 Kudos
msa2003
Contributor
‎2023-08-28 06:30 PM
In response to the_rock
Jump to solution

Yes... This is working fine... I can query and export the recent (and already indexed) files. But not the old ones.

0 Kudos
PhoneBoy
Admin
Admin
‎2023-08-29 06:56 AM
Jump to solution

SmartView does not allow you to upload log files.
The only way I know of to access a specific log file is to have log indexing disabled.
SmartView will allow you to access log files in $FWDIR/log in this situation.
Not sure you should disable this on your production SMS but you could build a lab one in a VM where this is disabled (in the management object).

0 Kudos
msa2003
Contributor
‎2023-08-29 01:41 PM
In response to PhoneBoy
Jump to solution

Thank you for your response!

I believe that due to language barriers, I probably couldn't make myself clear in describing my question. I apologize for that.

In fact, I'm using a lab SMS.

I then transferred an old log file to the $FWDIR/log directory.

From there, when I enter SmartConsole and connect to this SMS, I can open the log file (see attached screenshot) and perform some queries from this newly (old) loaded file. 
Print 1.jpg

However, I'm unable to perform the export to .CSV, as this functionality has been migrated to the web version of SmartView.

On the other hand, when I access the web version of SmartView on this SMS , I can't use the "File - Open Log" menu because it simply does not exist. So I am not able to open this old log file. Because of this, I can't perform the necessary queries, and consequently, I can't export the .csv file (simply because I couldn't even open the log file in the web version of SmartView).

The great paradox is:
a) When I use the combination of SmartConsole client + SMS, I can open an old log, but I can't perform the export.

but...

b) When I use the combination of SmartView web + SMS, I might be able to export to .csv, but I can't do it because I simply can't open an old log file.

The point is: I didn´t want to reindex... I just wanted to open an old log file, query it and export the query results.

Sorry for the long text/explanation.

0 Kudos
Lloyd_Braun
Advisor
‎2023-08-29 02:00 PM
In response to msa2003
Jump to solution

You should be able to do it from the command line.  fwm logexport -i <input file> -o <output file> -- don't forget to get a -n switch in there somewhere to skip the reverse lookups.  More detail here: https://support.checkpoint.com/results/sk/sk118519

 

 

 

 

(1)
the_rock
Legend
Legend
‎2023-08-29 02:58 PM
In response to Lloyd_Braun
Jump to solution

Good call @Lloyd_Braun , never thought of that 👍

Andy

0 Kudos
msa2003
Contributor
‎2023-08-30 04:51 AM
In response to Lloyd_Braun
Jump to solution

Good morning, everyone.

Thank you for the information! I ran the test here with the 'logexport' command and it worked. It's worth mentioning a few 'features': There's no way to previously apply a filter, so you end up generating a rather large file. As a result, converting a 2 GB file takes a quite reasonable amount of time... and, lastly, dealing with a 2.XX GB .txt file is not a straightforward task with regular tools. But... it works.

I appreciate everyone's support!

0 Kudos
PhoneBoy
Admin
Admin
‎2023-08-29 02:36 PM
In response to msa2003
Jump to solution

Thanks for clarifying.
I think your best bet is the fwm logexport command, as mentioned by @Lloyd_Braun 

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events