Re: Time filtering fw1-loggrabber

okatsladz454

Good afternoon.

The task is to create a time filter for collecting logs from a certain date (14 days before the collection is initiated) in the LEA log collection system.

Please tell me which filtering parameters and how to change them in fw1-loggrabber.conf in order to implement this mechanism?

Examples from fw-loggrabber.conf file (is there any chance of getting a complete list of possible filters) :

# FW1_FILTER_RULE=<rule>
#FW1_FILTER_RULE="action=drop"

# AUDIT_FILTER_RULE=<rule>
#AUDIT_FILTER_RULE="action=accept"

PS: please do not suggest switching to LogExporter, We can not implement it.

okatsladz454

https://github.com/certego/fw1-loggrabber/blob/master/fw1-loggrabber.conf

loggrabber conf Example, which i want to use to solve this task

kamilazat

Which version are you currently on on Check Point?

PhoneBoy

fw1-loggrabber was not produced by Check Point and the underlying mechanism by this tool (LEA) has been deprecated.
From what I can remember, LEA only streams current logs, not past ones.

Amir_Senn

Hi @okatsladz454 ,

I'm not familiar with the loggrabber but I would like to suggest 2 other methods that might prove useful which are not Log Exporter.

a. Using MGMT API "show logs" - using API for log query. You can browse uses here: https://sc1.checkpoint.com/documents/latest/APIs/index.html#cli/show-logs~v2%20

b. Using export logs to CSV option in Smartview webapp (see attached)

Hope one of them can help you.

Kind regards, Amir Senn

Are you a member of CheckMates?

Time filtering fw1-loggrabber