Charlie_Bueno_R
Contributor

"more fw.log" does not show clear data. How do I solve this?

22 Replies
Danny
Champion

$FWDIR/log/fw.log is a binary file. If you really want to view its contents at the CLI using the more command I recommend using the following syntax:

hexdump -C $FWDIR/log/fw.log | more

Alternatively see Log Exporter Guide or Export logs to CSV or just run fw monitor to see your connections in realtime instead of grepping for a connection within the log.

May I ask why you are not using SmartLog to properly view and filter through your firewalls logs.

Charlie_Bueno_R
Contributor

But the result is the following: (attach) 

It does not allow me to see the fw.log in real time. Is this possible, or should I see the "messages"?

hexdump -C $FWDIR/log/fw.log | more

Charlie_Bueno_R
Contributor

Hello Danny, in SmartLog... I'm not sure if in smartlog I can do advanced filters in the search tab.

Vladimir
Champion

If this is an ssh session from terminal emulator, such as Putty, start another session with these defaults:

 

And try again.

Charlie_Bueno_R
Contributor

The "putty" options appear to me as such.
The only difference is that the "script" of the source does not show "Western".

But when I run in the folder:
/var/log/opt/CPsuite-R80/fw1/log/

I run: more fw.log and still no data appears. I would like to know how to monitor the complete log in real time.

PhoneBoy
Admin

fw.log is a binary file, which cannot be read with a simple more command. 

You have to use the CLI command fw log to read it. 

Vladimir
Champion

:) I've missed that: sometimes eyes see what you expect. In my case it was "fw log | more"

Charlie_Bueno_R
Contributor

more fw.log

In clish mode, expert ... I run more fw.log and I can not monitor in real time.

_Val_
Admin

As already mentioned, you are using a wrong command.

Go into expert mode and run "fw log | more"

However, if you are looking to get readable logs in the real time, please consider exporting them into syslog in an external server and analyzing there. Log Exporter - Check Point Log Export 

Charlie_Bueno_R
Contributor

In expert mode:

fw log | more

it does not show anything

😞

Vladimir
Champion

If you are running it on the gateway but the gateway is configured to log to the Management Server, you should run same command on the management server.

_Val_
Admin

That's impossible. Where are you running it?

PhoneBoy
Admin

Like I said, fw.log is a binary file, which "more" cannot read.

You need to use fw log on the CLI to review this file.

Or better yet, use SmartLog/SmartView.

Vladimir
Champion

You have to run "fw log" from clish. As Dameon has mentioned fw.log is a binary file and you will not get legible output by trying to read it as a text file.

use "fw log --help" to see all available options.

P.S. you do not have to be in "expert" mode to run it.

Vladimir
Champion

This is what you should see on the gateway that is centrally managed:

GW8010> fw log | more
GW8010> expert
Enter expert password:


Warning! All configurations should be done through clish
You are in expert mode now.

[Expert@GW8010:0]# fw log | more
[Expert@GW8010:0]#

and this is what you should see on the management server where logs are being forwarded to:

login as: admin
This system is for authorized use only.
admin@192.168.7.30's password:
Last login: Mon Sep 24 09:22:24 2018 from 192.168.7.148
SMS8010> fw log | more
Date: Sep 24, 2018
0:00:00 5 N/A 1 ctl SMS8010 > daemon LogId: <max_null>; ContextNum: <max_null>; OriginSicName: cn=cp_mgmt,o=SMS8010..bhska4; OriginSicName: cn=cp_mgmt,o=SMS8010..bhska4; HighLevelLogKey: 18446744073709551615; log_sys_message: Log file has been switched to: 2018-09-24_000000.log; ProductName: VPN-1 & FireWall-1; ProductFamily: Network;

Date: Sep 23, 2018
23:58:04 5 N/A 11 accept GW8010 < eth2 LogId: 0; ContextNum: <max_null>; OriginSicName: CN=GW8010,O=SMS8010..bhska4; OriginSicName: CN=GW8010,O=SMS8010..bhska4; HighLevelLogKey: 18446744073709551615; inzone: Local; outzone: Internal; service_id: domain-udp; src: GW8010; dst: DC16; proto: udp; user: ; src_user_name: ; src_machine_name: ; src_user_dn: ; snid: ; dst_user_name: ; dst_machine_name: dc16@higherintelligence.com; dst_user_dn: ; UP_match_table: TABLE_START; ROW_START: 0; match_id: 4; layer_uuid: 1d365ba8-9fb0-4279-8f26-3b0842cccb54; layer_name: GW8010-Composite-Demo Network; rule_uid: 3d2f9eb5-f989-4f61-aaf6-c2d336555e0e; rule_name: For Nessus Scans; action: 2; parent_rule: 0; ROW_END: 0; UP_match_table: TABLE_END; ProductName: VPN-1 & FireWall-1; svc: domain-udp; sport_svc: 49371; ProductFamily: Network;

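As an added illustration (not code from this thread, and not a Check Point tool), here is a small POSIX shell helper set for the two problems discussed above: `looks_binary` recognises a file such as fw.log that `more` cannot render, and `fwlog_summary` condenses `fw log` output of the kind shown in the session above into one grep-able line per record, so a connection can be found without reading the full key/value dump. The function names are my own, and the sample records are constructed copies modelled on the output printed above.

```shell
#!/bin/sh
# Added example helpers for fw.log / "fw log" output. Not part of the thread
# or of any Check Point product; function names are this example's own.

# looks_binary FILE: succeed when the first 4 KiB contain bytes that are neither
# printable ASCII nor whitespace. $FWDIR/log/fw.log is binary, so "more" on it
# shows garbage; a text file such as /var/log/messages passes the check.
# Heuristic only: non-ASCII text (UTF-8) is also reported as binary.
looks_binary() {
    n=$(head -c 4096 "$1" | LC_ALL=C tr -d '[:print:][:space:]' | wc -c | tr -d ' ')
    [ "$n" -gt 0 ]
}

# page_log FILE: page a text log with "more"; for a binary fw.log refuse and
# point at the proper reader instead (fw log, or fw log -f to follow it live;
# confirm the options on your release with "fw log --help").
page_log() {
    if looks_binary "$1"; then
        echo "$1 is binary: read it with 'fw log' (or 'fw log -f'), not more" >&2
        return 1
    fi
    more "$1"
}

# Constructed sample of "fw log" output, modelled on the records shown above
# (a management "ctl" record and a gateway "accept" record).
SAMPLE_FWLOG='Date: Sep 24, 2018
0:00:00 5 N/A 1 ctl SMS8010 > daemon LogId: <max_null>; ContextNum: <max_null>; log_sys_message: Log file has been switched to: 2018-09-24_000000.log; ProductName: VPN-1 & FireWall-1; ProductFamily: Network;

Date: Sep 23, 2018
23:58:04 5 N/A 11 accept GW8010 < eth2 LogId: 0; ContextNum: <max_null>; inzone: Local; outzone: Internal; service_id: domain-udp; src: GW8010; dst: DC16; proto: udp; user: ; src_user_name: ; rule_name: For Nessus Scans; action: 2; ProductName: VPN-1 & FireWall-1; svc: domain-udp; sport_svc: 49371; ProductFamily: Network;'

# fwlog_summary [KEY ...]: read "fw log" output on stdin and print, per record,
# "<time> <action> <KEY values...>". Default keys: src dst service_id rule_name.
# Missing or empty fields print as "-" so columns stay aligned for grep/awk.
fwlog_summary() {
    [ $# -eq 0 ] && set -- src dst service_id rule_name
    awk -v keys="$*" '
    function val(k) { return (k in f && f[k] != "") ? f[k] : "-" }
    BEGIN { nk = split(keys, want, " ") }
    # record lines start with a time stamp; "Date:" and blank lines are skipped
    /^[0-9]+:[0-9]+:[0-9]+ / {
        n = split($0, parts, /; */)
        split("", f)                       # clear the per-record field table
        for (i = 1; i <= n; i++) {
            p = index(parts[i], ": ")
            if (p == 0) continue           # trailing empty part after the last ";"
            k = substr(parts[i], 1, p - 1)
            sub(/.* /, "", k)              # part 1 carries the time/action prefix before LogId
            v = substr(parts[i], p + 2)
            if (!(k in f)) f[k] = v        # keep the first value (OriginSicName appears twice)
        }
        line = $1 " " $5                   # $1 = time, $5 = action (accept/drop/ctl ...)
        for (j = 1; j <= nk; j++) line = line " " val(want[j])
        print line
    }'
}

# Stand-alone demo: on a real system pipe "fw log" into the function instead.
printf '%s\n' "$SAMPLE_FWLOG" | fwlog_summary
```

Run it on the management server (where the gateway forwards its logs, as the thread concludes) as `fw log | fwlog_summary src dst rule_name | grep DC16`, which gives the per-connection view the original poster was after without paging through the binary file.
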
PhoneBoy
Admin

fw log can show logs on a gateway if, for some reason, the gateway is unable to reach its management server, or it is configured to log locally.

But generally, that is not the case.

Vladimir
Champion

Yep, but in his case, it looks like he is logging to the SMS.

BTW, is it SMS or CMS now?

PhoneBoy
Admin

I think we just call it Security Management :)

Vladimir
Champion

Yeah, right :) ...unless it is in MDS, in which case it is DMS :)

Charlie_Bueno_R
Contributor

This is the gateway:

Vladimir
Champion

You are not logging on the gateway.

Your gateway is logging to your management server.

Run the command at the clish prompt, not in expert mode, on your management server and you will see your logs.

PhoneBoy
Admin

Expected behavior for a gateway.
