How to manually export logs in r77.30

I need to manually export logs in an R77.30 distributed setup. Due to licensing issues, we are unable to download hotfixes and the Log Exporter feature from Check Point. I need a way to manually dump the logs for further analysis.

3 Replies
Admin

R77.30 is End of Support anyway; it's better to upgrade to a more recent release.
You should be able to do a fresh install of R80.40 using the built-in eval license, import the logs from your existing management station, and use SmartEvent to look at the data.
Or you can configure Log Exporter (built into this release) and export to a SIEM.

If you don't want to do any of that, you can run the CLI command "fw log" over your existing log files, which will output them in an ASCII format.
It may not be terribly useful in that format.

Advisor

So there are two options I know of. fw log $LOGFILE | gzip -c > /some/path.txt.gz

This will be very slow. If you want something more useful, look up the following switches to disable IP object lookup and service object lookup. Double check those switches; it's been a while since I've done this.

-n -p

You will only get raw IPs in the logs, but it will export 10 times faster. Maybe that is not true, but it will be very much faster. Then you can index the raw text files however you see fit. For extra points, dump the objects database as an XML file. Then you can create a dictionary to map IPs to Check Point host objects / gateways if you wish.

If you only want allowed traffic, then I think you can add -c accept (or something like that).

fw log --help

should show all options.

There is one other option to always print the full timestamp that might be useful.

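The bulk export described in the reply above, as an added example that is not code from the thread or from Check Point: it runs "fw log" over every file in the log directory with the -n -p switches (and optionally -c accept), gzips the ASCII output, and tags raw IPs with names from a dictionary like the one the reply suggests building from the objects dump. It assumes "fw" is on PATH and that the switches behave as described (verify with "fw log --help"); the IP-to-object mapping here is a constructed placeholder.

```python
"""Export Check Point log files to gzipped text with 'fw log' and tag raw IPs.

Assumptions (not taken from the thread): 'fw' is on PATH, and -n / -p
suppress IP and service name resolution, -c accept keeps only accepted
traffic. Check 'fw log --help' on your box before relying on them.
"""
import gzip
import os
import re
import subprocess
import sys

IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")

# Constructed placeholder; on a real system build this from the objects
# database dump, as the reply suggests.
IP_TO_OBJECT = {"10.1.1.5": "web-srv", "10.1.1.1": "fw-gw"}


def export_cmd(logfile, accepted_only=False):
    """Build the 'fw log' argv for one log file (no name resolution)."""
    cmd = ["fw", "log", "-n", "-p"]
    if accepted_only:
        cmd += ["-c", "accept"]
    return cmd + [logfile]


def annotate_ips(line, ip_to_name):
    """Rewrite each known raw IP as 'name(ip)'; unknown IPs are left raw."""
    def tag(match):
        ip = match.group(0)
        return "%s(%s)" % (ip_to_name[ip], ip) if ip in ip_to_name else ip
    return IPV4.sub(tag, line)


def export_dir(log_dir, out_dir, ip_to_name, accepted_only=False):
    """Run fw log over every *.log in log_dir, writing <name>.txt.gz files."""
    os.makedirs(out_dir, exist_ok=True)
    written = []
    for name in sorted(os.listdir(log_dir)):
        if not name.endswith(".log"):
            continue
        dst = os.path.join(out_dir, name + ".txt.gz")
        proc = subprocess.Popen(export_cmd(os.path.join(log_dir, name), accepted_only),
                                stdout=subprocess.PIPE, universal_newlines=True)
        with gzip.open(dst, "wt") as out:
            for line in proc.stdout:          # stream; log files can be large
                out.write(annotate_ips(line, ip_to_name))
        proc.wait()
        written.append(dst)
    return written


if __name__ == "__main__":
    # Usage: python export_logs.py /export/dir [--accept]
    fwdir = os.environ.get("FWDIR") or sys.exit("FWDIR is not set; source the CP environment first")
    files = export_dir(os.path.join(fwdir, "log"), sys.argv[1], IP_TO_OBJECT, "--accept" in sys.argv)
    print("exported %d file(s)" % len(files))
```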
Employee+

All of the logs are located at $FWDIR/log/ and you can take all the log files from there. Notice that every log file is dated at its closing time and each day has a few log files.

If you're working in non-index mode, you'll be able to open them when you copy them to another CP log server. If you're working in index mode, you'll need to index them again.

Upgrade with CPUSE will retain the logs.

Kind regards, Amir Senn