"more fw.log" does not show clear data. How do I solve this?
$FWDIR/log/fw.log is a binary file. If you really want to view its contents at the CLI using the more command I recommend using the following syntax:
hexdump -C $FWDIR/log/fw.log | more
Alternatively see Log Exporter Guide or Export logs to CSV or just run fw monitor to see your connections in realtime instead of grepping for a connection within the log.
May I ask why you are not using SmartLog to properly view and filter through your firewall's logs?
But the result is the following: (attach)
It does not allow me to see the fw.log in real time. Is this possible, or should I see the "messages"?
Hello Danny, in SmartLog... I'm not sure if in smartlog I can do advanced filters in the search tab.
If this is an ssh session from terminal emulator, such as Putty, start another session with these defaults:
And try again.
The "putty" options appear to me as such. The only difference is that in the "script" of the source "Western" does not appear.
But when I run in the folder: /var/log/opt/CPsuite-R80/fw1/log/
I run: more fw.log still does not appear data. I would like to know how I do to monitor the complete log in real time.
fw.log is a binary file, which cannot be read with a simple more command.
You have to use the CLI command fw log to read it.
I've missed that: sometimes eyes see what you expect. In my case it was "fw log | more"
In clish mode, expert ... I run more fw.log and I can not monitor in real time.
As already mentioned, you are using a wrong command.
Go into expert mode and run "fw log | more"
However, if you are looking to get readable logs in the real time, please consider exporting them into syslog in an external server and analyzing there. Log Exporter - Check Point Log Export
In expert mode:
it does not show anything
If you are running it on the gateway but the gateway is configured to log to the Management Server, you should run same command on the management server.
that's impossible. Where are you running it at?
Like I said, fw.log is a binary file, which "more" cannot read.
You need to use fw log on the CLI to review this file.
Or better yet, use SmartLog/SmartView.
You have to run "fw log" from clish. As Dameon has mentioned fw.log is a binary file and you will not get legible output by trying to read it as a text file.
use "fw log --help" to see all available options.
P.S. you do not have to be in "expert" mode to run it.
This is what you should see on the gateway that is centrally managed:
GW8010> fw log | more
GW8010> expert
Enter expert password:
Warning! All configurations should be done through clish
You are in expert mode now.
[Expert@GW8010:0]# fw log | more
[Expert@GW8010:0]#
and this is what you should see on the management server where logs are being forwarded to:
login as: admin
This system is for authorized use
email@example.com's password:
Last login: Mon Sep 24 09:22:24 2018 from 192.168.7.148
SMS8010> fw log | more
Date: Sep 24, 2018 0:00:00 5 N/A 1 ctl SMS8010 > daemon LogId: <max_null>; ContextNum: <max_null>; OriginSicName: cn=cp_mgmt,o=SMS8010..bhska4; OriginSicName: cn=cp_mgmt,o=SMS8010..bhska4; HighLevelLogKey: 18446744073709551615; log_sys_message: Log file has been switched to: 2018-09-24_000000.log; ProductName: VPN-1 & FireWall-1; ProductFamily: Network;
Date: Sep 23, 2018 23:58:04 5 N/A 11 accept GW8010 < eth2 LogId: 0; ContextNum: <max_null>; OriginSicName: CN=GW8010,O=SMS8010..bhska4; OriginSicName: CN=GW8010,O=SMS8010..bhska4; HighLevelLogKey: 18446744073709551615; inzone: Local; outzone: Internal; service_id: domain-udp; src: GW8010; dst: DC16; proto: udp; user: ; src_user_name: ; src_machine_name: ; src_user_dn: ; snid: ; dst_user_name: ; dst_machine_name: firstname.lastname@example.org; dst_user_dn: ; UP_match_table: TABLE_START; ROW_START: 0; match_id: 4; layer_uuid: 1d365ba8-9fb0-4279-8f26-3b0842cccb54; layer_name: GW8010-Composite-Demo Network; rule_uid: 3d2f9eb5-f989-4f61-aaf6-c2d336555e0e; rule_name: For Nessus Scans; action: 2; parent_rule: 0; ROW_END: 0; UP_match_table: TABLE_END; ProductName: VPN-1 & FireWall-1; svc: domain-udp; sport_svc: 49371; ProductFamily: Network;
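As an added example (not code from any poster in this thread), a small shell/awk helper that reads the "key: value;" records that fw log prints on the management server and summarises or filters them, so a single connection can be found without paging through the whole output. The two sample records are trimmed copies of the lines above, constructed here for the demo; the column positions in the record header and the field names (src, dst, service_id, rule_name) are taken from that output.

```shell
#!/bin/sh
# fwlog_summarize [KEY VALUE] < output-of-"fw log"
# Prints one line per record: date time action origin src dst service rule_name
# With KEY and VALUE given, only records whose field KEY equals VALUE are printed.
fwlog_summarize() {
    awk -v fkey="${1:-}" -v fval="${2:-}" '
    /^Date: / {
        # Header layout seen in the thread:
        # Date: Sep 23, 2018 23:58:04 5 N/A 11 accept GW8010 < eth2 LogId: 0; ...
        date = $2 " " $3 " " $4; time = $5; action = $9; origin = $10
        src = dst = svc = rule = "-"
        keep = (fkey == "")              # no filter given: keep every record
        n = split($0, kv, "; ")          # fields are separated by "; "
        for (i = 1; i <= n; i++) {
            p = index(kv[i], ": ")       # first ": " splits key from value
            if (p == 0) continue
            k = substr(kv[i], 1, p - 1); v = substr(kv[i], p + 2)
            sub(/;$/, "", v)             # last field keeps a trailing ";"
            if (k == "src") src = v
            else if (k == "dst") dst = v
            else if (k == "service_id") svc = v
            else if (k == "rule_name") rule = v
            if (k == fkey && v == fval) keep = 1
        }
        if (keep) printf "%s %s %s %s %s %s %s %s\n", date, time, action, origin, src, dst, svc, rule
    }'
}

# Constructed sample: two records trimmed from the fw log output quoted in this thread.
FW_SAMPLE='Date: Sep 24, 2018 0:00:00 5 N/A 1 ctl SMS8010 > daemon LogId: <max_null>; log_sys_message: Log file has been switched to: 2018-09-24_000000.log; ProductName: VPN-1 & FireWall-1; ProductFamily: Network;
Date: Sep 23, 2018 23:58:04 5 N/A 11 accept GW8010 < eth2 LogId: 0; inzone: Local; outzone: Internal; service_id: domain-udp; src: GW8010; dst: DC16; proto: udp; user: ; rule_name: For Nessus Scans; action: 2; ProductName: VPN-1 & FireWall-1; svc: domain-udp; sport_svc: 49371; ProductFamily: Network;'

# Demo: summarise everything, then show only the records whose dst is DC16.
printf '%s\n' "$FW_SAMPLE" | fwlog_summarize
printf '%s\n' "$FW_SAMPLE" | fwlog_summarize dst DC16
```

On a live system the same helper takes its input from the command the thread recommends, e.g. fw log | fwlog_summarize dst DC16, and the key/value filter works for any field name that appears in the record.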
fw log can show logs on a gateway if, for some reason, the gateway is unable to reach its management server, or it is configured to log locally.
But generally, that is not the case.
Yep, but in his case, it looks like he is logging to the SMS.
BTW, is it SMS or CMS now?
I think we just call it Security Management
Yeah, right ...unless it is in MDS, in which case it is DMS
This is the gateway:
You are not logging on the gateway.
Your gateway is logging to your management server.
Run the command at the clish prompt, not in expert mode, on your management server and you will see your logs.
Expected behavior for a gateway.