SYNOPSIS
fw1_lea2dlf fileDESCRIPTION
fw1_lea2dlf converts Check Point FireWall-1 NG logs into firewall DLF format. Input for this converter is the output of fw1-loggrabber, a simple LEA (Log Export Api) client.ACTIVATION INSTRUCTIONS
This DLF converter isn't activated by default in Lire. It requires the Date::Manip perl module and the fw1-loggrabber tool. Date::Manip can be installed from CPAN. fw1-loggrabber is available from http://sourceforge.net/projects/fw1-loggrabber .If both of these components are installed, you can activate the fw1_lea DLF conveter by uncommenting its line in the file @sysconfdir@/@PACKAGE@/address.cf
OTHER NOTES
Beware! In case you're getting a lot of warnings complaining about UTF-8 characters, looking like:
all all UNSET fw1_lea2dlf warning Malformed UTF-8 character (unexpected non-continuation byte 0x7a, immediately after start byte 0xe3) at /usr/lib/perl5/vendor_perl/5.8.0/Date/Manip.pm line 5931.
, and your locale is UTF-8 enabled, there is a workaround: Set the LANG and LC_CTYPE environment variables to en_US instead of e.g. en_US.UTF-8. You can do this temporarily within the call of the converter:
LANG=en_US LC_CTYPE=en_US ./fw12dlf < /your/log/file
fw1-loggrabber
fw1-loggrabber is build using OPSEC's Software Development Kit. OPSEC (Open Platform for Security, http://www.opsec.com/) is an open, multi-vendor security framework.Some notes about fw1-loggrabber quoted here.
******************************************************** FW1-LOGGRABBER Author: Torsten Fellhauer current Version: 1.0 ******************************************************** 1) Prerequisites 2) How to Build 3) How to Use 4) Change History ******************************************************** 1) Prerequisites a) for running FW1-LOGGRABBER FW1-LOGGRABBER is statically linked and can therefore be run on the following systems: * Linux (Tested distributions are Red Hat, SuSE and De- bian with Kernel Versions 2.2.x and 2.4.x) * Solaris SPARC (Tested versions are Solaris 8 and 9) * Windows NT/2000/XP (currently no W32 of FW1-LOGGRABBER is available yet and therefore not yet tested) b) for building FW1-LOGGRABBER FW1-LOGGRABBER uses API-functions from Checkpoints' OPSEC SDK. In order to be able to build applications which are using this SDK, a very special build environ- ment has to be used. Currently building FW1-LOGGRABBER is supported only for Solaris SPARC platform and the Linux platform. * Linux - Red Hat 6.2 - gcc 2.95.1 - Checkpoint OPSEC SDK NG-FP3 for Linux 2.2 * Solaris SPARC - Solaris 8 - gcc 2.95.2 - Checkpoint OPSEC SDK NG-FP3 for Solaris SPARC * Windows - EDITME 3) How to Use a) Configure FW1 to enable LEA-Protocol In order to be able to use this tool with a Checkpoint FW-1 installation, the following tasks have to be done: * modify $FWDIR/conf/fwopsec.conf and define the port for unauthenticated lea connections. # lea_server auth_port 18184 lea_server port 50001 * bounce FW1 (cpstop / cpstart) to activate changes * add rule to policy to enable connections on port 50001 to the FW-1 Management-Server b) Usage of FW1-LOGGRABBER FW1-LOGGRABBER is statically linked and therefore not dependent of OPSEC libraries. The binary can be run on any Linux or Solaris SPARC system. Command-Line Options: -s IP-Address of FW1-Management-Server -p unauthenticated LEA-Port of FW1-Server -f exact name of FW1-Logfile or pattern to be matched on FW1-Logfiles. --resolve Resolve IP-Addresses to Names --noresolve Do not resolve IP-Addresses to Names --showfiles Only show available FW1-Logfiles and exit. --debug Enable debug-mode of FW1-LOGGRABBER Examples: o fw1-loggrabber -s 192.168.2.254 -p 50001 --showfiles Show all logfiles that are available on the FW1-Manage- ment-Server with the IP-Address 192.168.2.254. The LEA- Port the Management-Server is listening for unauthenti- cated connections is 50001. o fw1-loggrabber -s 192.168.2.254 -p 50001 Show all logentries of the default FW1-Logfile (fw.log) on the FW1-Management-Server with the IP-Address 192.168.2.254 and the LEA-Port 50001. o fw1-loggrabber -s 192.168.2.254 -p 50001 -f 2003-03-27_213652.log Show all logentries of the specified logfile. If the Log- file doesn't exist on the specified FW1-Management-Server, no entries are returned. o fw1-loggrabber -s 192.168.2.254 -p 50001 -f 2003-03 Show all logentries of all logfiles on the FW1-Management- Server, that contain the pattern "2003-03", i.e. all Log- Files from March 2003 o fw1-loggrabber -s 192.168.2.254 -p 50001 -f fw.adtlog Show all logentries of audit logfile on FW1-Management-Server 4) Change History * 1.0 - Initial Version (2003/03/30) o get all available FW1-Logfiles o get data of one or more FW1-Logfiles 5) Features to be implemented * Implementation of authenticated connections * Win32 build
EXAMPLES
To process a log as produced by FW-1:
$ fw1-loggrabber -s 192.168.2.254 -p 50001 -f fw.log | fw12dlf
fw1_lea2dlf will be rarely used on its own, but is more likely called by lr_log2report:
$ fw1-loggrabber -s 192.168.2.254 -p 50001 -f fw.log | \ lr_log2report fw1_lea
BUGS / TO DO
This convertor needs perl's Date::Manip library. It'd better use another module for this, used by more Lire code.The status and licensing of fw1-loggrabber is unknown.
AUTHORS
Torsten Fellhauer <[email protected]>VERSION
$Id: fw1_lea2dlf.in,v 1.9 2006/07/23 13:16:35 vanbaal Exp $COPYRIGHT
Copyright (C) 2003 Torsten FellhauerThis program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version.
This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.
You should have received a copy of the GNU General Public License along with this program (see COPYING); if not, check with http://www.gnu.org/copyleft/gpl.html.