[logs] Checkpoint Firewall rulebase - logs
Andrew Hay
andrewsmhay at gmail.com
Sun Aug 5 03:45:07 PDT 2007
One thing I'd be careful about is piping the fw log to logger on a
firewall that is under substantial load. Nothing makes your CPU spin
faster than trying to export syslog from a firewall. If at all
possible try using the Checkpoint Log Export API (LEA) to grab the
logs (the SDK is available and if you need more info let me know) from
your SmartCenter Server to reduce load.
Another issue with exporting logs via the logger method is that you
cannot disable service name resolution (or at least I have lost the
switch for disabling it). This means that port 80 traffic will
always show up as HTTP, which could cause problems with any custom
parsers you have written or need to write. Using the LEA method
handles this by disabling the resolution on services.
As an alternative to relying on the current logs going into the Check
Point event viewer you could also leverage the Event Log Agent (ELA)
API to insert your own logs into the running Check Point logs.
Hope this helps.
On 05/08/07, Mordechai T. Abzug <morty at frakir.org> wrote:
> On Sat, Aug 04, 2007 at 09:45:54PM -0700, Tina Bird wrote:
>
> > fw.log will also contain records of some system alerts and other
> > significant events.
>
> One trick I've done with FW-1 is a boot script that contains something
> like this at its core:
>
> fw log -ft | logger $LOGGER_OPTIONS &
>
> . . . which means that you get your FW-1 stuff handled by your syslog
> infrastructure instead of needing custom FW-1 handlers.
>
> - Morty
> _______________________________________________
> LogAnalysis mailing list
> LogAnalysis at loganalysis.org
> http://www.loganalysis.org/mailman/listinfo/loganalysis
>
--
Andrew Hay
blog: https://www.andrewhay.ca
email: andrewsmhay || at || gmail.com
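The service-name resolution problem raised above (port 80 arriving as "http" in the logger feed, while other records carry a bare port number) is the kind of thing a downstream parser has to absorb. The following is an added example, not code from either poster or from Check Point: a small Python parser for lines in a constructed key/value style that imitates `fw log -ft` output. It normalizes the `service` field to a numeric port whether the firewall emitted a name or a number, using a built-in lookup table first and falling back to the host's `/etc/services`. The sample lines, the field names, and the table are assumptions made for the example; the real format on your firewall may differ.

```python
import re
import socket

# Constructed sample records imitating `fw log -ft` output (assumed layout, not real logs).
# Records 1 and 3 carry a resolved service name; record 2 carries a bare port number.
SAMPLE_LINES = [
    "5Aug2007 03:45:07 accept fw1 >eth0 src: 10.0.0.5; dst: 192.0.2.10; proto: tcp; service: http; s_port: 40001; rule: 5;",
    "5Aug2007 03:45:08 drop fw1 >eth0 src: 10.0.0.6; dst: 192.0.2.11; proto: tcp; service: 8443; s_port: 40002; rule: 9;",
    "5Aug2007 03:45:09 accept fw1 >eth0 src: 10.0.0.7; dst: 192.0.2.12; proto: udp; service: domain; s_port: 40003; rule: 2;",
]

# Small (name, proto) -> port table so the example is deterministic offline;
# anything not listed here is looked up in the host's /etc/services.
FALLBACK_SERVICES = {
    ("http", "tcp"): 80,
    ("https", "tcp"): 443,
    ("ssh", "tcp"): 22,
    ("smtp", "tcp"): 25,
    ("domain", "tcp"): 53,
    ("domain", "udp"): 53,
}

# Matches "key: value;" pairs in the tail of a record.
FIELD_RE = re.compile(r"(\w+):\s*([^;]*);")


def service_to_port(value, proto="tcp"):
    """Return a numeric port for a service field that may be a name or a number.

    Returns None when the name cannot be resolved, so the caller can keep the
    raw string instead of silently dropping the record.
    """
    value = value.strip()
    if value.isdigit():
        return int(value)
    key = (value.lower(), proto.lower())
    if key in FALLBACK_SERVICES:
        return FALLBACK_SERVICES[key]
    try:
        return socket.getservbyname(value, proto)
    except OSError:
        return None


def parse_line(line):
    """Split one record into its fixed head and its key/value tail."""
    # Head: date, time, action, origin, interface; the rest is "key: value;" pairs.
    date, time, action, origin, iface, rest = line.split(None, 5)
    fields = dict(FIELD_RE.findall(rest))
    record = {
        "date": date,
        "time": time,
        "action": action,
        "origin": origin,
        "interface": iface,
    }
    record.update(fields)
    # Keep the original text and add a normalized numeric port beside it.
    record["service_name"] = fields.get("service", "")
    record["service_port"] = service_to_port(record["service_name"], fields.get("proto", "tcp"))
    return record


def parse_lines(lines):
    """Parse a sequence of records, skipping blank lines."""
    return [parse_line(line) for line in lines if line.strip()]


if __name__ == "__main__":
    for rec in parse_lines(SAMPLE_LINES):
        print(rec["time"], rec["action"], rec["src"], "->", rec["dst"],
              rec["proto"], rec["service_name"], "=>", rec["service_port"])
```

Keeping both `service_name` and `service_port` in the record means rules written against either form keep working, and a name that neither the table nor `/etc/services` knows shows up as `None` rather than a bogus port.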