[logs] Checkpoint Firewall rulebase - logs
James
jimbob.coffey at gmail.com
Mon Aug 6 16:40:01 PDT 2007
On 8/6/07, Mordechai T. Abzug <morty at frakir.org> wrote:
> > Another issue with exporting logs via the logger method is that you
> > cannot disable service name resolution (or at least I have lost the
> > switch how to disable it).
>
> IIRC, you can do this with -n. Google confirms [curiously, a post by
> tbird]:
>
> http://www.splunk.com/base/Checkpoint/30987
Unfortunately not (at least on NGX). -n disables hostname resolution
but not service name resolution <sigh>. A trick I have mentioned to
tbird is to name your services
<protocol>_<port_number>
eg tcp_80
but sometimes you will get stomped on by Check Point's default services.
LEA looks like the way to go and when I get around to it I will put an
RFI into Check Point to add a switch to fw log to disable service name
resolution so that the logs will actually be useful (in a multi-vendor
or SIM/SEM environment).
Unless someone already knows a way ...
--
jac
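An added example, not from the original thread, showing why the `<protocol>_<port_number>` naming trick helps downstream parsing: a small normalizer that recovers protocol and port from an exported log's service field, falls back to a table of predefined names, and flags anything it cannot resolve. The key=value log layout, the service names and the fallback table are all constructed here, not real Check Point output.

```python
import re
from typing import Optional, Tuple

# Constructed stand-in for a few of Check Point's predefined service names.
# Assumption: a real deployment would load this from its own service objects.
DEFAULT_SERVICES = {
    "http": ("tcp", 80),
    "https": ("tcp", 443),
    "domain-udp": ("udp", 53),
}

# Matches services named with the <protocol>_<port_number> convention, e.g. tcp_80.
CONVENTION_RE = re.compile(r"^(?P<proto>tcp|udp)_(?P<port>\d{1,5})$", re.IGNORECASE)

def resolve_service(name: str) -> Tuple[Optional[str], Optional[int], str]:
    """Return (protocol, port, how): how = convention, default-table or unresolved."""
    m = CONVENTION_RE.match(name.strip())
    if m:
        port = int(m.group("port"))
        if 0 < port <= 65535:
            return m.group("proto").lower(), port, "convention"
        return None, None, "unresolved"  # e.g. tcp_99999 is not a valid port
    proto_port = DEFAULT_SERVICES.get(name.strip().lower())
    if proto_port:
        return proto_port[0], proto_port[1], "default-table"
    return None, None, "unresolved"

def normalize_log_line(line: str) -> dict:
    """Parse one 'key=value; key=value' log line and add protocol/port fields."""
    fields = {}
    for kv in line.split(";"):
        if "=" in kv:
            k, v = kv.split("=", 1)
            fields[k.strip()] = v.strip()
    proto, port, how = resolve_service(fields.get("service", ""))
    fields.update({"proto": proto, "dst_port": port, "service_resolution": how})
    return fields

# Constructed sample lines (not real Check Point output).
SAMPLE_LINES = [
    "action=accept; src=10.0.0.5; dst=192.0.2.10; service=tcp_8443",
    "action=drop; src=10.0.0.7; dst=192.0.2.11; service=http",
    "action=accept; src=10.0.0.8; dst=192.0.2.12; service=MyCustomApp",
]
```

Records marked `unresolved` are the ones a SIM/SEM would otherwise silently ingest with no port, so they are worth counting when you audit the export.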