FW1-LOGGRABBER

Author: Torsten Fellhauer <torsten@fellhauer-web.de> current Version: 1.9.2


Copyright (c) 2004 Torsten Fellhauer <torsten@fellhauer-web.de> All rights reserved.

Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:
1. Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer.
2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution.

THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.


  1. Prerequisites
  2. How to Build
  3. How to Use
  4. Change History
  5. Features to be implemented
  6. Support me...

1) Prerequisites

a) for running FW1-LOGGRABBER

FW1-LOGGRABBER is statically linked and can therefore be run on the following systems:

* Linux (tested distributions are Red Hat, SuSE and Debian with kernel versions 2.2.x and 2.4.x)
  • for experimental MySQL support, the MySQL client and zlib are required
* Solaris SPARC (tested versions are Solaris 8 and 9)
* Windows NT/2000/XP (tested version is Windows 2000)

b) for building FW1-LOGGRABBER

FW1-LOGGRABBER uses API functions from Check Point's OPSEC SDK. To build applications that use this SDK, a specific build environment has to be used. Currently, building FW1-LOGGRABBER is supported only on the Solaris SPARC and Linux platforms.
* Linux
  • Red Hat 6.2
  • gcc 2.95.1
  • Checkpoint OPSEC SDK NG-FP3 for Linux 2.2
  • for experimental MySQL support, the MySQL client libraries and zlib libraries are required
* Solaris SPARC
  • Solaris 8
  • gcc 2.95.2
  • Checkpoint OPSEC SDK NG-FP3 for Solaris SPARC
* Windows
  • Windows NT/2000
  • MS Visual Studio 6.0 SP5
  • Checkpoint OPSEC SDK NG-FP3 for Windows NT/2000

2) How to Build
a) Set up the Build Environment for Linux
  • Install a machine with Red Hat 6.2
  • Download Checkpoint's OPSEC SDK (NG) for Linux
  • Untar the OPSEC SDK and move the directory to e.g. /opt/CPsdk-NG
  • Compile and install gcc 2.95.1 (install prefix e.g. /opt/CPsdk-NG/gcc)
  • Untar fw1-loggrabber
  • Copy Makefile.linux to Makefile
  • Edit the Makefile and change the variables CC, LD and PKG_DIR according to your environment
  • Uncomment the MySQL lines in the Makefile to enable experimental MySQL support
  • Edit the Makefile and change the MYSQL_LIBS variable according to your environment
  • make
b) Set up the Build Environment for Solaris
  • Install a machine with Solaris 8
  • Download Checkpoint's OPSEC SDK (NG) for Solaris gcc
  • Untar the OPSEC SDK and move the directory to e.g. /opt/CPsdk-NG
  • Compile and install gcc 2.95.2 (install prefix e.g. /opt/CPsdk-NG/gcc)
  • Untar fw1-loggrabber
  • Copy Makefile.solaris to Makefile
  • Edit the Makefile and change the variables CC, LD and PKG_DIR according to your environment
  • make
c) Set up the Build Environment for Windows
  • Use a Windows NT or Windows 2000 workstation
  • Download Checkpoint's OPSEC SDK (NG) for Windows NT/2000
  • Unpack the OPSEC SDK and move the directory to e.g. C:\Opsec-SDK
  • Install Microsoft Visual Studio 6.0 SP5
  • Untar fw1-loggrabber
  • Use the Visual C++ project file (fw1-loggrabber.dsp) for preferences
  • build

3) How to Use

a) Configure FW1 to enable LEA-Protocol (unauthenticated)

In order to be able to use this tool with a Checkpoint FW-1 installation, the following tasks have to be done:

  • modify $FWDIR/conf/fwopsec.conf and define the port for unauthenticated LEA connections:

      lea_server port 50001

  • bounce FW1 (cpstop / cpstart) to activate the changes
  • add a rule to the policy to allow connections on port 50001 to the FW-1 Management-Server

b) Configure FW1 to enable LEA-Protocol (authenticated)

It is a little bit more complicated to configure FW-1 to use authenticated connections. There are tasks to be done on both the FW-1 Management-Server and the client machine.

  • modify $FWDIR/conf/opsec.conf on the Management-Server and define the port for authenticated LEA connections:

      lea_server auth_port 18184

  • bounce FW1 (cpstop / cpstart) to activate the changes
  • Open the Policy Editor (SmartDashboard)
  • Create a new Opsec Application Object
    • Name: e.g. Loggrabber
    • Vendor: User Defined
    • Server Entities: None
    • Client Entities: LEA
    • Initialize Secure Internal Communication (SIC)
    • Enter the initial ICA password (e.g. "test")
  • temporarily allow the FW1_ica_pull service (18210/tcp) from the LEA client to the FW-1 Management-Server
  • On the client side, use the tool opsec_pull_cert (from the opsec-tools.tar.gz archive on the project page or directly from the Opsec SDK) to exchange keys between client and server:

      opsec_pull_cert -h <IP of Management-Server> -n <Opsec Object Name> -p <password>

    The result of this command is a certificate file with the name "opsec.p12". For example:

      opsec_pull_cert -h 192.168.2.254 -n Loggrabber -p test

  • Edit fw1-loggrabber.conf and set the following parameters:
    • OPSEC_CLIENT_DN: Distinguished Name of the Opsec Application Object (e.g. "CN=Loggrabber,O=fw1-ng.fellhauer-web.de..n77jpa")
    • OPSEC_CERTIFICATE: Name of the certificate file (e.g. "opsec.p12")
    • OPSEC_SERVER_DN: Distinguished Name of the FW-1 Management Server (e.g. "cn=cp_mgmt,o=fw1-ng.fellhauer-web.de..n77jpa")
    • The exact values can be found in the ICA section of your FW1 objects.

c) Usage of FW1-LOGGRABBER

FW1-LOGGRABBER is statically linked and therefore not dependent on the OPSEC libraries. The binary can be run on any Linux or Solaris UltraSPARC system. On older SPARC systems (SPARCstation, etc.) fw1-loggrabber won't run, because the libraries of the Opsec SDK were compiled for UltraSPARC systems and are not compatible with the older architecture.

Command-Line Options:

 -s|--server     IP-Address of FW1-Management-Server
 -p|--port       unauthenticated LEA-Port of FW1-Server
 -f|--logfile    exact name of FW1-Logfile or pattern to
                 be matched on FW1-Logfiles.
 -c|--configfile name of the configuration file (only needed
                 for authenticated connections, see --auth)
 --resolve       Resolve IP-Addresses to Names (default)
 --noresolve     Do not resolve IP-Addresses to Names
 --showfiles     Only show available FW1-Logfiles and exit.
 --showlogs      Show logdata (default behaviour).
 --auth          Use authenticated connection to connect to FW1.
 --no-auth       Use unauthenticated connection to connect to FW1.
 --2000          Connect to CP FW-1 4.1 (2000). When using 
                 this option, both --auth and --showfiles
                 as well as --filter cannot be used.
 --ng            Connect to CP FW-1 5.x (NG). 
 --filter        Defines one or more filter rules to grab
                 only specific log entries.
 --fields        Defines fields to be printed (see below for
                 list of available fields)
 --online        Start logging in online-mode.
 --offline       Start logging in offline-mode.
 --auditlog      Get data of Audit-Logfile (fw.adtlog)
 --normallog     Get data of normal Logfile (fw.log)
 --fieldnames    Display fieldnames in every line of log output
                 (e.g. "loc=1;time=...")
 --nofieldnames  Display fieldnames in first output line. Log
                 entries are printed as fixed fields separated 
                 by user defined separator.
 --mysql         Enable mysql-mode for storing logs in MySQL-DB
                 (EXPERIMENTAL!)
 --no-mysql      Disable mysql-mode for storing logs in MySQL-DB
 --debug-level   Set debuglevel (0 = no debug information)
 --help          Show usage information

All these options can also be configured using the configuration file (default: fw1-loggrabber.conf). The precedence of given options is as follows: command-line option, config file option, default value.
I.e. if an option is set in the configuration file, this value overrides the default value; if an option is set on the command line, the value overrides both the value in the configuration file and the default value.

In addition to the parameters which can be specified on commandline, there are some parameters which can only be set within the configuration file. The following list gives a short summary of these parameters:

 MYSQL_HOST        Hostname or IP-Address of MySQL-Server (EXPERIMENTAL)
 MYSQL_USER        Username on MySQL-DB (EXPERIMENTAL)
 MYSQL_PASSWORD    Password on MySQL-DB (EXPERIMENTAL)
 MYSQL_DATABASE    Name of MySQL-DB (EXPERIMENTAL)
 RECORD_SEPARATOR  Separator of log entry fields. If the separation
                   character occurs within the log entry, the character
                   is escaped by '\'.
 DATEFORMAT        Set the display format of the Time-Entries. You
                   can choose between default Checkpoint format,
                   Unix time (seconds from 1.1.1970) or a standardized
                   format (YYYY-MM-DD hh:mm:ss)
 OPSEC_CERTIFICATE Filename of OPSEC-Certificate
 OPSEC_CLIENT_DN   DN of Loggrabber object
 OPSEC_SERVER_DN   DN of FW1 Management Server object

The options --filter and --fields can currently only be used on the command line.

In order to use the anonymizing tool of LIRE, you should run fw1-loggrabber with the option --noresolve. Otherwise, in some fields of the log entries, names are used instead of IP addresses.
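A parser for the two output layouts described above (--fieldnames and --nofieldnames, fields separated by RECORD_SEPARATOR with '\' as the escape), added here as an example and not part of fw1-loggrabber itself; the sample lines are constructed, ';' is assumed as the separator, and treating "\\" as an escaped backslash is an assumption of this example.

```python
"""Parser for fw1-loggrabber output lines (added example, not the tool's code).
With --fieldnames every field is printed as name=value; with --nofieldnames the
first line carries the field names and later lines only the values. Fields are
separated by RECORD_SEPARATOR (';' assumed here); a separator inside a value is
escaped with '\\'. Treating '\\\\' as an escaped backslash is an assumption."""
from typing import Dict, List


def split_record(line: str, sep: str = ";") -> List[str]:
    """Split one output line on sep, honouring the '\\' escape."""
    fields, cur, i = [], [], 0
    while i < len(line):
        ch = line[i]
        if ch == "\\" and i + 1 < len(line):
            cur.append(line[i + 1])  # escaped separator or backslash: keep literally
            i += 2
            continue
        if ch == sep:
            fields.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
        i += 1
    fields.append("".join(cur))
    return fields


def parse_fieldnames_line(line: str, sep: str = ";") -> Dict[str, str]:
    """--fieldnames mode: each field is name=value (the first '=' splits)."""
    entry: Dict[str, str] = {}
    for field in split_record(line.rstrip("\n"), sep):
        if field:
            name, _, value = field.partition("=")
            entry[name] = value
    return entry


def parse_nofieldnames(lines: List[str], sep: str = ";") -> List[Dict[str, str]]:
    """--nofieldnames mode: header line, then positional values per entry."""
    header = split_record(lines[0].rstrip("\n"), sep)
    entries = []
    for line in lines[1:]:
        values = split_record(line.rstrip("\n"), sep)
        if len(values) != len(header):  # a mis-escaped separator shows up here
            raise ValueError(f"expected {len(header)} fields, got {len(values)}: {line!r}")
        entries.append(dict(zip(header, values)))
    return entries


# Constructed sample lines (not real firewall output). The 'message' value in
# the first sample contains an escaped ';'.
FIELDNAMES_SAMPLE = (
    "loc=1;time=2003-03-27 21:36:52;action=reject;src=192.168.2.10;"
    "dst=192.168.2.254;service=23;proto=tcp;rule=3;message=telnet\\; not allowed"
)
NOFIELDNAMES_SAMPLE = [
    "loc;time;action;src;dst;service;proto;rule",
    "1;2003-03-27 21:36:52;reject;192.168.2.10;192.168.2.254;23;tcp;3",
    "2;2003-03-27 21:36:53;accept;192.168.2.11;192.168.2.254;22;tcp;1",
]
```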

Examples

  • fw1-loggrabber -s 192.168.2.254 -p 50001 --showfiles

    Show all logfiles that are available on the FW1-Management-Server with the IP address 192.168.2.254. The LEA port on which the Management-Server listens for unauthenticated connections is 50001.

  • fw1-loggrabber -s 192.168.2.254 -p 50001
    fw1-loggrabber -s 192.168.2.254 -p 18184 --auth

    Show all log entries of the default FW1 logfile (fw.log) on the FW1-Management-Server with the IP address 192.168.2.254 and the LEA port 50001. If you want to use an authenticated connection, just use the parameter --auth. You will probably then need to specify another port (see your FW-1 configuration). When using the --auth parameter, the config file fw1-loggrabber.conf must exist.

  • fw1-loggrabber -s 192.168.2.254 -p 18184 --2000 -f fw.log
    fw1-loggrabber -s 192.168.2.254 -p 18184 --2000 -f fw.alog

    Show all log entries of the default FW1 logfile (fw.log) or of the FW1 accounting logfile (fw.alog) respectively, on a FW-1 4.1 (2000) Management-Server with the IP address 192.168.2.254 and the LEA port 18184. When connecting to a CP FW-1 4.1 server, you cannot use the parameters --auth or --showfiles.

  • fw1-loggrabber -s 192.168.2.254 -p 50001 -f 2003-03-27_213652.log

    Show all logentries of the specified logfile. If the Logfile doesn't exist on the specified FW1-Management-Server, no entries are returned.

  • fw1-loggrabber -s 192.168.2.254 -p 50001 -f 2003-03

    Show all log entries of all logfiles on the FW1-Management-Server that contain the pattern "2003-03", i.e. all logfiles from March 2003.

  • fw1-loggrabber -s 192.168.2.254 -p 50001 --auditlog

    Show all log entries of the audit logfile on the FW1-Management-Server.

  • fw1-loggrabber -s 192.168.2.254 -p 50001 --filter "action=reject"

    Filter the logentries on the server side to grab only log entries of rejected connections. Filtering capabilities are currently only available for connections to FW1-NG. You can use one or more filter arguments. Each argument can be compared to a rule in the firewall policy. The rules are applied one after another and the first that matches will be used. If no rule matches, there is an implicit drop so the log entry will not be shown.

    The following filter parameters are currently implemented:

    • starttime: date string in the format YYYYMMDDhhmmss to show log entries starting at the given date.
    • endtime: date string in the format YYYYMMDDhhmmss to show log entries up to the given date.
    • action: possible values are "accept", "drop" and "reject". These values can also be combined, e.g.
        --filter "action=drop,reject"
    • rule: possible values are integer numbers, which specify the rule number according to the FW policy. Ranges of rule numbers are also possible. It's also possible to specify more than one rule within one filter, e.g.
        --filter "rule=10,11,12"
        --filter "rule=1-5,10,20-30"
    • proto: possible values are "icmp", "tcp" and "udp". Of course, combinations are also possible with this parameter, e.g.
        --filter "proto=icmp,tcp"
    • service: possible values are integer numbers, which specify the port number of the service. Ranges of port numbers are also possible. The usage of service names is not possible so far, e.g.
        --filter "service=22,443"
        --filter "service=20000-30000,35555"
    • dst/src: possible values are both IP addresses and IP addresses with netmasks. When using netmasks, CIDR masks are currently not implemented. You can specify more than one value only when using single IP addresses. It's also not possible to mix single IP addresses with IP addresses with netmasks, e.g.
        --filter "dst=192.168.2.254"
        --filter "dst=192.168.2.254,192.168.2.253"
        --filter "dst=192.168.2.0/255.255.255.0"
        --filter "src=192.168.2.254"
        --filter "src=192.168.2.254,192.168.2.253"
        --filter "src=192.168.2.0/255.255.255.0"

You can also combine multiple filter parameters within one filter argument, e.g.
    --filter "action=reject;service=23;src=192.168.2.0/24"
    --filter "action=drop,reject;service=22,443;proto=tcp;rule=1,2,3,4"
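A client-side model of the --filter semantics just described (one rule per --filter argument, first match wins, implicit drop), added here as an example and not fw1-loggrabber's own filter parser; the sample entries are constructed, their time values are assumed to be in the YYYYMMDDhhmmss form starttime/endtime use, and the example goes beyond the tool by accepting CIDR masks as well as dotted netmasks.

```python
"""Client-side model of fw1-loggrabber's --filter semantics (added example, not
the tool's code). A --filter argument is one rule of key=values pairs joined by
';'. Rules are tried in order, the first match wins and an entry matching no
rule is dropped. Entries are dicts as printed with --fieldnames; 'time' is
assumed to be in the YYYYMMDDhhmmss form that starttime/endtime use."""
import ipaddress

def _int_set(spec):
    """'1-5,10,20-30' -> {1..5, 10, 20..30}; used for rule and service."""
    out = set()
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        out.update(range(int(lo), int(hi or lo) + 1))
    return out

def _addr_matcher(spec):
    """Single IPs may be listed; a netmask form must stand alone (as in the tool).
    Dotted masks and CIDR are both accepted here, which the tool does not."""
    if "/" in spec:
        if "," in spec:
            raise ValueError("netmask form cannot be combined with other addresses: " + spec)
        net = ipaddress.ip_network(spec, strict=False)
        return lambda ip: ipaddress.ip_address(ip) in net
    ips = {ipaddress.ip_address(p) for p in spec.split(",")}
    return lambda ip: ipaddress.ip_address(ip) in ips

def compile_filter(arg):
    """Turn one --filter argument into a predicate; all of its keys must match."""
    preds = []
    for item in arg.split(";"):
        key, _, val = item.partition("=")
        if key in ("action", "proto"):
            allowed = set(val.split(","))
            preds.append(lambda e, k=key, a=allowed: e.get(k) in a)
        elif key in ("rule", "service"):
            nums = _int_set(val)
            preds.append(lambda e, k=key, n=nums: e.get(k, "").isdigit() and int(e[k]) in n)
        elif key in ("src", "dst"):
            match = _addr_matcher(val)
            preds.append(lambda e, k=key, m=match: k in e and m(e[k]))
        elif key == "starttime":
            preds.append(lambda e, v=val: e.get("time", "") >= v)
        elif key == "endtime":
            preds.append(lambda e, v=val: e.get("time", "") <= v)
        else:
            raise ValueError("unsupported filter key: " + key)
    return lambda e: all(p(e) for p in preds)

def apply_filters(filters, entries):
    """Every rule permits, so the first match decides and an entry matching none
    is dropped (the tool's implicit drop)."""
    rules = [compile_filter(f) for f in filters]
    return [e for e in entries if any(r(e) for r in rules)]

# Constructed sample entries (not real firewall output).
SAMPLE_ENTRIES = [
    {"time": "20030327213652", "action": "reject", "src": "192.168.2.10", "dst": "192.168.2.254", "service": "23", "proto": "tcp", "rule": "3"},
    {"time": "20030327213700", "action": "accept", "src": "10.0.0.5", "dst": "192.168.2.254", "service": "443", "proto": "tcp", "rule": "1"},
    {"time": "20030327213705", "action": "drop", "src": "192.168.2.77", "dst": "192.168.2.254", "service": "22", "proto": "tcp", "rule": "12"},
]
```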

  • fw1-loggrabber -s 192.168.2.254 -p 50001 --filter "action=reject" --online
    fw1-loggrabber -s 192.168.2.254 -p 50001 --auditlog --online

    Using the --online option, log entries are printed in real time, as they are logged by the firewall. Past log entries will not be printed, and it is not possible to specify logfile names; the default logfile fw.log is always used. In online mode, FW1-Loggrabber survives both manual and scheduled logswitch events.

  • fw1-loggrabber -s 192.168.2.254 -p 50001 --fields "time;src;dst"

    With the fields option you can specify the fields to be printed. Please note that only fields that are used in a log entry will be printed, e.g. if you specify "reason" in the fields option but there is no "reason" column in a log entry, the field will not be printed.

    Currently the following fields are supported:

    • for normal logs:
      loc;time;action;orig;alert;i/f_dir;i/f_name;has_accounting;
      uuid;product;__policy_id_tag;src;s_port;dst;service;tcp_flags;
      proto;rule;xlatesrc;xlatedst;xlatesport;xlatedport;nat_rulenum;
      resource;elapsed;packets;bytes;reason;service_name;agent;from;
      to;sys_msgs;fw_message;Internal_CA:;serial_num:;dn:;icmp-type;
      icmp-code;msgid;message_info;log_sys_message;session_id:;
      dns_query;dns_type;scheme:;srckeyid;methods:;peer gateway;IKE:;
      IKE IDs:;encryption failure:;encryption fail reason:;CookieI;
      CookieR;start_time;segment_time;client_inbound_packets;
      client_outbound_packets;client_inbound_bytes;client_outbound_bytes;
      client_inbound_interface;client_outbound_interface;
      server_inbound_packets;server_outbound_packets;server_inbound_bytes;
      server_outbound_bytes;server_inbound_interface;
      server_outbound_interface;message
    • for audit logs:
      loc;time;action;orig;i/f_dir;i/f_name;has_accounting;
      uuid;product;ObjectName;ObjectType;ObjectTable;Operation;
      Uid;Administrator;Machine;Subject;Audit Status;
      Additional Info;Operation Number;FieldsChanges

If you want other fields to be supported or simply miss some fields in the output, please run loggrabber in debug mode and look for output lines saying "Unsupported field".

4) Change History

  • 1.0 - Initial Version (2003/03/30)
    • get all available FW1-Logfiles
    • get data of one or more FW1-Logfiles
  • 1.1 - Bugfix (2003/04/16)
    • when using --noresolve, IP-addresses were printed differently under Linux and Solaris
  • 1.2 - added new feature (2003/04/17)
    • implemented authenticated and encrypted (3DES) Connections using Certificates
  • 1.3 - added new feature (2003/04/22)
    • implemented access to CP FW-1 4.1 (2000)
  • 1.4 - added new feature (2003/05/23)
    • implemented filter rules
  • 1.5 - added new feature (2003/05/27)
    • implemented online mode
  • 1.6 - bugfixes (2003/06/09)
    • error handling
    • code improvement
  • 1.7 - bugfixes (2003/06/11)
    • bugfixes
    • improved filter parser
  • 1.7.1 - WIN32 build
    • some minor modifications for WIN32
  • 1.7.2 - bugfixes and minor improvements (2003/06/19)
    • bugfix in Makefiles
    • bugfix in argument processing
    • bugfix in ipaddress presentation of W32 version
    • implemented online-mode for audit-logs
  • 1.8 - bugfixes and some new features (2003/07/04)
    • bugfix in argument processing
    • bugfixes in logentry output
    • implemented --fields option to print out only certain fields
    • implemented OPSEC event handlers for debugging purposes
    • improved argument processing
    • Improved filter processing ('-' for ranges, e.g. rule=1-9)
  • 1.9.1 - couple of new features (2004/02/15)
    • usage of configfile for all available options
    • implemented option to use user-defined field separator
    • implemented option to show fieldnames in every logentry or once at the beginning of the output
    • rewrite of log output functions
    • implemented experimental MySQL support
    • Filter option to filter on date/time
    • configurable dateformat
    • Implementation of simple filter rules for audit-logs (starttime, endtime and action)
  • 1.9.2 - bugfixes and some new features (2004/07/07)
    • implemented some so far unsupported fields
    • implemented opsec debug information
    • fixed some bugs in MySQL support
    • implemented authentication type to use different authentication mechanisms (not documented so far; will be documented in the man page which comes with the next major release)
    • implemented opsec error handling

5) Features to be implemented
  • 1.10 (Q3/2004)
    • enhancement of filter rules for audit-logs
    • Option to process all available Logfiles
    • man Page
    • enhanced install process
  • not scheduled
    • Error handling routines (no logfile available)
    • Resolve addresses using ns-calls
    • authentication to FW-1 4.1 (using fw putkey) -> can anybody give me some hints about this?
    • usage of filters with FW-1 4.1 -> filters have to be locally registered to use them with FW-1 4.1, but the current Opsec-SDK seems to be buggy on that.

6) Support me...

  • run loggrabber in debug mode, look for "Unsupported field" lines and tell me the field names. Because I have limited access to FW-1 installations I cannot test all available FW-1 features to get all fields by myself.
  • give me some hints on locally registered filters and authentication to FW-1 4.1 (see section 5).
  • give me some feedback on this tool e.g. about sense or nonsense of mysql support.
  • FW1-Loggrabber now and in future is free software. But if you want to show your appreciation or want to increase my motivation, you can do so by ordering something from my wishlist. (http://www.fellhauer-web.de/wishlist.html)

