Reports are displaying inaccurate results.


This article applies to:

  • Security Reporting Center 2.x
  • Firewall Suite 4.x
  • Check Point FW-1 4.1 Exported Log Files
  • Check Point NG Exported Log Files

Symptoms:

  • Reports are displaying inaccurate results.
  • Reports are missing data.
  • Bandwidth information is missing in reports.

Causes:

The log files analyzed are exported from the Check Point device via the user interface.

Reply:

Exporting Check Point log files can be done two different ways:

  • User interface
  • Command line

This is important, because exporting log files using these two methods will produce log files in two completely different formats.

Sample - Exported via User Interface:

"425" "6Feb2004" "0:01:12" "VPN-1 & FireWall-1" "eth000" "myfw" "Account" "Accept" "http" "10.1.1.1" "192.168.1.11" "tcp" "22" "1383" "" "segment_time: 6Feb2004 0:01:12; "
"426" "6Feb2004" "0:01:12" "VPN-1 & FireWall-1" "eth000" "myfw" "Log" "Drop" "snmp-read" "10.1.1.1" "255.255.255.255" "udp" "44" "3027" "" ""
"427" "6Feb2004" "0:03:53" "VPN-1 & FireWall-1" "eth000" "myfw" "Account" "Accept" "smtp" "10.1.1.1" "255.255.255.255" "tcp" "19" "3666" "" "segment_time: 6Feb2004 0:03:53; "
"428" "6Feb2004" "0:03:54" "VPN-1 & FireWall-1" "eth000" "myfw" "Log" "Accept" "domain-udp" "10.1.1.1" "192.168.1.1" "udp" "0" "1653" "" ""
"429" "6Feb2004" "0:03:54" "VPN-1 & FireWall-1" "eth000" "myfw" "Log" "Accept" "domain-udp" "10.1.1.1" "192.168.1.1" "udp" "0" "4227" "" ""
"430" "6Feb2004" "0:03:54" "VPN-1 & FireWall-1" "eth000" "myfw" "Log" "Accept" "domain-udp" "10.1.1.1" "10.1.2.2" "udp" "0" "1653" "" ""
"431" "6Feb2004" "0:03:55" "VPN-1 & FireWall-1" "eth000" "myfw" "Log" "Accept" "domain-udp" "10.1.1.1" "150.71.1.1" "udp" "0" "4905" "" ""
"432" "6Feb2004" "0:03:56" "VPN-1 & FireWall-1" "eth000" "myfw" "Log" "Drop" "nbdatagram" "10.1.1.1" "10.1.2.2" "udp" "44" "nbdatagram" "" ""
Sample - Exported via Command Line:

num;date;time;orig;type;action;alert;i/f_name;i/f_dir;product;log_sys_message;src;dst;proto;rule;service;s_port;icmp-type;icmp-code;Packet data size;Attack Info;attack;message;ip_id;ip_len;ip_offset;fragments_dropped;during_sec;TCP packet out of state;tcp_flags;xlatesrc;xlatedst;NAT_rulenum;NAT_addtnl_rulenum;xlatedport;xlatesport;message_info;sys_message:;DCE-RPC Interface UID
0;6Feb2004;23:59:32;Fw1;log;accept;;eth-s1p00;inbound;VPN-1 & FireWall-1;;10.1.1.1;192.168.1.1;udp;5;UDP-LDAP;3059;;;;;;;;;;;;;;;;;;;;;;
1;6Feb2004;23:59:32;Fw1;log;accept;;eth-s1p00;inbound;VPN-1 & FireWall-1;;10.1.1.1;192.168.1.1;udp;5;UDP-LDAP;3061;;;;;;;;;;;;;;;;;;;;;;
2;6Feb2004;23:59:32;Fw1;log;accept;;eth-s1p00;inbound;VPN-1 & FireWall-1;;10.1.1.1;192.168.1.1;udp;5;UDP-LDAP;3063;;;;;;;;;;;;;;;;;;;;;;
3;6Feb2004;23:59:32;Fw1;log;accept;;eth-s1p00;inbound;VPN-1 & FireWall-1;;10.1.1.1;209.1.1.1;tcp;35;https;1356;;;;;;;;;;;;;;;;;;;;;;
4;6Feb2004;23:59:33;Fw1;log;accept;;eth-s1p00;inbound;VPN-1 & FireWall-1;;10.1.1.1;192.168.4.4;udp;5;UDP-LDAP;3065;;;;;;;;;;;;;;;;;;;;;;
5;6Feb2004;23:59:33;Fw1;log;accept;;eth-s1p00;inbound;VPN-1 & FireWall-1;;10.1.1.1;10.1.2.2;udp;5;UDP-LDAP;3067;;;;;;;;;;;;;;;;;;;;;;
6;6Feb2004;23:59:33;Fw1;log;accept;;eth-s1p00;inbound;VPN-1 & FireWall-1;;10.1.1.1;192.68.12.1;udp;5;UDP-LDAP;3069;;;;;;;;;;;;;;;;;;;;;;

To successfully analyze an exported log file, it MUST be exported via the command line. For instructions on how to do this, see the following Trustwave Knowledgebase article:

Q10346: How do I export Check Point log files?

Once the log file has been exported, you should then be able to create a profile and analyze the log file to see an accurate report.
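As an added example, not code from the Trustwave article or from Security Reporting Center / Firewall Suite, the following Python script checks which of the two export formats a log file is in before it is handed to a profile. It accepts only the command-line format, whose first line names every field, and rejects the user-interface format, which has no header row and only unnamed positional fields. The samples are constructed from the article's lines; the detection rule (a first line beginning with "num;date;time;" versus a line of quoted, space-separated fields) is an assumption made here and is not documented by the article.

```python
"""Added example: gate Check Point log exports by format before analysis.

Not part of the Trustwave article; samples are constructed, modelled on the
article's two listings.
"""
import csv
import io
import shlex

# Constructed sample: GUI export modelled on the article's first listing.
# No header row; fields are double-quoted and separated by spaces.
GUI_SAMPLE = (
    '"425" "6Feb2004" "0:01:12" "VPN-1 & FireWall-1" "eth000" "myfw" "Account" '
    '"Accept" "http" "10.1.1.1" "192.168.1.11" "tcp" "22" "1383" "" '
    '"segment_time: 6Feb2004 0:01:12; "\n'
    '"426" "6Feb2004" "0:01:12" "VPN-1 & FireWall-1" "eth000" "myfw" "Log" '
    '"Drop" "snmp-read" "10.1.1.1" "255.255.255.255" "udp" "44" "3027" "" ""\n'
)

# Constructed sample: command-line export modelled on the article's second
# listing. The header line names every field; rows are semicolon-delimited.
CLI_HEADER = (
    "num;date;time;orig;type;action;alert;i/f_name;i/f_dir;product;"
    "log_sys_message;src;dst;proto;rule;service;s_port;icmp-type;icmp-code;"
    "Packet data size;Attack Info;attack;message;ip_id;ip_len;ip_offset;"
    "fragments_dropped;during_sec;TCP packet out of state;tcp_flags;xlatesrc;"
    "xlatedst;NAT_rulenum;NAT_addtnl_rulenum;xlatedport;xlatesport;"
    "message_info;sys_message:;DCE-RPC Interface UID"
)
CLI_ROWS = [
    "0;6Feb2004;23:59:32;Fw1;log;accept;;eth-s1p00;inbound;VPN-1 & FireWall-1;;"
    "10.1.1.1;192.168.1.1;udp;5;UDP-LDAP;3059",
    "3;6Feb2004;23:59:32;Fw1;log;accept;;eth-s1p00;inbound;VPN-1 & FireWall-1;;"
    "10.1.1.1;209.1.1.1;tcp;35;https;1356",
]
CLI_WIDTH = len(CLI_HEADER.split(";"))


def _pad(row: str, width: int) -> str:
    """Append empty fields so a constructed row matches the header width."""
    return row + ";" * (width - len(row.split(";")))


CLI_SAMPLE = "\n".join([CLI_HEADER] + [_pad(r, CLI_WIDTH) for r in CLI_ROWS]) + "\n"


def detect_format(text: str) -> str:
    """Classify an export by its first non-empty line (heuristic assumed here).

    "cli": semicolon-delimited with a header line, as the command line produces.
    "gui": quoted, space-separated, header-less, as the user interface produces.
    """
    first = next((ln for ln in text.splitlines() if ln.strip()), "")
    if first.startswith("num;date;time;"):
        return "cli"
    if first.startswith('"') and first.rstrip().endswith('"'):
        return "gui"
    return "unknown"


def parse_cli_export(text: str) -> list:
    """Parse a command-line export into one dict per record, keyed by header name."""
    return list(csv.DictReader(io.StringIO(text), delimiter=";"))


def parse_gui_export(text: str) -> list:
    """Split a GUI export into lists of fields; there is no header to name them."""
    return [shlex.split(ln) for ln in text.splitlines() if ln.strip()]


def check_export(text: str) -> dict:
    """Accept only exports whose fields are named; explain why others are rejected."""
    fmt = detect_format(text)
    if fmt == "cli":
        recs = parse_cli_export(text)
        return {"format": fmt, "ok": True, "records": len(recs),
                "fields": list(recs[0].keys()) if recs else []}
    if fmt == "gui":
        rows = parse_gui_export(text)
        width = len(rows[0]) if rows else 0
        return {"format": fmt, "ok": False, "records": len(rows),
                "reason": f"exported via the user interface: no header row, "
                          f"{width} unnamed positional fields; re-export from "
                          f"the command line (see Q10346)"}
    return {"format": fmt, "ok": False, "records": 0,
            "reason": "unrecognised export format"}


if __name__ == "__main__":
    for name, sample in (("gui", GUI_SAMPLE), ("cli", CLI_SAMPLE)):
        print(name, check_export(sample))
```

Running the script prints a rejection with the reason for the GUI sample and an acceptance listing the 39 named fields for the command-line sample. The design point is that a report can only be as accurate as the parser's knowledge of what each column means: the command-line header makes that explicit, while the GUI format leaves column meaning positional and, as the article's Notes say, dependent on device configuration.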

Notes:

You might not see the same fields in your log file, as they are dependent on how the Check Point device has been configured. This is just an example to show the differences between the formats.

This article was previously published as:
NETIQKB37602

Last Modified 4/10/2006.
https://support.trustwave.com/kb/KnowledgebaseArticle10694.aspx