Why do I get strange results when I try to open my Checkpoint log files?


This article applies to:

  • Firewall Suite 4.1x
  • Security Reporting Center 2.1x

Question:

  • Why do I get strange results when I try to open my Checkpoint log files?
  • How do I export Check Point log files into an ASCII text file?

Causes:

This issue is a result of exporting the log files from the GUI. The log files need to be exported via the command line.

Information:

Exporting Check Point Logs

Check Point stores log files in a proprietary binary format that is not directly accessible. In order to analyze these files and create reports, you must export them to an ASCII text file using the log export utility supplied by Check Point.

Check Point maintains two types of log files: fw.log and fw.alog.

  • The fw.log file contains all the information required for reports, except for bandwidth data. 
  • The fw.alog file contains bandwidth data.

When you create the Check Point security policy, set the tracking option to create .log files, or to create both .log and .alog files.

Note: Always use the command line to export Check Point log files. Security Reporting Center cannot parse data that has been exported using the Check Point user interface.

To export Check Point log files:

  1. On the computer where the firewall is installed, open a command prompt.
  2. Switch to the folder where the fw.exe file is located.
    • For version 4.0: \winnt\fw\bin

    • For version 4.1: \winnt\fw1\4.1\bin

  3. Export the log files:
    • To export the fw.log file, type:
      fw logexport -d ; -i fw.log -o log_path\fw.log

    • To export the fw.alog file, type:
      fw logexport -d ; -i fw.alog -o log_path\fw.alog

Make sure that Security Reporting Center can access the log files. Either map a drive to the firewall from the computer running Security Reporting Center, or copy the log files to another computer accessible to Security Reporting Center.

This article was previously published as:
NETIQKB40349

Last Modified 4/10/2006.
https://support.trustwave.com/kb/KnowledgebaseArticle10947.aspx