awk weekly - how to see Checkpoint logs on command line
Until recently I had never had any need to work with Checkpoint log files without SmartView Tracker. But there is always first time . Client complained on some dropped mail traffic and to even say if there is any problem or not I had to look at relevant logs, not a big deal except that I had only ssh access to the firewall . Checkpoint provided for such cases fw log log extracting utility that reads the binary log file (fw.log by default) you feed and outputs it in human-readable format. That’s good, but its filtering possibilities are quite bad . You can see all available options with fw log –h, but selection is limited to source, start/end time,action (drop/reject/etc) . No port or direction filtering . And specifically it was a busy firewall – some 80 mbytes of traffic passing at any given moment and log is the default action on all rules. So using fw log filters would help me not.
Here is how I solved this with the help of awk:
- I exported to text format file all logs using:
# fw log -n> fw_log.txt &
Note –n option to fw log here – it prevents resolving IP/ports to names , which shortens processing time by ~70%.
- Then I just used all-powerful awk to search the text file to show the client what was the reason (Exchange in LAN was sending heaps of spam that Anti-Spam stopped at its best but nevertheless some spam leaked and caused RBL blocking of the external Checkpoint firewall IP) :
[Expert@Orlean] # awk '/Anti Spam/ && /Internal to External/' fw_log.txt | awk -F: ' {print $5 $6}'
192.168.143.12; dst 65.55.37.88; proto
192.168.143.12; dst 65.55.92.136; proto
192.168.143.12; dst 65.55.92.136; proto
192.168.143.12; dst 203.216.247.184; proto
Here:
External, Internal - UTM appliance interface names and direction of the Anti-Spam scanning.
NOTE: exporting logs from binary to text takes a bit of time, depends on situation. Enabling name resolving sky-rocketed the processing time to 15 minutes , but on the other hand gave some additional insight :
Exchange; dst col0-mc2-f.col0.hotmail.com; proto
Exchange; dst mx1.hotmail.com; proto
Exchange; dst mx1.hotmail.com; proto
Exchange; dst mta19.mail.vip.tnz.yahoo.co.jp; proto
Exchange; dst bay0-mc2-f.bay0.hotmail.com; proto
Exchange; dst mx3.hotmail.com; proto
Follow me on https://www.linkedin.com/in/yurislobodyanyuk/ not to miss what I publish on Linkedin, Github, blog, and more.