Title: RE: Checkpoint log forwarding.
I have cracked it; here is the solution.
First, thanks to Lance Spitzner's excellent site here http://www.enteract.com/~lspitz, which helped me immensely with the script side of things and also the service logic.
 
Firstly, modify the User defined rule to run your script (/usr/local/bin/custom_log or whatever).
Now modify your syslog.conf to send whatever trap you desire to an external syslog host (local1.*   @192.168.0.1).
Now the hard part: copy the script below to the file set up in step 1.
Lastly, modify the script as you see fit; it should be fairly easy to work out.
 
Hope this helps someone else.
 
Regards,
Luke Butcher
Em: [EMAIL PROTECTED]
 
----- Code Excerpt below -----
#!/bin/sh

# Restrict permissions on anything we create (the original line was
# "umask=177", which only sets a shell variable and never changes the umask)
umask 177
PATH=/bin:/usr/bin:/sbin:/usr/sbin:/usr/local/bin
export PATH

# Scratch file holding the alert text handed to us on stdin
message=/tmp/.message_$$
if [ -f "$message" ]; then
  rm -f "$message"
fi

# Clean up the scratch file if we are interrupted
trap "rm -f $message ; exit 5" 1 2 15

# Keep only the last line of the alert text
cat - | tail -1 > "$message"

src_ip=`awk '{print $10}' "$message"`
dst_ip=`awk '{print $12}' "$message"`

### Determine service (check some variables first)
# NAT entries carry "(Valid Address)", which shifts the service field by two;
# icmp entries spell the service out over four fields
nat_check=`grep -c "(Valid Address)" "$message"`
icmp_check=`grep -c " icmp " "$message"`

if [ "$nat_check" -eq 0 ]; then
  if [ "$icmp_check" -eq 0 ]; then
    service=`awk '{print $14}' "$message"`
  else
    service=`awk '{print $15,$16,$17,$18}' "$message"`
  fi
else
  if [ "$icmp_check" -eq 0 ]; then
    service=`awk '{print $16}' "$message"`
  else
    service=`awk '{print $17,$18,$19,$20}' "$message"`
  fi
fi

# Send the stuff to the logs (quoted so it reaches syslog as one message)
/bin/logger -p local1.debug "$src_ip to $dst_ip: $service"

# Done!
rm -f "$message"
exit 0

--8x-- some snipping --8x-- 
> > -----Original Message-----
> > To: [EMAIL PROTECTED]
> > Subject: Checkpoint log forwarding.
> >
> > I have had a look at phone boy, and haven't turned up the answer so I thought I'd post here.
> >
> > I'm looking to forward logs to a central server, I have syslog successfully running on this server.
> >
> > I modified the Checkpoint box (nokia) to forward all local1.* rules to it (@10.0.0.1)
> > re-hupped and tested:
> >   logger -p local1.info This is a test
> >
> > Works perfectly, I then set up a User defined rule as:
> >   $FWDIR/bin/logger -p local1.info Test2
> > and applied this to a test rule:
> >   on echo request from my PC to the FW pass and do user defined alert.
> >
> > Works a treat, the problem I have is this - I would like a more informative message to be passed to syslog. Ideally $_ (to use a Perl syntax). But at least the rule that tripped the alert and maybe the src address etc.
> >
> > Is there any information about variables that can be used in User defined rules? This facility has great potential but without this sort of thing is next to useless.
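
As an added example that is not part of Luke's post or of any Check Point tool, here is the same forwarding logic with the field parsing in one function that can be tested on sample lines, and without a fixed-name scratch file under /tmp (a predictable /tmp/.message_$$ is open to symlink and clobbering races). The field positions are taken from the script above; the sample log lines and the fw-alert syslog tag are constructed assumptions, not real Check Point output.

```shell
#!/bin/sh
# Added example, not the poster's script: alert-to-syslog forwarding with the
# parsing in one testable function and no fixed-name file under /tmp.
# Field positions (src $10, dst $12, service $14, shifted by two when
# "(Valid Address)" is present, four fields for icmp) follow the original.
# The sample lines are constructed, not real Check Point output.

# format_alert LINE: print "SRC to DST: SERVICE" for one log line.
format_alert() {
    printf '%s\n' "$1" | awk '
    {
        nat  = (index($0, "(Valid Address)") > 0) ? 2 : 0
        icmp = (index($0, " icmp ") > 0)
        need = icmp ? 18 + nat : 14 + nat
        if (NF < need) {              # too short for this layout: pass it raw
            print "unparsed alert: " $0
            next
        }
        if (icmp) {
            s = 15 + nat
            service = $s " " $(s + 1) " " $(s + 2) " " $(s + 3)
        } else {
            service = $(14 + nat)
        }
        printf "%s to %s: %s\n", $10, $12, service
    }'
}

# forward_alert: Check Point pipes the alert to the script's stdin; keep the
# last line as the original does and hand the quoted message to syslog.
forward_alert() {
    last=$(tail -1)
    logger -p local1.debug -t fw-alert "$(format_alert "$last")"
}

# Constructed sample lines laid out to match the field positions above.
SAMPLE_TCP='12Mar2001 10:15:02 accept fw1 >eth0 rule: 5 proto: tcp 10.0.0.5 to 192.168.1.20 service: http len: 60'
SAMPLE_ICMP='12Mar2001 10:15:03 accept fw1 >eth0 rule: 7 proto: icmp 10.0.0.5 to 192.168.1.20 service: icmp icmp-type: 8 icmp-code: 0'
SAMPLE_NAT='12Mar2001 10:15:04 accept fw1 >eth0 rule: 5 proto: tcp 10.0.0.5 to 192.168.1.20 (Valid Address) service: http len: 60'
```

To use it as the User defined alert script, append a line calling `forward_alert` at the bottom, or pipe a line through `format_alert` by hand to check the field layout against your own log format first.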