Hi all,

I am trying to report all actions made by some CheckPoint firewalls. After adjusting my decoder, I am trying to write some rules to match all logged firewall actions like Drop, Accept, Session Auth, etc.

For example, to report all drops, I have written this rule:

    <group name="cpfirewall,">
      <rule id="100100" level="0">
        <description>CheckPoint Firewall-1 rules grouped.</description>
      </rule>

      <rule id="100101" level="5">
        <if_sid>100100</if_sid>
        <action>Drop</action>
        <description>CheckPoint Firewall-1 drop action event.</description>
        <group>cpfirewall,drop,</group>
      </rule>
    </group>

Testing one rule:

    **Phase 1: Completed pre-decoding.
           full event: '"294" "28Feb2012" "23:59:14" "Lan2" "CHCKPNT1" "Log" "Drop" "nbname" "nbname" "192.168.1.5" "192.168.1.255" "udp" "" "" "" "" "message_info: Address spoofing" "VPN-1 Power/UTM" "" ""'
           hostname: 'cosclunode02'
           program_name: '(null)'
           log: '"294" "28Feb2012" "23:59:14" "Lan2" "FW-INT-CHCKPNT1" "Log" "Drop" "nbname" "nbname" "192.168.1.5" "192.168.1.255" "udp" "" "" "" "" "message_info: Address spoofing" "VPN-1 Power/UTM" "" ""'

    **Phase 2: Completed decoding.
           decoder: 'custom-checkpoint-fw'
           action: 'Drop'
           srcip: '192.168.1.5'
           dstip: '192.168.1.255'
           proto: 'udp'
           extra_data: 'message_info: Address spoofing'

    **Phase 3: Completed filtering (rules).
           Rule id: '100100'
           Level: '0'
           Description: 'CheckPoint Firewall-1 rules grouped.'

After this, I have run an ossec-reportd test:

    [root@ossecsrv rules]# cat /data/config/logs/cp.logs | /data/ossec/slave/bin/ossec-reportd -f level 5
    2012/03/05 09:11:08 ossec-reportd: INFO: Started (pid: 25097).
    2012/03/05 09:11:15 ossec-reportd: INFO: Report completed and zero alerts post-filter ...

and:

    [root@ossecsrv rules]# cat /data/config/logs/cp.logs | /data/ossec/slave/bin/ossec-reportd -f group cpfirewall
    2012/03/05 09:12:10 ossec-reportd: INFO: Started (pid: 25097).
    2012/03/05 09:12:50 ossec-reportd: INFO: Report completed and zero alerts post-filter ...

and:

    [root@ossecsrv rules]# cat /data/config/logs/cp.logs | /data/ossec/slave/bin/ossec-reportd -f group cpfirewall_drop
    2012/03/05 09:13:45 ossec-reportd: INFO: Started (pid: 25097).
    2012/03/05 09:14:10 ossec-reportd: INFO: Report completed and zero alerts post-filter ...

but it doesn't work ... What am I doing wrong??
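The following is an added example, not code from the post above or from OSSEC. It parses the quoted-field CheckPoint export layout shown in the post into the same decoder fields the Phase 2 output lists (action, srcip, dstip, proto, extra_data), runs a small parent/child matcher modelled on the posted rules (100100 as the level-0 parent, 100101 as the Drop child, plus a hypothetical 100102 Accept child added here), and then filters the resulting alerts by level or group the way a report does. The field positions are an assumption read off the single sample line in the post, and the extra sample lines are constructed. Its purpose is to let you confirm, outside the OSSEC pipeline, that the decoder's field layout and the rule's `<action>` value actually line up for every action you expect to report on.

```python
import re
from collections import Counter

# Positions are an ASSUMPTION derived from the one sample line in the post;
# the names are the decoder fields shown in its Phase 2 output.
FIELD_POSITIONS = {"action": 6, "srcip": 9, "dstip": 10, "proto": 11, "extra_data": 16}
QUOTED = re.compile(r'"([^"]*)"')

# Rules modelled on the post: 100100 is the level-0 parent, 100101 the Drop
# child.  100102 is a HYPOTHETICAL Accept child added here for illustration.
RULES = [
    {"id": 100100, "level": 0, "if_sid": None,   "action": None,     "groups": {"cpfirewall"}},
    {"id": 100101, "level": 5, "if_sid": 100100, "action": "Drop",   "groups": {"cpfirewall", "drop"}},
    {"id": 100102, "level": 3, "if_sid": 100100, "action": "Accept", "groups": {"cpfirewall", "accept"}},
]

# Constructed sample input: the Drop line from the post, plus an Accept line,
# a Reject line (no child rule, so it falls back to the parent) and a malformed line.
SAMPLE_LOG = [
    '"294" "28Feb2012" "23:59:14" "Lan2" "CHCKPNT1" "Log" "Drop" "nbname" "nbname" "192.168.1.5" '
    '"192.168.1.255" "udp" "" "" "" "" "message_info: Address spoofing" "VPN-1 Power/UTM" "" ""',
    '"295" "28Feb2012" "23:59:20" "Lan2" "CHCKPNT1" "Log" "Accept" "http" "80" "192.168.1.10" '
    '"10.0.0.5" "tcp" "" "" "" "" "" "VPN-1 Power/UTM" "" ""',
    '"296" "28Feb2012" "23:59:31" "Lan2" "CHCKPNT1" "Log" "Reject" "ssh" "22" "192.168.1.7" '
    '"10.0.0.9" "tcp" "" "" "" "" "" "VPN-1 Power/UTM" "" ""',
    "this line has no quoted fields and must be skipped",
]


def parse_cp_line(line):
    """Split a quoted-field export line into the decoder fields; None if too short."""
    fields = QUOTED.findall(line)
    if len(fields) <= max(FIELD_POSITIONS.values()):
        return None
    return {name: fields[pos] for name, pos in FIELD_POSITIONS.items()}


def match_rules(event):
    """Parent-then-child matching: a child only fires if its if_sid parent fired
    and its action (when set) equals the decoded action.  The most specific
    (last) matching rule wins, as with OSSEC's rule tree."""
    matched = []
    for rule in RULES:
        if rule["if_sid"] is not None and rule["if_sid"] not in {r["id"] for r in matched}:
            continue
        if rule["action"] is not None and rule["action"] != event["action"]:
            continue
        matched.append(rule)
    return matched[-1] if matched else None


def report(lines, min_level=0, group=None):
    """Return (rule_id, event) pairs that survive the level/group filter."""
    alerts = []
    for line in lines:
        event = parse_cp_line(line)
        if event is None:
            continue
        rule = match_rules(event)
        if rule is None or rule["level"] < min_level:
            continue
        if group is not None and group not in rule["groups"]:
            continue
        alerts.append((rule["id"], event))
    return alerts


def summarize(alerts):
    """Count alerts per action and list the busiest source/destination pairs."""
    by_action = Counter(event["action"] for _, event in alerts)
    pairs = Counter((event["srcip"], event["dstip"]) for _, event in alerts)
    return {"by_action": dict(by_action), "top_pairs": pairs.most_common(3)}


if __name__ == "__main__":
    for label, kwargs in (("all", {}), ("level>=5", {"min_level": 5}), ("group=drop", {"group": "drop"})):
        alerts = report(SAMPLE_LOG, **kwargs)
        print(label, [rid for rid, _ in alerts], summarize(alerts)["by_action"])
```

If a line that should be a Drop comes back from `match_rules` as the level-0 parent only, the action string the parser produced differs from the value in the child rule (case, trailing space, wrong column), which is exactly the symptom of a Phase 3 result stopping at the parent rule.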