awk weekly – how to see Checkpoint logs on command line

Hey Everyone, I decided to start a weekly column of awk scripting where I will bring interesting (I am being subjective, I know) short scripts that made my life easier in dealing with actual problems in the wild, or that just look cool.

Until recently I had never had any need to work with Checkpoint log files without SmartView Tracker, namely on the command line. But there is always a first time. A client complained about some dropped mail traffic, and to even say whether there was a problem or not I had to look at the relevant logs. Not a big deal, except that I had only ssh access to the firewall. For such cases Checkpoint provides the fw log command line utility, which reads the binary log file you feed it (fw.log by default) and outputs it in human-readable format. That's good, but its filtering possibilities are quite bad. You can see all available options with fw log -h, but selection is limited to source, start/end time and action (drop/reject/etc). Not that much, to say the least: no port or direction filtering. And this was a very busy firewall, some 80 MB of traffic passing through at any given moment, with log as the default action on every rule. So the fw log filters would not help me.
Here is how I solved this with the help of awk. First I exported all logs to text format using:

# fw log -n> fw_log.txt &

Note the -n option to fw log here: it prevents resolving IPs/ports to names, which shortens processing time by ~70%.
Then I just used all-powerful awk to search the text file and show the client what the reason was (the Exchange server in the LAN was sending heaps of spam; Anti-Spam stopped it as best it could, but some spam nevertheless leaked out and caused RBL blocking of the external firewall IP):

[Expert@Orlean] # awk '/Anti Spam/ && /Internal to External/' fw_log.txt | awk -F: '{print $5 $6}'
192.168.143.12; dst 65.55.37.88; proto
192.168.143.12; dst 65.55.92.136; proto
192.168.143.12; dst 65.55.92.136; proto
192.168.143.12; dst 203.216.247.184; proto

Here:
External, Internal: UTM appliance interface names and the direction of the Anti-Spam scanning.
NOTE: exporting logs from binary to text takes a bit of time, depending on the situation. Enabling name resolving sky-rocketed the processing time to 15 minutes, but on the other hand gave some additional insight:

Exchange; dst col0-mc2-f.col0.hotmail.com; proto
Exchange; dst mx1.hotmail.com; proto
Exchange; dst mx1.hotmail.com; proto
Exchange; dst mta19.mail.vip.tnz.yahoo.co.jp; proto
Exchange; dst bay0-mc2-f.bay0.hotmail.com; proto
Exchange; dst mx3.hotmail.com; proto
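The one-liner above picks src and dst by field position (-F: and $5 $6), which breaks as soon as a log entry carries a different number of fields before src. The following is an added example, not from the original post or from Checkpoint, showing the same Anti-Spam / Internal-to-External filter but pulling src and dst out of the "key: value;" pairs by name, plus a per-destination count to see which mail providers the leaked spam was reaching. The log lines are constructed samples loosely modelled on the "key: value;" layout seen in the fw log output above, not real firewall output; the functions spam_pairs and spam_count_by_dst are my own names.

```shell
#!/bin/sh
# Added example (not from the original post): filter Checkpoint "fw log -n"
# style text output with awk and extract src/dst by key name, not position.

# Constructed sample lines, loosely modelled on the "key: value;" pairs that
# fw log prints. They are not real firewall output.
SAMPLE_LOG='10Oct2010 09:01:12 drop 10.0.0.1 >External rule: 7; src: 192.168.143.12; dst: 65.55.37.88; proto: tcp; service: smtp; product: Anti Spam; direction: Internal to External;
10Oct2010 09:01:13 accept 10.0.0.1 >Internal rule: 3; src: 192.168.143.50; dst: 8.8.8.8; proto: udp; service: domain; product: Firewall;
10Oct2010 09:01:14 drop 10.0.0.1 >External rule: 7; src: 192.168.143.12; dst: 65.55.92.136; proto: tcp; service: smtp; product: Anti Spam; direction: Internal to External;
10Oct2010 09:01:15 drop 10.0.0.1 >External rule: 7; src: 192.168.143.12; dst: 65.55.92.136; proto: tcp; service: smtp; product: Anti Spam; direction: Internal to External;
10Oct2010 09:01:16 drop 10.0.0.1 >Internal rule: 7; src: 203.0.113.9; dst: 192.168.143.12; proto: tcp; service: smtp; product: Anti Spam; direction: External to Internal;'

# spam_pairs: print "src dst" for every Anti Spam entry scanned Internal to
# External. Reads log text from stdin, so it works on the sample above or on
# a real fw_log.txt (e.g. spam_pairs < fw_log.txt).
spam_pairs() {
  awk '
    /Anti Spam/ && /Internal to External/ {
      src = ""; dst = ""
      # split the record into "key: value" pairs on the semicolon separator
      n = split($0, pair, "; *")
      for (i = 1; i <= n; i++) {
        if (pair[i] ~ /^src: /) { sub(/^src: /, "", pair[i]); src = pair[i] }
        if (pair[i] ~ /^dst: /) { sub(/^dst: /, "", pair[i]); dst = pair[i] }
      }
      # only emit complete pairs; a line missing either key is skipped
      if (src != "" && dst != "") print src, dst
    }'
}

# spam_count_by_dst: count hits per external destination, most hit first.
# This is what tells you which mail providers saw the leaked spam.
spam_count_by_dst() {
  spam_pairs | awk '{ c[$2]++ } END { for (d in c) print c[d], d }' | sort -rn
}

printf '%s\n' "$SAMPLE_LOG" | spam_pairs
printf '%s\n' "$SAMPLE_LOG" | spam_count_by_dst
```

Because spam_pairs reads stdin, the same function runs unchanged over the exported fw_log.txt; on a busy box pipe through the filter once and save the result rather than re-running awk over the whole export for each question.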
