fw log

Description

fw log displays the content of Log files.

Syntax

> fw log [-f [-t]] [-n] [-l] [-o] [-c <action>] [-h <host>] [-s <starttime>] [-e <endtime>] [-b <starttime> <endtime>] [-u <unification_scheme_file>] [-m {initial|semi|raw}] [-a] [-k {alert_name|all}] [-g] [logfile]

Parameter

Description

-f [-t]

After reaching the end of the currently displayed file, do not exit (the default behavior), but continue to monitor the Log file indefinitely and display it while it is being written.

The -t parameter indicates that the display is to begin at the end of the file, in other words, the display will initially be empty and only new records added later will be displayed.

-t must come with a -f flag. These flags are relevant only for active files.

-n

Do not perform DNS resolution of the IP addresses in the Log file (by default, addresses are resolved to names). This option significantly speeds up processing.

-l

Display both the date and the time for each log record (the default is to show the date only once above the relevant records, and then specify the time per log record).

-o

Show detailed log chains (all the log segments a log record consists of).

-c <action>

Display only events whose action is the specified <action>: one of accept, drop, reject, authorize, deauthorize, encrypt or decrypt. Control actions are always displayed.

-h <host>

Display only log records whose origin is the specified IP address or host name.

-s <starttime>

Display only events that were logged after the specified time (see time format below). starttime may be a date, a time, or both. If date is omitted, then today's date is assumed.

-e <endtime>

Display only events that were logged before the specified time (see time format below). endtime may be a date, a time, or both.

-b <starttime> <endtime>

Display only events that were logged between the specified start and end times (see time format below), each of which may be a date, a time, or both. If date is omitted, then today's date is assumed. The start and end times are expected after the flag.

-u <unification_scheme_file>

Unification scheme file name.

-m

This flag specifies the unification mode.

  • initial - the default mode, specifying complete unification of log records; that is, output one unified record for each id.
    When used together with -f, no updates are displayed, only entries relating to the start of new connections. To display updates, use the semi parameter.
  • semi - step-by-step unification, that is, for each log record, output a record that unifies this record with all previously-encountered records with the same id.
  • raw - output all records, with no unification.

-a

Output account log records only.

-k {<alert_name>|all}

Display only events that match a specific alert type. The default is all, for any alert type.

-g

Do not use a delimited style. The default is:

  • : after field name
  • ; after field value

logfile

Use logfile instead of the default Log file. The default Log File is $FWDIR/log/fw.log.

The full date and time format is: MMM DD, YYYY HH:MM:SS. For example: May 26, 1999 14:20:00

It is also possible to specify the date only, in the format MMM DD, YYYY, or the time only, in the format HH:MM:SS. When only a time is specified, the current date is assumed. Because the full format contains spaces, quote it when passing it to -s, -e or -b.

Example

> fw log
> fw log | more
> fw log -c reject
> fw log -s "May 26, 1999"
> fw log -f -s 16:00:00

Output

[<date>] <time> <action> <origin> <interface dir and name> [alert] [field name: field value;] ...

Each output line consists of a single log record, whose fields appear in the format shown above.

Example Output

14:56:39 reject jam.checkpoint.com >daemon alert src: veredr.checkpoint.com;
dst: jam.checkpoint.com; user: a; rule: 0; reason: Client Encryption: Access
denied - wrong user name or password ; scheme: IKE; reject_category:
Authentication error; product: Security Gateway

14:57:49 authcrypt jam.checkpoint.com >daemon src: veredr.checkpoint.com;
user: a; rule: 0; reason: Client Encryption: Authenticated by Internal
Password; scheme: IKE; methods: AES-256,IKE,SHA1; product: Security Gateway;

14:57:49 keyinst jam.checkpoint.com >daemon src: veredr.checkpoint.com;
peer gateway: veredr.checkpoint.com; scheme: IKE; IKE: Main Mode completion.;
CookieI: 32f09ca38aeaf4a3; CookieR: 73b91d59b378958c; msgid: 47ad4a8d; methods:
AES-256 + SHA1, Internal Password; user: a; product: Security Gateway;
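The output format above is regular enough to parse without -g, but two details trip up naive splitting: field values may themselves contain a colon (the reason field in the first record), and pasted or paged output is often wrapped across display lines. The following is an added example, not Check Point code, that reassembles wrapped records, parses the fixed header tokens and the name: value; fields, and then picks out VPN client authentication failures (reject records with reject_category: Authentication error). The sample input is the Example Output from this page plus one constructed accept record carrying a date prefix as produced by -l; the date prefix form (MMM DD, YYYY) and the <eth0 interface marker in that record are assumptions, not documented output.

```python
"""Parse `fw log` default-style output and flag authentication failures.

Added example (not Check Point's code). Record grammar follows the Output
line documented for fw log:
  [<date>] <time> <action> <origin> <interface dir and name> [alert] [field name: field value;] ...
Assumptions: the optional date prefix uses the MMM DD, YYYY form, and a
line that does not begin with a timestamp is a wrapped continuation of
the previous record.
"""
import re
from typing import Dict, List

RECORD_START = re.compile(
    r"^(?:(?P<date>[A-Z][a-z]{2} \d{1,2}, \d{4}) )?"  # optional date (e.g. with -l)
    r"(?P<time>\d{2}:\d{2}:\d{2}) "
    r"(?P<action>\S+) "
    r"(?P<origin>\S+) "
    r"(?P<ifdir>[<>])(?P<ifname>\S*)"                 # direction marker + interface/daemon
    r"(?P<alert> alert)?"                             # present only for alert records
    r"\s*(?P<fields>.*)$"
)

# Constructed sample: the three records from this page's Example Output, wrapped
# as displayed, plus one made-up accept record with a date prefix.
SAMPLE = """\
14:56:39 reject jam.checkpoint.com >daemon alert src: veredr.checkpoint.com;
dst: jam.checkpoint.com; user: a; rule: 0; reason: Client Encryption: Access
denied - wrong user name or password ; scheme: IKE; reject_category:
Authentication error; product: Security Gateway

14:57:49 authcrypt jam.checkpoint.com >daemon src: veredr.checkpoint.com;
user: a; rule: 0; reason: Client Encryption: Authenticated by Internal
Password; scheme: IKE; methods: AES-256,IKE,SHA1; product: Security Gateway;

14:57:49 keyinst jam.checkpoint.com >daemon src: veredr.checkpoint.com;
peer gateway: veredr.checkpoint.com; scheme: IKE; IKE: Main Mode completion.;
CookieI: 32f09ca38aeaf4a3; CookieR: 73b91d59b378958c; msgid: 47ad4a8d; methods:
AES-256 + SHA1, Internal Password; user: a; product: Security Gateway;

May 26, 1999 14:58:02 accept jam.checkpoint.com <eth0 src: 10.0.0.5; dst: 10.0.0.9; rule: 3; product: Security Gateway;
"""


def _join_wrapped(text: str) -> List[str]:
    """Reassemble records that were wrapped across display lines."""
    records: List[str] = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if RECORD_START.match(line) or not records:
            records.append(line)
        else:
            records[-1] += " " + line
    return records


def _parse_fields(blob: str) -> Dict[str, str]:
    """Split 'name: value;' pairs. Values may contain ':' (see the reason
    field), so split on ';' first and only then on the first ':'."""
    fields: Dict[str, str] = {}
    for chunk in blob.split(";"):
        chunk = chunk.strip()
        if not chunk or ":" not in chunk:
            continue
        name, value = chunk.split(":", 1)
        fields[name.strip()] = value.strip()
    return fields


def parse_fw_log(text: str) -> List[dict]:
    """Return one dict per log record; lines that are not records are skipped."""
    out: List[dict] = []
    for raw in _join_wrapped(text):
        m = RECORD_START.match(raw)
        if not m:
            continue
        out.append({
            "date": m.group("date"),
            "time": m.group("time"),
            "action": m.group("action"),
            "origin": m.group("origin"),
            "ifdir": m.group("ifdir"),
            "ifname": m.group("ifname"),
            "alert": m.group("alert") is not None,
            "fields": _parse_fields(m.group("fields")),
        })
    return out


def auth_failures(records: List[dict]) -> List[dict]:
    """Rejects whose reject_category is 'Authentication error'."""
    return [r for r in records
            if r["action"] == "reject"
            and r["fields"].get("reject_category") == "Authentication error"]


if __name__ == "__main__":
    for r in auth_failures(parse_fw_log(SAMPLE)):
        print(r["time"], r["fields"].get("user"), r["fields"].get("src"), r["fields"].get("reason"))
```

In practice feed it the output of fw log -c reject (or fw log -f for a live feed); records with the same id across unification modes still parse the same way, since only the field set changes.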