fw logswitch

Description

fw logswitch creates a new active Log File. The current active Log File is closed and renamed, by default to $FWDIR/log/<current_time_stamp>.log, unless you define an alternative name that is unique. The format of the default name <current_time_stamp>.log is YYYY-MM-DD_HHMMSS.log. For example: 2003-03-26_041200.log

Warning:

The new Log File that is created is given the default name $FWDIR/log/fw.log. Old Log Files are located in the same directory.

A Security Management server can use fw logswitch to change a Log File on a remote machine and transfer the Log File to the Security Management server. This same operation can be performed for a remote machine using fw lslogs and fw fetchlogs.

When a log file is sent to the Security Management server, the data is compressed.

Syntax

> fw logswitch [-audit] [<filename>]
> fw logswitch -h <host> [+<filename>|-<filename>]

| Parameter | Description |
|---|---|
| -audit | Does logswitch for the Security Management server audit file. This is relevant for local activation. |
| <filename> | The name of the file to which the log is saved. If no name is specified, a default name is provided. |
| -h <host> | The resolvable name or IP address of the remote machine (running either a Security Gateway or a Security Management server) on which the Log File is located. The Security Management server (on which the fw logswitch command is executed) must be defined as one of host's Security Management servers. In addition, you must initialize SIC between the Security Management server and the host. |
| + | Change a remote log and copy it to the local machine. |
| - | Change a remote log and move it to the local machine thereby deleting the log from the remote machine. |

Comments

Files are created in the $FWDIR/log directory on both the host and the Security Management server when the + or - parameters are specified. Note that if - is specified, the Log File on the host is deleted rather than renamed.

host specified:

host not specified:

Compression

When log files are transmitted from one machine to another, they are compressed using the zlib package, a standard package used in the Unix gzip command (see RFC 1950 to RFC 1952 for details). The algorithm is a variation of the LZ77 method.

The compression ratio varies with the content of the log records and is difficult to predict. Binary data are not compressed, but string data such as user names and URLs are compressed.
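
The following is an added example, not Check Point code, of the syntax above: a POSIX shell wrapper that picks a rotated-log name that is unique in the local $FWDIR/log and then calls fw logswitch, either locally or with -h and +/-. The function names, the host-name prefix on the file name, and the FW_CMD and STAMP override variables are assumptions made for illustration.

```shell
#!/bin/sh
# Added example; helper names, FW_CMD and STAMP are assumptions, not product features.

# unique_log_name DIR [PREFIX]
# Print [PREFIX_]YYYY-MM-DD_HHMMSS.log, adding _N if that name already exists
# in DIR, so the name handed to fw logswitch is unique on the local side.
unique_log_name() {
    dir=$1
    prefix=${2:+${2}_}
    stamp=${STAMP:-$(date +%Y-%m-%d_%H%M%S)}   # STAMP override is for testing
    name="${prefix}${stamp}.log"
    n=1
    while [ -e "$dir/$name" ]; do
        name="${prefix}${stamp}_${n}.log"
        n=$((n + 1))
    done
    printf '%s\n' "$name"
}

# rotate_log [HOST [MODE]]
# No HOST: switch the local log. With HOST: switch the log on HOST and copy (+)
# or move (-) it here. MODE defaults to + so the remote file is not deleted.
rotate_log() {
    host=$1
    mode=${2:-+}
    logdir="${FWDIR:?FWDIR is not set}/log"
    name=$(unique_log_name "$logdir" "$host")
    if [ -z "$host" ]; then
        ${FW_CMD:-fw} logswitch "$name"
        return
    fi
    case $mode in
        "+"|"-") ${FW_CMD:-fw} logswitch -h "$host" "${mode}${name}" ;;
        *) echo "rotate_log: MODE must be + or -" >&2; return 2 ;;
    esac
}

# Usage (on a Security Management server with SIC established to the host):
#   rotate_log                 # local switch
#   rotate_log gw1.example +   # remote switch, copy the file here
```

The uniqueness check covers only the local $FWDIR/log; when + or - is used, a file is also created on the remote host, which this wrapper does not inspect.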