fw log

Description

Shows the content of Check Point log files - Security ($FWDIR/log/*.log) or Audit ($FWDIR/log/*.adtlog).

Syntax

fw log {-h | -help}

fw [-d] log [-a] [-b "<Start Timestamp>" "<End Timestamp>"] [-c <Action>] [{-f | -t}] [-g] [-H] [-h <Origin>] [-i] [-k {<Alert Name> | all}] [-l] [-m {initial | semi | raw}] [-n] [-o] [-p] [-q] [-S] [-s "<Start Timestamp>"] [-e "<End Timestamp>"] [-u <Unification Scheme File>] [-w] [-x <Start Entry Number>] [-y <End Entry Number>] [-z] [-#] [<Log File>]

Parameters

Parameter	Description
`{-h \| -help}`	Shows the built-in usage. Note - The built-in usage does not show some of the parameters described in this table.
`-d`	Runs the command in debug mode. Use only if you troubleshoot the command itself. Note - If you use this parameter, then redirect the output to a file, or use the `script` command to save the entire CLI session.
`-a`	Shows only Account log entries.
`-b "<`Start Timestamp`>" "<`End Timestamp`>"`	Shows only entries that were logged between the specified start and end times. The `<`Start Timestamp`>` and `<`End Timestamp`>` may be a date, a time, or both. If date is omitted, then the command assumes the current date. Enclose the "`<`Start Timestamp`>"` and `"<`End Timestamp`>` in single or double quotes (`-b 'XX' 'YY"`, or `-b "XX" "YY`). You cannot use the "`-b`" parameter together with the "`-s`" or "`-e`" parameters. See the date and time format below.
`-c <`Action`>`	Shows only events with the specified action. One of these: `accept` `drop` `reject` `encrypt` `decrypt` `vpnroute` `keyinst` `authorize` `deauthorize` `authcrypt` `ctl` Notes: The `fw log` command always shows the Control (`ctl`) actions. For login action, use the `authcrypt`
`-e "<`End Timestamp`>"`	Shows only entries that were logged before the specified time. Notes: The `<`End Timestamp`>` may be a date, a time, or both. Enclose the `<`End Timestamp`>` in single or double quotes (`-e '...'`, or `-e "..."`). You cannot use the "`-e`" parameter together with the "`-b`" parameter. See the date and time format below.
`-f`	Shows the saved entries that match the specified conditions. After the command reaches the end of the currently opened log file, it continues to monitor the log file indefinitely and shows the new entries that match the specified conditions. Note - Applies only to active log file `$FWDIR/log/fw.log` or `$FWDIR/log/fw.adtlog`
`-g`	Does not show delimiters. The default behavior is: Show a colon (:) after a field name Show a semi-colon (;) after a field value
`-H`	Shows the High Level Log key.
`-h <`Origin`>`	Shows only logs that were generated by the Security Gateway with the specified IP address or object name (as configured in SmartConsole).
`-i`	Shows log UID.
`-k {<`Alert Name`> \| all}`	Shows entries that match a specific alert type: `<`Alert Name`>` - Show only entries that match a specific alert type: `alert` `mail` `snmp_trap` `spoof` `user_alert` `user_auth` `all` - Show entries that match all alert types (this is the default).
`-l`	Shows both the date and the time for each log entry. The default is to show the date only once above the relevant entries, and then specify the time for each log entry.
`-m`	Specifies the log unification mode: `initial` - Complete unification of log entries. The command shows one unified log entry for each ID. This is the default. If you also specify the `-f` parameter, then the output does not show any updates, but shows only entries that relate to the start of new connections. To shows updates, use the `semi` parameter. `semi` - Step-by-step unification of log entries. For each log entry, the output shows an entry that unifies this entry with all previously encountered entries with the same ID. `raw` - No log unification. The output shows all log entries.
`-n`	Does not perform DNS resolution of the IP addresses in the log file (this is the default behavior). This significantly speeds up the log processing.
`-o`	Shows detailed log chains - shows all the log segments in the log entry.
`-p`	Does not perform resolution of the port numbers in the log file (this is the default behavior). This significantly speeds up the log processing.
`-q`	Shows the names of log header fields.
`-S`	Shows the Sequence Number.
`-s "<`Start Timestamp`>"`	Shows only entries that were logged after the specified time. Notes: The `<`Start Timestamp`>` may be a date, a time, or both. If the date is omitted, then the command assumed the current date. Enclose the `<`Start Timestamp`>` in single or double quotes (`-s '...'`, or `-s "..."`). You cannot use the "`-s`" parameter together with the "`-b`" parameter. See the date and time format below.
`-t`	Does not show the saved entries that match the specified conditions. After the command reaches the end of the currently opened log file, it continues to monitor the log file indefinitely and shows the new entries that match the specified conditions. Note - Applies only to active log file `$FWDIR/log/fw.log` or `$FWDIR/log/fw.adtlog`
`-u <`Unification Scheme File`>`	Specifies the path and name of the log unification scheme file. The default log unification scheme file is: `$FWDIR/conf/log_unification_scheme.C`
`-w`	Shows the flags of each log entry (different bits used to specify the "nature" of the log - for example, control, audit, accounting, complementary, and so on).
`-x <`Start Entry Number`>`	Shows only entries from the specified log entry number and below, counting from the beginning of the log file.
`-y <`End Entry Number`>`	Shows only entries until the specified log entry number, counting from the beginning of the log file.
`-z`	In case of an error (for example, wrong field value), continues to show log entries. The default behavior is to stop.
`-#`	Show confidential logs in clear text.
`<`Log File`>`	Specifies the log file to read. If you do not specify the log file explicitly, the command opens the `$FWDIR/log/fw.log` log file. You can specify a switched log file.

Date and Time format

Part of timestamp	Format	Example
Date only	`MMM DD, YYYY`	`June 11, 2018`
Time only Note - In this case, the command assumes the current date.	`HH:MM:SS`	`14:20:00`
Date and Time	`MMM DD, YYYY HH:MM:SS`	`June 11, 2018 14:20:00`

Part of timestamp

Format

Example

Date only

MMM DD, YYYY

June 11, 2018

Time only

Note - In this case, the command assumes the current date.

HH:MM:SS

14:20:00

Date and Time

MMM DD, YYYY HH:MM:SS

June 11, 2018 14:20:00

Output

Each output line consists of a single log entry, whose fields appear in this format:

Note - The fields that show depends on the connection type.

HeaderDateHour ContentVersion HighLevelLogKey Uuid SequenceNum Flags Action Origin IfDir InterfaceName LogId ...

This table describes some of the fields:

Field Header	Description	Example
`HeaderDateHour`	Date and Time	`12Jun2018 12:56:42`
`ContentVersion`	Version	`5`
`HighLevelLogKey`	High Level Log Key	`<max_null>`, or empty
`Uuid`	Log UUID	`(0x5b1f99cb,0x0,0x3403a8c0,0xc0000000)`
`SequenceNum`	Log Sequence Number	`1`
`Flags`	Internal flags that specify the "nature" of the log - for example, control, audit, accounting, complementary, and so on	`428292`
`Action`	Action performed on this connection	`accept` `dropreject` `encrypt` `decrypt` `vpnroute` `keyinst` `authorize` `deauthorize` `authcrypt` `ctl`
`Origin`	Object name of the Security Gateway that generated this log	`MyGW`
`IfDir`	Traffic direction through interface: `<` - Outbound (sent by a Security Gateway) `>` - Inbound (received by a Security Gateway)	`<` `>`
`InterfaceName`	Name of the Security Gateway interface, on which this traffic was logged If a Security Gateway performed some internal action (for example, log switch), then the log entry shows `daemon`	`eth0` `daemon` `N/A`
`LogId`	Log ID	`0`
`Alert`	Alert Type	`alert` `mail` `snmp_trap` `spoof` `user_alert` `user_auth`
`OriginSicName`	SIC name of the Security Gateway that generated this log	`CN=MyGW,O=MyDomain_Server.checkpoint.com.s6t98x`
`inzone`	Inbound Security Zone	`Local`
`outzone`	Outbound Security Zone	`External`
`service_id`	Name of the service used to inspect this connection	`ftp`
`src`	Object name or IP address of the connection's source computer	`MyHost`
`dst`	Object name or IP address of the connection's destination computer	`MyFTPServer`
`proto`	Name of the connection's protocol	`tcp`
`sport_svc`	Source port of the connection	`64933`
`ProductName`	Name of the Check Point product that generated this log	`VPN-1 & FireWall-1` `Application Control` `FloodGate-1`
`ProductFamily`	Name of the Check Point product family that generated this log	`Network`

Example 1 - Show all log entries with both the date and the time for each log entry.

fw log -l

Example 2 - Show all log entries that start after the specified timestamp

[Expert@MyGW:0]# fw log -l -s "June 12, 2018 12:33:00"

12Jun2018 12:33:00 5 N/A 1 accept MyGW > N/A LogId: <max_null>; ContextNum: <max_null>; OriginSicName: CN=MyGW,O=MyDomain_Server.checkpoint.com.s6t98x; fg-1_client_in_rule_name: Default; fg-1_client_out_rule_name: Default; fg-1_server_in_rule_name: Host Redirect; fg-1_server_out_rule_name: ; ProductName: FG; ProductFamily: Network;

12Jun2018 12:33:39 5 N/A 1 drop MyGW < eth0 LogId: 0; ContextNum: <max_null>; OriginSicName: CN=MyGW,O=MyDomain_Server.checkpoint.com.s6t98x; inzone: Local; outzone: External; service_id: ftp; src: MyGW; dst: MyFTPServer; proto: tcp; UP_match_table: TABLE_START; ROW_START: 0; match_id: 2; layer_uuid: 4e26fc30-b345-4c96-b8d7-9db6aa7cdd89; layer_name: MyPolicy Network; rule_uid: 802020d9-5cdc-4c74-8e92-47e1b0eb72e5; rule_name: ; ROW_END: 0; UP_match_table: TABLE_END; UP_action_table: TABLE_START; ROW_START: 0; action: 0; ROW_END: 0; UP_action_table: TABLE_END; ProductName: VPN-1 & FireWall-1; svc: ftp; sport_svc: 64933; ProductFamily: Network;

... ... ...

[Expert@MyGW:0]#

Example 3 - Show all log entries between the specified timestamps

[Expert@MyGW:0]# fw log -l -b "June 12, 2018 12:33:00" 'June 12, 2018 12:34:00'

12Jun2018 12:33:45 5 N/A 1 ctl MyGW > LogId: <max_null>; ContextNum: <max_null>; OriginSicName: CN=MyGW,O=MyDomain_Server.checkpoint.com.s6t98x; description: Contracts; reason: Could not reach "https://productcoverage.checkpoint.com/ProductCoverageService". Check DNS and Proxy configuration on the gateway.; Severity: 2; status: Failed; version: 1.0; failure_impact: Contracts may be out-of-date; update_service: 1; ProductName: Security Gateway/Management; ProductFamily: Network;

[Expert@MyGW:0]#

Example 4 - Show all log entries with action "drop"

[Expert@MyGW:0]# fw log -l -c drop

[Expert@MyGW:0]#

Example 5 - Show all log entries with action "drop", show all field headers, and show log flags

[Expert@MyGW:0]# fw log -l -q -w -c drop

HeaderDateHour: 12Jun2018 12:33:39; ContentVersion: 5; HighLevelLogKey: <max_null>; LogUid: ; SequenceNum: 1; Flags: 428292; Action: drop; Origin: MyGW; IfDir: <; InterfaceName: eth0; Alert: ; LogId: 0; ContextNum: <max_null>; OriginSicName: CN=MyGW,O=MyDomain_Server.checkpoint.com.s6t98x; inzone: Local; outzone: External; service_id: ftp; src: MyGW; dst: MyFTPServer; proto: tcp; UP_match_table: TABLE_START; ROW_START: 0; match_id: 2; layer_uuid: 4e26fc30-b345-4c96-b8d7-9db6aa7cdd89; layer_name: MyPolicy Network; rule_uid: 802020d9-5cdc-4c74-8e92-47e1b0eb72e5; rule_name: ; ROW_END: 0; UP_match_table: TABLE_END; UP_action_table: TABLE_START; ROW_START: 0; action: 0; ROW_END: 0; UP_action_table: TABLE_END; ProductName: VPN-1 & FireWall-1; svc: ftp; sport_svc: 64933; ProductFamily: Network;

[Expert@MyGW:0]#

Example 6 - Show only log entries from 0 to 10 (counting from the beginning of the log file)

[Expert@MyGW:0]# fw log -l -x 0 -y 10

... ...

[Expert@MyGW:0]#