
fwm logexport

Description

Exports a Security log file ($FWDIR/log/*.log) or an Audit log file ($FWDIR/log/*.adtlog) to an ASCII file.

Note - On Multi-Domain Server, you must run this command in the context of the applicable Domain Management Server (mdsenv <IP Address or Name of Domain Management Server>).

Syntax

fwm logexport -h

fwm [-d] logexport [{-d <Delimiter> | -s}] [-t <Table Delimiter>] [-i <Input File>] [-o <Output File>] [{-f | -e}] [-x <Start Entry Number>] [-y <End Entry Number>] [-z] [-n] [-p] [-a] [-u <Unification Scheme File>] [-m {initial | semi | raw}]

Parameters

Item - Description

-d

Runs the command in debug mode.

Use only if you troubleshoot the command itself.

For complete debug instructions, see the description of the fwm process in sk97638.

-d <Delimiter> | -s

Specifies the output delimiter between fields of log entries:

  • -d <Delimiter> - Uses the specified delimiter.
  • -s - Uses the ASCII character #255 (non-breaking space) as the delimiter.

Note - If you do not specify the delimiter explicitly, the default is a semicolon (;).

-t <Table Delimiter>

Specifies the output delimiter between the cells of a table field.

A table field looks like this:

ROWx:COL0,ROWx:COL1,ROWx:COL2 and so on

Note - If you do not specify the table delimiter explicitly, the default is a comma (,).

-i <Input File>

Specifies the name of the input log file.

Notes:

  • This command supports only the Security log file ($FWDIR/log/*.log) and the Audit log file ($FWDIR/log/*.adtlog).
  • If you do not specify the input log file explicitly, the command processes the active Security log file $FWDIR/log/fw.log.

-o <Output File>

Specifies the name of the output file.

Note - If you do not specify the output log file explicitly, the command prints its output on the screen.

-f

After reaching the end of the currently opened log file, continue to monitor the log file indefinitely and export the new entries as well.

Note - Applies only to active log file $FWDIR/log/fw.log or $FWDIR/log/fw.adtlog

-e

After reaching the end of the currently opened log file, continue to monitor the log file indefinitely and export the new entries as well.

Note - Applies only to active log file $FWDIR/log/fw.log or $FWDIR/log/fw.adtlog

-x <Start Entry Number>

Starts exporting the log entries from the specified log entry number onward (that entry and all later entries), counting from the beginning of the log file.

-y <End Entry Number>

Exports the log entries up to and including the specified log entry number, counting from the beginning of the log file.

-z

In case of an error (for example, wrong field value), continue to export log entries.

The default behavior is to stop.

-n

Do not perform DNS resolution of the IP addresses in the log file (this is the default behavior).

This significantly speeds up the log processing.

-p

Do not perform resolution of the port numbers in the log file (this is the default behavior).

This significantly speeds up the log processing.

-a

Exports only Account log entries.

-u <Unification Scheme File>

Specifies the path and name of the log unification scheme file.

The default log unification scheme file is:

$FWDIR/conf/log_unification_scheme.C

-m {initial | semi | raw}

Specifies the log unification mode:

  • initial - Complete unification of log entries. The command exports one unified log entry for each ID. This is the default.

    If you also specify the -f parameter, then the output does not include any updates, but only entries that relate to the start of new connections. To export updates as well, use the semi mode.

  • semi - Step-by-step unification of log entries. For each log entry, the command exports an entry that unifies this entry with all previously encountered entries with the same ID.
  • raw - No log unification. The command exports all log entries.

The fwm logexport output appears in tabular format. The first row lists the names of all log fields included in the log entries. Each of the next rows consists of a single log entry, whose fields appear in the same order as in the first row. If a log entry has no information in a specific field, this field remains empty (indicated by two successive semicolons ";;"). You can control which log fields appear in the output of the fwm logexport command:

Step - Description

1

Create the $FWDIR/conf/logexport.ini file:

[Expert@MGMT:0]# touch $FWDIR/conf/logexport.ini

2

Edit the $FWDIR/conf/logexport.ini file:

[Expert@MGMT:0]# vi $FWDIR/conf/logexport.ini

3

To include or exclude log fields from the output, add these lines to the configuration file:

[Fields_Info]

included_fields = field1,field2,field3,<REST_OF_FIELDS>,field100

excluded_fields = field10,field11

Where:

The num field always appears first. You cannot manipulate this field.

The <REST_OF_FIELDS> is an optional reserved token that expands to a list of fields.

  • If you specify the -f parameter, then the <REST_OF_FIELDS> is based on a list of fields from the $FWDIR/conf/logexport_default.C file.
  • If you do not specify the -f parameter, then the <REST_OF_FIELDS> is based on the input log file.

You can specify only the included_fields parameter, only the excluded_fields parameter, or both.

4

Save the changes in the file and exit the Vi editor.

5

Run the fwm logexport command.
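The following Python script is an added example, not part of this page or of the Check Point product: it parses text in the fwm logexport output format described above (header row, ';' field delimiter, the "Starting..." banner), applies the -x/-y entry range and the -z stop-or-continue behaviour, and computes the column order that a logexport.ini [Fields_Info] section produces, including the <REST_OF_FIELDS> token. The sample lines are constructed with a reduced field set and are not a real export.

```python
"""Parse fwm logexport output and apply logexport.ini-style field selection."""

REST = "<REST_OF_FIELDS>"  # reserved token from logexport.ini [Fields_Info]

# Constructed sample in the page's export format (';' delimiter, reduced field set).
SAMPLE = """Starting... There are 3 log records in the file
num;date;time;orig;type;action;origin_id;status;reason
35;13Jun2018;19:55:59;CXL1_192.168.3.52;account;accept;CN=CXL1,O=MyDomain;;
36;13Jun2018;19:56:06;CXL1_192.168.3.52;control; ;CN=CXL1,O=MyDomain;Started;
47;13Jun2018;19:57:02;CXL1_192.168.3.52;control; ;CN=CXL1,O=MyDomain;Failed;Could not reach "https://productcoverage.checkpoint.com/ProductCoverageService". Check DNS and Proxy configuration on the gateway.
"""


def parse_logexport(text, delimiter=";", skip_errors=False):
    """Return one dict per entry, keyed by the header row's field names.

    Split on the field delimiter only: the comma inside origin_id is data, not
    a table delimiter.  A line whose field count differs from the header stops
    the parse (default) or is skipped when skip_errors is True (the -z behaviour).
    """
    lines = [ln for ln in text.splitlines()
             if ln and not ln.startswith(("Starting...", "[Expert@"))]
    header = lines[0].split(delimiter)
    records = []
    for ln in lines[1:]:
        cells = ln.split(delimiter)
        if len(cells) != len(header):
            if skip_errors:
                continue
            raise ValueError(f"expected {len(header)} fields, got {len(cells)}: {ln[:40]}")
        records.append(dict(zip(header, cells)))
    return records


def entry_range(records, start=None, end=None):
    """Keep entries whose num lies in [start, end], inclusive, like -x/-y."""
    return [r for r in records
            if (start is None or int(r["num"]) >= start)
            and (end is None or int(r["num"]) <= end)]


def select_fields(fields, included=None, excluded=()):
    """Output column order as [Fields_Info] produces it: num always first and
    never excluded; <REST_OF_FIELDS> expands to input fields not named explicitly."""
    wanted = list(included) if included else [REST]
    order = ["num"]
    for f in wanted:
        if f == REST:
            order += [x for x in fields if x not in order and x not in wanted]
        elif f in fields and f not in order:
            order.append(f)
    return [f for f in order if f == "num" or f not in excluded]
```

Note that the parser does not split table fields on ',': a field such as origin_id legitimately contains commas, so a table field (ROWx:COLy cells) must be recognised by its content before its cells are separated.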

Example 1 - Exporting all log entries

[Expert@MGMT:0]# fwm logexport -i MySwitchedLog.log

Starting... There are 113 log records in the file

num;date;time;orig;type;action;alert;i/f_name;i/f_dir;product;LogId;ContextNum;origin_id;ContentVersion;HighLevelLogKey;SequenceNum;log_sys_message;ProductFamily;fg-1_client_in_rule_name;fg-1_client_out_rule_name;fg-1_server_in_rule_name;fg-1_server_out_rule_name;description;status;version;comment;update_service;reason;Severity;failure_impact

0;13Jun2018;19:47:54;CXL1_192.168.3.52;control; ;;daemon;inbound;VPN-1 & FireWall-1;-1;-1;CN=CXL1_192.168.3.52,O=MyDomain_Server.checkpoint.com.s6t98x;5;18446744073709551615;2;Log file has been switched to: MyLog.log;Network;;;;;;;;;;;;

1;13Jun2018;19:47:54;CXL1_192.168.3.52;account;accept;;;inbound;FG;-1;-1;CN=CXL1_192.168.3.52,O=MyDomain_Server.checkpoint.com.s6t98x;5;18446744073709551615;1;;Network;Default;Default;;;;;;;;;;

... ...

35;13Jun2018;19:55:59;CXL1_192.168.3.52;account;accept;;;inbound;FG;-1;-1;CN=CXL1_192.168.3.52,O=MyDomain_Server.checkpoint.com.s6t98x;5;18446744073709551615;1;;Network;Default;Default;Host Redirect;;;;;;;;;

36;13Jun2018;19:56:06;CXL1_192.168.3.52;control; ;;;inbound;Security Gateway/Management;-1;-1;CN=CXL1_192.168.3.52,O=MyDomain_Server.checkpoint.com.s6t98x;5;18446744073709551615;1;;Network;;;;;Contracts;Started;1.0;<null>;1;;;

... ...

47;13Jun2018;19:57:02;CXL1_192.168.3.52;control; ;;;inbound;Security Gateway/Management;-1;-1;CN=CXL1_192.168.3.52,O=MyDomain_Server.checkpoint.com.s6t98x;5;18446744073709551615;1;;Network;;;;;Contracts;Failed;1.0;;1;Could not reach "https://productcoverage.checkpoint.com/ProductCoverageService". Check DNS and Proxy configuration on the gateway.;2;Contracts may be out-of-date

... ...

[Expert@MGMT:0]#

Example 2 - Exporting only log entries with specified numbers

[Expert@MGMT:0]# fwm logexport -i MySwitchedLog.log -x 36 -y 47

Starting... There are 113 log records in the file

num;date;time;orig;type;action;alert;i/f_name;i/f_dir;product;LogId;ContextNum;origin_id;ContentVersion;HighLevelLogKey;SequenceNum;log_sys_message;ProductFamily;fg-1_client_in_rule_name;fg-1_client_out_rule_name;fg-1_server_in_rule_name;fg-1_server_out_rule_name;description;status;version;comment;update_service;reason;Severity;failure_impact

36;13Jun2018;19:56:06;CXL1_192.168.3.52;control; ;;;inbound;Security Gateway/Management;-1;-1;CN=CXL1_192.168.3.52,O=MyDomain_Server.checkpoint.com.s6t98x;5;18446744073709551615;1;;Network;;;;;Contracts;Started;1.0;<null>;1;;;

37;13Jun2018;19:56:06;CXL1_192.168.3.52;account;accept;;;inbound;FG;-1;-1;CN=CXL1_192.168.3.52,O=MyDomain_Server.checkpoint.com.s6t98x;5;18446744073709551615;2;;Network;Default;Default;Host Redirect;;;;;;;;;

... ...

46;13Jun2018;19:56:59;CXL1_192.168.3.52;account;accept;;;inbound;FG;-1;-1;CN=CXL1_192.168.3.52,O=MyDomain_Server.checkpoint.com.s6t98x;5;18446744073709551615;1;;Network;Default;Default;Host Redirect;;;;;;;;;

47;13Jun2018;19:57:02;CXL1_192.168.3.52;control; ;;;inbound;Security Gateway/Management;-1;-1;CN=CXL1_192.168.3.52,O=MyDomain_Server.checkpoint.com.s6t98x;5;18446744073709551615;1;;Network;;;;;Contracts;Failed;1.0;;1;Could not reach "https://productcoverage.checkpoint.com/ProductCoverageService". Check DNS and Proxy configuration on the gateway.;2;Contracts may be out-of-date

[Expert@MGMT:0]#