fwm logexport

Description

Exports a Security log file ($FWDIR/log/*.log) or Audit log file ($FWDIR/log/*.adtlog) to an ASCII file.

Note:

On a Multi-Domain Server, you must run this command in the context of the applicable Domain Management Server:

mdsenv <IP Address or Name of Domain Management Server>

Syntax

fwm logexport -h

fwm [-d] logexport [{-d <Delimiter> | -s}] [-t <Table Delimiter>] [-i <Input File>] [-o <Output File>] [{-f | -e}] [-x <Start Entry Number>] [-y <End Entry Number>] [-z] [-n] [-p] [-a] [-u <Unification Scheme File>] [-m {initial | semi | raw}]

Parameters

Parameter

Description

-h

Shows the built-in usage.

-d

Runs the command in debug mode.

Use only if you troubleshoot the command itself.

Best Practice - If you use this parameter, then redirect the output to a file, or use the script command to save the entire CLI session.

For complete debug instructions, see the description of the fwm process in sk97638.

-d <Delimiter> | -s

Specifies the output delimiter between fields of log entries:

  • -d <Delimiter> - Uses the specified delimiter.

  • -s - Uses the ASCII character #255 (non-breaking space) as the delimiter.

Note - If you do not specify the delimiter explicitly, the default is a semicolon (;).

-t <Table Delimiter>

Specifies the output delimiter between the cells of a table field.

A table field looks like:

ROWx:COL0,ROWx:COL1,ROWx:COL2, and so on

Note - If you do not specify the table delimiter explicitly, the default is a comma (,).

-i <Input File>

Specifies the name of the input log file.

Notes:

  • This command supports only a Security log file ($FWDIR/log/*.log) or an Audit log file ($FWDIR/log/*.adtlog).

  • If you do not specify the input log file explicitly, the command processes the active Security log file $FWDIR/log/fw.log.

-o <Output File>

Specifies the name of the output file.

Note - If you do not specify the output log file explicitly, the command prints its output on the screen.

-f

After reaching the end of the currently open log file, continues to monitor the log file indefinitely and exports the new entries as well.

Note - Applies only to the active log file: $FWDIR/log/fw.log or $FWDIR/log/fw.adtlog

-e

After reaching the end of the currently open log file, continues to monitor the log file indefinitely and exports the new entries as well.

Note - Applies only to the active log file: $FWDIR/log/fw.log or $FWDIR/log/fw.adtlog

-x <Start Entry Number>

Starts exporting at the specified log entry number (that entry and all entries after it), counting from the beginning of the log file.

-y <End Entry Number>

Exports the log entries up to and including the specified log entry number, counting from the beginning of the log file.

-z

Continues the export of log entries if an error occurs (for example, a wrong field value).

The default behavior is to stop.

-n

Specifies not to perform DNS resolution of the IP addresses in the log file (this is the default behavior).

This significantly speeds up the log processing.

-p

Specifies not to perform resolution of the port numbers in the log file (this is the default behavior).

This significantly speeds up the log processing.

-a

Exports only Account log entries.

-u <Unification Scheme File>

Specifies the path and name of the log unification scheme file.

The default log unification scheme file is:

$FWDIR/conf/log_unification_scheme.C

-m {initial | semi | raw}

Specifies the log unification mode:

  • initial - Complete unification of log entries. The command exports one unified log entry for each ID. This is the default.

    If you also specify the "-f" parameter, then the output does not export any updates, but exports only entries that relate to the start of new connections. To export updates as well, use the "semi" parameter.

  • semi - Step-by-step unification of log entries. For each log entry, exports an entry that unifies this entry with all previously encountered entries with the same ID.

  • raw - No log unification. Exports all log entries.

The output of the fwm logexport command appears in tabular format.

The first row lists the names of all log fields included in the log entries.

Each of the next rows consists of a single log entry, whose fields are sorted in the same order as the first row.

If a log entry has no information in a specific field, this field remains empty (as indicated by two successive semi-colons ";;").

You can control which log fields appear in the output of the command:

Step

Instructions

1

Create the $FWDIR/conf/logexport.ini file:

[Expert@MGMT:0]# touch $FWDIR/conf/logexport.ini

2

Edit the $FWDIR/conf/logexport.ini file:

[Expert@MGMT:0]# vi $FWDIR/conf/logexport.ini

3

To include or exclude the log fields from the output, add these lines in the configuration file:

[Fields_Info]
included_fields = field1,field2,field3,<REST_OF_FIELDS>,field100
excluded_fields = field10,field11

Where:

  • You can specify only the included_fields parameter, only the excluded_fields parameter, or both.

  • The num field must always appear first. You cannot manipulate this field.

  • The <REST_OF_FIELDS> is an optional reserved token that refers to a list of fields.

    • If you specify the "-f" parameter, then the <REST_OF_FIELDS> is based on a list of fields from the $FWDIR/conf/logexport_default.C file.

    • If you do not specify the "-f" parameter, then the <REST_OF_FIELDS> is based on the input log file.

4

Save the changes in the file and exit the Vi editor.

5

Export the logs:

fwm logexport <options>
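The following is an added example, not code from the Check Point documentation: a parser for the export format described above (header row, delimiter-separated fields, ";;" for an empty field, table fields split by the table delimiter) together with the [Fields_Info] selection rules from the procedure. It assumes the default delimiters, that fwm never quotes a value, and that names listed in logexport.ini but absent from the header are simply ignored.

```python
"""Parse 'fwm logexport' output and apply logexport.ini field selection. Added
example, not Check Point code. Assumes this page's defaults: ';' between fields
(-d; chr(255) with -s), ',' inside table fields (-t), a header row with 'num'
first, ';;' for an empty field, and no quoting (so plain split, not csv)."""
from typing import Dict, Iterable, List, Optional

# Constructed sample: a trimmed copy of the page's Example 2 output (14 fields).
SAMPLE_EXPORT = """\
Starting... There are 113 log records in the file
num;date;time;orig;type;action;alert;i/f_name;i/f_dir;product;description;status;reason;Severity
36;13Jun2018;19:56:06;CXL1_192.168.3.52;control; ;;;inbound;Security Gateway/Management;Contracts;Started;;
47;13Jun2018;19:57:02;CXL1_192.168.3.52;control; ;;;inbound;Security Gateway/Management;Contracts;Failed;Could not reach "https://productcoverage.checkpoint.com/ProductCoverageService". Check DNS and Proxy configuration on the gateway.;2
"""

def parse_logexport(text: str, delimiter: str = ";", table_delimiter: str = ",",
                    table_fields: Iterable[str] = ()) -> List[Dict[str, object]]:
    """Return one dict per log entry, keyed by the field names in the header row."""
    # Drop the banner, '... ...' elisions and prompts; the header line comes first.
    lines = [ln for ln in text.splitlines()
             if ln.strip() and not ln.startswith(("Starting...", "...", "[Expert@"))]
    header = lines[0].split(delimiter)
    if header[0] != "num":  # the page: num is always the first field
        raise ValueError(f"not fwm logexport output: first field is {header[0]!r}")
    records = []
    for line in lines[1:]:
        values = line.split(delimiter)
        if len(values) != len(header):  # a delimiter inside a value shifts later columns
            raise ValueError(f"entry {values[0]}: {len(values)} fields, header has {len(header)}")
        rec: Dict[str, object] = dict(zip(header, values))
        for name in table_fields:  # split only known table fields: origin_id holds a
            rec[name] = rec[name].split(table_delimiter) if rec[name] else []  # DN with commas
        records.append(rec)
    return records

def select_fields(header: List[str], included: Optional[List[str]] = None,
                  excluded: Iterable[str] = ()) -> List[str]:
    """Column order from [Fields_Info] included_fields / excluded_fields: 'num' stays
    first, <REST_OF_FIELDS> expands to the remaining input fields in header order,
    excluded names are removed last; unknown names are ignored (an assumption)."""
    included = included if included is not None else ["<REST_OF_FIELDS>"]
    rest = [f for f in header if f != "num" and f not in included]
    order: List[str] = []
    for f in included:
        if f == "<REST_OF_FIELDS>":
            order.extend(rest)
        elif f != "num" and f in header:
            order.append(f)
    dropped = set(excluded)
    return ["num"] + [f for f in order if f not in dropped]
```

The field-count check matters in practice: a value containing the delimiter (possible with -d and a free-text field such as reason) silently shifts every later column, which is why -s with character #255 exists.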

Example 1 - Exporting all log entries

[Expert@MGMT:0]# fwm logexport -i MySwitchedLog.log
Starting... There are 113 log records in the file
num;date;time;orig;type;action;alert;i/f_name;i/f_dir;product;LogId;ContextNum;origin_id;ContentVersion;HighLevelLogKey;SequenceNum;log_sys_message;ProductFamily;fg-1_client_in_rule_name;fg-1_client_out_rule_name;fg-1_server_in_rule_name;fg-1_server_out_rule_name;description;status;version;comment;update_service;reason;Severity;failure_impact
0;13Jun2018;19:47:54;CXL1_192.168.3.52;control; ;;daemon;inbound;VPN-1 & FireWall-1;-1;-1;CN=CXL1_192.168.3.52,O=MyDomain_Server.checkpoint.com.s6t98x;5;18446744073709551615;2;Log file has been switched to: MyLog.log;Network;;;;;;;;;;;;
1;13Jun2018;19:47:54;CXL1_192.168.3.52;account;accept;;;inbound;FG;-1;-1;CN=CXL1_192.168.3.52,O=MyDomain_Server.checkpoint.com.s6t98x;5;18446744073709551615;1;;Network;Default;Default;;;;;;;;;;
... ...
35;13Jun2018;19:55:59;CXL1_192.168.3.52;account;accept;;;inbound;FG;-1;-1;CN=CXL1_192.168.3.52,O=MyDomain_Server.checkpoint.com.s6t98x;5;18446744073709551615;1;;Network;Default;Default;Host Redirect;;;;;;;;;
36;13Jun2018;19:56:06;CXL1_192.168.3.52;control; ;;;inbound;Security Gateway/Management;-1;-1;CN=CXL1_192.168.3.52,O=MyDomain_Server.checkpoint.com.s6t98x;5;18446744073709551615;1;;Network;;;;;Contracts;Started;1.0;<null>;1;;;
... ...
47;13Jun2018;19:57:02;CXL1_192.168.3.52;control; ;;;inbound;Security Gateway/Management;-1;-1;CN=CXL1_192.168.3.52,O=MyDomain_Server.checkpoint.com.s6t98x;5;18446744073709551615;1;;Network;;;;;Contracts;Failed;1.0;;1;Could not reach "https://productcoverage.checkpoint.com/ProductCoverageService". Check DNS and Proxy configuration on the gateway.;2;Contracts may be out-of-date
... ...
[Expert@MGMT:0]#

Example 2 - Exporting only log entries with specified numbers

[Expert@MGMT:0]# fwm logexport -i MySwitchedLog.log -x 36 -y 47
Starting... There are 113 log records in the file
num;date;time;orig;type;action;alert;i/f_name;i/f_dir;product;LogId;ContextNum;origin_id;ContentVersion;HighLevelLogKey;SequenceNum;log_sys_message;ProductFamily;fg-1_client_in_rule_name;fg-1_client_out_rule_name;fg-1_server_in_rule_name;fg-1_server_out_rule_name;description;status;version;comment;update_service;reason;Severity;failure_impact
36;13Jun2018;19:56:06;CXL1_192.168.3.52;control; ;;;inbound;Security Gateway/Management;-1;-1;CN=CXL1_192.168.3.52,O=MyDomain_Server.checkpoint.com.s6t98x;5;18446744073709551615;1;;Network;;;;;Contracts;Started;1.0;<null>;1;;;
37;13Jun2018;19:56:06;CXL1_192.168.3.52;account;accept;;;inbound;FG;-1;-1;CN=CXL1_192.168.3.52,O=MyDomain_Server.checkpoint.com.s6t98x;5;18446744073709551615;2;;Network;Default;Default;Host Redirect;;;;;;;;;
... ...
46;13Jun2018;19:56:59;CXL1_192.168.3.52;account;accept;;;inbound;FG;-1;-1;CN=CXL1_192.168.3.52,O=MyDomain_Server.checkpoint.com.s6t98x;5;18446744073709551615;1;;Network;Default;Default;Host Redirect;;;;;;;;;
47;13Jun2018;19:57:02;CXL1_192.168.3.52;control; ;;;inbound;Security Gateway/Management;-1;-1;CN=CXL1_192.168.3.52,O=MyDomain_Server.checkpoint.com.s6t98x;5;18446744073709551615;1;;Network;;;;;Contracts;Failed;1.0;;1;Could not reach "https://productcoverage.checkpoint.com/ProductCoverageService". Check DNS and Proxy configuration on the gateway.;2;Contracts may be out-of-date
[Expert@MGMT:0]#