fw1_lea2dlf - convert Check Point FireWall-1 NG logs to firewall DLF

fw1_lea2dlf file

fw1_lea2dlf converts Check Point FireWall-1 NG logs into firewall DLF format. Input for this converter is the output of fw1-loggrabber, a simple LEA (Log Export Api) client.

This DLF converter isn't activated by default in Lire. It requires the Date::Manip perl module and the fw1-loggrabber tool. Date::Manip can be installed from CPAN. fw1-loggrabber is available from http://www.fellhauer-web.de/projects/fw1-loggrabber.html

If both of these components are installed, you can activate the fw1_lea DLF conveter by uncommenting its line in the file CW@sysconfdir@/@PACKAGE@/address.cf

Beware! In case you're getting a lot of warnings complaining about UTF-8 characters, looking like:

 all all UNSET fw1_lea2dlf warning Malformed UTF-8 character
  (unexpected non-continuation byte 0x7a, immediately after
  start byte 0xe3) at /usr/lib/perl5/vendor_perl/5.8.0/Date/Manip.pm
  line 5931.

, and your locale is UTF-8 enabled, there is a workaround: Set the LANG and LC_CTYPE environment variables to en_US instead of e.g. en_US.UTF-8. You can do this temporarily within the call of the converter:

 LANG=en_US LC_CTYPE=en_US ./fw12dlf < /your/log/file

fw1-loggrabber is build using OPSEC's Software Development Kit. OPSEC (Open Platform for Security, http://www.opsec.com/) is an open, multi-vendor security framework.

Some notes about fw1-loggrabber quoted here.

 ********************************************************
 FW1-LOGGRABBER

 Author:           Torsten Fellhauer
 current Version:  1.0
 ********************************************************

 1) Prerequisites
 2) How to Build
 3) How to Use
 4) Change History

 ********************************************************

 1) Prerequisites

 a) for running FW1-LOGGRABBER

 FW1-LOGGRABBER is statically linked and can therefore be
 run on the following systems:
 * Linux (Tested distributions are Red Hat, SuSE and De-
   bian with Kernel Versions 2.2.x and 2.4.x)
 * Solaris SPARC (Tested versions are Solaris 8 and 9)
  * Windows NT/2000/XP (currently no W32 of FW1-LOGGRABBER
   is available yet and therefore not yet tested)

 b) for building FW1-LOGGRABBER

 FW1-LOGGRABBER uses API-functions from Checkpoints'
 OPSEC SDK. In order to be able to build applications 
 which are using this SDK, a very special build environ-
 ment has to be used. Currently building FW1-LOGGRABBER is
 supported only for Solaris SPARC platform and the Linux
 platform.
 * Linux
  - Red Hat 6.2
  - gcc 2.95.1
  - Checkpoint OPSEC SDK NG-FP3 for Linux 2.2
 * Solaris SPARC
  - Solaris 8
  - gcc 2.95.2
  - Checkpoint OPSEC SDK NG-FP3 for Solaris SPARC
 * Windows
  - EDITME

 3) How to Use

 a) Configure FW1 to enable LEA-Protocol

 In order to be able to use this tool with a Checkpoint
 FW-1 installation, the following tasks have to be done:

 * modify $FWDIR/conf/fwopsec.conf and define the port 
   for unauthenticated lea connections.
     #  lea_server  auth_port   18184
     lea_server       port       50001
 * bounce FW1 (cpstop / cpstart) to activate changes
 * add rule to policy to enable connections on port 
   50001 to the FW-1 Management-Server

 b) Usage of FW1-LOGGRABBER

 FW1-LOGGRABBER is statically linked and therefore not
 dependent of OPSEC libraries. The binary can be run on
 any Linux or Solaris SPARC system.

 Command-Line Options:
  -s             IP-Address of FW1-Management-Server
  -p             unauthenticated LEA-Port of FW1-Server
  -f             exact name of FW1-Logfile or pattern to
                 be matched on FW1-Logfiles.
  --resolve      Resolve IP-Addresses to Names
  --noresolve    Do not resolve IP-Addresses to Names
  --showfiles    Only show available FW1-Logfiles and exit.
  --debug        Enable debug-mode of FW1-LOGGRABBER

 Examples:
 o fw1-loggrabber -s 192.168.2.254 -p 50001 --showfiles

  Show all logfiles that are available on the FW1-Manage-
  ment-Server with the IP-Address 192.168.2.254. The LEA-
  Port the Management-Server is listening for unauthenti-
  cated connections is 50001.

 o fw1-loggrabber -s 192.168.2.254 -p 50001

  Show all logentries of the default FW1-Logfile (fw.log)
  on the FW1-Management-Server with the IP-Address
  192.168.2.254 and the LEA-Port 50001.

 o fw1-loggrabber -s 192.168.2.254 -p 50001 -f 2003-03-27_213652.log

  Show all logentries of the specified logfile. If the Log-
  file doesn't exist on the specified FW1-Management-Server,
  no entries are returned.

 o fw1-loggrabber -s 192.168.2.254 -p 50001 -f 2003-03

  Show all logentries of all logfiles on the FW1-Management-
  Server, that contain the pattern "2003-03", i.e. all Log-
  Files from March 2003

 o fw1-loggrabber -s 192.168.2.254 -p 50001 -f fw.adtlog

  Show all logentries of audit logfile on FW1-Management-Server

 4) Change History

 * 1.0 - Initial Version (2003/03/30)
  o get all available FW1-Logfiles
  o get data of one or more FW1-Logfiles

 5) Features to be implemented

 * Implementation of authenticated connections
 * Win32 build

To process a log as produced by FW-1:

 $ fw1-loggrabber -s 192.168.2.254 -p 50001 -f fw.log | fw12dlf

fw1_lea2dlf will be rarely used on its own, but is more likely called by lr_log2report:

 $ fw1-loggrabber -s 192.168.2.254 -p 50001 -f fw.log | \
   lr_run lr_log2report fw1_lea

This convertor needs perl's Date::Manip library. It'd better use another module for this, used by more Lire code.

The status and licensing of fw1-loggrabber is unknown.

Unfortunately, Check Point supplies no easily available documentation: http://www.checkpoint.com/support/technical/documents/index.html is password protected. Some notes about the FireWall-1 product are on http://www.checkpoint.com/products/protect/firewall-1.html .

Torsten Fellhauer <torsten@fellhauer-web.de>

$Id: fw1_lea2dlf.in,v 1.6 2004/01/21 07:22:59 wsourdeau Exp $

Copyright (C) 2003 Torsten Fellhauer

This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version.

This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.

You should have received a copy of the GNU General Public License along with this program (see COPYING); if not, check with http://www.gnu.org/copyleft/gpl.html or write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111, USA.