fw1-loggrabber - a command line LEA-client for Checkpoint Firewall-1

Transcription

1 FW1-LOGGRABBER Section: Misc. Reference Manual Pages (February 2005) Updated: Unix NAME fw1-loggrabber - a command line LEA-client for Checkpoint Firewall-1 SYNOPSIS fw1-loggrabber [--options] DESCRIPTION fw1-loggrabber is a commandline LEA client is a command-line LEA-client for Checkpoint FW-1. Using this tool, it's possible to get FW-1 logging data from remote using Checkpoints proprietary LEA protocol, which is a part of their OPSEC API. The idea for fw1-loggrabber was born due to the need of analysing Checkpoint FW-1 log data using LIRE ( Meanwhile their are a lot of additional features, which hopefully ease daily work of many firewall administrators. AVAILABLE VERSIONS The following versions of fw1-loggrabber are available on loggrabber: - Sourcecode distribution - Linux-binary (x86) distribution without ODBC-support - Linux-binary (x86) distribution with ODBC-support using statically linked iodbclibraries - Linux-binary (x86) distribution with ODBC-support using statically linked unixodbclibraries - Solaris-binary (SPARC) distribution without ODBC-support - Solaris-binary (SPARC) distribution with ODBC-support using statically linked iodbc-libraries

2 - Solaris-binary (SPARC) distribution with ODBC-support using statically linked unixodbc-libraries - Windows-binary distribution with ODBC-support using Microsoft ODBC-libraries PREREQUISITES fw1-loggrabber is statically linked and runs on the following platforms. If you run fw1- loggrabber on another distribution, version or kernel version, please send me a mail describing your environment. - Linux - tested distributions are Red Hat, SuSE and Debian with Kernel 2.2.x and 2.4.x. For database support, also either iodbc or unixodbc have to be installed. - Solaris SPARC - tested versions are Solaris 2.7, 8 and 9. For database support, also either iodbc or unixodbc have to be installed - Windows NT/2000/XP - tested versions are currently only Windows 2000 INSTALLATION Beginning with v1.11, fw1-loggrabber includes a very basic installer script for Linux and Solaris distributions as well as a self-extracting installer for the Windows distribution. If you want to use the installer script INSTALL.sh, you should first modify the PATH-settings in INSTALL.sh according to your environment. On default, the script installs fw1-loggrabber to /usr/local/fw1-loggrabber. The install script also prompts you for adding two environment variables to your shell configuration file which will be explained in the following section. ENVIRONMENT VARIABLES fw1-loggrabber makes use of two environment variables, which should be defined in the shell configuration file: - LOGGRABBER_CONFIG_PATH - this variable defines a directory where fw1- loggrabber searches its configuration files (fw1-loggrabber.conf, lea.conf). If this variable is not defined, fw1-loggrabber looks in the current directory for these configuration files. - LOGGRABBER_TEMP_PATH - this variable defines a directory where fw1- loggrabber stores temporary files. If this variable is not defined, fw1-loggrabber stores these files in the current directory.

3 OPTIONS In the following lines, all available command line options are described in detail. Most of the options can also be configured using the configuration file fw1-loggrabber.conf (see --configfile option to use a different configuration file). The precedence of given options is as follows: commandline, configuration file, default value. E.g. if you set the resolve-mode to be used in the configuration file, this can be overwritten by commandline option --noresolve. Only if an option isn't set neither on commandline nor in the configuration file, the default value will be used. -p <portnumber>, --port <portnumber> [OBSOLETE] -s <servername>, --server <servername> [OBSOLETE] -f <logfilename pattern ALL>, --logfile <logfilename pattern> With these parameters, the name of the FW-1 logfile to be read, can be specified. This can be either done exactly or using only a part of the filename. If no exact match can be found in the list of logfiles returned by the FW-1 management station, all logfiles which contain the specified string are processed. A special case is the usage of ALL instead of a logfile name or pattern. In that case all logfiles that are available on the management station, will be processed. If this parameter is omitted, only the default logfile fw.log will be processed. E.g. --logfile _ log --logfile The first example display the logfile _ log, the second one processes all logfiles which contain in their filename. -c <configfilename>, --configfile <configfilename> These options allow to specify a non-default configuration file, in which most of the commandline options can be configured as well as other options, which are not available as commandline parameters. If this parameter is omitted, the file fw1-loggrabber.conf in the current directory will be used. See below for a description of all available configuration file options. -l <leaconfigfilename>, --leaconfigfile <leaconfigfilename> Using one of these options, it's possible to use a non-default LEA configuration file. In this file, all connection parameters such as FW-1 server, port, authentication method as well as sic names have to be configured. That's the usual configuration procedure for OPSEC applications. If this parameter is omitted, the file lea.conf in the current directory will be used. See below for a description of all available LEA configuration file options.

4 --resolve Using the --resolve option, IP addresses will be resolved to names using FW-1 name resolving behaviour. This resolving mechanism will not cause the machine running fw1- loggrabber to initiate DNS requests, but the name resolution will be done directly on the FW-1 machine. Enabled name resolution is also the default behaviour of fw1- loggrabber. --noresolve In contrast to --resolve, the option --no-resolve will cause IP addresses to be displayed in log output instead of names. --showfiles The option --showfiles can be used to simply show the available logfiles on the FW-1 management station. After the names of the logfiles have been displayed, fw1- loggrabber quits. --showlogs The default behaviour of fw1-loggrabber is to display the content of the logfiles and not just their names. This can be explicitely specified using the --showlogs option. --auth [OBSOLETE] --no-auth [OBSOLETE] The option has to be used if you want to connect to CP FW (2000) firewalls. You have to consider, that some options are not available for non-ng firewalls. These include --auth, --showfiles, --auditlog and some other options. --ng The default FW-1 version, for which this tool is being developed, is CP FW (NG), which is the default version, is no version is explicitely specified. --online Using online mode, fw1-loggrabber starts output of logging data at the end of the specified logfile (or fw.log if no logfilename has been specified). All future log entries will be displayed. If you use --logfile to specify another logfile to be processed, you have to consider that no data will be shown, if the file isn't active anymore. This mode is mainly used for continuously processing FW-1 log data and continues to display log entries also after scheduled and manual log switches. --no-online In contrast to online mode, fw1-loggrabber quits after having displayed the last log entry, when running in offline mode. This is the default behaviour and is mainly used for analysis of historic log data. --auditlog Using the audit mode, content of the audit logfile (fw.adtlog) can be displayed. This includes administrator actions and uses different fields than normal log data. --normallog

5 The default mode of fw1-loggrabber processes normal FW-1 logfiles. In contrast to the - -auditlog option, no admistration actions are displayed in this mode, but all regular log data. --filter ``<filterexpression1>[;<filterexpression2>]'' Using one or multiple --filter options, you are able to filter log entries in order to see only entries which match your filter rules. You can specify multiple filter rules using multiple --filter options. All filter rules are related by OR, i.e. if you specify multiple rules, a log entry will be displayed if one of the rules matches. Within one filter rule, you can specify multiple arguments. All of these arguments are related by AND, i.e. a single filter rule only matches a given log entry if the log entry is matched by all arguments. A more detailed description of filter rules you can find below in a separate chapter about filtering which also provides various examples. --fields ``<field1>[;<field2>]'' The --fields option can be used to display only a given set of fields instead of displaying all available fields. The order of the fields being displayed is the same as specified within the --fields option. E.g. --fields "loc;src;dst" You can display the currently supported fields with the --help-fields option. If you are missing some fields, please run fw1-loggrabber with --debug-level 1 and check for debug output containing "Unsupported field found: fieldname=fieldvalue". If you send me these lines I will implement the missing fields in the next release. --fieldnames Using the --fieldnames option the name of each field will be prepended to each value in each line of fw1-loggrabber output. E.g. loc=42 src= dst= nofieldnames In contrast to the --fieldnames option, the usage of this option will cause fieldnames to be displayed in the first line of output only. All the following output lines contain only the fieldvalues separated by ' ' or by a user defined separator. E.g. loc src dst create-tables This option just creates the fw1-loggrabber tables in the database referenced by configuration file parameter ODBC_DSN. If one or more of the tables already exist, fw1- loggrabber prompts for dropping and recreating the tables. fw1-loggrabber only creates tables and no additional indexes on certain columns. If you need these, please create the indexes by yourself using your DBMS management software. At the moment, the following DBMS are supported and tested: MySQL (v4.0), PostgreSQL (v7.3), IBM DB2 (v8.1), Oracle (v8) and MS SQL Server (v2000). If you can verify fw1-loggrabber to be working with other versions of these DBMS, please tell me about this.

6 --debuglevel <0-3> Sets the debuglevel to the specified value. A debuglevel of 0 means no output of debug informations. Further debuglevels will cause output of program specific as well as OPSEC specific debug informations. --help Use --help to display basic help and usage information. For further help, please refer to the man page. --help-fields This option just displays all fieldnames which are currently supported by fw1- loggrabber for both normal logfiles and audit logfiles. LEA CONFIGURATION FILE Starting with version 1.11, fw1-loggrabber uses the default connection configuration procedure for OPSEC applications. This includes server, port and authentication settings. From now on, all this parameters can only be configured using the configuration file lea.conf (see --leaconfigfile option to use a different LEA configuration file) and not using the command-line as before. lea_server ip <IP address> This parameter specifies the IP address of the FW1 management station, to which fw1- loggrabber should connect to. lea_server port <port number> The port on the FW1 management station, to which fw1-loggrabber should connect to, can be specified using this option. If you want to use authenticated connections to your firewall, you have to use lea_server auth_port instead. lea_server auth_port <port number> In contrast to the previous option, this one has to be used for specifying the port to be used for authenticated connection to your FW1 management station. lea_server auth_type <authentication mechanism> If you want to use authenticated connections to your FW1 management station, you can use this parameter to specify the authentication mechnismn to be used. If this parameter is omitted, fw1-loggrabber defaults to sslca. Supported values in this field are: sslca, sslca_clear, sslca_comp, sslca_rc4, sslca_rc4_comp, asym_sslca, asym_sslca_comp, asym_sslca_rc4, asym_sslca_rc4_comp, ssl, ssl_opsec, ssl_clear, ssl_clear_opsec, fwn1 and auth_opsec. opsec_sslca_file <p12-file> When using authenticated connections, this parameter has to be used in order to specify the location of the PKCS#12 certificate. opsec_sic_name <SIC name of LEA-client> This parameter is also only necessary when using authenticated connections. In that case the SIC name of the LEA-client has to be specified using this parameter. lea_server opsec_entity_sic_name <SIC name of LEA-server> Similar to opsec_sic_name you have to specify the SIC name of your FW1 management station using this parameter when using authenticated connections..

7 CONFIGURATION FILE This paragraph deals with the options that can be set within the configuration file. The default configuration file is fw1-loggrabber.conf which should be in the current directory. (see -- configfile option to use a different configuration file). The precedence of given options is as follows: commandline, configuration file, default value. E.g. if you set the resolve-mode to be used in the configuration file, this can be overwritten by commandline option --noresolve. Only if an option isn't set neither on commandline nor in the configuration file, the default value will be used. DEBUG_LEVEL=<0-3> Sets the debuglevel to the specified value. A debuglevel of 0 means no output of debug informations. Further debuglevels will cause output of program specific as well as OPSEC specific debug informations. This parameter can be overwritten by --debug-level command-line option. FW1_SERVER=<IP address of FW1-Management Station> [OBSOLETE] FW1_PORT=<Port number for LEA connections> [OBSOLETE] FW1_LOGFILE=<Name of FW1-Logfilename> With this parameter, the name of the FW-1 logfile to be read, can be specified. This can be either done exactly or using only a part of the filename. If no exact match can be found in the list of logfiles returned by the FW-1 management station, all logfiles which contain the specified string are processed. If this parameter is omitted, the default logfile fw.log will be processed. The correspondent command-line parameter is --logfile. FW1_OUTPUT=<files logs> This parameter simply specifies whether fw1-loggrabber should only display the available logfiles (files) on the FW-1 server or display the content of the logfiles (logs). The correspondent command-line parameters are --showfiles and --showlogs. FW1_TYPE=<ng 2000> Using this parameter you can choose to which version of FW-1 to connect to. For Checkpoint FW (NG) you have to specify NG and for Checkpoint FW (2000) you have to specify The correspondent command-line parameters are and -- ng. FW1_MODE=<audit normal> This parameter enables you to specify whether to display audit logs which contain administrative actions of normal security logs, which contain data about dropped and accepted connections. The correspondent command-line parameters are --auditlog and -- normallog. ONLINE_MODE=<yes no> Using online mode, fw1-loggrabber starts output of logging data at the end of the specified logfile (or fw.log if no logfilename has been specified). All future log entries will be displayed. If you use --logfile to specify another logfile to be processed, you have

8 to consider that no data will be shown, if the file isn't active anymore. This mode is mainly used for continuously processing FW-1 log data. If you disable online mode, fw1- loggrabber quits after having displayed the last log entry. This is the default behaviour and is mainly used for analysis of historic log data. The correspondent command-line parameters are --online and --no-online. RESOLVE_MODE=<yes no> With this option, IP addresses will be resolved to names using FW-1 name resolving behaviour. This resolving mechanism will not cause the machine running fw1- loggrabber to initiate DNS requests, but the name resolution will be done directly on the FW-1 machine. Enabled name resolution is also the default behaviour of fw1- loggrabber. If you disable resolving mode this will cause IP addresses to be displayed in log output instead of names. The correspondent command-line parameters are --resolve and --no-resolve. SHOW_FIELDNAMES=<yes no> Using this option can be chosen, whether the name of each field should be displayed i in each line of log output (YES) of just in the first line of output. The correspondent command-line parameters are --fieldnames and --nofieldnames. RECORD_SEPARATOR=<char> This parameter can be used to change the default record separator ( ) into another character. If you choose a character which is contained in some log data, the occurrence within the logdata will be escaped by a backslash. DATEFORMAT=<CP UNIX STD> Using the DATEFORMAT option, you can choose between three different date formats for output of date fields. The value CP provides the standard Checkpoing date format ( 3Feb :15:16). Using the values UNIX or STD you can change this into standard Unix time format ( ) or into a standardized human-readable format ( :15:16). LOGGING_CONFIGURATION=<screen file syslog odbc> The LOGGING_CONFIGURATION parameter can be used for redirection of logging output to other destinations than the default destination STDOUT, i.e. screen. Currently it's possible to redirect output to a file or to syslog daemon (Unix only). Using the parametes OUTPUT_FILE_PREFIX and OUTPUT_FILE_ROTATESIZE, you can specify more details, if you choose to redirect the output to a file. If you have chosen ODBC, you have to specify the DSN in the parameter ODBC_DSN. OUTPUT_FILE_PREFIX=<prefix of output file> This parameter can be used to define a prefix for the output filename. Eventually the output file will get the suffix.log respectively a datestamp when it gets rotated. The default value for this prefix is simply fw1-loggrabber. This parameter will only be used if LOGGING_CONFIGURATION is set to file. OUTPUT_FILE_ROTATESIZE=<rotatesize in bytes> Using this parameter you can specify the maximum size of the output files, before they will be rotated. If the size of the output file exceeds the given value, the logfile will be rotated to <OUTPUT_FILE_PREFIX>-YYYY-MM-DD-hhmmss[-x].log. The default value is bytes, which equals 1 megabyte. It should be obvious that this parameter will only be used if LOGGING_CONFIGURATION is set to file. ODBC_DSN=<ODBC Database DSN>

9 This parameter has to be used to specify the ODBC-DSN of your database. The DSN will only be used when LOGGING_CONFIGURATION is set to ODBC. SYSLOG_FACILITY=<USER LOCAL0... LOCAL7> This parameter can be used to set the syslog facility to be used (Unix only). Obviously this is only effective when running fw1-loggrabber with LOGGING_CONFIGURATION=SYSLOG. FW1_FILTER_RULE=``<filterexpression1>[;<filterexpression2>]'' When using this option in the configuration file, you can define filters for normal logmode in the configuration file instead of a commandline option. You can specify multiple filter rules using multiple FW1_FILTER_RULE lines. All filter rules are related by OR, i.e. if you specify multiple rules, a log entry will be displayed if one of the rules matches. Within one filter rule, you can specify multiple arguments. All of these arguments are related by AND, i.e. a single filter rule only matches a given log entry if the log entry is matched by all arguments. A more detailed description of filter rules you can find below in a separate chapter about filtering which also provides various examples. AUDIT_FILTER_RULE=``<filterexpression1>[;<filterexpression2>]'' In contrast to FW1_FILTER_RULE, AUDIT_FILTER_RULE allows definitions of filters for auditlog-mode within the configuration file. FIELDS=``<field1>[;<field2>]'' The FIELDS configuration file option can be used to display only a given set of fields instead of displaying all available fields. The order of the fields being displayed is the same as specified within the FIELDS option. E.g. FIELDS="loc;src;dst" If there are more than one FIELDS-lines in the configuration file or unknown fieldnames are used in the FIELDS-line, fw1-loggrabber will abort with an error message. You can display the currently supported fields with the --help-fields option. If you are missing some fields, please run fw1-loggrabber with --debug-level 1 and check for debug output containing "Unsupported field found: fieldname=fieldvalue". If you send me these lines I will implement the missing fields in the next release. AUTHENTICATED=<yes no> [OBSOLETE] AUTHENTICATION_TYPE=<authtype value> [OBSOLETE] OPSEC_CERTIFICATE=<Path and Name of Opsec Certificate> [OBSOLETE] OPSEC_CLIENT_DN=<DN of Opsec-Client> [OBSOLETE]

10 OPSEC_SERVER_DN=<DN of Opsec-Server> [OBSOLETE] CONFIGURE FW-1 For both authenticated and unauthenticated connections of fw1-loggrabber to FW-1 servers there is the need for additional configuration on both the FW-1 side and the fw1-loggrabber side. This section describes the necessary steps to successfully establish a connection. Unauthenticated connections to FW or NG Configuration of FW-1 server: - modify $FWDIR/conf/fwopsec.conf and define the port to be used for unauthenticated lea connections (e.g ): lea_server port lea server auth_port 0 - bounce FW-1 in order to activate changes [4.1] fwstop ; fwstart [NG] cpstop ; cpstart Configuration of FW-1 policy: - add a rule to the policy to allow the port defined above from the fw1-loggrabber machine to the FW-1 management server. - install the policy Configuration of fw1-loggrabber: - modify lea.conf and define the ip address of your FW1 management station (e.g ) and port (e.g ) for unauthenticated lea connections: lea_server ip lea server port Authenticated connections to FW Configuration of FW-1 server:

11 - modify $FWDIR/conf/fwopsec.conf and define the port to be used for authenticated lea connections (e.g ): lea_server port 0 lea server auth_port lea server auth_type auth_opsec - bounce FW-1 in order to activate changes [4.1] fwstop ; fwstart - set a password (e.g. abc123) for the LEA client (e.g ) [4.1] fw putkey -opsec -p abc Configuration of FW-1 policy: - add a rule to the policy to allow the port defined above from the fw1-loggrabber machine to the FW-1 management server. - install the policy Configuration of fw1-loggrabber: - modify lea.conf and define the ip address of your FW1 management station (e.g ) as well as port (e.g ) and authentication type for authenticated lea connections: lea_server ip lea_server auth_port lea_server auth_type auth_opsec - set password for the connection to the LEA server. The password has to be the same as specified on the LEA server. opsec_putkey -p abc Authenticated connections to FW-1 NG using ssl_opsec Configuration of FW-1 server: - modify $FWDIR/conf/fwopsec.conf and define the port to be used for authenticated lea connections (e.g ): lea_server port 0 lea server auth_port lea server auth_type ssl_opsec

12 - bounce FW-1 in order to activate changes [NG] cpstop ; cpstart - set a password (e.g. abc123) for the LEA client (e.g ) [NG] fw putkey -ssl -p abc Configuration of FW-1 policy: - create a new Opsec Application Object with the following details: - Name: e.g. myleaclient - Vendor: User Defined - Server Entities: None - Client Entities: LEA - initialize Secure Internal Communication (SIC) for recently created Opsec Application Object and enter (and remember) the activation key (e.g. def456) - write down the DN of the recently created Opsec Application Object. This is your Client Distinguished Name, which you need later on. - open the object of your FW-1 management server and write down the DN of that object. This is the Server Distinguished Name, which you will need later on. - add a rule to the policy to allow the port defined above as well as port 18210/tcp (FW1_ica_pull) in order to allow pulling of PKCS#12 certificate from the fw1- loggrabber machine to the FW-1 management server. The port 18210/tcp can be shut down after the communication between fw1-loggrabber and the FW-1 management server has been established successfully. - install the policy Configuration of fw1-loggrabber: - modify lea.conf and define the ip address of your FW1 management station (e.g ) as well as port (e.g ), authentication type and SIC names for authenticated lea connections. The SIC names you can get from the object properties of your LEA client object respectively the Management Station object (see above for details about Client DN and Server DN). lea_server ip lea_server auth_port lea_server auth_type ssl_opsec opsec_sslca_file opsec.p12

13 opsec_sic_name "CN=myleaclient,O=cpmodule..gysidy" lea_server opsec_entity_sic_name "cn=cp_mgmt,o=cpmodule..gysidy" - set password for the connection to the LEA server. The password has to be the same as specified on the LEA server. opsec_putkey -ssl -p abc get the tool opsec_pull_cert either from opsec-tools.tar.gz from the project home page or directly from the OPSEC SDK. This tool is needed to establish the Secure Internal Communication (SIC) between fw1-loggrabber and the FW-1 management server. - get the clients certificate from the management station (e.g ). The activation key has to be the same as specified before in the firewall policy. opsec_pull_cert -h n myleaclient -p def456 Authenticated connections to FW-1 NG using sslca Configuration of FW-1 server: - modify $FWDIR/conf/fwopsec.conf and define the port to be used for authenticated lea connections (e.g ): lea_server port 0 lea server auth_port lea server auth_type sslca - bounce FW-1 in order to activate changes [NG] cpstop ; cpstart Configuration of FW-1 policy: - create a new Opsec Application Object with the following details: - Name: e.g. myleaclient - Vendor: User Defined - Server Entities: None - Client Entities: LEA - initialize Secure Internal Communication (SIC) for recently created Opsec Application Object and enter (and remember) the activation key (e.g. def456) - write down the DN of the recently created Opsec Application Object. This is your Client Distinguished Name, which you need later on.

14 - open the object of your FW-1 management server and write down the DN of that object. This is the Server Distinguished Name, which you will need later on. - add a rule to the policy to allow the port defined above as well as port 18210/tcp (FW1_ica_pull) in order to allow pulling of PKCS#12 certificate from the fw1- loggrabber machine to the FW-1 management server. The port 18210/tcp can be shut down after the communication between fw1-loggrabber and the FW-1 management server has been established successfully. - install the policy Configuration of fw1-loggrabber: - modify lea.conf and define the ip address of your FW1 management station (e.g ) as well as port (e.g ), authentication type and SIC names for authenticated lea connections. The SIC names you can get from the object properties of your LEA client object respectively the Management Station object (see above for details about Client DN and Server DN). lea_server ip lea_server auth_port lea_server auth_type sslca opsec_sslca_file opsec.p12 opsec_sic_name "CN=myleaclient,O=cpmodule..gysidy" lea_server opsec_entity_sic_name "cn=cp_mgmt,o=cpmodule..gysidy" - get the tool opsec_pull_cert either from opsec-tools.tar.gz from the project home page or directly from the OPSEC SDK. This tool is needed to establish the Secure Internal Communication (SIC) between fw1-loggrabber and the FW-1 management server. - get the clients certificate from the management station (e.g ). The activation key has to be the same as specified before in the firewall policy. After that copy the resulting PKCS#12 file (default: opsec.p12) to your fw1-loggrabber directory. opsec_pull_cert -h n myleaclient -p def456 FILTERING Filter rules provide the possibility to display only log entries that match a given set of rules. There can be specified one or more filter rules using one or multiple --filter arguments on the command line. All individual filter rules are related by OR. That means a log entry will be displayed if at least one of the filter rules matches. Within one filter rule, there can be specified multiple arguments. All these arguments are related by AND. That means a filter rule matches a given log entry only, if all of the filter arguments match. Supported filter arguments in normal mode

15 - action=<ctl accept drop reject encrypt decrypt keyinst> - dst=<ip address> - endtime=<yyyymmddhhmmss> - orig=<ip address> - product=<vpn-1 & FireWall-1 SmartDefense> - proto=<icmp tcp udp> - rule=<rulenumber startrule-endrule> - service=<portnumber startport-endport> - src=<ip address> - starttime=<yyyymmddhhmmss> Supported filter arguments in audit mode - action=<ctl accept drop reject encrypt decrypt keyinst> - administrator=<string> - endtime=<yyyymmddhhmmss> - orig=<ip address> - product=<smartdashboard Policy Editor SmartView Tracker SmartView Status SmartView Monitor System Monitor cpstat_monitor SmartUpdate CPMI Client> - starttime=<yyyymmddhhmmss> Negation of arguments If you specify '!=' instead of '=' between name and value of the filter argument, you can negate the name/value pair. Specifying multiple argument values You can specify multiple argument values by separating the values by ','. Specifying IP addresses as argument values For arguments that expect IP addresses, you can specify either a single IP address, multiple IP addresses separated by ',' or a network address with netmask (e.g / ). Currently it's not possible to specify a network address and a single IP address within the same filter argument. Specifying multiple filter arguments Each filter rule can exist of multiple filter arguments which have to be separated by ';'. Examples 1) display all dropped connections --filter "action=drop" 2) display all dropped and rejected connections --filter "action=drop,reject" --filter "action!=accept" 3) display all log entries generated by rules 20 to 23 --filter "rule=20,21,22,23" --filter "rule=20-23"

16 4) display all log entries generated by rules 20 to 23, 30 or 40 to 42 --filter "rule=20-23,30,40-42" 5) display all log entries to and filter "dst= , " 6) display all log entries from / filter "src= / " 7) display all log entries starting from 2004/03/02 14:00:00 --filter "starttime= " FILES fw1-loggrabber.conf FW1-Loggrabber configuration file lea.conf LEA configuration file AUTHOR Torsten Fellhauer <torsten at fellhauer dash web dot de> BUGS Please report bugs using the bug report functionality on the projects website:

17 COPYRIGHT Copyright (c) Torsten Fellhauer, Xiaodong Lin Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met: 1. Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer. 2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution. THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. CREDITS Stefan Siebert for making the start of this project possible. Xiaodong Lin with his excellent Opsec skills for helping me in further development of fw1-loggrabber. This document was created by man2html, using the manual pages. Time: 22:22:05 GMT, February 20, 2005