I’ve recently been trying to improve a SOX process for analysing firewall activity, which is currently based on a manual daily check. As part of that work, I knocked together a quick batch file for automating the export of logs from Check Point FireWall-1, since the logs the firewall writes are in a binary format rather than plain ASCII text. The logs need to be exported with ‘fwm.exe logexport’, which writes a more readable CSV format, so that you can pre-process the data with other tools, such as the excellent fwlogsum.
@ECHO OFF & SETLOCAL ENABLEEXTENSIONS
:: "fw1export.cmd" (version 1.0)
:: by Andrew G. Allen, http://www.andrewallen.co.uk/
:: This work is licenced under the Creative Commons Attribution 3.0 Unported License.
:: To view a copy of this licence, visit: http://creativecommons.org/licenses/by/3.0/

:VARIABLES
SET v_SCRIPTDIR=D:\SCRIPTS
SET v_WORKINGDIR=%v_SCRIPTDIR%\FW1EXPORT
SET v_INPUTDIR=D:\WINNT\FW1\R60\fw1\log
:: Path to the Check Point log export tool (the original read "v_FWM.exe", a typo)
SET v_FWM=D:\WINNT\FW1\R60\fw1\bin\fwm.exe
:END_VARIABLES

:: *** NO EDITING REQUIRED PAST THIS POINT ***
::       1         2         3         4         5         6         7         8
:: 45678901234567890123456789012345678901234567890123456789012345678901234567890

:CODE
IF NOT EXIST %v_SCRIPTDIR% MD %v_SCRIPTDIR%
IF NOT EXIST %v_WORKINGDIR% MD %v_WORKINGDIR%

:: List the rotated log files for the current year. "*.log" also matches the
:: companion "*.logptr" index files (8.3 short-name matching), so filter those out.
DIR /B %v_INPUTDIR%\2007*.log | FIND /V "ptr" > %v_WORKINGDIR%\FW1EXPORT.TMP

:: Export each log that has not already been exported. -n and -p suppress name
:: and port resolution, so the CSV keeps raw addresses and port numbers.
:: Write to a .part file first and rename only on success, so a failed or
:: interrupted export is retried on the next run instead of being skipped.
FOR /F "TOKENS=1 DELIMS=" %%A IN (%v_WORKINGDIR%\FW1EXPORT.TMP) DO (
    IF NOT EXIST %v_WORKINGDIR%\%%A (
        %v_FWM% logexport -n -p -i %v_INPUTDIR%\%%A -o %v_WORKINGDIR%\%%A.part && MOVE /Y %v_WORKINGDIR%\%%A.part %v_WORKINGDIR%\%%A >NUL
    )
)
DEL /Q /F %v_WORKINGDIR%\FW1EXPORT.TMP
:END_CODE
You should set up the attached batch file as a scheduled task that runs once per day, after the logs have rotated.
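The post stops at producing the CSV and leaves the daily review to tools such as fwlogsum. As an added example (not part of the original post, and not fwlogsum or any Check Point code), the script below does the kind of first-pass reduction a daily reviewer wants from one exported file: counts by action and by rule, the noisiest denied sources, and a short list of items to look at by hand. It embeds a constructed sample in the shape of a logexport CSV; the semicolon delimiter, the column names and the two review criteria (a single source dominating the denies, accepted connections to ssh/telnet) are assumptions made for this example, so check the header of a real export before pointing it at one. It also refuses an export with no records or without the expected columns, since a failed or truncated export should not be reviewed as "nothing happened".

```python
import csv
import io
from collections import Counter

# Constructed sample in the shape of a "fwm logexport" CSV: a header row and
# semicolon-separated records. The column names and delimiter are assumptions
# for this example; check the header of a real export before relying on them.
SAMPLE_EXPORT = """\
num;date;time;orig;type;action;i/f_name;i/f_dir;src;dst;proto;rule;service;s_port
0;19Jun2007;00:00:01;10.0.0.1;log;accept;eth1;inbound;192.0.2.10;198.51.100.5;tcp;3;http;40231
1;19Jun2007;00:00:02;10.0.0.1;log;drop;eth0;inbound;203.0.113.7;198.51.100.5;tcp;0;telnet;51000
2;19Jun2007;00:00:02;10.0.0.1;log;drop;eth0;inbound;203.0.113.7;198.51.100.5;tcp;0;ssh;51001
3;19Jun2007;00:00:05;10.0.0.1;log;accept;eth1;inbound;192.0.2.11;198.51.100.5;tcp;3;http;40877
4;19Jun2007;00:00:09;10.0.0.1;log;drop;eth0;inbound;203.0.113.9;198.51.100.6;tcp;7;smtp;33012
5;19Jun2007;00:00:11;10.0.0.1;log;reject;eth0;inbound;203.0.113.7;198.51.100.6;tcp;7;smtp;51002
6;19Jun2007;00:00:14;10.0.0.1;log;accept;eth2;inbound;10.1.1.20;10.1.1.1;tcp;5;ssh;60010
7;19Jun2007;00:00:20;10.0.0.1;log;drop;eth0;inbound;198.18.0.4;198.51.100.5;udp;0;netbios-ns;137
"""

REQUIRED_FIELDS = ("action", "rule", "src", "dst", "service")
DENY_ACTIONS = {"drop", "reject"}
# Services the reviewer treats as sensitive when accepted (constructed policy).
MANAGEMENT_SERVICES = {"ssh", "telnet"}


def parse_export(text, delimiter=";"):
    """Parse logexport CSV text into a list of dicts, one per record.

    Raises ValueError if the header lacks the fields the review needs or the
    export has no records, so a truncated or failed export is noticed rather
    than silently reviewed as an empty day.
    """
    reader = csv.DictReader(io.StringIO(text), delimiter=delimiter)
    fields = reader.fieldnames or []
    missing = [f for f in REQUIRED_FIELDS if f not in fields]
    if missing:
        raise ValueError(f"export lacks expected columns: {missing}")
    records = list(reader)
    if not records:
        raise ValueError("export has a header but no records")
    return records


def summarise(records):
    """Counts a daily reviewer wants first: by action, by rule, noisiest denied sources."""
    by_action = Counter(r["action"] for r in records)
    by_rule = Counter((r["rule"], r["action"]) for r in records)
    denied_src = Counter(r["src"] for r in records if r["action"] in DENY_ACTIONS)
    return {
        "total": len(records),
        "by_action": dict(by_action),
        "by_rule": dict(by_rule),
        "top_denied_src": denied_src.most_common(5),
    }


def review_flags(records, dominant_share=0.5):
    """Items to check by hand: one source dominating the denies, and accepted
    connections to management services (criteria chosen for this example)."""
    flags = []
    denied = [r for r in records if r["action"] in DENY_ACTIONS]
    if denied:
        src, n = Counter(r["src"] for r in denied).most_common(1)[0]
        if n / len(denied) > dominant_share:
            flags.append(f"{src} accounts for {n}/{len(denied)} denied connections")
    for r in records:
        if r["action"] == "accept" and r["service"] in MANAGEMENT_SERVICES:
            flags.append(f"accepted {r['service']} from {r['src']} to {r['dst']} (rule {r['rule']})")
    return flags


if __name__ == "__main__":
    recs = parse_export(SAMPLE_EXPORT)
    for key, value in summarise(recs).items():
        print(f"{key}: {value}")
    for flag in review_flags(recs):
        print("FLAG:", flag)
```

To run it against a real export, replace `SAMPLE_EXPORT` with the contents of one of the files the batch script writes into the working directory; because the reviewer thresholds and the service list live in named constants, the criteria for the SOX check can be adjusted without touching the parsing.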
Audio version of this post available here: Download MP3


