certego / fw1-loggrabber

FW1-Loggrabber is a command-line tool to grab logfiles from remote Checkpoint devices using OPSEC LEA (Log Export API)
GNU General Public License v2.0

Fw1-Loggrabber log storage #22

Closed ThreatHunterDiary closed 7 years ago

ThreatHunterDiary commented 8 years ago

I'm sure this is not an issue, but I am new to this and I did not have anywhere to go for this. So, my question is: after successfully running the command fw1-loggrabber -c fw1-loggrabber.conf -l lea.conf, I am not getting anything on the console. Where will the logs coming from the Checkpoint firewall be? How are they stored on the system?

I am asking these questions because I am planning to forward these logs to Fluentd.

adepasquale commented 8 years ago

Could you please paste the content of your fw1-loggrabber.conf file?

Here is some relevant documentation: https://github.com/certego/fw1-loggrabber/wiki/Configure-and-run-FW1-LogGrabber#fw1-loggrabberconf-file

ThreatHunterDiary commented 8 years ago

Hi @adepasquale,

Output of my fw1-loggrabber.conf file:

> DEBUG_LEVEL="0"
> FW1_LOGFILE="fw.log"
> FW1_OUTPUT="logs"
> FW1_TYPE="ng"
> FW1_MODE="normal"
> ONLINE_MODE="yes"
> RESOLVE_MODE="no"
> RECORD_SEPARATOR="|"
> DATEFORMAT="std"
> LOGGING_CONFIGURATION=screen
> OUTPUT_FILE_PREFIX="fw1-loggrabber"
> OUTPUT_FILE_ROTATESIZE=1048576
> SYSLOG_FACILITY="LOCAL1"

And I have gone through your documentation, but couldn't get my head around all of it. As much as I understood, I put in the lea.conf and fw1-loggrabber.conf files.

ThreatHunterDiary commented 8 years ago

Hi @adepasquale

I even tried changing fw1-loggrabber.conf file to:

> DEBUG_LEVEL="0"
> FW1_LOGFILE="fw.log"
> FW1_OUTPUT="logs"
> FW1_TYPE="ng"
> FW1_MODE="normal"
> ONLINE_MODE="yes"
> RESOLVE_MODE="no"
> RECORD_SEPARATOR="|"
> DATEFORMAT="std"
> LOGGING_CONFIGURATION=file
> OUTPUT_FILE_PREFIX="/opt/fw1-loggrabber_files/fw1-loggrabber"
> OUTPUT_FILE_ROTATESIZE=1048576
> SYSLOG_FACILITY="LOCAL1"

Still, I am not getting anything in there!

Any idea on what could be wrong?

ThreatHunterDiary commented 7 years ago

Hi @adepasquale,

Got it working.