certego / fw1-loggrabber

FW1-Loggrabber is a command-line tool to grab logfiles from remote Checkpoint devices using OPSEC LEA (Log Export API)
GNU General Public License v2.0

loc field missing #7

Closed sumanar closed 8 years ago

sumanar commented 8 years ago

I miss the previously picked 'loc' field in v2 of fw1-loggrabber. For example, this is a log grabbed by fw1-loggrabber-v1: loc=1234567|time=2015-12-07 05:08:08|orig=127.0.0.1|i/f_dir=inbound|has_accounting=0|uuid=<00000000,00000000,00000000,00000000>|product=Syslog

This is a log grabbed by fw1-loggrabber-v2: time=2015-12-07 05:08:08|orig=127.0.0.1|i/f_dir=inbound|has_accounting=0|uuid=<00000000,00000000,00000000,00000000>|product=Syslog

The number field, i.e. the 'loc' field, is no longer grabbed. This makes it difficult for me to search logs. Can we have a fix for this?

Thank you for your time.

adepasquale commented 8 years ago

@sumanar what is the content of the loc field?

sumanar commented 8 years ago

@adepasquale According to the code in fw1-loggrabber v1, the loc header field value = lea_get_record_pos (pSession) - 1. The FIELDS in fw1-loggrabber.conf also understood the loc field. Please let me know if the fw1-loggrabber team decides to generate this field. Thank you.

adepasquale commented 8 years ago

Unfortunately I cannot find that field in the most up-to-date documentation. I will need to further investigate the v1 source code.

adepasquale commented 8 years ago

@sumanar is loc simply an incremental counter, i.e. the position of the record in the log file?

sumanar commented 8 years ago

The loc field is the return value of the lea_get_record_pos method of OPSEC:

/* Returns the number of the next log record */
DLLIMP int lea_get_record_pos(OpsecSession *session);

According to OPSEC SDK 6.0 Documentation for LEA, this is

the ordinal number of the next log record to be read in the current log file.

P.S.: I hope it is okay if I customize fw1-loggrabber for my purpose and add this field for myself (if we do not need this field in fw1-loggrabber).

Thank you.
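To make the two points in this thread concrete (the pipe-delimited record format quoted in the first comment, and the v1 derivation of loc as lea_get_record_pos minus one described above), here is an added example that is not part of fw1-loggrabber or this issue. It parses records in that format, computes loc the way v1 did from a record position, and checks a batch of records for missing, skipped or repeated loc values, which is what a log consumer would use the field for. The sample lines are constructed after the ones quoted in the issue; no OPSEC library is used, and the record-position semantics are taken from the SDK quote above.

```python
"""Parse fw1-loggrabber style records and check loc coverage (added example)."""
from typing import Dict, List

# Constructed sample records modelled on the v1 format quoted in the issue.
# The third record deliberately skips loc 1234569 to show gap detection.
V1_LINES = [
    "loc=1234567|time=2015-12-07 05:08:08|orig=127.0.0.1|i/f_dir=inbound|has_accounting=0|uuid=<00000000,00000000,00000000,00000000>|product=Syslog",
    "loc=1234568|time=2015-12-07 05:08:09|orig=127.0.0.1|i/f_dir=inbound|has_accounting=0|uuid=<00000000,00000000,00000000,00000000>|product=Syslog",
    "loc=1234570|time=2015-12-07 05:08:10|orig=127.0.0.1|i/f_dir=inbound|has_accounting=0|uuid=<00000000,00000000,00000000,00000000>|product=Syslog",
]
# Constructed v2-style record: same content, no loc field.
V2_LINE = "time=2015-12-07 05:08:08|orig=127.0.0.1|i/f_dir=inbound|has_accounting=0|uuid=<00000000,00000000,00000000,00000000>|product=Syslog"


def parse_record(line: str) -> Dict[str, str]:
    """Split a 'key=value|key=value' record into a dict.

    Only the first '=' of each field separates key from value, so keys such
    as 'i/f_dir' and values containing spaces or commas (time, uuid) survive.
    """
    fields: Dict[str, str] = {}
    for chunk in line.rstrip("\n").split("|"):
        if not chunk:
            continue
        key, sep, value = chunk.partition("=")
        if not sep:
            raise ValueError(f"malformed field (no '='): {chunk!r}")
        fields[key] = value
    return fields


def loc_from_record_pos(next_pos: int) -> int:
    """loc as v1 derived it (per the thread): lea_get_record_pos() returns the
    ordinal number of the *next* record to be read, so the record that was
    just read is that value minus one."""
    return next_pos - 1


def check_loc_sequence(lines: List[str]) -> dict:
    """Summarise loc coverage over a batch of records.

    Reports records that lack the field, and per origin device, consecutive
    loc values that jump by more than one (possible dropped records), repeat
    (possible duplicates) or go backwards (reordered delivery).
    """
    missing: List[int] = []
    gaps: List[tuple] = []
    duplicates: List[tuple] = []
    reordered: List[tuple] = []
    last_by_orig: Dict[str, int] = {}
    for idx, line in enumerate(lines):
        rec = parse_record(line)
        if "loc" not in rec:
            missing.append(idx)
            continue
        loc = int(rec["loc"])
        orig = rec.get("orig", "?")
        prev = last_by_orig.get(orig)
        if prev is not None:
            if loc == prev:
                duplicates.append((orig, loc))
            elif loc > prev + 1:
                gaps.append((orig, prev, loc))
            elif loc < prev:
                reordered.append((orig, prev, loc))
        last_by_orig[orig] = loc
    return {
        "missing": missing,
        "gaps": gaps,
        "duplicates": duplicates,
        "reordered": reordered,
    }


if __name__ == "__main__":
    print(check_loc_sequence(V1_LINES))
    print(check_loc_sequence([V2_LINE]))
```

Running the module prints one gap for the constructed v1 batch (1234568 to 1234570) and reports the v2 record as missing the field, which is exactly the search and continuity problem the reporter describes.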

adepasquale commented 8 years ago

I hope it is okay if I customize fw1-loggrabber for my purpose and add this field for myself (if we do not need this field in fw1-loggrabber).

Sure it is, feel free to make a pull request.

ghost commented 8 years ago

Is this currently implemented?

adepasquale commented 8 years ago

I don't think so, let's ask @sumanar for any news.

sumanar commented 8 years ago

No. This is not added to the new fw1-loggrabber.

sumanar commented 8 years ago

@adepasquale I have added code to fetch the 'loc' field in the fw1-loggrabber.c file. Please create a branch for me so that I can commit my changes on that branch (and send you a pull request too).

adepasquale commented 8 years ago

Thanks! Just create your fork with a custom branch and submit a pull request from there :smile: