What is it?

Logger is an MS Access 97 database that will query you FW1 logs.  You can easily create and add your own queries once you get the hang of Access.  Its easy to share the "SQL code", so we can share among each other queries we make.  So far I have successfully created only 3 queries.

• WWW - Outbound What are the TOP TEN web sites my company is hitting (good for management)
• WWW - Inbound  What are the TOP TEN IP addresses that are hitting my webserver (good for marketing)
• Drop/Reject - What are the TOP FIVE IP addresses that the FW keeps dropping/rejecting (good for security)

Step one - Convert your fw.log file to an ascii file
You first have to convert the Firewall 1 log file into ascii, so you can import it into the database.  You can do this at the command prompt

fw logexport -i fw.log -o fwlog.txt -n

Note, with the -n parameter you do not resolve IP address, which is MUCH FASTER.  After you logexport the binary log file to ascii, this is what the first line of the ascii file should look like.

num;date;time;orig;type;action;alert;i/f_name;i/f_dir;proto;src;dst;service;s_port;len;rule;icmp-type;icmp-code;user;reason;sys_msgs

If the first line does not look like this, DO NOT PANIC.  Consistency is not a Checkpoint FW1 quality :)   Different people tend to get the fields in a different order.  All you need to do is change the order of the fields in the database table.  Don't worry if you do not know how, you will understand after reading this page..  NOTE:  If you are using NAT, you will have four extra fields in your database, xlatsrc, xlatdest, xlatdst, xlatsport, xlatdport.  You will have to add these four fields to the database table, in the order that they are listed in your ascii file.
 
 
Step two - Massaging the data
Okay, now we have to tweak that data so Access can import it.  Regardless if you are using Unix or NT, you will want to blow away the very first line of the log file.  This is nothing but headers.

Now, just for you Unix users, MS programs use the ^M character as the return character. (If you don't know what I am talking about, you can see the control characters in vi with ":set list").   Thus, Access will not be able to import your Ascii file.  You will need to add the ^M character to the end of every line.  There are several ways to do this.

1. For you hardcore 'vi' types, open the file in 'vi', and do a global search and replace, adding the ^M character at the end.
2. Most flavors of unix (including Solaris) come with a 'unix2dos(1)' utility that does it for you.
• unix2dos [ -ascii ] [ -iso ] [ -7 ] originalfile convertedfile
3. Or for those who prefer the Windows GUI, try the following
• Open the ascii fwlog file file in any editor (Wordpad, Word for Windows, etc.)
• "Select all"  under the edit menu and then copy everything to the clipboard (this may take a while)
• Create a new file, and paste the data in the new file (make sure you are saving this as a TXT Document).
• Save the new file as fwlog.txt - MS has just added the required ^M

• Top ten drops / rejects.
• This query determines the 5 IP addresses that have been dropped / rejected by your Firewall.  Potentially these IP addresses are scanning your network.  Remeber if you are dropping AND logging broadcasts or NetBIOS packets (such as nbtsession) the query will count these.  You can eliminate this by dropping these packets in your rule base, but not logging them.
• To configue this query, just go into the query design, and replace the IP 192.168.1.*  with you network IP address, the "*" represents the broadcast address.  Make sure you keep the quotes.
• WWW Inbound
• This query determines the top ten IP addresses that are hitting your webserver.
• To configure this query, just go into the query design, and replace the IP address 192.168.1.1 with the Valid IP address of your webserver.  Make sure you keep the quotes.
• WWW Oubound
• This query determines the top ten websites (by IP address) that your employees are hitting.
• To configure this query, just go into the query design, and replace the IP address 192.168.1.* with your network IP addres, the "*" represents the broadcast address.  Make sure you keep the quotes.