FireWall-1 FAQ: Logging to Syslog
Please note: This content was from when I was operating my FireWall-1 FAQ site, which I stopped operating in August 2005. For some reason people still have links to this stuff on the Internet, and people are still clicking on them.
I am making this information available again AS IS. Given how old this information is, it is likely wildly inaccurate. I have no plans to update this information.
If you're still running versions of Check Point VPN-1/FireWall-1 where this information is still relevant to you, do yourself a favor and upgrade to a more recent release. If you happen to be running a current release and the information is useful, it's by happenstance :)
To log specific events to syslog, I use 'User-Defined' logging. My user-defined program (defined in the Rulebase Properties, Logging and Alerting tab) is /usr/ucb/logger -p daemon.notice. The path to the 'logger' utility varies by OS.
Another alternative is to log everything to syslog. You can do this with the command:
$FWDIR/bin/fw log -f 2>>/var/adm/fw-log.log | /bin/logger -p local5.info > /dev/null 2>&1 &
This command runs in the background (the trailing &) and logs everything to syslog; stderr from 'fw log' goes to /var/adm/fw-log.log. It is best to put this into a boot script that runs after FireWall-1 loads, so that everything is dumped to syslog from startup onwards.
In Windows, you can use WSH (verified with version 5.6). If needed, you can get it at: msdn.microsoft.com/scripting.
The script is:
Set objShell = CreateObject("WScript.Shell")
' Run "fw log" in follow mode and read its output one line at a time
Set objWshScriptExec = objShell.Exec("fw log -ft -l -n")
Set objStdOut = objWshScriptExec.StdOut
While Not objStdOut.AtEndOfStream
    strLine = objStdOut.ReadLine
    ' Forward only lines that mention a drop; window style 0 and no wait so no console window pops up
    If InStr(strLine, "drop") Then
        objShell.Run "c:\klog\klog -h 10.0.0.1 -L Alert -F User -m """ & strLine & """", 0, False
    End If
Wend
The idea is to run the "fw log" command from within the script, so that its StdOut can be read line by line into a variable (strLine).
Now, you will need Kiwi Logger (KLog), a console-mode utility that sends text messages to a syslog daemon. Get it at: http://www.kiwisyslog.com/products.htm
You will use the variable strLine as the message (-m) option in KLog. All you have to do now is save this script as "anything.vbs" in the FW /bin folder and call it like this:
As you can see from the script, you can filter on any kind of text before sending it to syslog. In the case above, only dropped packets will be sent. Running KLog via objShell.Run "command", 0, False (window style 0, do not wait for it to finish) avoids the zillion klog shell windows that would otherwise be opened. It does not seem to put any noticeable load on the processor.
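The two recipes above do the same job in different ways: the Unix pipeline hands every 'fw log' line to 'logger -p local5.info', and the Windows script filters for "drop" and hands each match to KLog. The following Python script is an added example, not from the FAQ, Check Point or Kiwi; it is a portable stand-in for both that shows what 'logger -p local5.info' actually puts on the wire (an RFC 3164 datagram whose PRI is facility * 8 + severity) and applies the same "drop" filter, but on whole words so that a service or host name containing the letters "drop" is not forwarded by mistake. The sample log lines are constructed and only loosely modelled on 'fw log -ft -l -n' output, which differs between FireWall-1 versions; the script name, the --drops flag and the fw1/fw hostname and tag are my assumptions.

```python
"""Forward Check Point FireWall-1 'fw log' output to a syslog server over UDP.

Added example (not from the FAQ or Check Point). Assumed usage, mirroring
the pipeline on the page:   fw log -ft -l -n | python fw_to_syslog.py <server> [--drops]
"""
import socket
import sys
from datetime import datetime

# Facility and severity codes from RFC 3164 (only the ones used on the page).
FACILITIES = {"user": 1, "daemon": 3, "local5": 21}
SEVERITIES = {"alert": 1, "notice": 5, "info": 6}


def priority(spec):
    """PRI value for a 'facility.severity' string, e.g. 'local5.info' -> 21 * 8 + 6 = 174.

    This is the number 'logger -p local5.info' puts inside the leading '<...>'.
    """
    facility, severity = spec.split(".")
    return FACILITIES[facility] * 8 + SEVERITIES[severity]


def build_message(spec, hostname, tag, text, when):
    """Build an RFC 3164 packet: <PRI>TIMESTAMP HOSTNAME TAG: MSG (day of month space padded)."""
    timestamp = f"{when:%b} {when.day:2d} {when:%H:%M:%S}"
    return f"<{priority(spec)}>{timestamp} {hostname} {tag}: {text}"


def is_drop(line):
    """Same intent as the VBScript's InStr(strLine, "drop"), but on whole words only."""
    return "drop" in line.split()


def forward(lines, spec="local5.info", hostname="fw1", tag="fw", only_drops=False,
            sock=None, dest=("127.0.0.1", 514), when=None):
    """Filter 'fw log' lines, build a syslog message for each survivor and optionally send it.

    Returns the list of messages built so the result can be inspected without a network.
    """
    sent = []
    for raw in lines:
        line = raw.rstrip("\r\n")
        if not line or (only_drops and not is_drop(line)):
            continue
        msg = build_message(spec, hostname, tag, line, when or datetime.now())
        if sock is not None:
            # RFC 3164 limits a packet to 1024 bytes; truncate rather than drop the event.
            sock.sendto(msg.encode("utf-8")[:1024], dest)
        sent.append(msg)
    return sent


# Constructed sample lines, loosely in the style of 'fw log -ft -l -n'; illustrative only.
SAMPLE_LINES = [
    "12Mar2005 10:22:17 accept eth0 inbound src 10.1.1.5 dst 10.2.2.9 proto tcp service http rule 4",
    "12Mar2005 10:22:18 drop eth0 inbound src 192.0.2.7 dst 10.2.2.9 proto tcp service telnet rule 12",
    "12Mar2005 10:22:19 accept eth1 outbound src 10.2.2.9 dst 198.51.100.3 proto tcp service dropbox rule 5",
    "12Mar2005 10:22:20 drop eth0 inbound src 192.0.2.7 dst 10.2.2.9 proto udp service snmp rule 12",
]


if __name__ == "__main__":
    # Read 'fw log' output from stdin and send it to the server named on the command line.
    args = [a for a in sys.argv[1:] if not a.startswith("--")]
    target = (args[0], 514) if args else ("127.0.0.1", 514)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as udp:
        for message in forward(sys.stdin, only_drops="--drops" in sys.argv, sock=udp, dest=target):
            print(message)
```

With the constructed sample, forward(SAMPLE_LINES, only_drops=True) yields two messages (the telnet and snmp drops) and skips the "dropbox" line; without the filter all four lines are forwarded, which is the behaviour of the Unix 'fw log -f | logger' pipeline. Like the VBScript, the script is only as reliable as the process it is piped from: if 'fw log -f' exits, the forwarder exits with it, which is why the page recommends starting it from a boot script.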