Hi,
For the last 5 years logs have been archived from the Firewall.
Yesterday, the logs were analysed: the first line of each CSV was read
and the file was analysed to find the maximum size of each field.
According to the results from 10,000 CSV logs, there were 9571 record
formats. Has Check Point ever published details of the CSV output format?
earliest format and field sizes (prefixed fw)
num;date;time;orig;type;action;alert;i/f_name;i/f_dir;proto;src;dst;service;s_port;len;rule;xlatesrc;xlatedst;xlatesport;xlatedport;agent;orig_from;orig_to;from;to;reason;icmp-type;icmp-code;reason:;srckeyid;dstkeyid;scheme:;methods:;h_len;ip_vers;message;error notification:;IKE Log:;Negotiation Id:;user;res_action;resource;sys_msgs
fwnum:5;fwdate:9;fwtime:8;fworig:13;fwtype:3;fwaction:6;fwalert:8;fwifname:4;fwifdir:8;fwproto:3;fwsrc:13;fwdst:11;fwservice:10;fwsport:5;fwlen:2;fwrule:1;fwxlatesrc:12;fwxlatedst:13;fwxlatesport:5;fwxlatedport:3;fwagent:13;fworigfrom:86;fworigto:44;fwfrom:86;fwto:44;fwreason:83;fwicmptype:1;fwicmpcode:1;fwreason1:30;fwsrckeyid:10;fwdstkeyid:10;fwscheme:3;fwmethods:33;fwhlen:2;fwipvers:1;fwmessage:42;fwerrornotification:10;fwikelog:38;fwnegotiationid:16;fwuser:9;fwresaction:11;fwresource:30;fwsysmsgs:0
latest format and field sizes (prefixed fw)
num;date;time;orig;type;action;alert;i/f_name;i/f_dir;product;log_sys_message;rule;rule_uid;rule_name;service_id;src;dst;proto;xlatesrc;xlatedst;NAT_rulenum;NAT_addtnl_rulenum;service;s_port;xlatedport;xlatesport;scheme:;methods:;peer gateway;encryption failure:;partner;community;fw_subproduct;vpn_feature_name;ICMP;ICMP Type;ICMP Code;message_info;msg;TCP packet out of state;tcp_flags;vpn_user;srckeyid;dstkeyid;IKE:;CookieI;CookieR;msgid;IKE notification:;Certificate DN:;IKE IDs:;user;reason:;Session:;L2TP:;PPP:;MAC:;OM:;om_method:;assigned_IP:;machine:;PS;Attack Info;attack;DCE-RPC Interface UUID;Total logs;Suppressed logs;VPN internal source IP;start_time;elapsed
fwnum:5;fwdate:9;fwtime:8;fworig:13;fwtype:3;fwaction:6;fwalert:5;fwifname:3;fwifdir:7;fwproduct:18;fwlogsysmessage:60;fwrule:2;fwruleuid:38;fwrulename:0;fwserviceid:4;fwsrc:12;fwdst:13;fwproto:3;fwxlatesrc:13;fwxlatedst:13;fwnatrulenum:2;fwnataddtnlrulenum:1;fwservice:4;fwsport:4;fwxlatedport:10;fwxlatesport:5;fwscheme:3;fwmethods:29;fwpeergateway:13;fwencryptionfailure:52;fwpartner:0;fwcommunity:10;fwfwsubproduct:5;fwvpnfeaturename:3;fwicmp:12;fwicmptype:1;fwicmpcode:1;fwmessageinfo:12;fwmsg:225;fwtcppacketoutofstate:22;fwtcpflags:3;fwvpnuser:0;fwsrckeyid:10;fwdstkeyid:10;fwike:21;fwcookiei:16;fwcookier:16;fwmsgid:8;fwikenotification:0;fwcertificatedn:0;fwikeids:52;fwuser:9;fwreason:89;fwsession:0;fwl2tp:0;fwppp:0;fwmac:17;fwom:66;fwommethod:8;fwassignedip:10;fwmachine:0;fwps:42;fwattackinfo:41;fwattack:29;fwdcerpcinterfaceuuid:36;fwtotallogs:1;fwsuppressedlogs:1;fwvpninternalsourceip:10;fwstarttime:18;fwelapsed:10
--
Regards
Russell
Email: russell dot aspinwall at flomerics dot co dot uk
Network and Systems Administrator Flomerics Ltd
Telephone: 020-8941-8810 x3116 81 Bridge Road
Facsimile: 020-8941-8730 Hampton Court
Surrey, KT8 9HH
United Kingdom
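As an added example (not part of the post above), a Python script that reproduces the analysis the post describes on constructed sample files: it reads the first line of each semicolon-delimited CSV as the header, maps headers to the fw-prefixed names the post uses (lowercase, non-alphanumerics dropped, a header repeated within one file such as the second reason: given a numeric suffix), counts distinct header formats across the archive, and records the longest value seen per field. The file names and contents are constructed for the example.

```python
import csv
import io
import re
from collections import Counter, defaultdict

# Constructed sample standing in for files read from the archive: two
# semicolon-delimited Check Point exports whose header rows differ.
SAMPLE_LOGS = {
    "fw_2003.csv": (
        "num;date;time;orig;type;action;src;dst;reason:;reason:\n"
        "1;12Mar2003;10:01:02;10.0.0.1;log;accept;10.0.0.5;192.0.2.9;ok;\n"
        "2;12Mar2003;10:01:03;10.0.0.1;log;drop;10.0.0.77;192.0.2.10;rule 3 matched;x\n"
    ),
    "fw_2008.csv": (
        "num;date;time;orig;type;action;product;src;dst;ICMP Type\n"
        "1;01Jan2008;00:00:01;10.0.0.1;log;drop;VPN-1 & FireWall-1;10.0.0.9;192.0.2.1;8\n"
    ),
}

def fw_name(field, seen):
    """Map a header to the post's 'fw' + alphanumerics naming (i/f_name -> fwifname);
    a header seen twice in one file gets a numeric suffix (second reason: -> fwreason1)."""
    base = "fw" + re.sub(r"[^a-z0-9]", "", field.lower())
    seen[base] += 1
    return base if seen[base] == 1 else f"{base}{seen[base] - 1}"

def profile(files):
    """Return (Counter of header formats, max value width per fw field)."""
    formats = Counter()
    widths = defaultdict(int)
    for text in files.values():
        reader = csv.reader(io.StringIO(text), delimiter=";")
        header = next(reader, None)
        if not header:
            continue  # empty export: no header line to read
        seen = Counter()
        names = [fw_name(h, seen) for h in header]
        formats[tuple(names)] += 1
        for row in reader:
            # a short row leaves its missing trailing fields untouched
            for name, value in zip(names, row):
                widths[name] = max(widths[name], len(value))
    return formats, dict(widths)

if __name__ == "__main__":
    fmts, w = profile(SAMPLE_LOGS)
    print(f"{len(fmts)} record formats across {sum(fmts.values())} files")
    print(";".join(f"{k}:{v}" for k, v in w.items()))
```

The distinct-format count is the measure of schema drift across the archive, and the per-field maxima are what you need before loading old exports into a fixed-width or fixed-column store.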
Flomerics Group plc, Registered Office 81 Bridge Road, Hampton Court, Surrey,
KT8 9HH. Registered No. 2327348. This e-mail is confidential and intended
solely for the use of the individual to whom it is addressed. Any views or
opinions presented are solely those of the author and do not necessarily
represent those of Flomerics Group plc or its subsidiaries. If you are not the
intended recipient of this e-mail you may not copy, use, forward or disclose
its contents to any other person ; please notify our Computer Service Desk on
+44 (0)20 8487 3000 and destroy and delete the message and attachments from
your system.
For more information on Flomerics visit our web site at www.flomerics.com
=================================================
To set vacation, Out-Of-Office, or away messages,
send an email to LISTSERV AT amadeus.us.checkpoint DOT com
in the BODY of the email add:
set fw-1-mailinglist nomail
=================================================
To unsubscribe from this mailing list,
please see the instructions at
http://www.checkpoint.com/services/mailing.html
=================================================
If you have any questions on how to change your
subscription options, email
fw-1-owner AT ts.checkpoint DOT com
=================================================