Firewall's log entries of different vendors

I'm writing a script in which I need to parse firewall's log, but as I only have access to iptables, it's the only one that I have added so far.

So if you have access to, or know the format, CISCO, Juniper, Checkpoint, etc firewalls, can you paste here an entry of the logs? Basically I'm interested in the syntax of source IPs, but if you paste the full entry would be better.

Find more posts tagged with

Free for TechExams community: Cybersecurity salary guide

Compare cert salaries and plan your next career move

Button

Comments

d4nz1g

Hi mate.

In ASA, the ACL logs are given as a syslog message (code 5 or 6, can't remember).
I will be checking for the text logs of our checkpoint, and I'll get back here with the format.

d4nz1g

"33" "30Jun2015" "6:24:18" "src INTERFACE" "log source-box name" "Log" "Accept" "TCP_3000" "49257" "Host_10.56.2.157" "10.159.60.49" "tcp" " - Rule number -43" "" "Rule number again 43" "" "" "Security Gateway/Management" "" ""

yzT

thanks! I understand the source is 10.159.60.49:49257 and the destination is 10.56.2.157:3000. Is it right? Or is it the other way around?

d4nz1g

Hi mate

Actually it is: dst port - sport - source add - dst addr

just got this log right here: "domain-udp" "58153" "Host_one of our public add" "Host_8.8.8.8"

In that log, that would be Host_10.56.2.157:49257 to 10.159.60.49:3000

UnixGuy

How about configuring a SIEM to do that?

eSenpai

UnixGuy wrote: »

How about configuring a SIEM to do that?

Agree with UnixGuy.
I am curious as to why you are reinventing the wheel here and not exploring the many options already out there.
Care to expound?

yzT

because I'm not looking for a SIEM solution, I'm writing a script that everyone can use without further installations and configurations

eSenpai

yzT wrote: »

because I'm not looking for a SIEM solution, I'm writing a script that everyone can use without further installations and configurations

Yes, but is that the sum total of your use case? Log scrapping en masse doesn't get you much without real intelligence built into it and we have been through that numerous times in *NIX and even Windows over the years where we go through this exercise only to have the human who must manually react to things that have already happened eventually stop reacting to it or not react to it in a timely manner w/o some sort of escalating intelligence built in which means that you are back to a SIEM like application (or even an IDS) and thus recreating a wheel better served by actual programming vs scripting.

Stated another way, if you are good enough to script everything required then your time would be much better served by building(programming) a better application...unless you have a particular use case that scripting somehow works better for than the many solutions to log collating, analysis and escalation that already exist for free. Try not to be offended or defensive by any of that, it is genuine interest in what you are doing and why.

yzT

I didn't say what I'm doing, did I?

You are talking about applying intelligence and you don't even know whether or not I'm doing that already. I only asked for log entries of firewalls system which I don't have access to, and you started building your own conjectures.

eSenpai

You are saying that I conjectured but in fact I asked first and you responded obliquely. It would have just been better to say "None of your bloody business" or "I can't get into it." vs replying as if you were doing that same thing 1000's of sysadmins have done over the years that eventually falls on deaf ears.

Meh....because if you doing any of that which I was forced to conjecture on so as to make a point then you are just recreating a wheel that already exists. Thus, without a spectacular use case...I would say your intelligence would be much better spent elsewhere but it's your time to waste.