Firewall log entries of different vendors

yzT Member Posts: 365
I'm writing a script in which I need to parse firewall logs, but as I only have access to iptables, it's the only one that I have added so far.

So if you have access to, or know the format of, Cisco, Juniper, Check Point, etc. firewalls, can you paste here an entry of the logs? Basically I'm interested in the syntax of source IPs, but pasting the full entry would be better.

Comments

  • d4nz1g Member Posts: 464
    Hi mate.

    In ASA, the ACL logs are given as a syslog message (code 5 or 6, can't remember).
    I will be checking for the text logs of our checkpoint, and I'll get back here with the format.
  • d4nz1g Member Posts: 464
    "33" "30Jun2015" "6:24:18" "src INTERFACE" "log source-box name" "Log" "Accept" "TCP_3000" "49257" "Host_10.56.2.157" "10.159.60.49" "tcp" " - Rule number -43" "" "Rule number again 43" "" "" "Security Gateway/Management" "" ""
  • yzT Member Posts: 365
    Thanks! I understand the source is 10.159.60.49:49257 and the destination is 10.56.2.157:3000. Is it right? Or is it the other way around?
  • d4nz1g Member Posts: 464
    Hi mate

    Actually it is: dst port - sport - source add - dst addr

    just got this log right here: "domain-udp" "58153" "Host_one of our public add" "Host_8.8.8.8"

    In that log, that would be Host_10.56.2.157:49257 to 10.159.60.49:3000
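As an added example (not code from the thread or from Check Point), here is a small Python parser that applies the field order d4nz1g describes above (service/destination port, source port, source address, destination address, protocol) to the quoted Check Point export line, strips the "Host_" object-name prefix to recover the raw IP, and normalizes the result into the same record as a netfilter/iptables LOG line, which is the format the original poster already has. The iptables layout (`SRC=`/`DST=`/`PROTO=`/`SPT=`/`DPT=` key-value pairs after the `--log-prefix`), the assumption that the Check Point service object "domain-udp" means UDP/53, and the second and third sample lines are mine; the first sample is d4nz1g's line verbatim.

```python
import csv
import re
from dataclasses import dataclass
from typing import List, Optional

# Sample lines. The first is the Check Point export posted in the thread; the other two
# are constructed (documentation-range addresses) and not captured from real traffic.
CHECKPOINT_SAMPLE = (
    '"33" "30Jun2015" "6:24:18" "src INTERFACE" "log source-box name" "Log" "Accept" '
    '"TCP_3000" "49257" "Host_10.56.2.157" "10.159.60.49" "tcp" " - Rule number -43" "" '
    '"Rule number again 43" "" "" "Security Gateway/Management" "" ""'
)
CHECKPOINT_DNS_SAMPLE = (
    '"34" "30Jun2015" "6:24:19" "eth1" "fw-gw" "Log" "Accept" "domain-udp" "58153" '
    '"Host_198.51.100.20" "Host_8.8.8.8" "udp" "" "" "" "" "" "" "" ""'
)
IPTABLES_SAMPLE = (
    "Jun 30 06:24:20 gw kernel: [12345.678] DROP-INPUT: IN=eth0 OUT= "
    "MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.7 DST=192.0.2.10 "
    "LEN=60 TOS=0x00 PREC=0x00 TTL=54 ID=0 DF PROTO=TCP SPT=45678 DPT=22 WINDOW=65535 RES=0x00 SYN URGP=0"
)


@dataclass
class FlowRecord:
    """Vendor-neutral view of one allow/deny log entry."""
    vendor: str
    action: str
    proto: str
    src_ip: str
    src_port: Optional[int]
    dst_ip: str
    dst_port: Optional[int]


_HOST_OBJ = re.compile(r"^Host_(\d{1,3}(?:\.\d{1,3}){3})$")   # Check Point host object name
_PORT_SERVICE = re.compile(r"^(TCP|UDP)_(\d+)$", re.IGNORECASE)  # e.g. TCP_3000
_NAMED_SERVICES = {"domain-udp": 53}  # assumed mapping for a predefined service object
_KV = re.compile(r"(\w+)=(\S*)")  # iptables KEY=value tokens (flags like DF/SYN are skipped)


def _to_int(value: str) -> Optional[int]:
    return int(value) if value.isdigit() else None


def _host_object_ip(field: str) -> str:
    """Return the bare IP when the field is a 'Host_<ip>' object name, else the field as-is."""
    m = _HOST_OBJ.match(field)
    return m.group(1) if m else field


def _service_port(service: str) -> Optional[int]:
    """Destination port from a Check Point service name, or None if it cannot be derived."""
    m = _PORT_SERVICE.match(service)
    return int(m.group(2)) if m else _NAMED_SERVICES.get(service.lower())


def parse_checkpoint(line: str) -> FlowRecord:
    """Parse a Check Point text export: space-separated, double-quoted fields.
    Columns 6..11 are action, service (dst port), source port, source, destination, protocol."""
    fields = next(csv.reader([line], delimiter=" ", quotechar='"'))
    if len(fields) < 12:
        raise ValueError(f"Check Point line has only {len(fields)} fields")
    action, service, sport, src, dst, proto = fields[6:12]
    return FlowRecord("checkpoint", action, proto.lower(), _host_object_ip(src),
                      _to_int(sport), _host_object_ip(dst), _service_port(service))


def parse_iptables(line: str) -> FlowRecord:
    """Parse a netfilter LOG target line; the verdict only exists in the --log-prefix text."""
    kv = dict(_KV.findall(line))
    missing = [k for k in ("SRC", "DST", "PROTO") if k not in kv]
    if missing:
        raise ValueError(f"iptables line lacks {missing}")
    head = line.split("IN=", 1)[0]
    head = re.sub(r"^.*kernel:\s*", "", head)     # drop syslog timestamp/host/tag
    head = re.sub(r"^\[[^\]]*\]\s*", "", head)    # drop the kernel uptime stamp
    action = head.strip().rstrip(":") or "unknown"
    return FlowRecord("iptables", action, kv["PROTO"].lower(), kv["SRC"],
                      _to_int(kv.get("SPT", "")), kv["DST"], _to_int(kv.get("DPT", "")))


def parse_line(line: str) -> FlowRecord:
    """Dispatch on the two formats this example knows; anything else is rejected, not guessed."""
    line = line.strip()
    if line.startswith('"'):
        return parse_checkpoint(line)
    if "SRC=" in line and "DST=" in line:
        return parse_iptables(line)
    raise ValueError("unrecognised firewall log format")


def source_ips(lines: List[str]) -> List[str]:
    """The original poster's goal: just the source address of each entry, whatever the vendor."""
    return [parse_line(l).src_ip for l in lines if l.strip()]


if __name__ == "__main__":
    for rec in map(parse_line, [CHECKPOINT_SAMPLE, CHECKPOINT_DNS_SAMPLE, IPTABLES_SAMPLE]):
        print(rec)
```

The Check Point column positions are taken from the single export line above; a real deployment should confirm them against the column header of its own export, since the "Host_" prefix only appears when the address was defined as a host object and the service column carries an object name rather than a port whenever a predefined service matched.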
  • UnixGuy Mod Posts: 4,564
    How about configuring a SIEM to do that?
    Certs: GSTRT, GPEN, GCFA, CISM, CRISC, RHCE

    Check out my YouTube channel: https://youtu.be/DRJic8vCodE
  • eSenpai Member Posts: 65
    UnixGuy wrote:
    How about configuring a SIEM to do that?

    Agree with UnixGuy.
    I am curious as to why you are reinventing the wheel here and not exploring the many options already out there.
    Care to expound?
    Working On:
    2018 - ITIL(SO, SS, SD, ST, CSI), Linux
    2019 - ITIL MALC, AWS Architect, CCSP, LPI-2, TOGAF
  • yzT Member Posts: 365
    because I'm not looking for a SIEM solution, I'm writing a script that everyone can use without further installations and configurations
  • eSenpai Member Posts: 65
    yzT wrote:
    because I'm not looking for a SIEM solution, I'm writing a script that everyone can use without further installations and configurations

    Yes, but is that the sum total of your use case? Log scraping en masse doesn't get you much without real intelligence built into it, and we have been through that numerous times in *NIX and even Windows over the years, where we go through this exercise only to have the human who must manually react to things that have already happened eventually stop reacting to it, or not react to it in a timely manner, w/o some sort of escalating intelligence built in, which means that you are back to a SIEM-like application (or even an IDS) and thus recreating a wheel better served by actual programming vs scripting.

    Stated another way, if you are good enough to script everything required then your time would be much better served by building (programming) a better application...unless you have a particular use case that scripting somehow works better for than the many solutions to log collating, analysis and escalation that already exist for free. Try not to be offended or defensive about any of that; it is genuine interest in what you are doing and why.
    Working On:
    2018 - ITIL(SO, SS, SD, ST, CSI), Linux
    2019 - ITIL MALC, AWS Architect, CCSP, LPI-2, TOGAF
  • yzT Member Posts: 365
    I didn't say what I'm doing, did I? ;)

    You are talking about applying intelligence and you don't even know whether or not I'm doing that already. I only asked for log entries of firewall systems which I don't have access to, and you started building your own conjectures.
  • eSenpai Member Posts: 65
    You are saying that I conjectured, but in fact I asked first and you responded obliquely. It would have just been better to say "None of your bloody business" or "I can't get into it." vs replying as if you were doing the same thing 1000s of sysadmins have done over the years that eventually falls on deaf ears.

    Meh....because if you are doing any of that which I was forced to conjecture on so as to make a point, then you are just recreating a wheel that already exists. Thus, without a spectacular use case...I would say your intelligence would be much better spent elsewhere, but it's your time to waste.
    Working On:
    2018 - ITIL(SO, SS, SD, ST, CSI), Linux
    2019 - ITIL MALC, AWS Architect, CCSP, LPI-2, TOGAF