Check Point man pages (R75): fw log

From cpwiki.net
Revision as of 16:15, 9 May 2013 by Nighthawk (Talk | contribs)

fw log

Description fw log displays the content of Log files.

Usage fw log [-f [-t]] [-n] [-l] [-o] [-c action] [-h host] [-s starttime] [-e endtime] [-b starttime endtime] [-u unification_scheme_file] [-m unification_mode(initial|semi|raw)] [-a] [-k (alert_name|all)] [-g] [logfile]

Syntax

Argument Description

-f [-t]
After reaching the end of the currently displayed file, do not exit (the default behavior), but continue to monitor the Log file indefinitely and display it while it is being written.
The -t parameter indicates that the display is to begin at the end of the file; in other words, the display will initially be empty and only new records added later will be displayed.
-t must come with a -f flag. These flags are relevant only for active files.

-n
Do not perform DNS resolution of the IP addresses in the Log file (resolving them is the default behavior). This option significantly speeds up the processing.

-l
Display both the date and the time for each log record (the default is to show the date only once above the relevant records, and then specify the time per log record).

-o
Show detailed log chains (all the log segments a log record consists of).

-c action
Display only events whose action is action, that is, one of accept, drop, reject, authorize, deauthorize, encrypt and decrypt. Control actions are always displayed.

-h host
Display only log records whose origin is the specified IP address or name.

-s starttime
Display only events that were logged after the specified time (see format below). starttime may be a date, a time, or both. If the date is omitted, today's date is assumed.

-e endtime
Display only events that were logged before the specified time (see format below). endtime may be a date, a time, or both.

-b starttime endtime
Display only events that were logged between the specified start and end times (see format below), each of which may be a date, a time, or both. If the date is omitted, today's date is assumed. The start and end times are expected as two separate arguments after the flag.

-u unification_scheme_file
Unification scheme file name.

-m unification_mode
This flag specifies the unification mode:
initial - the default mode, specifying complete unification of log records; that is, output one unified record for each id. When used together with -f, no updates will be displayed, but only entries relating to the start of new connections. To display updates, use the semi parameter.
semi - step-by-step unification, that is, for each log record, output a record that unifies this record with all previously-encountered records with the same id.
raw - output all records, with no unification.

-a
Output account log records only.

-k alert_name
Display only events that match a specific alert type. The default is all, for any alert type.

-g
Do not use a delimited style. The default is:
: after field name
; after field value

logfile
Use logfile instead of the default Log file. The default Log file is $FWDIR/log/fw.log.

Where the full date and time format is MMM DD, YYYY HH:MM:SS. For example: May 26, 1999 14:20:00

It is possible to specify the date only, in the format MMM DD, YYYY, or the time only, in the format HH:MM:SS. Where only the time is specified, the current date is assumed.

Example

fw log
fw log | more
fw log -c reject
fw log -s "May 26, 1999"
fw log -f -s 16:00:00

Output [<date>] <time> <action> <origin> <direction><interface> [alert] [<field name>: <field value>;] ...

Each output line consists of a single log record, whose fields appear in the format shown above: the time (preceded by the date where it is shown), the action, the origin, the direction marker and interface name (">daemon" in the example below), the word alert for alert records, and then the remaining fields as name: value; pairs in the delimited style described under -g.

Example

14:56:39 reject jam.checkpoint.com >daemon alert src: veredr.checkpoint.com; dst: jam.checkpoint.com; user: a; rule: 0; reason: Client Encryption: Access denied - wrong user name or password ; scheme: IKE; reject_category: Authentication error; product: Security Gateway
14:57:49 authcrypt jam.checkpoint.com >daemon src: veredr.checkpoint.com; user: a; rule: 0; reason: Client Encryption: Authenticated by Internal Password; scheme: IKE; methods: AES-256,IKE,SHA1; product: Security Gateway;
14:57:49 keyinst jam.checkpoint.com >daemon src: veredr.checkpoint.com; peer gateway: veredr.checkpoint.com; scheme: IKE; IKE: Main Mode completion.; CookieI: 32f09ca38aeaf4a3; CookieR: 73b91d59b378958c; msgid: 47ad4a8d; methods: AES-256 + SHA1, Internal Password; user: a; product: Security Gateway;
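The following Python script is an added example written for this page; it is not part of the Check Point man page and not Check Point code. It builds the argv for a time-windowed fw log query in the documented MMM DD, YYYY HH:MM:SS form (so the -b times are passed as two whole arguments without shell quoting), then parses output in the default delimited style (":" after the field name, ";" after the value, as described under -g) into records and picks out the rejects classified as authentication errors. The three records are the sample output above, re-joined to one line each. Assumptions of the example: the "Date: May 26, 1999" header line (the page says the date is printed once above the records but does not give its exact form), reading "<" and ">" as inbound and outbound markers, and splitting on ";" before ": " so that values such as reason: Client Encryption: ... stay intact.

```python
import re
from dataclasses import dataclass, field
from datetime import datetime
from typing import Dict, List, Optional

# The three records from the page's sample output, one record per line as fw log
# emits them (the page wraps them only for display). The "Date:" line stands in
# for the single date header printed without -l; its exact form is an assumption.
SAMPLE_OUTPUT = """\
Date: May 26, 1999
14:56:39 reject jam.checkpoint.com >daemon alert src: veredr.checkpoint.com; dst: jam.checkpoint.com; user: a; rule: 0; reason: Client Encryption: Access denied - wrong user name or password ; scheme: IKE; reject_category: Authentication error; product: Security Gateway
14:57:49 authcrypt jam.checkpoint.com >daemon src: veredr.checkpoint.com; user: a; rule: 0; reason: Client Encryption: Authenticated by Internal Password; scheme: IKE; methods: AES-256,IKE,SHA1; product: Security Gateway;
14:57:49 keyinst jam.checkpoint.com >daemon src: veredr.checkpoint.com; peer gateway: veredr.checkpoint.com; scheme: IKE; IKE: Main Mode completion.; CookieI: 32f09ca38aeaf4a3; CookieR: 73b91d59b378958c; msgid: 47ad4a8d; methods: AES-256 + SHA1, Internal Password; user: a; product: Security Gateway;
"""

# Head of a record: time, action, origin, direction marker plus interface, an
# optional "alert", then the delimited fields. Reading "<" as inbound and ">"
# as outbound is the usual convention and an assumption of this example.
RECORD_RE = re.compile(
    r"^(?P<time>\d{2}:\d{2}:\d{2})\s+(?P<action>\S+)\s+(?P<origin>\S+)\s+"
    r"(?P<dir>[<>])(?P<iface>\S+)(?:\s+(?P<alert>alert)(?=\s|$))?"
    r"(?:\s+(?P<fields>.*))?$"
)
# Date header in the documented "MMM DD, YYYY" form, optionally prefixed "Date:".
DATE_RE = re.compile(r"^(?:Date:\s*)?(?P<date>[A-Z][a-z]{2} \d{1,2}, \d{4})$")


@dataclass
class LogRecord:
    date: Optional[str]
    time: str
    action: str
    origin: str
    direction: str  # "<" inbound, ">" outbound (assumed convention)
    interface: str
    alert: bool
    fields: Dict[str, str] = field(default_factory=dict)


def parse_fields(text: str) -> Dict[str, str]:
    """Split the default delimited style (":" after the name, ";" after the value).

    Splitting on ";" first and then on the first ": " keeps values that contain
    ": " intact (reason: Client Encryption: ...). A value holding a literal ";"
    would be split wrongly; none of the sample fields do that.
    """
    fields: Dict[str, str] = {}
    for segment in text.split(";"):
        segment = segment.strip()
        if segment:
            name, sep, value = segment.partition(": ")
            fields[name.strip()] = value.strip() if sep else ""
    return fields


def parse_fw_log(text: str) -> List[LogRecord]:
    """Parse fw log output (default style, one record per line) into records."""
    records: List[LogRecord] = []
    current_date: Optional[str] = None
    for raw in text.splitlines():
        line = raw.strip()
        m = RECORD_RE.match(line)
        if m:
            records.append(LogRecord(
                date=current_date, time=m["time"], action=m["action"],
                origin=m["origin"], direction=m["dir"], interface=m["iface"],
                alert=m["alert"] is not None,
                fields=parse_fields(m["fields"] or "")))
        else:
            d = DATE_RE.match(line)
            if d:
                current_date = d["date"]  # applies to the records that follow
            # any other line (banner, blank, noise) is ignored
    return records


def auth_failures(records: List[LogRecord]) -> List[LogRecord]:
    """Rejected records classified as authentication errors (the first sample)."""
    return [r for r in records if r.action == "reject"
            and r.fields.get("reject_category") == "Authentication error"]


def fw_log_time(when: datetime) -> str:
    """Format a time the way -s/-e/-b expect it: MMM DD, YYYY HH:MM:SS."""
    return when.strftime("%b %d, %Y %H:%M:%S")


def fw_log_argv(start: datetime, end: datetime, action: Optional[str] = None,
                no_dns: bool = True, logfile: Optional[str] = None) -> List[str]:
    """argv for a time-windowed query (pass to subprocess.run, no shell needed).

    Each time is one argument, so the embedded spaces and comma need no quoting;
    -n is on by default because name resolution is what makes large logs slow.
    """
    argv = ["fw", "log"] + (["-n"] if no_dns else [])
    if action:
        argv += ["-c", action]
    argv += ["-b", fw_log_time(start), fw_log_time(end)]
    return argv + ([logfile] if logfile else [])


# The hour around the sample records, for a query that would return the reject.
EXAMPLE_WINDOW = (datetime(1999, 5, 26, 14, 0, 0), datetime(1999, 5, 26, 15, 0, 0))
```

The parser assumes the default line shape; with -l every record carries its own date, and with -o or -m raw the chain segments appear as extra lines, so those runs need the head regex adjusted. Running fw log with -n and feeding its stdout to parse_fw_log avoids both the DNS delay and the ambiguity of resolved names in the src and dst fields.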