fw audit log parsing via CLI

From cpwiki.net

Check Point Professional Services
Latest revision as of 14:14, 21 August 2013

The management audit log, fw.adtlog, stores one entry per line, with the fields of each entry (including the list of changed object fields) separated by semicolons. That is hard to read on the terminal, and not much easier in SmartView Tracker. The command below, run on the SmartCenter server (or inside the relevant CMA context in a Provider-1 / Multi-Domain environment), prints the log in a readable one-field-per-line form. -s and -e bound the time range, -n skips DNS resolution of the addresses, and -l prints the full date and time on every entry.

Parse

# fw log -ln -s "Aug 19,2013 21:45:00" -e "Aug 20,2013 23:59:00" fw.adtlog | awk -F ";" '{for (i=1; i<=NF; i++) print $i}'

Note the use of awk's print rather than printf $i: with printf, a field value that happens to contain a % sign would be interpreted as a format directive and the line would come out garbled or cause awk to complain.

Example output:

19Aug2013 21:53:01 accept 192.168.1.1 <    ObjectName: test_group_object
 ObjectType: network_object_group
 ObjectTable: network_objects
 Operation: Modify Object
 Uid: {F7F0772C-0917-11E3-8A4F-ABB20701CFCF}
 Administrator: jsmith
 Machine: lab-mds
 FieldsChanges: test_group_object: added 'test_client'
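A longer example, added here and not part of the cpwiki.net page or of Check Point's tooling: a POSIX shell/awk script that applies the same semicolon split to fw log -ln output and goes one step further, turning each entry into key/value pairs so that the audit records of a single administrator can be pulled out. The input is a constructed sample modelled on the record above (the second and third entries, with their administrators, objects and values, are invented for the example); on the SmartCenter, sample_log would be replaced by the fw log command from this page. It uses awk's print rather than printf $i so that a field value containing a % sign cannot be read as a format directive.

```shell
#!/bin/sh
# Added example (not from cpwiki.net). Parses `fw log -ln ... fw.adtlog`
# style output: one entry per line, fields separated by ';'.

# Constructed sample standing in for `fw log -ln -s ... -e ... fw.adtlog`.
# The first entry is the record shown on the page; the other two are invented
# (administrator bwayne, object web_srv, and the values are not real).
sample_log() {
    cat <<'EOF'
19Aug2013 21:53:01 accept 192.168.1.1 <    ObjectName: test_group_object; ObjectType: network_object_group; ObjectTable: network_objects; Operation: Modify Object; Uid: {F7F0772C-0917-11E3-8A4F-ABB20701CFCF}; Administrator: jsmith; Machine: lab-mds; FieldsChanges: test_group_object: added 'test_client'
19Aug2013 22:10:45 accept 192.168.1.1 <    ObjectName: web_srv; ObjectType: host_plain; ObjectTable: network_objects; Operation: Create Object; Administrator: bwayne; Machine: lab-mds; FieldsChanges: ipaddr: set to '10.0.0.5' (100% of fields)
20Aug2013 09:02:17 accept 192.168.1.1 <    Operation: Log In; Administrator: jsmith; Machine: lab-mds; Uid: {00000000-0000-0000-0000-000000000000}
EOF
}

# What the page's one-liner does: one field per line, leading blanks stripped,
# and a blank line between entries. `print`, not `printf $i`, so a '%' inside a
# field (see the second sample entry) is printed literally.
expand_fields() {
    awk -F ';' '{
        for (i = 1; i <= NF; i++) { f = $i; sub(/^[ \t]+/, "", f); print f }
        print ""
    }'
}

# Structured view: split every field at its first ": " into key and value,
# keep the entry if Administrator matches $1, and print
#   <date time>|<Operation>|<ObjectName>|<FieldsChanges>
# one line per matching entry. The part of field 1 before "<" is the
# date/time/action/origin header, not a key/value pair.
by_admin() {
    awk -F ';' -v who="$1" '{
        split($1, hdr, " ")
        ts = hdr[1] " " hdr[2]
        split("", kv)                     # clear the per-entry map (portable)
        for (i = 1; i <= NF; i++) {
            f = $i
            if (i == 1) {
                n = index(f, "<")
                if (n > 0) f = substr(f, n + 1)
            }
            sub(/^[ \t]+/, "", f)
            n = index(f, ": ")
            if (n == 0) continue          # not a key: value field, skip it
            kv[substr(f, 1, n - 1)] = substr(f, n + 2)
        }
        if (kv["Administrator"] == who)
            print ts "|" kv["Operation"] "|" kv["ObjectName"] "|" kv["FieldsChanges"]
    }'
}

# Stand-alone demonstration on the constructed sample.
sample_log | expand_fields
sample_log | by_admin jsmith
```

The key/value split is on the first ": " only, so a FieldsChanges value such as "test_group_object: added 'test_client'", which itself contains a colon, survives intact. To run it against the real log, replace sample_log with fw log -ln -s "..." -e "..." fw.adtlog in the two pipelines at the bottom.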