fw audit log parsing via CLI

From cpwiki.net
Revision as of 14:14, 21 August 2013 by Nighthawk (Talk | contribs)

(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
Jump to: navigation, search
Check Point Profressional Services

Log entries and field changes are separated by semicolons in the fw.adtlog file. It is very difficult to read, even with the smartview tracker. The command line below run on the SmartCenter or from a CMA environment will output the log file in an easy to read format to terminal.

parse

# fw log -ln -s "Aug 19,2013 21:45:00" -e "Aug 20,2013 23:59:00" fw.adtlog | awk -F ";" '{for (i=1; i<=NF; i++) printf $i "\n"}'

example output...

19Aug2013 21:53:01 accept 192.168.1.1 <    ObjectName: test_group_object
 ObjectType: network_object_group
 ObjectTable: network_objects
 Operation: Modify Object
 Uid: {F7F0772C-0917-11E3-8A4F-ABB20701CFCF}
 Administrator: jsmith
 Machine: lab-mds
 FieldsChanges: test_group_object: added 'test_client'