According to Checkpoint, this is a bug that will be fixed in a future
release.  When in the future is anyone's guess.

I load my logs into my database every night and wrote a shell script to deal
with this issue.  It is a part of my Oracle load scripts and is available on
Phoneboy's site.  The way I do it, the order is not important as I create
the load configuration file from the first line of the export file.  This
may or may not help you in your situation.

The bottom line is that you will just have to deal with it yourself for now.

Hope this helps

Jim Edwards
Systems Manager
Texas Secretary of State


-----Original Message-----
From: Sterling, Chuck [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, August 23, 2000 1:31 PM
To: 'Fw-1-Mailinglist (E-mail)'
Subject: [FW1] log fields switch order in export file (?)
Importance: Low



We're running fw-1 3.0b on Solaris 2.6. Patches and service packs should be
up-to-date within a few months. Had a glitch show up last night that I don't
recall catching before.

A few minutes before midnight, we run "$BINDIR/fw logswitch
$LOGDIR/${DATE}.log" to start a new log file. The renamed log file for the
previous day is processed using "$BINDIR/fw logexport -n -i
$LOGDIR/${DATE}.log -o $LOGDIR/${DATE}.export.ip". The exported file is used
for subsequent processing.

The glitch is in the order of fields in the exported file. I've included
only the header line (emphasis is mine), but the log data is consistent with
the header line, in each file.

For 21Aug, the export correctly yields:
num;date;time;orig;type;action;alert;i/f_name;i/f_dir;proto;SRC;dst;service;s_port;len;rule;icmp-type;icmp-code;sys_msgs
I have rerun the export against the switched file and the results are the
same.

For 22Aug, the export incorrectly yields:
num;date;time;orig;type;action;alert;i/f_name;i/f_dir;proto;dst;service;s_port;len;rule;SRC;icmp-type;icmp-code;sys_msgs
Note the relative positions of the "src" field. This too is the same when
rerun from the switched file.

For 23Aug, using the fw.log file in use, the export correctly yields:
num;date;time;orig;type;action;alert;i/f_name;i/f_dir;proto;SRC;dst;service;s_port;len;rule;icmp-type;icmp-code;sys_msgs
I ran this only once, but will get another look at it tomorrow morning after
fw.log is switched by the cron job.

Since the export is consistent with subsequent runs from the same switched
log file, the problem appears to be within the switched log file, not with
the export process.

So.
Exercise for the student:
 :-}>

What causes this, especially since it seems to have happened on only one day
and was miraculously fixed the next? Extra credit: Is there a configuration
file (or whatever) in which the field order is set, or is this cast in steel
from the get-go? I'm wondering if a field order file (or whatever) was missed
that night and a default order was used instead...

Thanks for any help...


Chuck Sterling
System/Network Administrator
NASA White Sands Test Facility
Magic is REAL, unless declared INTEGER.
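The header-driven approach Jim describes above (build the load mapping from the first line of the export rather than assuming a fixed column order), worked out as an added example. This is not Jim's shell script, nor anything shipped by Check Point; it is a Python sketch written for this page. The two export files below are constructed sample data, not real firewall output, and their header lines follow the two orders Chuck quoted: the normal one from 21Aug and the one from 22Aug where "src" had moved to after "rule". Fields are mapped by name, so both files yield the same records and can be re-emitted in one canonical order for a fixed load control file; a header with a missing or unknown field, or a data line with the wrong number of fields, is rejected instead of being loaded with columns shifted.

```python
import csv
import io

# Canonical field order for the downstream load (the normal 21Aug header order).
CANONICAL_FIELDS = [
    "num", "date", "time", "orig", "type", "action", "alert", "i/f_name",
    "i/f_dir", "proto", "src", "dst", "service", "s_port", "len", "rule",
    "icmp-type", "icmp-code", "sys_msgs",
]

# Constructed sample exports (invented records, not real log data). The header
# lines reproduce the two field orders from the thread; each data line has 19
# fields matching its own header.
EXPORT_21AUG = """\
num;date;time;orig;type;action;alert;i/f_name;i/f_dir;proto;src;dst;service;s_port;len;rule;icmp-type;icmp-code;sys_msgs
1;21Aug2000;23:55:01;fw1;log;accept;;hme0;inbound;tcp;192.0.2.10;198.51.100.5;http;34567;60;3;;;
2;21Aug2000;23:55:02;fw1;log;drop;;hme0;inbound;icmp;192.0.2.11;198.51.100.5;;;84;7;8;0;
"""

EXPORT_22AUG = """\
num;date;time;orig;type;action;alert;i/f_name;i/f_dir;proto;dst;service;s_port;len;rule;src;icmp-type;icmp-code;sys_msgs
1;22Aug2000;00:01:10;fw1;log;accept;;hme0;inbound;tcp;198.51.100.5;http;34567;60;3;192.0.2.10;;;
2;22Aug2000;00:01:11;fw1;log;drop;;hme0;inbound;icmp;198.51.100.5;;;84;7;192.0.2.11;8;0;
"""


def header_fields(text):
    """Return the field names from the export's first (header) line."""
    return text.splitlines()[0].split(";")


def header_reordered(text):
    """True when the header order differs from CANONICAL_FIELDS (the 22Aug glitch)."""
    return header_fields(text) != CANONICAL_FIELDS


def parse_export(text):
    """Parse a `fw logexport` file into dicts keyed by the header's field names.

    The header line, not a fixed position, decides which column is which, so a
    reordered header yields the same records as a normal one. The header must
    carry exactly the expected set of fields, and every data line must have as
    many fields as the header; anything else raises rather than loading shifted
    columns.
    """
    reader = csv.reader(io.StringIO(text), delimiter=";")
    header = next(reader)
    missing = set(CANONICAL_FIELDS) - set(header)
    extra = set(header) - set(CANONICAL_FIELDS)
    if missing or extra:
        raise ValueError(
            f"unexpected header: missing={sorted(missing)} extra={sorted(extra)}"
        )
    records = []
    for lineno, row in enumerate(reader, start=2):
        if not row:
            continue  # tolerate a blank line, e.g. a trailing newline
        if len(row) != len(header):
            raise ValueError(
                f"line {lineno}: {len(row)} fields, header has {len(header)}"
            )
        records.append(dict(zip(header, row)))
    return records


def to_canonical_rows(records):
    """Re-emit records in CANONICAL_FIELDS order, ready for a fixed load definition."""
    return [[rec[field] for field in CANONICAL_FIELDS] for rec in records]


def src_dst_pairs(records):
    """(src, dst) per record; identical for both sample files despite the header change."""
    return [(rec["src"], rec["dst"]) for rec in records]


if __name__ == "__main__":
    for name, text in (("21Aug", EXPORT_21AUG), ("22Aug", EXPORT_22AUG)):
        print(name, "reordered header:", header_reordered(text))
        for row in to_canonical_rows(parse_export(text)):
            print(";".join(row))
```

Running this, the 22Aug file is flagged as having a reordered header, yet its canonical rows put src and dst back in their usual columns, which is the whole point of deriving the mapping from the header instead of trusting position. If a nightly load is driven this way, a header with a vanished or renamed field stops the job at the ValueError rather than producing a day of rows with the source address in the rule column.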



================================================================================
     To unsubscribe from this mailing list, please see the instructions at
               http://www.checkpoint.com/services/mailing.html
================================================================================

