Hi
I am attempting to write a decoder and some rules to get Checkpoint firewall
audit logs into OSSEC.
I am getting the Checkpoint logs via syslog into a separate file monitored by the OSSEC
server.
My firewall log looks like this:
May 28 15:43:39 192.168.11.100 Checkpoint: 1:38:54 accept
192.168.11.100< ObjectName: cpmodule; ObjectType:
firewall_application; ObjectTable:
applications; Operation: Install Policy; Uid:
{776C2062-145B-11DD-93F0-000000008989}; Administrator: admin; Machine: none;
Subject: Policy Installation; Audit Status: Success; Additional Info:
Security Policy : Standard; Operation Number: 7; product: SmartDashboard;
I added a decoder to the end of decoder.xml:
<decoder name="checkpoint-syslog-audit">
  <parent>checkpoint-syslog</parent>
  <type>syslog</type>
  <!-- The text left after the parent decoder starts with the firewall's own
       time field ("1:38:54 accept ..."), so a prematch of "^accept" never
       matches. Assumption: the stock checkpoint-syslog parent matches only
       the "Checkpoint" program name. -->
  <prematch offset="after_parent">^\d+:\d+:\d+ accept </prematch>
  <!-- OSSEC's regex engine has no [...] character classes and a bare "."
       is not a wildcard: "\.+" means "anything", and the capture ends at
       the "; Uid: " that follows the Operation value. -->
  <regex offset="after_parent">^\d+:\d+:\d+ \w+ (\d+.\d+.\d+.\d+)\W+\.+Operation: (\.+); Uid: </regex>
  <order>srcip, action</order>
</decoder>
In local_rules.xml I added one rule:
<rule id="110001" level="3">
  <!-- Assumption: OSSEC matches decoded_as against the parent decoder's
       name, in which case "checkpoint-syslog" is needed here rather than
       the child decoder's name. -->
  <decoded_as>checkpoint-syslog-audit</decoded_as>
  <description>Checkpoint firewall policy installation</description>
</rule>
But I still see nothing in alerts.log.
Does anyone have any clue?
Thanks.
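As an added example that is not part of the original post: a small Python parser for the Checkpoint audit format shown above (the firewall time, action and origin address, followed by "Key: value;" pairs), plus a check for the successful policy-installation event the rule is meant to alert on. The sample line is constructed from the log in the post; it is not output from OSSEC or Checkpoint.

```python
import re

# Constructed sample: the audit record from the post, joined onto one syslog line.
SAMPLE_LINE = (
    "May 28 15:43:39 192.168.11.100 Checkpoint: 1:38:54 accept 192.168.11.100< "
    "ObjectName: cpmodule; ObjectType: firewall_application; ObjectTable: applications; "
    "Operation: Install Policy; Uid: {776C2062-145B-11DD-93F0-000000008989}; "
    "Administrator: admin; Machine: none; Subject: Policy Installation; "
    "Audit Status: Success; Additional Info: Security Policy : Standard; "
    "Operation Number: 7; product: SmartDashboard;"
)

# Syslog header, the "Checkpoint:" program name, then the firewall's own
# time, action and origin address ("192.168.11.100<") that precede the fields.
HEADER = re.compile(
    r"^\w{3} +\d+ \d+:\d+:\d+ (?P<host>\S+) Checkpoint: "
    r"(?P<fwtime>\d+:\d+:\d+) (?P<action>\w+) (?P<origin>\d+\.\d+\.\d+\.\d+)< ?"
)


def parse_checkpoint_audit(line):
    """Return a dict of the audit fields, or None if the line is not one."""
    m = HEADER.match(line)
    if m is None:
        return None
    event = {"host": m.group("host"), "action": m.group("action"),
             "srcip": m.group("origin")}
    # The remainder is "Key: value;" pairs. Split on ";" first, then on the
    # FIRST ": " only, because values such as "Security Policy : Standard"
    # contain a colon themselves.
    for field in line[m.end():].split(";"):
        key, sep, value = field.strip().partition(": ")
        if sep:
            event[key.strip()] = value.strip()
    return event


def is_successful_policy_install(event):
    """The condition the OSSEC rule in the post is meant to alert on."""
    return (event is not None
            and event.get("Operation") == "Install Policy"
            and event.get("Audit Status") == "Success")


if __name__ == "__main__":
    ev = parse_checkpoint_audit(SAMPLE_LINE)
    print(ev)
    print("policy install by", ev["Administrator"], "->", is_successful_policy_install(ev))
```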