On Wed, Feb 29, 2012 at 11:58 AM, dan (ddp) <[email protected]> wrote:
> On Wed, Feb 29, 2012 at 5:05 AM, C. L. Martinez <[email protected]> wrote:
>> On Tue, Feb 28, 2012 at 3:27 PM, C. L. Martinez <[email protected]> wrote:
>>> Hi all,
>>>
>>>  Am I wrong, or do rules and a decoder to process CheckPoint
>>> Firewall-1 logs not exist??
>>>
>>> Thanks.
>>
>> Oops ... Sorry, my mistake. I see it. But I need to parse CHKP logs
>> from an export log and not from syslog ... If I am not wrong, I need
>> to write a new decoder and after that some rules.
>>
>>  I am trying to write this decoder, without luck. My sample log:
>>
>> "Number" "Date" "Time" "Interface" "Origin" "Type" "Action" "Service"
>> "Source Port" "Source" "Destination" "Protocol" "Rule" "Rule Name"
>> "Current Rule Number" "User" "Information" "Product" "Source Machine
>> Name" "Source User Name"
>>  "2" "26Feb2012" "23:58:58" "Lan2" "CHCKPNT1" "Log" "Accept" "https"
>> "1638" "192.168.55.23" "10.45.23.11" "tcp" "52" "WK01" "52-Standard"
>> "" "service_id: https" "VPN-1 Power/UTM" "" ""
>>
>> My first try:
>>
>> <decoder name="custom-checkpoint">
>>  <program_name>^CHCKPNT1</program_name>
>
> Is that what ossec-logtest says the program_name is?
>

Nope, another mistake of mine ... program_name doesn't exist in my
logs. I need to filter by firewall name, CHKPNT1, and then by
action, port, srcip, dstip ....
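An added example, not part of the thread and not OSSEC's own decoder code: the export format above is a line of double-quoted fields, with a header line naming each column, so a small parser can turn it into records keyed by column name and then apply exactly the filter described here (firewall name first, then action, port, srcip, dstip). The sample input is constructed from the header and record in the post, rejoined onto single lines (the mail client had wrapped them) plus one made-up "Drop" record so the filter has something to reject; the firewall name used is the "Origin" value from the sample line, CHCKPNT1. The function names, the output field names (srcip, dstip and so on) and the second record are this example's own assumptions.

```python
import re
from typing import Dict, List, Optional

# Constructed sample: the header and record from the post, each on one line,
# plus a second, made-up "Drop" record (not from the original log).
SAMPLE_EXPORT = '''"Number" "Date" "Time" "Interface" "Origin" "Type" "Action" "Service" "Source Port" "Source" "Destination" "Protocol" "Rule" "Rule Name" "Current Rule Number" "User" "Information" "Product" "Source Machine Name" "Source User Name"
 "2" "26Feb2012" "23:58:58" "Lan2" "CHCKPNT1" "Log" "Accept" "https" "1638" "192.168.55.23" "10.45.23.11" "tcp" "52" "WK01" "52-Standard" "" "service_id: https" "VPN-1 Power/UTM" "" ""
 "3" "26Feb2012" "23:59:04" "Lan2" "CHCKPNT1" "Log" "Drop" "smtp" "4411" "192.168.55.40" "10.45.23.25" "tcp" "17" "BLOCK-MAIL" "17-Standard" "" "service_id: smtp" "VPN-1 Power/UTM" "" ""
'''

# Every value in the export is wrapped in double quotes; empty values appear as "".
FIELD_RE = re.compile(r'"([^"]*)"')


def split_fields(line: str) -> List[str]:
    """Return every double-quoted value on the line, in order, empty "" included."""
    return FIELD_RE.findall(line)


def parse_export(text: str) -> List[Dict[str, str]]:
    """Parse an export (header line followed by record lines) into dicts keyed by
    column name. A record whose field count differs from the header is skipped
    rather than silently mis-aligned against the wrong columns."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    if not lines:
        return []
    header = split_fields(lines[0])
    records: List[Dict[str, str]] = []
    for line in lines[1:]:
        values = split_fields(line)
        if len(values) != len(header):
            continue
        records.append(dict(zip(header, values)))
    return records


def extract(record: Dict[str, str]) -> Dict[str, str]:
    """Pick out the fields the post wants to filter on. The short names are this
    example's own choice (loosely mirroring OSSEC's srcip/dstip naming)."""
    return {
        "firewall": record["Origin"],
        "action": record["Action"],
        "srcip": record["Source"],
        "dstip": record["Destination"],
        "srcport": record["Source Port"],
        "service": record["Service"],
        "proto": record["Protocol"],
        "rule": record["Rule"],
    }


def select(records: List[Dict[str, str]], firewall: str,
           action: Optional[str] = None, srcport: Optional[str] = None,
           srcip: Optional[str] = None, dstip: Optional[str] = None) -> List[Dict[str, str]]:
    """Filter as described in the post: by firewall name first, then by any of
    action, port, srcip, dstip that is given. A criterion left as None is not applied."""
    wanted = {"action": action, "srcport": srcport, "srcip": srcip, "dstip": dstip}
    hits = []
    for rec in records:
        fields = extract(rec)
        if fields["firewall"] != firewall:
            continue
        if all(v is None or fields[k] == v for k, v in wanted.items()):
            hits.append(fields)
    return hits


if __name__ == "__main__":
    recs = parse_export(SAMPLE_EXPORT)
    for hit in select(recs, "CHCKPNT1", action="Accept"):
        print(hit)
```

Because the export carries no syslog header, there is no program_name for an OSSEC decoder to match on; a parser like this, run as a pre-processing step, is one way to get at the Origin, Action, Source and Destination columns before deciding how to feed the events onward.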
