14.04.2011
Introduction
We use fw1-loggrabber to collect logs from Checkpoint devices. This requires some installation steps on the AlienVault Unified SIEM (OSSIM) and configuration on the Checkpoint side.
To integrate a Checkpoint FW1 there are two cases, depending on whether you use a certificate or not. This guide covers the case with a certificate. In both cases you need fw1-loggrabber. To use it on a 64-bit machine you need to install the ia32 libraries with:
apt-get install lib32stdc++6 ia32-libs
If you cannot find fw1-loggrabber-1.11.1-linux.tar.gz under /usr/share/ossim/www/downloads/, download the fw1-loggrabber tool here:
http://sourceforge.net/projects/fw1-loggrabber/
Check the environment to confirm these variables are really set. If the tool is installed correctly, you should find the directory structure in /usr/local/fw1-loggrabber/. Copy the fw1-loggrabber.conf and lea.conf from reuserguideforossim.zip into the following locations:
/usr/local/fw1-loggrabber/etc/fw1-loggrabber.conf
/usr/local/fw1-loggrabber/etc/lea.conf
In the first file (fw1-loggrabber.conf) you assign the output file for the logs. The second file configures the device IP and, optionally, the Checkpoint certificate. Check that OUTPUT_FILE_PREFIX=/var/log/ossim/fw1-loggrabber is equal to the logpath in the /etc/ossim/agent/plugins/fw1ngr60.cfg plugin. Then run this process:
/usr/local/fw1-loggrabber/bin/fw1-loggrabber -c /usr/local/fw1-loggrabber/etc/fw1-loggrabber.conf -l /usr/local/fw1-loggrabber/etc/lea.conf
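As an added sanity check (example code written for this guide, not part of OSSIM or fw1-loggrabber), the script below parses the two loggrabber files and verifies the points above: the output prefix matches the plugin log path, the LEA server IP is no longer a placeholder, and certificate authentication has its SIC name and .p12 file set. It assumes the OSSIM plugin file is INI-style with a `location` key under `[config]`; all three file contents are constructed samples.

```python
import configparser
import shlex

# Constructed sample inputs standing in for the real files on the OSSIM box.
LOGGRABBER_CONF = '''
ONLINE_MODE="yes"
SHOW_FIELDNAMES="yes"
RECORD_SEPARATOR="|"
OUTPUT_FILE_PREFIX="/var/log/ossim/fw1-loggrabber"
'''
LEA_CONF = '''
lea_server auth_type sslca
lea_server ip <CHECKPOINT FW IP>
lea_server auth_port 18184
opsec_sic_name "CN=ossim_blabla,O=cpR70..fb6rr6"
opsec_sslca_file /usr/local/fw1-loggrabber/etc/opsec.p12
'''
# Assumption: the plugin file is INI-style and stores the log path as
# 'location' under [config] (the guide only calls it the "logpath").
PLUGIN_CFG = '''
[config]
location=/var/log/ossim/fw1-loggrabber
'''

def parse_loggrabber_conf(text):
    """fw1-loggrabber.conf: one KEY="value" (or KEY=value) per line, '#' comments."""
    conf = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if "=" in line:
            key, value = line.split("=", 1)
            conf[key.strip()] = value.strip().strip('"')
    return conf

def parse_lea_conf(text):
    """lea.conf: 'key value' per line; lea_server entries carry a sub-key."""
    conf = {}
    for line in text.splitlines():
        tokens = shlex.split(line, comments=True)  # handles the quoted SIC names
        if not tokens:
            continue
        n = 2 if tokens[0] == "lea_server" and len(tokens) > 2 else 1
        conf[" ".join(tokens[:n])] = " ".join(tokens[n:])
    return conf

def check(loggrabber_text, lea_text, plugin_text):
    """Return a list of problems; an empty list means the three files agree."""
    lg, lea = parse_loggrabber_conf(loggrabber_text), parse_lea_conf(lea_text)
    plugin = configparser.ConfigParser()
    plugin.read_string(plugin_text)
    location = plugin.get("config", "location", fallback="")
    problems = []
    prefix = lg.get("OUTPUT_FILE_PREFIX", "")
    if not prefix or not location.startswith(prefix):
        problems.append("OUTPUT_FILE_PREFIX %r does not match plugin logpath %r" % (prefix, location))
    ip = lea.get("lea_server ip", "")
    if not ip or "<" in ip:  # still the template placeholder
        problems.append("lea.conf: lea_server ip is not set (%r)" % ip)
    if lea.get("lea_server auth_type") == "sslca":
        for key in ("opsec_sic_name", "opsec_sslca_file"):
            if not lea.get(key):
                problems.append("lea.conf: %s is required for sslca authentication" % key)
    return problems
```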
3
3.1 Configuring Checkpoint
Enable LEA client in the firewall:
Configure details:
Click on Communication and set the password for the loggrabber client authentication to download the certificate.
3.2 Functionality tests
Attention: this logfile depends on your loggrabber configuration file, so it could differ. Troubleshooting: if you have problems getting the logs, try the following command; it gives more debug details when you set the debug level as shown here.
/usr/local/fw1-loggrabber/bin/fw1-loggrabber -c /usr/local/fw1-loggrabber/etc/fw1-loggrabber.conf -l /usr/local/fw1-loggrabber/etc/lea.conf --debug-level 5
lea_server auth_type sslca
lea_server ip <CHECKPOINT FW IP>
lea_server auth_port 18184
lea_server port 18184
opsec_sic_name "CN=ossim_blabla,O=cpR70..fb6rr6"
opsec_sslca_file /usr/local/fw1-loggrabber/etc/opsec.p12
#opsec_sic_policy_file "my_sic_policy.conf"
lea_server opsec_entity_sic_name "cn=cp_mgmt,o=cpR70..fb6rr6"
4.2 Fw1-loggrabber.conf
DEBUG_LEVEL="0"
FW1_LOGFILE="fw.log"
FW1_OUTPUT="logs"
FW1_TYPE="ng"
FW1_MODE="normal"
ONLINE_MODE="yes"
RESOLVE_MODE="no"
SHOW_FIELDNAMES="yes"
RECORD_SEPARATOR="|"
DATEFORMAT="std"
LOGGING_CONFIGURATION=file
OUTPUT_FILE_PREFIX="/var/log/ossim/fw1-loggrabber"
OUTPUT_FILE_ROTATESIZE=104857600
SYSLOG_FACILITY="LOCAL1"