
Getting Logs from Checkpoint with Loggrabber (tested with R70)

14.04.2011

Pascal Cronauer Version 1.0

Introduction

We are using Loggrabber to grab logs from the Checkpoint devices. Some installation steps are required on the AlienVault Unified SIEM (OSSIM) and some configuration on the Checkpoint.

Installation Process (OSSIM)

To integrate a Checkpoint FW1 there are two cases, depending on whether you use a certificate or not. This guide covers the case with a certificate. In both cases you need fw1-loggrabber. To use it on a 64-bit machine you need to install the ia32 libraries with:
apt-get install lib32stdc++6 ia32-libs

If you cannot find fw1-loggrabber-1.11.1-linux.tar.gz under /usr/share/ossim/www/downloads/, download the fw1-loggrabber tool here:
http://sourceforge.net/projects/fw1-loggrabber/

Untar the fw1-loggrabber-1.11.1-linux.tar.gz with the following command:


tar xvzf fw1-loggrabber-1.11.1-linux.tar.gz

Install the untarred packages with


./INSTALL.sh

Declare these two variables in /etc/profile:

export LOGGRABBER_CONFIG_PATH=/usr/local/fw1-loggrabber/etc
export LOGGRABBER_TEMP_PATH=/tmp

Check with env whether these variables are really set. If the tool installed correctly, you should find the directory structure under /usr/local/fw1-loggrabber/. Copy the fw1-loggrabber.conf and lea.conf from reuserguideforossim.zip to the following locations:
/usr/local/fw1-loggrabber/etc/fw1-loggrabber.conf
/usr/local/fw1-loggrabber/etc/lea.conf

In the first file (fw1-loggrabber.conf) you assign the output file for the logs. The second file configures the device IP and, optionally, the Checkpoint certificate. Check that OUTPUT_FILE_PREFIX=/var/log/ossim/fw1-loggrabber is equal to the log path in the /etc/ossim/agent/plugins/fw1ngr60.cfg plugin. Then run this process:
/usr/local/fw1-loggrabber/bin/fw1-loggrabber -c /usr/local/fw1-loggrabber/etc/fw1-loggrabber.conf -l /usr/local/fw1-loggrabber/etc/lea.conf

3 Configuring Checkpoint

3.1 Enable LEA client in the firewall:

Click on New and configure details:

Configure details:

Click on Communication and set the password that the loggrabber client uses to authenticate and download the certificate.

An LDAP DN is generated for the host, including the loggrabber client.

3.2 Download the certificate from the client box (-h is the management server IP, -n the name of the OPSEC application object you created, -p the password set under Communication):

opsec_pull_cert -h ip_address -n OSSIM_R37_LEA -p password

Functionality tests

Check whether you are getting logs from the Checkpoint Firewall:


/var/log/ossim/fw1.log

Attention: this logfile depends on your loggrabber configuration file, so it could be different. Troubleshooting: if you have problems getting the logs, try the following command; it gives you more debug details when you set the debug level as shown here.
/usr/local/fw1-loggrabber/bin/fw1-loggrabber -c /usr/local/fw1-loggrabber/etc/fw1-loggrabber.conf -l /usr/local/fw1-loggrabber/etc/lea.conf --debug-level 5

4 Loggrabber configuration files

4.1 lea.conf

lea_server auth_type sslca
lea_server ip <CHECKPOINT FW IP>
lea_server auth_port 18184
lea_server port 18184
opsec_sic_name "CN=ossim_blabla,O=cpR70..fb6rr6"
opsec_sslca_file /usr/local/fw1-loggrabber/etc/opsec.p12
#opsec_sic_policy_file "my_sic_policy.conf"
lea_server opsec_entity_sic_name "cn=cp_mgmt,o=cpR70..fb6rr6"

4.2 fw1-loggrabber.conf

DEBUG_LEVEL="0"
FW1_LOGFILE="fw.log"
FW1_OUTPUT="logs"
FW1_TYPE="ng"
FW1_MODE="normal"
ONLINE_MODE="yes"
RESOLVE_MODE="no"
SHOW_FIELDNAMES="yes"
RECORD_SEPARATOR="|"
DATEFORMAT="std"
LOGGING_CONFIGURATION=file
OUTPUT_FILE_PREFIX="/var/log/ossim/fw1-loggrabber"
OUTPUT_FILE_ROTATESIZE=104857600
SYSLOG_FACILITY="LOCAL1"
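As an added example (not part of the original guide or of fw1-loggrabber itself), here is a small Python parser for the records fw1-loggrabber writes with the settings above (SHOW_FIELDNAMES="yes", RECORD_SEPARATOR="|"): each record is one line of fieldname=value pairs joined by the separator. The sample lines and the field names in them are constructed for illustration; the drop summary it builds is the kind of sanity check you can run on the output file before trusting the OSSIM plugin's parsing.

```python
# Added example: parse fw1-loggrabber output produced with
# SHOW_FIELDNAMES="yes" and RECORD_SEPARATOR="|" (fieldname=value pairs).
# The sample records below are constructed; the field names (time, action,
# orig, src, dst, service) are assumed to be the usual Check Point log fields.
from collections import Counter

RECORD_SEPARATOR = "|"   # must match RECORD_SEPARATOR in fw1-loggrabber.conf

SAMPLE_LINES = """\
time=14Apr2011 10:15:01|action=accept|orig=10.0.0.1|src=192.168.1.10|dst=10.1.1.5|service=http
time=14Apr2011 10:15:02|action=drop|orig=10.0.0.1|src=203.0.113.7|dst=10.1.1.5|service=ssh
time=14Apr2011 10:15:03|action=drop|orig=10.0.0.1|src=203.0.113.7|dst=10.1.1.6|service=ssh
garbage line without separator
time=14Apr2011 10:15:04|action=accept|orig=10.0.0.1|src=192.168.1.11|dst=10.1.1.5|service=https
"""

def parse_record(line):
    """Return a dict of fields from one record, or None if the line is not a
    record. Splits each pair on the first '=' only, so values containing '='
    (for example a message field) survive intact."""
    fields = {}
    for part in line.rstrip("\n").split(RECORD_SEPARATOR):
        if "=" not in part:
            return None
        name, value = part.split("=", 1)
        fields[name.strip()] = value.strip()
    return fields if "time" in fields and "action" in fields else None

def parse_lines(text):
    """Parse every record in text, silently skipping malformed lines."""
    records = []
    for line in text.splitlines():
        rec = parse_record(line)
        if rec is not None:
            records.append(rec)
    return records

def drops_by_source(records):
    """Count records with action=drop per source IP."""
    return Counter(r["src"] for r in records if r.get("action") == "drop")

if __name__ == "__main__":
    recs = parse_lines(SAMPLE_LINES)
    print(f"{len(recs)} records parsed")
    for src, n in drops_by_source(recs).most_common():
        print(f"{src}: {n} drops")
```

To run it over the real output, replace SAMPLE_LINES with the contents of the file named by OUTPUT_FILE_PREFIX.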
