diff --git a/Makefile b/Makefile index 1ee1d00..c51d2cf 100644 --- a/Makefile +++ b/Makefile @@ -42,7 +42,6 @@ INSTALL_DIR = /usr/local/fw1-loggrabber INSTALL_BIN_DIR=${INSTALL_DIR}/bin INSTALL_ETC_DIR=${INSTALL_DIR}/etc INSTALL_LIB_DIR=${INSTALL_DIR}/lib -INSTALL_MAN_DIR=${INSTALL_DIR}/man TEMP_DIR=/tmp %.o: %.c @@ -58,12 +57,10 @@ install: @install -v -o root -g root -m 755 -d ${INSTALL_BIN_DIR} @install -v -o root -g root -m 755 -d ${INSTALL_ETC_DIR} @install -v -o root -g root -m 755 -d ${INSTALL_LIB_DIR} - @install -v -o root -g root -m 755 -d ${INSTALL_MAN_DIR}/man1 @install -v -o root -g root -m 755 -p fw1-loggrabber ${INSTALL_BIN_DIR}/fw1-loggrabber @install -v -o root -g root -m 644 -p fw1-loggrabber.conf ${INSTALL_ETC_DIR}/fw1-loggrabber.conf-sample @install -v -o root -g root -m 644 -p lea.conf ${INSTALL_ETC_DIR}/lea.conf-sample @install -v -o root -g root -m 644 -t ${INSTALL_LIB_DIR} ${OPSEC_LIB_DIR}/*.so - @install -v -o root -g root -m 644 -p fw1-loggrabber.1 ${INSTALL_MAN_DIR}/man1/fw1-loggrabber.1 @echo @echo "Installation complete! Please declare the following environment variables in your shell configuration file:" @echo diff --git a/README.md b/README.md index 1ee3969..c788752 100644 --- a/README.md +++ b/README.md @@ -15,7 +15,7 @@ Then run ``make`` to build and ``sudo make install`` to install into default loc ## Documentation -Documentation is available both as a [wiki page](https://github.com/certego/fw1-loggrabber/wiki/FW1-LOGGRABBER) and as a [man page](https://raw.githubusercontent.com/certego/fw1-loggrabber/master/fw1-loggrabber.1). +Documentation is available as a [GitHub wiki page](https://github.com/certego/fw1-loggrabber/wiki/FW1-LOGGRABBER). ## License diff --git a/fw1-loggrabber.1 b/fw1-loggrabber.1 deleted file mode 100644 index 008b49a..0000000 --- a/fw1-loggrabber.1 +++ /dev/null @@ -1,925 +0,0 @@ -.\" Process this file with -.\" groff -man -Tascii fw1-loggrabber.1 -.\" -.TH FW1-LOGGRABBER "April 2014" Unix "User Manuals" -.SH NAME -fw1-loggrabber \- a command line LEA-client for Checkpoint Firewall-1 -.SH SYNOPSIS -.B fw1-loggrabber [--options] -.SH DESCRIPTION -.B fw1-loggrabber -is a commandline LEA client is a command-line LEA-client for Checkpoint FW-1. -Using this tool, it's possible to get FW-1 logging data from remote using -Checkpoints proprietary LEA protocol, which is a part of their OPSEC API. -.SH SOURCE CODE -The source code of \fBfw1-loggrabber\fR is available on both: -.RS -https://github.com/certego/fw1-loggrabber (v2.0) -.RE -.RS -http://sourceforge.net/projects/fw1-loggrabber (v1.11) -.RE -.SH INSTALLATION -Beginning with v2.0, \fBfw1-loggrabber\fR includes a Makefile in order to build and -install from source code on the Linux platform. You should first modify the -settings inside Makefile according to your environment. By default, the script -installs \fBfw1-loggrabber\fR to /usr/local/fw1-loggrabber. -The install script also prompts you for adding two environment variables to your -shell configuration file which will be explained in the following section. -.SH ENVIRONMENT VARIABLES -\fBfw1-loggrabber\fR makes use of two environment variables, which should be defined -in the shell configuration file: -.RS - -LOGGRABBER_CONFIG_PATH: this variable defines a directory where \fBfw1-loggrabber\fR -searches its configuration files (fw1-loggrabber.conf, lea.conf). If this variable is not -defined, \fBfw1-loggrabber\fR looks in the current directory for these configuration files. -.RE -.RS - -LOGGRABBER_TEMP_PATH: this variable defines a directory where \fBfw1-loggrabber\fR stores -temporary files. If this variable is not defined, \fBfw1-loggrabber\fR stores these files -in the current directory. -.RE -.SH OPTIONS -In the following lines, all available command line options are described in detail. Most -of the options can also be configured using the configuration file \fBfw1-loggrabber.conf\fR -(see \fB--configfile\fR option to use a different configuration file). The precedence of given -options is as follows: commandline, configuration file, default value. E.g. if you set the -resolve-mode to be used in the configuration file, this can be overwritten by -commandline option \fB--noresolve\fR. Only if an option isn't set neither on commandline nor in -the configuration file, the default value will be used. -.TP -.B -f , --logfile -With these parameters, the name of the FW-1 logfile to be read, can be specified. This -can be either done exactly or using only a part of the filename. If no exact match can -be found in the list of logfiles returned by the FW-1 management station, all logfiles -which contain the specified string are processed. A special case is the usage of \fBALL\fR -instead of a logfile name or pattern. In that case all logfiles that are available -on the management station, will be processed. If this parameter is omitted, only the default -logfile fw.log will be processed. E.g. -.RS - ---logfile 2003-03-27_213652.log -.RE -.RS ---logfile 2003-03 -.RE -.RS - -The first example display the logfile 2003-03-27_213652.log, the second one processes -all logfiles which contain 2003-03 in their filename. -.RE -.TP -.B -c , --configfile -These options allow to specify a non-default configuration file, in which most -of the commandline options can be configured as well as other options, which are -not available as commandline parameters. If this parameter is omitted, the file -\fBfw1-loggrabber.conf\fR in the current directory will be used. See below for a -description of all available configuration file options. -.TP -.B -l , --leaconfigfile -Using one of these options, it's possible to use a non-default LEA configuration -file. In this file, all connection parameters such as FW-1 server, port, authentication -method as well as sic names have to be configured. That's the usual configuration -procedure for OPSEC applications. If this parameter is omitted, the file -\fBlea.conf\fR in the current directory will be used. See below for a description -of all available LEA configuration file options. -.TP -.B --resolve -Using the \fB--resolve\fR option, IP addresses will be resolved to names using -FW-1 name resolving behaviour. This resolving mechanism will not cause the machine -running \fBfw1-loggrabber\fR to initiate DNS requests, but the name resolution will -be done directly on the FW-1 machine. Enabled name resolution is also the default -behaviour of \fBfw1-loggrabber\fR. -.TP -.B --noresolve -In contrast to \fB--resolve\fR, the option \fB--no-resolve\fR will cause IP addresses -to be displayed in log output instead of names. -.TP -.B --showfiles -The option \fB--showfiles\fR can be used to simply show the available logfiles on -the FW-1 management station. After the names of the logfiles have been displayed, -\fBfw1-loggrabber\fR quits. -.TP -.B --showlogs -The default behaviour of \fBfw1-loggrabber\fR is to -display the content of the logfiles and not just their names. This can be explicitely -specified using the \fB--showlogs\fR option. -.TP -.B --2000 -The option \fB--2000\fR has to be used if you want to connect to CP FW-1 4.1 (2000) -firewalls. You have to consider, that some options are not available for non-NG -firewalls. These include \fB--auth\fR, \fB--showfiles\fR, \fB--auditlog\fR and -some other options. -.TP -.B --ng -The default FW-1 version, for which this tool is being developed, is CP FW-1 5.0 (NG), -which is the default version, is no version is explicitely specified. -.TP -.B --online -Using online mode, \fBfw1-loggrabber\fR starts output of logging data at the end of -the specified logfile (or fw.log if no logfilename has been specified). All future -log entries will be displayed. If you use \fB--logfile\fR to specify another logfile -to be processed, you have to consider that no data will be shown, if the file isn't -active anymore. This mode is mainly used for continuously processing FW-1 log data -and continues to display log entries also after scheduled and manual log switches. -.TP -.B --no-online -In contrast to online mode, \fBfw1-loggrabber\fR quits after having displayed the last -log entry, when running in offline mode. This is the default behaviour and is mainly -used for analysis of historic log data. -.TP -.B --auditlog -Using the audit mode, content of the audit logfile (fw.adtlog) can be displayed. This -includes administrator actions and uses different fields than normal log data. -.TP -.B --normallog -The default mode of \fBfw1-loggrabber\fR processes normal FW-1 logfiles. In contrast -to the \fB--auditlog\fR option, no admistration actions are displayed in this mode, but -all regular log data. -.TP -.B --filter \*(lq[;]\*(rq -Using one or multiple \fB--filter\fR options, you are able to filter log entries in -order to see only entries which match your filter rules. You can specify multiple -filter rules using multiple \fB--filter\fR options. All filter rules are related by -OR, i.e. if you specify multiple rules, a log entry will be displayed if one of the -rules matches. Within one filter rule, you can specify multiple arguments. All of these -arguments are related by AND, i.e. a single filter rule only matches a given log entry -if the log entry is matched by all arguments. A more detailed description of filter rules -you can find below in a separate chapter about filtering which also provides various examples. -.TP -.B --debuglevel <0-3> -Sets the debuglevel to the specified value. A debuglevel of 0 means no output of -debug informations. Further debuglevels will cause output of program specific as well -as OPSEC specific debug informations. -.TP -.B --ignore-fields \*(lq[;]\*(rq -A list of one or more field names to skip when outputting the log messages. -.TP -.B --help -Use \fB--help\fR to display basic help and usage information. For further help, please -refer to the man page. -.SH LEA CONFIGURATION FILE -Starting with version 1.11, \fBfw1-loggrabber\fR uses the default connection configuration -procedure for OPSEC applications. This includes server, port and authentication settings. -From now on, all this parameters can only be configured using the configuration file -\fBlea.conf\fR (see \fB--leaconfigfile\fR option to use a different LEA configuration -file) and not using the command-line as before. -.TP -.B lea_server ip -This parameter specifies the IP address of the FW1 management station, to which -\fBfw1-loggrabber\fR should connect to. -.TP -.B lea_server port -The port on the FW1 management station, to which \fBfw1-loggrabber\fR should connect to, -can be specified using this option. If you want to use authenticated connections to -your firewall, you have to use \fBlea_server auth_port\fR instead. -.TP -.B lea_server auth_port -In contrast to the previous option, this one has to be used for specifying the port -to be used for authenticated connection to your FW1 management station. -.TP -.B lea_server auth_type -If you want to use authenticated connections to your FW1 management station, you -can use this parameter to specify the authentication mechnismn to be used. If this -parameter is omitted, \fBfw1-loggrabber\fR defaults to \fBsslca\fR. Supported values -in this field are: sslca, sslca_clear, sslca_comp, sslca_rc4, sslca_rc4_comp, -asym_sslca, asym_sslca_comp, asym_sslca_rc4, asym_sslca_rc4_comp, ssl, ssl_opsec, -ssl_clear, ssl_clear_opsec, fwn1 and auth_opsec. -.TP -.B opsec_sslca_file -When using authenticated connections, this parameter has to be used in order to -specify the location of the PKCS#12 certificate. -.TP -.B opsec_sic_name "" -This parameter is also only necessary when using authenticated connections. -In that case the SIC name of the LEA-client has to be specified using this parameter. -.TP -.B lea_server opsec_entity_sic_name "" -Similar to \fBopsec_sic_name\fR you have to specify the SIC name of your FW1 -management station using this parameter when using authenticated connections.. -.SH CONFIGURATION FILE -This paragraph deals with the options that can be set within the configuration file. -The default configuration file is \fBfw1-loggrabber.conf\fR which should be in the -current directory. (see \fB--configfile\fR option to use a different configuration file). -The precedence of given -options is as follows: commandline, configuration file, default value. E.g. if you set the -resolve-mode to be used in the configuration file, this can be overwritten by -commandline option \fB--noresolve\fR. Only if an option isn't set neither on commandline nor in -the configuration file, the default value will be used. -.TP -.B DEBUG_LEVEL=<0-3> -Sets the debuglevel to the specified value. A debuglevel of 0 means no output of -debug informations. Further debuglevels will cause output of program specific as well -as OPSEC specific debug informations. This parameter can be overwritten by -\fB--debug-level\fR command-line option. -.TP -.B FW1_LOGFILE= -With this parameter, the name of the FW-1 logfile to be read, can be specified. This -can be either done exactly or using only a part of the filename. If no exact match can -be found in the list of logfiles returned by the FW-1 management station, all logfiles -which contain the specified string are processed. If this parameter is omitted, the default -logfile fw.log will be processed. -The correspondent command-line parameter is \fB--logfile\fR. -.TP -.B FW1_OUTPUT= -This parameter simply specifies whether \fBfw1-loggrabber\fR should only display the -available logfiles (files) on the FW-1 server or display the content of the logfiles (logs). -The correspondent command-line parameters are \fB--showfiles\fR and \fB--showlogs\fR. -.TP -.B FW1_TYPE= -Using this parameter you can choose to which version of FW-1 to connect to. For Checkpoint -FW-1 5.0 (NG) you have to specify NG and for Checkpoint FW-1 4.1 (2000) you have to specify 2000. -The correspondent command-line parameters are \fB--2000\fR and \fB--ng\fR. -.TP -.B FW1_MODE= -This parameter enables you to specify whether to display audit logs which contain -administrative actions of normal security logs, which contain data about dropped and -accepted connections. -The correspondent command-line parameters are \fB--auditlog\fR and \fB--normallog\fR. -.TP -.B ONLINE_MODE= -Using online mode, \fBfw1-loggrabber\fR starts output of logging data at the end of -the specified logfile (or fw.log if no logfilename has been specified). All future -log entries will be displayed. If you use \fB--logfile\fR to specify another logfile -to be processed, you have to consider that no data will be shown, if the file isn't -active anymore. This mode is mainly used for continuously processing FW-1 log data. -If you disable online mode, \fBfw1-loggrabber\fR quits after having displayed the last -log entry. This is the default behaviour and is mainly -used for analysis of historic log data. -The correspondent command-line parameters are \fB--online\fR and \fB--no-online\fR. -.TP -.B RESOLVE_MODE= -With this option, IP addresses will be resolved to names using -FW-1 name resolving behaviour. This resolving mechanism will not cause the machine -running \fBfw1-loggrabber\fR to initiate DNS requests, but the name resolution will -be done directly on the FW-1 machine. Enabled name resolution is also the default -behaviour of \fBfw1-loggrabber\fR. -If you disable resolving mode this will cause IP addresses -to be displayed in log output instead of names. -The correspondent command-line parameters are \fB--resolve\fR and \fB--no-resolve\fR. -.TP -.B RECORD_SEPARATOR= -This parameter can be used to change the default record separator (|) into another character. -If you choose a character which is contained in some log data, the occurrence within the -logdata will be escaped by a backslash. -.TP -.B LOGGING_CONFIGURATION= -The \fBLOGGING_CONFIGURATION\fR parameter can be used for redirection of logging output to -other destinations than the default destination STDOUT, i.e. screen. Currently it's possible -to redirect output to a file or to syslog daemon (Unix only). Using the parametes -\fBOUTPUT_FILE_PREFIX\fR and \fBOUTPUT_FILE_ROTATESIZE\fR, you can specify more details, -if you choose to redirect the output to a file. -.TP -.B OUTPUT_FILE_PREFIX= -This parameter can be used to define a prefix for the output filename. Eventually the output -file will get the suffix \fB.log\fR respectively a datestamp when it gets rotated. The -default value for this prefix is simply \fBfw1-loggrabber\fR. This parameter will only be -used if \fBLOGGING_CONFIGURATION\fR is set to \fBfile\fR. -.TP -.B OUTPUT_FILE_ROTATESIZE= -Using this parameter you can specify the maximum size of the output files, before they will -be rotated. If the size of the output file exceeds the given value, the logfile will be rotated -to -YYYY-MM-DD-hhmmss[-x].log. The default value is 1048576 bytes, -which equals 1 megabyte. It should be obvious -that this parameter will only be used if \fBLOGGING_CONFIGURATION\fR is set to \fBfile\fR. -.TP -.B SYSLOG_FACILITY= -This parameter can be used to set the syslog facility to be used (Unix only). -Obviously this is only effective when running \fBfw1-loggrabber\fR with -\fBLOGGING_CONFIGURATION=SYSLOG\fR. -.TP -.B FW1_FILTER_RULE=\*(lq[;]\*(rq -When using this option in the configuration file, you can define filters for normal log-mode in -the configuration file instead of a commandline option. You can specify multiple -filter rules using multiple \fBFW1_FILTER_RULE\fR lines. All filter rules are related by -OR, i.e. if you specify multiple rules, a log entry will be displayed if one of the -rules matches. Within one filter rule, you can specify multiple arguments. All of these -arguments are related by AND, i.e. a single filter rule only matches a given log entry -if the log entry is matched by all arguments. A more detailed description of filter rules -you can find below in a separate chapter about filtering which also provides various examples. -.TP -.B AUDIT_FILTER_RULE=\*(lq[;]\*(rq -In contrast to \fBFW1_FILTER_RULE\fR, \fBAUDIT_FILTER_RULE\fR allows definitions of filters -for auditlog-mode within the configuration file. -.TP -.B IGNORE_FIELDS=\*(lq[;]\*(rq -A list of one or more field names to skip when outputting the log messages. -.TP -.B DATEFORMAT= -Using the \fBDATEFORMAT\fR option, you can choose between three different date formats -for output of date fields. The value \fBCP\fR provides the standard Checkpoing date -format ( 3Feb2004 14:15:16). Using the values \fBUNIX\fR or \fBSTD\fR you can change -this into standard Unix time format (1051655431) or into a standardized human-readable -format (2004-02-03 14:15:16). -.SH CONFIGURE FW-1 -For both authenticated and unauthenticated connections of \fBfw1-loggrabber\fR to -FW-1 servers there is the need for additional configuration on both the FW-1 side and -the \fBfw1-loggrabber\fR side. This section describes the necessary steps to successfully -establish a connection. -.TP -.B Unauthenticated connections to FW-1 4.1 or NG -.RS -\fIConfiguration of FW-1 server:\fR -.RE -.RS - -- modify $FWDIR/conf/fwopsec.conf and define the port to be used for unauthenticated -lea connections (e.g. 50001): -.RE -.RS -.RS -lea_server port 50001 -.RE -.RS -lea_server auth_port 0 -.RE -.RE -.RS - -- bounce FW-1 in order to activate changes -.RE -.RS -.RS -[4.1] fwstop ; fwstart -.RE -.RS -[NG] cpstop ; cpstart -.RE -.RE -.RS - -\fIConfiguration of FW-1 policy:\fR -.RE -.RS - -- add a rule to the policy to allow the port defined above from the \fBfw1-loggrabber\fR -machine to the FW-1 management server. -.RE -.RS - -- install the policy -.RE -.RS - -\fIConfiguration of fw1-loggrabber:\fR -.RE -.RS - -- modify lea.conf and define the ip address of your FW1 management station (e.g. 10.1.1.1) and port -(e.g. 50001) for unauthenticated lea connections: -.RE -.RS -.RS -lea_server ip 10.1.1.1 -.RE -.RS -lea_server port 50001 -.RE -.RE -.TP -.B Authenticated connections to FW-1 4.1 -.RS -\fIConfiguration of FW-1 server:\fR -.RE -.RS - -- modify $FWDIR/conf/fwopsec.conf and define the port to be used for authenticated -lea connections (e.g. 18184): -.RE -.RS -.RS -lea_server port 0 -.RE -.RS -lea_server auth_port 18184 -.RE -.RS -lea_server auth_type auth_opsec -.RE -.RE -.RS - -- bounce FW-1 in order to activate changes -.RE -.RS -.RS -[4.1] fwstop ; fwstart -.RE -.RE -.RS - -- set a password (e.g. abc123) for the LEA client (e.g. 10.1.1.2) -.RE -.RS -.RS -[4.1] fw putkey -opsec -p abc123 10.1.1.2 -.RE -.RE -.RS - -\fIConfiguration of FW-1 policy:\fR -.RE -.RS - -- add a rule to the policy to allow the port defined above from the \fBfw1-loggrabber\fR -machine to the FW-1 management server. -.RE -.RS - -- install the policy -.RE -.RS - -\fIConfiguration of fw1-loggrabber:\fR -.RE -.RS - -- modify lea.conf and define the ip address of your FW1 management station (e.g. 10.1.1.1) as well as -port (e.g. 18184) and authentication type for authenticated lea connections: -.RE -.RS -.RS -lea_server ip 10.1.1.1 -.RE -.RS -lea_server auth_port 18184 -.RE -.RS -lea_server auth_type auth_opsec -.RE -.RE -.RS - -- set password for the connection to the LEA server. The password has to be the same -as specified on the LEA server. -.RE -.RS -.RS -opsec_putkey -p abc123 10.1.1.1 -.RE -.RE -.TP -.B Authenticated connections to FW-1 NG using ssl_opsec -.RS -\fIConfiguration of FW-1 server:\fR -.RE -.RS - -- modify $FWDIR/conf/fwopsec.conf and define the port to be used for authenticated -lea connections (e.g. 18184): -.RE -.RS -.RS -lea_server port 0 -.RE -.RS -lea_server auth_port 18184 -.RE -.RS -lea_server auth_type ssl_opsec -.RE -.RE -.RS - -- bounce FW-1 in order to activate changes -.RE -.RS -.RS -[NG] cpstop ; cpstart -.RE -.RE -.RS - -- set a password (e.g. abc123) for the LEA client (e.g. 10.1.1.2) -.RE -.RS -.RS -[NG] fw putkey -ssl -p abc123 10.1.1.2 -.RE -.RE -.RS - -\fIConfiguration of FW-1 policy:\fR -.RE -.RS - -- create a new Opsec Application Object with the following details: -.RE -.RS -.RS -- Name: e.g. myleaclient -.RE -.RS -- Vendor: User Defined -.RE -.RS -- Server Entities: None -.RE -.RS -- Client Entities: LEA -.RE -.RE -.RS - -- initialize Secure Internal Communication (SIC) for recently created -Opsec Application Object and enter (and remember) the activation key (e.g. def456) -.RE -.RS - -- write down the DN of the recently created Opsec Application Object. This is your -Client Distinguished Name, which you need later on. -.RE -.RS - -- open the object of your FW-1 management server and write down the DN of that object. -This is the Server Distinguished Name, which you will need later on. -.RE -.RS - -- add a rule to the policy to allow the port defined above as well as port 18210/tcp -(FW1_ica_pull) in order to allow pulling of PKCS#12 certificate from the \fBfw1-loggrabber\fR -machine to the FW-1 management server. The port 18210/tcp can be shut down after the -communication between \fBfw1-loggrabber\fR and the FW-1 management server has been established -successfully. -.RE -.RS - -- install the policy -.RE -.RS - -\fIConfiguration of fw1-loggrabber:\fR -.RE -.RS - -- modify lea.conf and define the ip address of your FW1 management station (e.g. 10.1.1.1) as well as -port (e.g. 18184), authentication type and SIC names for authenticated lea connections. The SIC names -you can get from the object properties of your LEA client object respectively the Management Station -object (see above for details about Client DN and Server DN). -.RE -.RS -.RS -lea_server ip 10.1.1.1 -.RE -.RS -lea_server auth_port 18184 -.RE -.RS -lea_server auth_type ssl_opsec -.RE -.RS -opsec_sslca_file opsec.p12 -.RE -.RS -opsec_sic_name "CN=myleaclient,O=cpmodule..gysidy" -.RE -.RS -lea_server opsec_entity_sic_name "cn=cp_mgmt,o=cpmodule..gysidy" -.RE -.RE -.RS - -- set password for the connection to the LEA server. The password has to be the same -as specified on the LEA server. -.RE -.RS -.RS -opsec_putkey -ssl -p abc123 10.1.1.1 -.RE -.RE -.RS - -- get the tool opsec_pull_cert either from opsec-tools.tar.gz from the project -home page or directly from the OPSEC SDK. This tool is needed to establish the -Secure Internal Communication (SIC) between \fBfw1-loggrabber\fR and the FW-1 -management server. -.RE -.RS - -- get the clients certificate from the management station (e.g. 10.1.1.1). The activation key has -to be the same as specified before in the firewall policy. -.RE -.RS -.RS -opsec_pull_cert -h 10.1.1.1 -n myleaclient -p def456 -.RE -.RE - -.B Authenticated connections to FW-1 NG using sslca -.RS -\fIConfiguration of FW-1 server:\fR -.RE -.RS - -- modify $FWDIR/conf/fwopsec.conf and define the port to be used for authenticated -lea connections (e.g. 18184): -.RE -.RS -.RS -lea_server port 0 -.RE -.RS -lea_server auth_port 18184 -.RE -.RS -lea_server auth_type sslca -.RE -.RE -.RS - -- bounce FW-1 in order to activate changes -.RE -.RS -.RS -[NG] cpstop ; cpstart -.RE -.RE -.RS - -\fIConfiguration of FW-1 policy:\fR -.RE -.RS - -- create a new Opsec Application Object with the following details: -.RE -.RS -.RS -- Name: e.g. myleaclient -.RE -.RS -- Vendor: User Defined -.RE -.RS -- Server Entities: None -.RE -.RS -- Client Entities: LEA -.RE -.RE -.RS - -- initialize Secure Internal Communication (SIC) for recently created -Opsec Application Object and enter (and remember) the activation key (e.g. def456) -.RE -.RS - -- write down the DN of the recently created Opsec Application Object. This is your -Client Distinguished Name, which you need later on. -.RE -.RS - -- open the object of your FW-1 management server and write down the DN of that object. -This is the Server Distinguished Name, which you will need later on. -.RE -.RS - -- add a rule to the policy to allow the port defined above as well as port 18210/tcp -(FW1_ica_pull) in order to allow pulling of PKCS#12 certificate from the \fBfw1-loggrabber\fR -machine to the FW-1 management server. The port 18210/tcp can be shut down after the -communication between \fBfw1-loggrabber\fR and the FW-1 management server has been established -successfully. -.RE -.RS - -- install the policy -.RE -.RS - -\fIConfiguration of fw1-loggrabber:\fR -.RE -.RS - -- modify lea.conf and define the ip address of your FW1 management station (e.g. 10.1.1.1) as well as -port (e.g. 18184), authentication type and SIC names for authenticated lea connections. The SIC names -you can get from the object properties of your LEA client object respectively the Management Station -object (see above for details about Client DN and Server DN). -.RE -.RS -.RS -lea_server ip 10.1.1.1 -.RE -.RS -lea_server auth_port 18184 -.RE -.RS -lea_server auth_type sslca -.RE -.RS -opsec_sslca_file opsec.p12 -.RE -.RS -opsec_sic_name "CN=myleaclient,O=cpmodule..gysidy" -.RE -.RS -lea_server opsec_entity_sic_name "cn=cp_mgmt,o=cpmodule..gysidy" -.RE -.RE -.RS - -- get the tool opsec_pull_cert either from opsec-tools.tar.gz from the project -home page or directly from the OPSEC SDK. This tool is needed to establish the -Secure Internal Communication (SIC) between \fBfw1-loggrabber\fR and the FW-1 -management server. -.RE -.RS - -- get the clients certificate from the management station (e.g. 10.1.1.1). The activation key has -to be the same as specified before in the firewall policy. After that copy the resulting PKCS#12 file -(default: opsec.p12) to your \fBfw1-loggrabber\fR directory. -.RE -.RS -.RS -opsec_pull_cert -h 10.1.1.1 -n myleaclient -p def456 -.RE -.RE - -.RE -.SH FILTERING -WARNING: if you are using the filtering functionality starting from v2.0 -upwards, beware that it has not been tested extensively yet! -Filter rules provide the possibility to display only log entries that -match a given set of rules. There can be specified one or more filter -rules using one or multiple \fB--filter\fR arguments on the command -line. All individual filter rules are related by OR. That means a log -entry will be displayed if at least one of the filter rules matches. -Within one filter rule, there can be specified multiple arguments. All -these arguments are related by AND. That means a filter rule matches a -given log entry only, if all of the filter arguments match. -.TP -.B Supported filter arguments in normal mode -.RS -- action= -.RE -.RS -- dst= -.RE -.RS -- endtime= -.RE -.RS -- orig= -.RE -.RS -- product= -.RE -.RS -- proto= -.RE -.RS -- rule= -.RE -.RS -- service= -.RE -.RS -- src= -.RE -.RS -- starttime= -.RE -.TP -.B Supported filter arguments in audit mode -.RS -- action= -.RE -.RS -- administrator= -.RE -.RS -- endtime= -.RE -.RS -- orig= -.RE -.RS -- product= -.RE -.RS -- starttime= -.RE -.TP -.B Negation of arguments -If you specify '!=' instead of '=' between name and value -of the filter argument, you can negate the name/value pair. -.TP -.B Specifying multiple argument values -You can specify multiple argument values by separating the -values by ','. -.TP -.B Specifying IP addresses as argument values -For arguments that expect IP addresses, you can specify either -a single IP address, multiple IP addresses separated by ',' or -a network address with netmask (e.g. 10.0.0.0/255.0.0.0). Currently -it's not possible to specify a network address and a single IP -address within the same filter argument. -.TP -.B Specifying multiple filter arguments -Each filter rule can exist of multiple filter arguments which have -to be separated by ';'. -.TP -.B Examples -.RS -1) display all dropped connections -.RE -.RS - --filter "action=drop" -.RE -.RS - -2) display all dropped and rejected connections -.RE -.RS - --filter "action=drop,reject" - --filter "action!=accept" -.RE -.RS - -3) display all log entries generated by rules 20 to 23 -.RE -.RS - --filter "rule=20,21,22,23" - --filter "rule=20-23" -.RE -.RS - -4) display all log entries generated by rules 20 to 23, 30 or 40 to 42 -.RE -.RS - --filter "rule=20-23,30,40-42" -.RE -.RS - -5) display all log entries to 10.1.1.1 and 10.1.1.2 -.RE -.RS - --filter "dst=10.1.1.1,10.1.1.2" -.RE -.RS - -6) display all log entries from 192.168.1.0/255.255.255.0 -.RE -.RS - --filter "src=192.168.1.0/255.255.255.0" -.RE -.RS - -7) display all log entries starting from 2004/03/02 14:00:00 -.RE -.RS - --filter "starttime=20040302140000" -.RE -.SH FILES -.I fw1-loggrabber.conf -.RS -FW1-Loggrabber configuration file -.RE -.TP -.I lea.conf -.RS -LEA configuration file -.RE -.RE -.SH AUTHORS -Torsten Fellhauer -Andrea De Pasquale -.SH BUGS -Please report bugs using the bug report functionality on -.RS -\fIhttps://github.com/certego/fw1-loggrabber/issues\fR -.RE -.SH COPYRIGHT -Copyright (c) 2003-2005 Torsten Fellhauer, Xiaodong Lin -.PP -Copyright (c) 2014-2016 CERTEGO s.r.l. -.PP -Redistribution and use in source and binary forms, with or without -modification, are permitted provided that the following conditions -are met: -.PP -1. Redistributions of source code must retain the - above copyright notice, this list of conditions - and the following disclaimer. -.PP -2. Redistributions in binary form must reproduce - the above copyright notice, this list of con- - ditions and the following disclaimer in the - documentation and/or other materials provided - with the distribution. -.PP -THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND -ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE -IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE -ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE -FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL -DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS -OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) -HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT -LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY -OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF -SUCH DAMAGE. -.SH CREDITS -Stefan Siebert for making the start of this project possible. Xiaodong Lin -with his excellent Opsec skills for helping me in further development of -\fBfw1-loggrabber\fR.