Posted to issues@metron.apache.org by "Bas van de Lustgraaf (JIRA)" <ji...@apache.org> on 2016/11/03 16:10:59 UTC

[jira] [Updated] (METRON-537) Create CheckPoint Firewall LEA parser

     [ https://issues.apache.org/jira/browse/METRON-537?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Bas van de Lustgraaf updated METRON-537:
----------------------------------------
    Description: 
Parse checkpoint firewall logs. The format is as below:

{code}loc=2352554|time=2016-11-03 16:58:31|action=accept|orig=10.10.10.10|i/f_dir=inbound|i/f_name=wqa78|has_accounting=0|uuid=<587a8ea7,00000003,7c898bc0,c0045800>|product=VPN-1 & FireWall-1|__policy_id_tag=product=VPN-1 & FireWall-1[db_tag={440955DA-24D0-BE4E-A15A-D463D23784E0};mgmt=cp-sc;date=1478185265;policy_name=fw_policy]|src=192.168.2.1|s_port=53939|dst=1.1.1.9|service=3128|proto=tcp|rule=53|origin_sic_name=CN=na-fw1,O=domain.com.er5n2u|rule_uid={0CABE198-6E0D-44FF-A201-4F38EF72A146}|rule_name=dmz-prod|service_id=tcp-3128{code}

Currently I have a working CheckPoint LEA parser (not production ready) that I can share so we can finish it together...

Although, it might be a better idea to invest time in developing a General Key/Value parser, since the CheckPoint LEA format is k=v|k=v|k=v.

Let me know.

  was:
Parse checkpoint firewall logs. The format is as below:

loc=2352554|time=2016-11-03 16:58:31|action=accept|orig=10.10.10.10|i/f_dir=inbound|i/f_name=wqa78|has_accounting=0|uuid=<587a8ea7,00000003,7c898bc0,c0045800>|product=VPN-1 & FireWall-1|__policy_id_tag=product=VPN-1 & FireWall-1[db_tag={440955DA-24D0-BE4E-A15A-D463D23784E0};mgmt=cp-sc;date=1478185265;policy_name=fw_policy]|src=192.168.2.1|s_port=53939|dst=1.1.1.9|service=3128|proto=tcp|rule=53|origin_sic_name=CN=na-fw1,O=domain.com.er5n2u|rule_uid={0CABE198-6E0D-44FF-A201-4F38EF72A146}|rule_name=dmz-prod|service_id=tcp-3128

Currently I have a working CheckPoint LEA parser (not production ready) that I can share so we can finish it together...

Although, it might be a better idea to invest time in developing a General Key/Value parser, since the CheckPoint LEA format is k=v|k=v|k=v.

Let me know.


> Create CheckPoint Firewall LEA parser
> -------------------------------------
>
>                 Key: METRON-537
>                 URL: https://issues.apache.org/jira/browse/METRON-537
>             Project: Metron
>          Issue Type: New Feature
>            Reporter: Bas van de Lustgraaf
>            Priority: Minor
>              Labels: parser
>
> Parse checkpoint firewall logs. The format is as below:
> {code}loc=2352554|time=2016-11-03 16:58:31|action=accept|orig=10.10.10.10|i/f_dir=inbound|i/f_name=wqa78|has_accounting=0|uuid=<587a8ea7,00000003,7c898bc0,c0045800>|product=VPN-1 & FireWall-1|__policy_id_tag=product=VPN-1 & FireWall-1[db_tag={440955DA-24D0-BE4E-A15A-D463D23784E0};mgmt=cp-sc;date=1478185265;policy_name=fw_policy]|src=192.168.2.1|s_port=53939|dst=1.1.1.9|service=3128|proto=tcp|rule=53|origin_sic_name=CN=na-fw1,O=domain.com.er5n2u|rule_uid={0CABE198-6E0D-44FF-A201-4F38EF72A146}|rule_name=dmz-prod|service_id=tcp-3128{code}
> Currently I have a working CheckPoint LEA parser (not production ready) that I can share so we can finish it together...
> Although, it might be a better idea to invest time in developing a General Key/Value parser, since the CheckPoint LEA format is k=v|k=v|k=v.
> Let me know.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
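An added example, not code from the ticket or from Metron, of the generic key/value approach the description suggests, applied to the line quoted above: it splits on `|` and on the first `=` only, expands the nested `__policy_id_tag` sub-fields, and maps the result onto the ip_src_addr/ip_dst_addr/timestamp style field names Metron parsers emit. The sample line is the one from the ticket; treating its `time` field as UTC and `service` as a numeric port are assumptions.

```python
import re
from datetime import datetime, timezone

# Constructed sample in the format quoted in the ticket.
SAMPLE = (
    "loc=2352554|time=2016-11-03 16:58:31|action=accept|orig=10.10.10.10|i/f_dir=inbound|"
    "i/f_name=wqa78|has_accounting=0|uuid=<587a8ea7,00000003,7c898bc0,c0045800>|"
    "product=VPN-1 & FireWall-1|__policy_id_tag=product=VPN-1 & FireWall-1"
    "[db_tag={440955DA-24D0-BE4E-A15A-D463D23784E0};mgmt=cp-sc;date=1478185265;policy_name=fw_policy]|"
    "src=192.168.2.1|s_port=53939|dst=1.1.1.9|service=3128|proto=tcp|rule=53|"
    "origin_sic_name=CN=na-fw1,O=domain.com.er5n2u|rule_uid={0CABE198-6E0D-44FF-A201-4F38EF72A146}|"
    "rule_name=dmz-prod|service_id=tcp-3128"
)

def parse_lea(line):
    # Generic k=v|k=v|k=v split. Values can contain '=' (origin_sic_name,
    # __policy_id_tag), so each token is split on its FIRST '=' only.
    fields = {}
    for token in line.split("|"):
        if not token:
            continue                    # tolerate a trailing '|'
        if "=" not in token:
            raise ValueError(f"token without '=': {token!r}")
        key, value = token.split("=", 1)
        fields[key] = value
    return fields

def parse_policy_id_tag(value):
    # Expand the nested 'k=v[k=v;k=v;...]' structure of __policy_id_tag.
    m = re.fullmatch(r"(.*?)\[(.*)\]", value)
    if not m:
        return {"raw": value}           # unexpected shape: keep it rather than drop it
    head, body = m.groups()
    return dict(p.split("=", 1) for p in [head] + body.split(";") if "=" in p)

def to_metron(line):
    # Map raw fields onto the common names Metron parsers emit (ip_src_addr, ...).
    # Assumption: the LEA 'time' field is UTC; Metron's timestamp is epoch milliseconds.
    f = parse_lea(line)
    ts = datetime.strptime(f["time"], "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc)
    msg = dict(f, original_string=line, timestamp=int(ts.timestamp() * 1000))
    if "__policy_id_tag" in f:
        msg["__policy_id_tag"] = parse_policy_id_tag(f["__policy_id_tag"])
    msg.update(ip_src_addr=f["src"], ip_dst_addr=f["dst"], protocol=f["proto"],
               ip_src_port=int(f["s_port"]), ip_dst_port=int(f["service"]))
    return msg
```

If a feed carries a service name rather than a number in `service`, drop the int() cast on that field and take the port from `service_id` instead.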