CheckPoint firewall decoding not working


Tekletsadik Tadesse (Tekle's Funny Channel)

Jan 17, 2023, 8:06:43 AM
to Wazuh mailing list
The log format is as below; can anyone help me decode it?

472 0.501936779   172.0.0.0 → 172.0.0.0 Syslog 1124 LOCAL0.INFO: 1 2023-01-17T12:56:42Z fff-SMS CheckPoint 3456 - [action:"Drop"; flags:"395524"; ifdir:"inbound"; ifname:"eth2"; logid:"0"; loguid:"{0x63c69a5c,0xda,0x30814ac,0x6c88d80}"; origin:"172.0.0.0"; originsicname:"CN=fff-GW02,O=fff-SMS.insa.gov.et.sfjkwp"; sequencenum:"91"; time:"1673960202"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={ACB6C17B-84DB-C840-A219-64D4AB4BAE21};mgmt=fff-SMS;date=1673867581;policy_name=Standard\]"; dst:"37.0.0.0"; inzone:"Internal"; layer_name:"Network"; layer_uuid:"b406b732-2437-4848-9741-6eae1f5bf112"; match_id:"5"; parent_rule:"0"; rule_action:"Drop"; rule_name:"Cleanup rule"; rule_uid:"3bb62c4d-97e2-4b68-bde9-e2027b439332"; outzone:"External"; product:"VPN-1 & FireWall-1"; proto:"6"; s_port:"56490"; service:"1433"; service_id:"MS-SQL-Server"; src:"172.0.0.0"; log_link:"https://172.0.0.0/smartview/#external-nav%3DOpenLogCard&domain-id%3D41e821a0-3720-11e3-aa6e-0800200c9fde&args%3DbWFya2VyPUBBQEBCQDE2NzM5NTMzNjlAQ0A0NDEwMzQxJm9yaWdfbG9nX3NlcnZlcl9pZD01MTlkZjA4ZC0zZWNlLTU4NDItOTM4My0xYjg1MTI3ZjhiNjY%3D"]\n
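
An added example, not part of the thread and not Wazuh's or Check Point's own code: a Python parser for the line above. It assumes the datagram on the wire carried PRI <134> (tshark's "LOCAL0.INFO" is facility 16, severity 6, so 16*8+6) and that the tshark frame prefix (frame number, delta time, addresses, "Syslog 1124") is stripped, because that prefix is capture display, not part of the message. It separates the RFC 5424 header from Check Point's key:"value" body and handles the backslash-escaped "]" inside __policy_id_tag, which is the field a naive split on "]" or ";" breaks on.

```python
"""Parse a Check Point firewall syslog line (RFC 5424 header + key:"value" body)."""
import re
from typing import Dict, Tuple

# Constructed sample: the line from the thread as it would arrive on the wire.
# tshark showed LOCAL0.INFO, i.e. PRI = 16 * 8 + 6 = 134; the capture prefix
# (frame number, delta time, addresses, "Syslog 1124") is not part of the datagram.
SAMPLE = (
    r'<134>1 2023-01-17T12:56:42Z fff-SMS CheckPoint 3456 - '
    r'[action:"Drop"; flags:"395524"; ifdir:"inbound"; ifname:"eth2"; logid:"0"; '
    r'loguid:"{0x63c69a5c,0xda,0x30814ac,0x6c88d80}"; origin:"172.0.0.0"; '
    r'originsicname:"CN=fff-GW02,O=fff-SMS.insa.gov.et.sfjkwp"; sequencenum:"91"; '
    r'time:"1673960202"; version:"5"; '
    r'__policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={ACB6C17B-84DB-C840-A219-64D4AB4BAE21};'
    r'mgmt=fff-SMS;date=1673867581;policy_name=Standard\]"; '
    r'dst:"37.0.0.0"; inzone:"Internal"; layer_name:"Network"; '
    r'layer_uuid:"b406b732-2437-4848-9741-6eae1f5bf112"; match_id:"5"; parent_rule:"0"; '
    r'rule_action:"Drop"; rule_name:"Cleanup rule"; '
    r'rule_uid:"3bb62c4d-97e2-4b68-bde9-e2027b439332"; outzone:"External"; '
    r'product:"VPN-1 & FireWall-1"; proto:"6"; s_port:"56490"; service:"1433"; '
    r'service_id:"MS-SQL-Server"; src:"172.0.0.0"; '
    r'log_link:"https://172.0.0.0/smartview/#external-nav%3DOpenLogCard&domain-id%3D41e821a0-3720-11e3-aa6e-0800200c9fde&args%3DbWFya2VyPUBBQEBCQDE2NzM5NTMzNjlAQ0A0NDEwMzQxJm9yaWdfbG9nX3NlcnZlcl9pZD01MTlkZjA4ZC0zZWNlLTU4NDItOTM4My0xYjg1MTI3ZjhiNjY%3D"]'
)

# RFC 5424 header: <PRI>VERSION TIMESTAMP HOSTNAME APP-NAME PROCID MSGID, then the body.
HEADER_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<version>\d) (?P<timestamp>\S+) (?P<hostname>\S+) "
    r"(?P<appname>\S+) (?P<procid>\S+) (?P<msgid>\S+) (?P<body>.*)$"
)
# One key:"value" pair. A backslash escapes the next character inside the value,
# which is how the literal ']' in __policy_id_tag survives without ending the message.
FIELD_RE = re.compile(r'(?P<key>\w+):"(?P<val>(?:[^"\\]|\\.)*)"')
PROTO_NAMES = {"1": "icmp", "6": "tcp", "17": "udp"}


def parse_header(line: str) -> Dict[str, object]:
    """Split the RFC 5424 header and decode PRI into facility and severity."""
    m = HEADER_RE.match(line)
    if not m:
        raise ValueError("not an RFC 5424 syslog line")
    h: Dict[str, object] = dict(m.groupdict())
    pri = int(str(h.pop("pri")))
    h["facility"], h["severity"] = pri >> 3, pri & 7
    return h


def parse_fields(body: str) -> Dict[str, str]:
    """Body -> {key: value}; values are unescaped, and ';', '=' and '[' inside values are kept."""
    return {m["key"]: re.sub(r"\\(.)", r"\1", m["val"]) for m in FIELD_RE.finditer(body)}


def parse_checkpoint(line: str) -> Tuple[Dict[str, object], Dict[str, str]]:
    header = parse_header(line)
    fields = parse_fields(str(header.pop("body")))
    return header, fields


def summarize(fields: Dict[str, str]) -> Dict[str, object]:
    """The handful of fields a detection rule normally keys on (service is the destination port)."""
    return {
        "action": fields.get("action"),
        "src": fields.get("src"), "sport": int(fields.get("s_port", 0)),
        "dst": fields.get("dst"), "dport": int(fields.get("service", 0)),
        "proto": PROTO_NAMES.get(fields.get("proto", ""), fields.get("proto")),
        "service": fields.get("service_id"),
        "rule": fields.get("rule_name"),
        "ifname": fields.get("ifname"), "direction": fields.get("ifdir"),
    }


if __name__ == "__main__":
    hdr, flds = parse_checkpoint(SAMPLE)
    print(hdr["hostname"], hdr["appname"], f"facility={hdr['facility']} severity={hdr['severity']}")
    print(summarize(flds))
```

The field regex consumes each value whole, so keys that happen to appear inside a value (the "date=" and "mgmt=" in __policy_id_tag, the "&" and "=" in log_link) are never mistaken for new fields; that is the property a Wazuh decoder's regex for this format also needs.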

Mariano Koremblum

Jan 17, 2023, 9:12:45 AM
to Wazuh mailing list
Hi Tekle,

Did you take this log example from the source or from Wazuh's archives file?

I will be waiting for your reply,

Mariano Koremblum

Tekletsadik Tadesse (Tekle's Funny Channel)

Jan 25, 2023, 4:32:59 AM
to Wazuh mailing list
Hello Mariano,
I get the above log when I use the <tshark -i ens1> command to check whether the Checkpoint firewall log is coming or not; here it is coming.
But nothing is there in my log archive and alerts </var/ossec/logs/archives/archives.log>.

Great Respect;

Mariano Koremblum

Jan 30, 2023, 9:21:26 AM
to Wazuh mailing list

Hi Tekle,

So your problem seems to be that you are not receiving the logs from a remote device, right?

Could you please share with us your remote configuration located in the ossec.conf file?

I will be waiting for your reply,

Mariano Koremblum

Tekletsadik Tadesse (Tekle's Funny Channel)

Jan 31, 2023, 1:11:31 AM
to Wazuh mailing list

This is my ossec.conf:

  <remote>
    <connection>syslog</connection>
    <port>514</port>
    <protocol>udp</protocol>
    <allowed-ips>firewall-ip</allowed-ips>
  </remote>

Mariano Koremblum

Jan 31, 2023, 11:52:52 AM
to Wazuh mailing list

Did you restart your manager after applying the configuration?

Do you get to see any error or warning related to the remote port opening on the /var/ossec/logs/ossec.log file?
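
An added example, not from the thread and not Wazuh's own tooling, that turns the two questions above (is the <remote> block usable, and does ossec.log show remoted complaining) into a check. It assumes the posted <remote> block wrapped in an <ossec_config> element with a <global> block, and it constructs its own ossec.log lines in remoted's "date time daemon: LEVEL: message" layout; the message texts are illustrative, not copied from a real manager. Two facts it relies on: remoted does not start a syslog listener without an <allowed-ips> allow list (IP addresses or CIDR ranges), and archives.log only receives events when <global><logall> is "yes", which is one reason an empty archives.log does not by itself mean the packets seen by tshark were never accepted.

```python
"""Check a Wazuh ossec.conf remote syslog listener and scan ossec.log for remoted problems."""
import ipaddress
import re
import xml.etree.ElementTree as ET
from typing import List, Optional

# Constructed: the <remote> block as posted in the thread (the "firewall-ip" placeholder
# kept verbatim), wrapped in <ossec_config> with a <global> block so it parses whole.
SAMPLE_CONF = """<ossec_config>
  <global>
    <logall>no</logall>
  </global>
  <remote>
    <connection>syslog</connection>
    <port>514</port>
    <protocol>udp</protocol>
    <allowed-ips>firewall-ip</allowed-ips>
  </remote>
</ossec_config>
"""

# Constructed ossec.log excerpt in the "date time daemon: LEVEL: message" layout;
# the message texts are illustrative, not copied from a real manager.
SAMPLE_OSSEC_LOG = """2023/01/31 10:15:02 wazuh-remoted: INFO: Started (pid: 1234).
2023/01/31 10:15:02 wazuh-remoted: ERROR: Constructed example: could not open syslog port 514/udp.
2023/01/31 10:15:03 wazuh-analysisd: INFO: Started (pid: 1240).
2023/01/31 10:15:03 wazuh-analysisd: WARNING: Constructed example: unrelated warning from another daemon.
"""

LOG_LINE_RE = re.compile(r"^\S+ \S+ (?P<daemon>[\w-]+): (?P<level>[A-Z]+): (?P<msg>.*)$")


def _text(elem: ET.Element, path: str) -> Optional[str]:
    child = elem.find(path)
    return child.text.strip() if child is not None and child.text else None


def check_remote_syslog(conf_xml: str) -> List[str]:
    """Return findings about the syslog listener and archiving; an empty list means it looks right."""
    # A real ossec.conf may hold several top-level <ossec_config> blocks, so wrap the
    # whole file in one root element before handing it to a strict XML parser.
    root = ET.fromstring("<root>" + conf_xml + "</root>")
    findings: List[str] = []
    syslog_blocks = [r for r in root.iter("remote") if _text(r, "connection") == "syslog"]
    if not syslog_blocks:
        return ["no <remote> block with <connection>syslog</connection>"]
    for block in syslog_blocks:
        port = _text(block, "port") or "514"
        if not port.isdigit() or not 1 <= int(port) <= 65535:
            findings.append(f"port {port!r} is not a valid TCP/UDP port")
        proto = _text(block, "protocol") or "udp"
        if proto not in ("udp", "tcp"):
            findings.append(f"protocol {proto!r} must be udp or tcp")
        allowed = [a.text.strip() for a in block.findall("allowed-ips") if a.text]
        if not allowed:
            findings.append("syslog listener has no <allowed-ips>; remoted does not start it without an allow list")
        for entry in allowed:
            try:
                ipaddress.ip_network(entry, strict=False)
            except ValueError:
                findings.append(f"allowed-ips {entry!r} is not an IP address or CIDR range")
    if _text(root, ".//global/logall") != "yes":
        findings.append("<global><logall> is not 'yes', so archives.log will stay empty even for accepted events")
    return findings


def remoted_problems(ossec_log: str) -> List[str]:
    """Lines logged by *-remoted at WARNING or above: the first place to look when a listener will not open."""
    hits = []
    for line in ossec_log.splitlines():
        m = LOG_LINE_RE.match(line)
        if m and m["daemon"].endswith("remoted") and m["level"] in ("WARNING", "ERROR", "CRITICAL"):
            hits.append(line)
    return hits


if __name__ == "__main__":
    for finding in check_remote_syslog(SAMPLE_CONF):
        print("config:", finding)
    for line in remoted_problems(SAMPLE_OSSEC_LOG):
        print("ossec.log:", line)
```

Against the posted block the checker reports the "firewall-ip" placeholder (which must be the gateway's real address or a CIDR range) and the missing logall; with those two corrected it reports nothing. Whether the manager was restarted after the change is not visible in the file, so the ossec.log scan is the complementary half: a fresh "Started" line from remoted with no ERROR after it is what a successful reload looks like.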
