Doing forensics with old log files in SmartLog

So you have this big outage, and management is banging on your door shouting “ROOT CAUSE”. What is a CP geek to do?

SMARTLOG to the rescue!!!

As we know, the problem with most loggers, SmartTracker included, is that you only get to see the forest through a small straw. SmartLog gives you the helicopter view, and quickly.

SOOOOO.

SMARTLOG – Quick and Easy: how to import and load old log/tracker files into SmartLog. Quick, dirty and easy peasy.

  1. Set up SmartCenter R75.45 (NOTE: I was given several patches on top of that because the counters were off and it was core dumping. You might have to call support). Ohhhh, 4 CPUs, 500 GB of disk and 8 GB of memory should be a start. A VM is OK, but disk will be slow.
  2. Use SmartDashboard to connect to SmartCenter and enable SmartLog.
  3. Then go into the SmartLog conf directory.
  4. smartlogstop
  5. Then edit smartlog_settings.txt (basically sk73360).
  6. SOOOOO. They finally fixed sk73360. Num_days_restriction_for_fetch_all_integrated tells SmartLog how many days to go back and index log files, so 150 says go back 150 days and index those files up to the present day.
  7. Thanks to “Mike” in support, we figured out that “time_restrictions_for_fetch_all” means the date that SmartLog was installed (sk77640). SmartLog will only index files that were created AFTER SmartLog was installed. We set that parameter to an epoch from BEFORE the log files were created and voilà, it started indexing.
  8. cd $SMARTLOGDIR/data
  9. rm -rf *
  10. cd $FWDIR/log
  11. (copy all your fw.log, logptr and loginitial_ptr files and the log switches into this directory)
  12. smartlogstart
  13. You can tell whether the index works by going into $SMARTLOGDIR/log and running “tail -f smartlog_server.log”; you will see the read rate counters indicating the number of records it has read. If you monitor closely it will also show you the files it ignores and why.
  14. (Screenshot: read rate counters in smartlog_server.log.)
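The two settings in steps 6 and 7 and the file copy in step 11 are the places this goes wrong, so here is a small helper script for that part of the procedure. It is an added example written for this post, not Check Point tooling and not from the post's author. It assumes GNU coreutils (stat -c, date -d) as found on Gaia, and that the files copied into $FWDIR/log come as X.log / X.logptr / X.loginitial_ptr triplets, the three file kinds the post names. It does not edit smartlog_settings.txt (its exact syntax is not on the page); it computes an epoch from before the oldest staged log for time_restrictions_for_fetch_all, a matching day count for Num_days_restriction_for_fetch_all_integrated, and checks that no log is missing its pointer files before smartlogstart, on the assumption that such a log is one smartlog_server.log would later report as ignored.

```shell
#!/bin/sh
# Added example for staging old Check Point log files into SmartLog.
# Assumptions: GNU coreutils (stat -c, date -d); log files come in
# X.log / X.logptr / X.loginitial_ptr triplets.  The script only prints
# the values to put into smartlog_settings.txt by hand (sk73360, sk77640).

# Earliest modification time (epoch seconds) among the .log files in $1.
oldest_epoch() {
    local f t oldest=""
    for f in "$1"/*.log; do
        [ -f "$f" ] || continue
        t=$(stat -c %Y "$f")
        if [ -z "$oldest" ] || [ "$t" -lt "$oldest" ]; then
            oldest=$t
        fi
    done
    [ -n "$oldest" ] || return 1
    echo "$oldest"
}

# Epoch for time_restrictions_for_fetch_all: $2 days (default 7) before
# the oldest log, so every staged file counts as created after the
# "install date" SmartLog compares against (sk77640).
fetch_all_epoch() {
    local oldest margin=${2:-7}
    oldest=$(oldest_epoch "$1") || return 1
    echo $(( oldest - margin * 86400 ))
}

# Day count for Num_days_restriction_for_fetch_all_integrated (sk73360):
# days from that epoch up to now, rounded up.
days_back() {
    local start now
    start=$(fetch_all_epoch "$1" "${2:-7}") || return 1
    now=$(date +%s)
    echo $(( (now - start + 86399) / 86400 ))
}

# Every X.log in $1 must have X.logptr and X.loginitial_ptr next to it.
# Assumption: a log without its pointer files is one the indexer will
# skip, so catch it before smartlogstart instead of in the tail output.
check_log_set() {
    local f ext base missing=0
    for f in "$1"/*.log; do
        [ -f "$f" ] || continue
        base=${f%.log}
        for ext in logptr loginitial_ptr; do
            if [ ! -f "$base.$ext" ]; then
                echo "missing companion file: $base.$ext" >&2
                missing=$((missing + 1))
            fi
        done
    done
    [ "$missing" -eq 0 ]
}

# Usage: sh smartlog_stage.sh /path/to/copied/logs [margin_days]
main() {
    local dir=$1 margin=${2:-7} epoch days
    check_log_set "$dir" || { echo "fix the missing files first" >&2; return 1; }
    epoch=$(fetch_all_epoch "$dir" "$margin") || return 1
    days=$(days_back "$dir" "$margin") || return 1
    echo "oldest log written: $(date -d @"$(oldest_epoch "$dir")")"
    echo "set time_restrictions_for_fetch_all to: $epoch ($(date -d @"$epoch"))"
    echo "set Num_days_restriction_for_fetch_all_integrated to: $days"
    echo "then: smartlogstop; edit smartlog_settings.txt in the SmartLog conf directory; smartlogstart"
}

if [ $# -gt 0 ]; then
    main "$@"
fi
```

Run it against the directory you copied the logs into (step 11) before smartlogstop in step 4; the margin only needs to be large enough that the epoch lands before the oldest file was first written, not just last modified, which is why the default is a week rather than a day.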

So I haven’t figured out all the parameters to get this to work and will soon, but for the time being this should give you enough info to do quick and dirty forensics. Check Dr.StrangeLog out for more info, good read.

NOTE: you only get IP addresses, because the names, IPs and rule numbers can’t be correlated with the objects.C database from the server you imported the log files from. You’d have to join this SmartCenter to the domain in order for them to share the objects.C file. But what do you want for 5 hours of work?

SmartLog- awesome. Quick and Dirty.

dreez


blog.lachmann.org

Michael Endrizzi's - St. Paul MN - CheckPoint blog on topics related to Check Point products and security in general.