Update: My guys are telling me that loggrabber is faulting because there are new fields in the log records that loggrabber does not know about. I think it was the ‘user’ field or something to do with application control. They debugged it and recoded it to get it working.
================================
Do you need to grab logs from SmartTracker so you can do analysis? fw1-loggrabber to the rescue! An old-time tool that really works well.
In my career I have set up fw1-loggrabber about 3x, and every time I forget what goes where and what DNs to use. Especially in a P1/MDM environment it gets somewhat confusing because the DMS and the DLS are on two different platforms. Also the documentation is old and confusing because there are SOOOOO many damn versions and SIC protocols. Ugh.
Here is the magic ju-ju so I never forget again! On R75.46 anyways (Oh yeah, don’t forget to never upgrade to R76 or R77, you will die a slow death)
You have to set up SIC with the DMS, and pull logs from the DLS. Seems simple, but the DNs get a little tricky.
First, on your DMS, set up an OPSEC client that is the middle man between the Unix fw1-loggrabber and the DMS/DLS:
It should look something like this (I had to remove proprietary info).
Save the SIC password. Push databases to the DMS and the DLS.
Then go to the DMS and get a list of all the valid SIC certs and write them all down. Specifically the loggrabber, DLS and DMS ones.
- mdsenv DMS1
- cpca_client lscert -kind SIC -stat Valid
Then go to your fw1-loggrabber Unix client, establish SIC, and pull the certificate from the DMS1 IP address 10.2.1.101 using the OPSEC LEA agent name. Both of these queries go to the DMS. Turn on the debug.
- ./opsec_putkey -debug -p vpn123 10.2.1.101
- ./opsec_pull_cert -p vpn123 -h 10.2.1.101 -n LEA-Loggrabber -d
opsec_pull_cert writes this file into your local directory: opsec.p12
From the above diagram, create your LEA config, lea.conf. I showed you what CNs to use there. I also use full path names. I use sslca and it works by default, so you can ignore all those other protocols.
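Here is what a lea.conf for this setup looks like, as an added example (not copied from the original post, whose diagram carries the real DNs). The keys are the standard fw1-loggrabber lea.conf keys; the DLS IP, the "O=" part of each DN and the CN of the DLS are placeholders you fill in from the cpca_client output above:

```conf
# lea.conf for fw1-loggrabber in a P1/MDM setup (added example, placeholders marked)
# Pull from the DLS, not the DMS: the DLS holds the logs.
lea_server ip <DLS-IP-ADDRESS>
# 18184 is the authenticated LEA port used with sslca
lea_server auth_port 18184
lea_server auth_type sslca
# The OPSEC client object you created on the DMS; the CN matches the
# -n name given to opsec_pull_cert, the O= part comes from cpca_client lscert
opsec_sic_name "CN=LEA-Loggrabber,O=<DMS1-ICA-DN>"
# Full path to the opsec.p12 that opsec_pull_cert wrote (full paths avoid surprises)
opsec_sslca_file /usr/local/fw1-loggrabber/opsec.p12
# The SIC name of the DLS itself, copied from cpca_client lscert on the DMS
lea_server opsec_entity_sic_name "CN=<DLS-SIC-CN>,O=<DMS1-ICA-DN>"
```

A quick sanity check: if the "O=" part of opsec_sic_name and opsec_entity_sic_name differ, SIC will fail, because both certificates must be issued by the same DMS ICA (the one you pulled from at 10.2.1.101).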
You should be ready to execute fw1-loggrabber on your Unix machine and pull from the DLS. I use the debug switch to make sure things are working OK.
fw1-loggrabber --debug-level 3
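The other file fw1-loggrabber reads is fw1-loggrabber.conf, which controls what it does with the records once the LEA session is up. This is an added example, not the author's own file; the keys are the standard ones from the fw1-loggrabber distribution and the values are a sensible starting point for a first pull (debug level stays on the command line as above):

```conf
# fw1-loggrabber.conf (added example, not from the original post)
# Only one log file per run; "fw.log" is the live log on the DLS
FW1_LOGFILE="fw.log"
# "ng" for NG/NGX-style (R7x) log records
FW1_TYPE="ng"
# "normal" pulls every record; switch to "audit" for the audit log
FW1_MODE="normal"
# Start with a one-shot pull; set to "yes" to tail the log continuously
ONLINE_MODE="no"
# Leave DNS resolution off: it adds load to an already busy log server
RESOLVE_MODE="no"
# Write to files rather than stdout so the first run is easy to inspect
FW1_OUTPUT="files"
OUTPUT_FILE_PREFIX="/var/log/fw1-loggrabber/fw1"
OUTPUT_FILE_ROTATESIZE="1048576"
RECORD_SEPARATOR="|"
LOGGING_CONFIGURATION="screen"
```

Point fw1-loggrabber at both files explicitly with --configfile and --leaconfigfile if you keep them outside its default directory; with --debug-level 3 you will see the SIC handshake and the first records on screen, which is the fastest way to tell a DN typo from a port problem.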
So be a little careful on an MLM. If you have your logs going there and you have Tufin extracting logs and you have a SIEM like (god help you) RSA enVision sucking logs and you decide to put this on your MLM, then your log servers are going to be REALLY BUSY!!! LEA sucks a lot of disk and CPU. So make sure your log server has lots of CPU.
And Dreez Says to His People: Go Forth and Grab Logs!
over and out,
dreez