A lot of multi-layer firewall environments use a diversity of firewall types. This usually means that you have separate reporting systems for each firewall product.
Firewall-1 has been around for quite a while now and has a large customer base. The original fwlogsum script was developed at the beginning of 1996 when Firewall-1 had a huge slice of the commercial firewall market. Over time, some of the other firewall products have gained a slice of the market that Firewall-1 used to enjoy.
While all firewalls have some form of reporting, obviously some are better than others. Commercial products like WebTrends have filled some of the gaps for reporting needs (although you still have to pay for it of course).
It must be said that Firewall-1 logging mechanisms/formats leave a lot to be desired, but at least the log export format is reasonably consistent.
I decided to write some converters to enable people to get a common report of their firewall activity. A word of caution though. Not all firewall logs are directly translatable to FW1 logexport format. There is a certain amount of information that doesn't fit the standard allow/deny category, however they tend to be the exception rather than the rule. Most people just want to know what is being allowed through the firewall and what is being denied.
Once you have unpacked the files, you need to copy the converters in the C2FW1 directory to an appropriate location. This could be a common place like /usr/local/lib, or you could just create a specific directory for the c2fw1.pl script and the converters, like /usr/local/c2fw1. Once you have decided on the location, edit the c2fw1.pl script and set the values in the configuration section.
To convert a log file, you use the c2fw1.pl script with the appropriate arguments. The c2fw1.pl script provides a consistent interface and uses one of the available conversion modules.
You must specify an input log file, an output file and a converter. You can use - to specify STDIN for the input log file and STDOUT for the output file. If you have defined the $gzip variable in the script, it will automatically detect compressed log files.
Some examples:
    c2fw1.pl --input /tmp/asa.log --output /tmp/asa.fwlogexport --converter asa
    sed 's/some pattern//g' /tmp/asa.log | c2fw1.pl --input - --output /tmp/asa.fwlogexport --converter asa
    c2fw1.pl --verbose --input /tmp/asa.log.gz --converter asa --output - | gzip -c > /tmp/asa.fwlogexport.gz
The full usage is:
    Usage: ./c2fw1.pl [-v] [-c <converter>] [-i <input>] [-l <lines>] [-o <output>]
      -c --converter   Name of converter
      -i --input       Input logfile
      -l --lines       Report progress every specified no of lines (Default: 100)
      -o --output      Converted output file
      -v --verbose     Verbose output
The current list of converters (specified with the -c or --converter flag) is:
Each module can be individually downloaded, or you can download the complete collection:
This converter is now at a stage where a reasonable level of confidence in the results can be given. However, as it is very difficult to test all the various combinations of the inconsistent ASA log format, it is impossible to say it is 100% accurate.
Version 2.0.0 - (Updated: 22 April 2013)
This converter is for Checkpoint VPN-1 UTM Edge logs. It's still new, so there may be some minor issues with it.
Version 1.0.0 - (Updated: 15 January 2007)
The Fortigate converter was kindly provided by Shinichi Motomura. It was tested against Fortigate version 2.8.
Version 1.0.0 - (Updated: 21 December 2006)
Netscreen (and other firewall products) can output to WELF log format, but WELF is not very well suited to firewall logs. This converter is for Netscreen native log format. It should work with Netscreen 3.x, 4.x and 5.x logs
Version 1.0.0 - (Updated: 15 July 2004)
Netfilter/iptables output doesn't have defined log fields for accept/deny entries, as it uses a user-defined log prefix. For this reason, these prefixes must be defined in the netfilter.pm file.
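The following is an added illustration, not code from the c2fw1 distribution, of the two points made above: a converter has to map a firewall's own log lines onto the allow/deny model of the FW1 logexport format, and for netfilter the only thing that says whether a line was an accept or a deny is the prefix the administrator gave the LOG rule. The prefix table, the log lines and the output column set are all constructed here (the columns are an assumed subset of logexport fields, not the exact set c2fw1 or netfilter.pm emit); lines with no configured prefix, or without the source/destination fields, are skipped rather than guessed at, which is what "doesn't fit the allow/deny category" means in practice.

```python
import re
from typing import List, Optional, Tuple

# Constructed prefix table standing in for what the real netfilter.pm would be
# configured with: the LOG prefix used by an iptables rule -> FW1-style action.
LOG_PREFIXES = {
    "IPT-ACCEPT:": "accept",
    "IPT-DROP:": "drop",
    "IPT-REJECT:": "reject",
}

# Assumed subset of logexport columns, written semicolon-separated.
FIELDS = ["date", "time", "orig", "action", "i/f_name",
          "proto", "src", "dst", "service", "s_port"]

# Traditional syslog line from the kernel, with an optional "[ 1234.567]"
# printk timestamp after "kernel:".
SYSLOG_RE = re.compile(
    r"^(?P<mon>\w{3})\s+(?P<day>\d{1,2})\s+(?P<time>\d\d:\d\d:\d\d)\s+"
    r"(?P<host>\S+)\s+kernel:\s*(?:\[\s*\d+\.\d+\]\s*)?(?P<rest>.*)$"
)

# Constructed sample input: one drop, one accept, one unrelated kernel message.
SAMPLE_LINES = [
    "Mar 17 10:22:01 gw kernel: IPT-DROP: IN=eth0 OUT= "
    "MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.7 "
    "DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=12345 DF "
    "PROTO=TCP SPT=44321 DPT=22 WINDOW=65535 RES=0x00 SYN URGP=0",
    "Mar 17 10:22:05 gw kernel: IPT-ACCEPT: IN=eth1 OUT=eth0 SRC=192.0.2.25 "
    "DST=198.51.100.4 LEN=76 TOS=0x00 PREC=0x00 TTL=63 ID=0 DF "
    "PROTO=UDP SPT=51000 DPT=53 LEN=56",
    "Mar 17 10:22:09 gw kernel: martian source 192.0.2.1 from 10.0.0.9, on dev eth0",
]


def parse_kv(rest: str) -> dict:
    """Turn the KEY=value tokens of an iptables LOG entry into a dict.
    Bare flags such as DF or SYN carry no '=' and are ignored."""
    return {k: v for k, v in re.findall(r"(\w+)=(\S*)", rest)}


def convert_line(line: str, year: int) -> Optional[List[str]]:
    """Return the logexport-style fields for one line, or None if the line is
    not an allow/deny record. Syslog carries no year, so the caller supplies it."""
    m = SYSLOG_RE.match(line.rstrip("\n"))
    if not m:
        return None
    rest = m.group("rest")
    action = None
    for prefix, act in LOG_PREFIXES.items():
        if rest.startswith(prefix):
            action, rest = act, rest[len(prefix):]
            break
    if action is None:
        return None  # no configured prefix: not one of our LOG rules
    kv = parse_kv(rest)
    if "SRC" not in kv or "DST" not in kv:
        return None  # malformed or truncated entry, do not guess
    iface = kv.get("IN") or kv.get("OUT") or ""
    return [
        f"{m.group('day')}{m.group('mon')}{year}",  # e.g. 17Mar2003
        m.group("time"),
        m.group("host"),
        action,
        iface,
        kv.get("PROTO", "").lower(),
        kv["SRC"],
        kv["DST"],
        kv.get("DPT", ""),  # service = destination port
        kv.get("SPT", ""),
    ]


def convert_lines(lines: List[str], year: int) -> Tuple[List[str], int]:
    """Convert a whole log; returns the output records (header first) and the
    number of lines that were skipped because they were not allow/deny entries."""
    records = [";".join(FIELDS)]
    skipped = 0
    for line in lines:
        fields = convert_line(line, year)
        if fields is None:
            skipped += 1
        else:
            records.append(";".join(fields))
    return records, skipped


if __name__ == "__main__":
    out, dropped = convert_lines(SAMPLE_LINES, 2003)
    print("\n".join(out))
    print(f"# skipped {dropped} non allow/deny line(s)")
```

Counting the skipped lines, as convert_lines does, is worth keeping in a real converter: a sudden jump in the skip count is the quickest way to notice that a firewall upgrade or a new LOG rule has changed the format or introduced a prefix the table does not know about.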
Version 1.0.0 - (Updated: 11 April 2003)
Version 1.0.0 - (Updated: 7 Jan 2002)
NOTES: The ICF format does not have a concept of firewall host, interface or rule number. It does provide a byte count, so the converted log is in FW1 account log format.
This converter is for Stonegate CSV logs.
Version 1.0.0 - (Updated: 22 September 2003)
The WELF format shows the WebTrends origins of creating reporting software for web servers. There is certain information like: protocol type, action, source port and xlated addresses/ports that are not logged. However, it should provide enough information to be useful.
The WELF specs are available at www.webtrends.com/library/prtnr_welf.doc
Version 1.0.2 - (Updated: 10 Jan 2002)
22 April 2013
Version 2.0.0 of asa.pm released now that PIX hardware is end of life.
5 October 2007
Version 1.5.2 of pix.pm released to fix the regex that wasn't correctly recognising PIX entries (ASA was OK).
15 January 2007
Version 1.0.0 of cpedge.pm released.
12 December 2006
Version 1.5.1 of pix.pm released to fix bugs in accounting logs and parsing source/dest IP addresses.
7 December 2006
Version 1.5.0 of pix.pm released to handle ASA logs.
15 July 2004
Version 1.0.0 of netscreen.pm released to handle Netscreen version 5.x logs.
18 February 2004
Version 1.3.0 of pix2fw1 released. This version recognises PIX-5-106100: access-list
22 September 2003
Version 1.2.0 of c2fw1.pl released. This was to add Stonegate support. Also notice the name change. This was required because on Windows (or any case-insensitive system), the modules directory had the same name as the script.
17 June 2003
Version 1.1.1 of c2fw1 released. This is a minor bug fix (along with common.pm) to allow it to work with the Netscreen module.
1 June 2003
Version 1.3.0 of pix.pm module released. This update contains a large range of new matches for PIX6.2 logs. A big thanks to Peter van Oosterom for his contribution.
15 April 2003
Version 1.2.0 of pix2fw1 released. This version recognises PIX name field available in PIX6.3 onwards.
Also, thanks to Gilbert Vaissiere for his improvements which include the following:
11 April 2003
Version 1.1.0 of c2fw1 and version 1.0.0 of netfilter.pm is released. The netfilter module is new and the c2fw1 has had minor updates for this module.
27 March 2003
Version 1.1.1 of pix.pm module released. More tweaks to match various syslog formats.
17 March 2003
Version 1.1.0 of pix.pm module released. Recognises yet another syslog format variation.
13 March 2003
Version 1.0.2 of c2fw1 released. Fixed a bug from version 1.0.1 that caused the message about the missing modules to always appear.
8 March 2003
Version 1.0.1 of c2fw1 released. Only change is to output a nicer message if the modules can not be found.
12 February 2003
Modularised all the conversion scripts and created c2fw1
11 February 2003
Version 1.0.0 of pix2fw1 released. Huge thanks to Gilbert Vaissiere for his improvements which include the following:
10 January 2003
Version 0.9.0 of netscreen2fw1 is released.
18 October 2002
Version 0.9.0 of pix2fw1 released. This version is much more complete and should give reasonable results.
10 January 2002
Version 1.0.2 of welf2fw1 to fix a bug where received packets weren't included in the byte count.
7 January 2002
Version 1.0.0 of cf2fw1 released.
20 December 2001
Bugfix to welf2fw1 to cater for syslog entries and ensure the correct number of fields exist for fwlogsum.
18 October 2001
Version 1.0.0 of welf2fw1 released.
4 October 2001
Pre-alpha version of pix2fw1 publicly released.