Information Technology Grimoire

Version .0.0.1

IT Notes from various projects because I forget, and hopefully they help you too.

log export

Web /smartview/

Access https://mgmtip/smartview

API (newest/best)

https://sc1.checkpoint.com/documents/R81/WebAdminGuides/EN/CP_R81_LoggingAndMonitoring_AdminGuide/Topics-LMG/API-for-Logs.htm

mgmt_cli show-logs new-query.filter product:<product name> new-query.time-frame <time-frame> new-query.max-logs-per-request <limit>

https://sc1.checkpoint.com/documents/latest/APIs/index.html#cli/show-logs~v1.8

mgmt_cli show logs
mgmt_cli show logs new-query.time-frame "today" new-query.max-logs-per-request "2" new-query.filter "blade:\"Threat Emulation\"" --format json
mgmt_cli show logs query-id "aa_be383957-9167-4ca3-b101-a25bc0fbec1c" --format json
mgmt_cli show logs new-query.top.field "blades" new-query.top.count "10" --format json
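The query-id continuation shown above is how you page through a large result set: open the query once with new-query.* and then keep re-issuing show logs with the returned query-id until a page comes back empty. This is an added example, not code from these notes or from Check Point; it wraps mgmt_cli via subprocess, and the response keys "logs" and "query-id", the fake pages and the made-up query-id are assumptions/constructed.

```python
import json
import subprocess

def show_logs_argv(filt, time_frame="today", per_request=100, query_id=None):
    """argv for the first page (new-query.*) or a continuation page (query-id)."""
    argv = ["mgmt_cli", "show", "logs"]
    if query_id is None:
        argv += ["new-query.filter", filt, "new-query.time-frame", time_frame,
                 "new-query.max-logs-per-request", str(per_request)]
    else:
        argv += ["query-id", query_id]
    return argv + ["--format", "json"]

def run_mgmt_cli(argv):
    """Real runner: execute mgmt_cli from expert mode on the management server
    (add -r true or -s <session file> to argv if your setup needs it) and parse the JSON."""
    out = subprocess.run(argv, check=True, capture_output=True, text=True).stdout
    return json.loads(out)

def fetch_all_logs(filt, runner=run_mgmt_cli, per_request=100, max_pages=1000):
    """Open the query once, then keep calling with the returned query-id until a page
    is empty. Assumes the JSON response carries 'logs' (list) and 'query-id' (string)."""
    logs, query_id = [], None
    for _ in range(max_pages):              # hard stop so a misbehaving query cannot spin forever
        page = runner(show_logs_argv(filt, per_request=per_request, query_id=query_id))
        batch = page.get("logs", [])
        if not batch:
            break
        logs.extend(batch)
        query_id = page.get("query-id")
        if not query_id:                    # nothing to continue with
            break
    return logs

# Constructed stand-in for the management server: two pages of results, then an
# empty page that ends the loop. Records and the query-id are made up.
FAKE_PAGES = [
    {"query-id": "aa_constructed", "logs": [{"id": 1, "blade": "Threat Emulation"},
                                            {"id": 2, "blade": "Threat Emulation"}]},
    {"query-id": "aa_constructed", "logs": [{"id": 3, "blade": "Threat Emulation"}]},
    {"query-id": "aa_constructed", "logs": []},
]

def fake_runner(pages):
    """Return a runner that serves `pages` in order and records every argv it saw."""
    calls = []
    def runner(argv):
        calls.append(argv)
        return pages[min(len(calls) - 1, len(pages) - 1)]
    runner.calls = calls
    return runner
```

Swap `fake_runner(FAKE_PAGES)` for the default `run_mgmt_cli` to run it against a real management server.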

OLDER

https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk153972

CPLogFilePrint $FWDIR/log/fw.log

OLDEST

https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk118521

On R8X Security Management Server / Multi-Domain Security Management Server:

[Expert@HostName:0]# fw log -V
[Expert@HostName:0]# fw [-d] log [-f | -t] [-x start_pos] [-y end_pos] [-z] [-n] [-p] [-l] [-o] [-g] [-v] [-w] [-H] [-S] [-q] [-i] [-c action] [-#] [-h host] [-s start_time] [-e end_time] [-b start_time end_time] [-k alert_type | all] [-a] [-u unification_scheme_file] [-m initial | semi | raw] [log_file]

On R7X Security Management Server / Multi-Domain Security Management Server:

[Expert@HostName:0]# fw log -V
[Expert@HostName:0]# fw [-d] log [-f | -t] [-x start_pos] [-y end_pos] [-z] [-n] [-p] [-l] [-o] [-g] [-v] [-w] [-c action] [-#] [-h host] [-s starttime] [-e endtime] [-b starttime endtime] [-k alert_type | all] [-a] [-u unification_scheme_file] [-m initial | semi | raw] [log_file]

Where:

Parameter                     Description
-d                            Debug mode.
-V                            Prints the version.
-f                            Only in case of active log file: upon reaching the end of the file, waits for new records and exports them as well.
-t                            Same as “-f”, but starts at the end of the log file.
-x <start_pos>                Specifies the start position in the log file, from which to start the display.
-y <end_pos>                  Specifies the end position in the log file, at which to end the display.
-z                            Specifies to continue displaying the next records if there is an error (e.g., wrong field expected value). Default is to stop exporting.
-n                            Specifies not to resolve IP addresses in the log entries. Default is to resolve all IP addresses.
-p                            Specifies not to resolve ports in the log entries. Default is to resolve all ports.
-l                            Specifies to show full date and time per log record. Default is to show the date above the relevant records, and then the time per log record. Date format is: “MMM DD, YYYY HH:MM:SS” (e.g., “May 26, 1999 14:20:00”).
-o                            Specifies to show detailed log chains.
-g                            Specifies to display the log entries in a non-delimited style. Default delimiter after a field name is colon “:”. Default delimiter after a field value is semi-colon “;”.
-v                            Specifies to print the UUID of each log entry.
-w                            Specifies to print the flags of each log entry (different bits used to specify the “nature” of the log, e.g., audit, accounting, complementary, etc.).
-H                            On R8X: Specifies to print the High Level Log key.
-S                            On R8X: Specifies to print the Sequence Number.
-q                            On R8X: Specifies to show the names of log header fields.
-i                            On R8X: Specifies to show the log UID.
-c <action>                   Selection by action: accept, drop, reject, encrypt, decrypt, vpnroute, keyinst, authorize, deauthorize, authcrypt.
                              Notes: Control actions are always displayed for ‘ctl’ (Control) logs; select by ‘ ’ (=NULL_ACTION) for the ‘login’ action; select by ‘authcrypt’
-#                            Specifies to print confidential logs in clear text.
-h <host>                     Selection of logs from the specified Security Gateway / Cluster Member (as IP address or object name).
-s <start_time>               Selection of logs by start time. All records after the given time will be selected. Date format is: “MMM DD, YYYY HH:MM:SS” (e.g., “May 26, 1999 14:20:00”). Note: This flag cannot be used together with the “-b” flag.
-e <end_time>                 Selection of logs by end time. All records before the given time will be selected. Date format is: “MMM DD, YYYY HH:MM:SS” (e.g., “May 26, 1999 14:20:00”). Note: This flag cannot be used together with the “-b” flag.
-b <start_time> <end_time>    Selection of logs by time range. Start time and end time are expected after the flag. Date format is: “MMM DD, YYYY HH:MM:SS” (e.g., “May 26, 1999 14:20:00”). Note: This flag cannot be used together with the “-s” flag and/or the “-e” flag.
-k alert_type | all           Selection of logs by specific alert type: alert, user_alert, user_auth, mail, snmp_trap, spoof. Default is “all” for any alert type.
-a                            Selection of account records only. Default is to print all records.
-u <unification_scheme_file>  Specifies the unification scheme file name. Default is $FWDIR/conf/log_unification_scheme.C.
-m initial | semi | raw       Specifies the unification mode: initial-order, semi-unified, or raw. Default is “initial”.
                              Notes: “initial” - Specifies complete unification of log records. That is, outputs one unified record for each ID. When used together with “-f”, no updates will be displayed, only entries relating to the start of new connections. To display updates, use the “semi” parameter.
                              “semi” - Specifies step-by-step unification. That is, for each log record, outputs a record that unifies this record with all previously-encountered records with the same ID.
                              “raw” - Specifies to show all records, without any unification.
log_file                      Specifies the log file. Default is the active log file $FWDIR/log/fw.log.

Notes:

It is possible to specify a date only, in the format MMM DD, YYYY:

[Expert@HostName:0]# fw log -s "May 26, 1999"

It is possible to specify a time only, in the format HH:MM:SS (if only the time is specified, the current date is assumed):

[Expert@HostName:0]# fw log -f -s 16:00:00
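The table above fixes the shape of `fw log` output: a “MMM DD, YYYY” date line above the records of a day, the time per record (or the full timestamp with -l), and fields written as “name: value;”. Feeding that into a SIEM or a quick triage script needs a parser that handles both layouts; this added Python example (not from these notes or from Check Point) does that, and the sample records are constructed, not real gateway output.

```python
import re
from datetime import datetime

# Default `fw log` layout per the table above: a "MMM DD, YYYY" date line precedes the
# records of that day, each record starts with its time, and fields are written as
# "name: value;". With -l every record instead starts with "MMM DD, YYYY HH:MM:SS".
DATE_FMT = "%b %d, %Y"
DATE_RE = re.compile(r"^[A-Z][a-z]{2} \d{1,2}, \d{4}$")
FULL_RE = re.compile(r"^([A-Z][a-z]{2} \d{1,2}, \d{4} \d{2}:\d{2}:\d{2})\s+(.*)$")
TIME_RE = re.compile(r"^(\d{2}:\d{2}:\d{2})\s+(.*)$")

def parse_fields(rest):
    """Split 'name: value; name: value;' into a dict (first colon ends the name)."""
    fields = {}
    for part in rest.split(";"):
        name, sep, value = part.strip().partition(":")
        if sep:
            fields[name.strip()] = value.strip()
    return fields

def parse_fw_log(text):
    """One dict per record, with a 'time' datetime plus the record's fields."""
    records, current_date = [], None
    for line in (l.strip() for l in text.splitlines()):
        if not line:
            continue
        if DATE_RE.match(line):              # date header for the records below
            current_date = datetime.strptime(line, DATE_FMT).date()
            continue
        m = FULL_RE.match(line)              # -l style: full timestamp on the record
        if m:
            ts = datetime.strptime(m.group(1), DATE_FMT + " %H:%M:%S")
        else:                                # default style: time only, date from header
            m = TIME_RE.match(line)
            if not m or current_date is None:
                continue                     # like -z: skip what we cannot place in time
            ts = datetime.combine(current_date, datetime.strptime(m.group(1), "%H:%M:%S").time())
        records.append({"time": ts, **parse_fields(m.group(2))})
    return records

# Constructed sample, not real gateway output: two records under a date header,
# then one record in the -l layout.
SAMPLE = """\
May 26, 1999
14:20:00 action: accept; src: 10.0.0.5; dst: 10.0.0.9; service: 80; proto: tcp; rule: 3;
14:20:07 action: drop; src: 10.0.0.7; dst: 10.0.0.9; service: 23; proto: tcp; rule: 99;
May 27, 1999 09:00:01 action: drop; src: 10.0.0.7; dst: 10.0.0.9; service: 22; proto: tcp; rule: 99;
"""
```

Pipe real output in with `parse_fw_log(open("fw.log.txt").read())` after `fw log -n -p > fw.log.txt`; -n and -p keep addresses and ports unresolved so the values stay machine-friendly.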