Difference between revisions of "Check Point man pages (R75): fw log"
(Created page with "'''fw log''' '''Description''' fw log displays the content of Log files. '''Usage''' fw log [-f [-t]] [-n] [-l] [-o] [-c action] [-h host] [-s starttime] [-e endtime] [-b st...") |
Revision as of 16:13, 9 May 2013
fw log
Description fw log displays the content of Log files.
Usage fw log [-f [-t]] [-n] [-l] [-o] [-c action] [-h host] [-s starttime] [-e endtime] [-b starttime endtime] [-u unification_scheme_file] [-m unification_mode(initial|semi|raw)] [-a] [-k (alert_name|all)] [-g] [logfile]
Syntax
Argument | Description |
---|---|
-f [-t] | After reaching the end of the currently displayed file, do
not exit (the default behavior), but continue to monitor the Log file indefinitely and display it while it is being written. The -t parameter indicates that the display is to begin at the end of the file, in other words, the display will initially be empty and only new records added later will be displayed. -t must come with a -f flag. These flags are relevant only for active files. |
-n | Do not perform DNS resolution of the IP addresses in the
Log file (the default behavior). This option significantly speeds up the processing. |
-l | Display both the date and the time for each log record (the
default is to show the date only once above the relevant records, and then specify the time per log record). |
-o | Show detailed log chains (all the log segments a log
record consists of). |
-c action | Display only events whose action is action, that is, accept,
drop, reject, authorize, deauthorize, encrypt and decrypt. Control actions are always displayed. |
-h host | Display only log whose origin is the specified IP address
or name. |
-s starttime | Display only events that were logged after the specified
time (see format below). starttime may be a date, a time, or both. If date is omitted, then today's date is assumed. |
-e endtime | Display only events that were logged before the specified
time (see format below). endtime may be a date, a time, or both. |
-b starttime endtime | Display only events that were logged between the
specified start and end times (see format below), each of which may be a date, a time, or both. If date is omitted, then today's date is assumed. The start and end times are expected after the flag. |
-u Unification scheme file name. | unification_scheme_file |
-m unification_mode | This flag specifies the unification mode.
initial - the default mode, specifying complete unification of log records; that is, output one unified record for each id. This is the default. When used together with -f, no updates will be displayed, but only entries relating to the start of new connections. To display updates, use the semi parameter. semi - step-by-step unification, that is, for each log record, output a record that unifies this record with all previously-encountered records with the same id. raw - output all records, with no unification. |
-a | Output account log records only. |
-k alert_name | Display only events that match a specific alert type. The
default is all, for any alert type. |
-g | Do not use a delimited style. The default is:
: after field name ; after field value |
logfile | se logfile instead of the default Log file. The default
Log File is $FWDIR/log/fw.log. |
Where the full date and time format is: MMM DD, YYYY HH:MM:SS. For example: May 26, 1999 14:20:00
It is possible to specify date only in the format MMM DD, YYYY, or time only, in the format: HH:MM:SS, where time only is specified, the current date is assumed.
Example
fw log fw log | more fw log -c reject fw log -s "May 26, 1999" fw log -f -s 16:00:00
Output [<date>]
Each output line consists of a single log record, whose fields appear in the format shown above.
Example
14:56:39 reject jam.checkpoint.com >daemon alert src: veredr.checkpoint.com; dst: jam.checkpoint.com; user: a; rule: 0; reason: Client Encryption: Access denied - wrong user name or password ; scheme: IKE; reject_category: Authentication error; product: Security Gateway 14:57:49 authcrypt jam.checkpoint.com >daemon src: veredr.checkpoint.com; user: a; rule: 0; reason: Client Encryption: Authenticated by Internal Password; scheme: IKE; methods: AES- 256,IKE,SHA1; product: Security Gateway; 14:57:49 keyinst jam.checkpoint.com >daemon src: veredr.checkpoint.com; peer gateway: veredr.checkpoint.com; scheme: IKE; IKE: Main Mode completion.; CookieI: 32f09ca38aeaf4a3; CookieR: 73b91d59b378958c; msgid: 47ad4a8d; methods: AES-256 + SHA1, Internal Password; user: a; product: Security Gateway;