fw audit log parsing via CLI
From cpwiki.net
Log entries and field changes are separated by semicolons in the fw.adtlog file, which makes the raw output very hard to read, even in SmartView Tracker. The command line below, run on the SmartCenter or from a CMA environment, prints the log file to the terminal in an easy-to-read format, one field per line.
parse
fw log -ln -s "Aug 19,2013 21:45:00" -e "Aug 20,2013 23:59:00" fw.adtlog | awk -F ";" '{for (i=1; i<=NF; i++) print $i}'
19Aug2013 21:53:01 accept 192.168.1.1 < ObjectName: test_group_object
 ObjectType: network_object_group
 ObjectTable: network_objects
 Operation: Modify Object
 Uid: {F7F0772C-0917-11E3-8A4F-ABB20701CFCF}
 Administrator: jsmith
 Machine: lab-mds
 FieldsChanges: test_group_object: added 'test_client'
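Added example (not from the cpwiki page): the same split done in Python, turning each fw.adtlog entry into a record of header and Key: value fields and summarising object operations per administrator. The header layout (date time action origin <) is assumed from the sample output above; the second log entry and its values are constructed.

```python
import re

# Constructed sample in the layout of the page's output line; the second
# entry is invented to show a second administrator and operation.
SAMPLE_LOG = (
    "19Aug2013 21:53:01 accept 192.168.1.1 < ObjectName: test_group_object; "
    "ObjectType: network_object_group; ObjectTable: network_objects; "
    "Operation: Modify Object; Uid: {F7F0772C-0917-11E3-8A4F-ABB20701CFCF}; "
    "Administrator: jsmith; Machine: lab-mds; "
    "FieldsChanges: test_group_object: added 'test_client'\n"
    "19Aug2013 22:10:45 accept 192.168.1.1 < ObjectName: old_host; "
    "ObjectType: host; ObjectTable: network_objects; "
    "Operation: Delete Object; Uid: {CONSTRUCTED-UID-0002}; "
    "Administrator: adm_night; Machine: lab-mds; FieldsChanges: \n"
)
# Header layout assumed from the page's sample: date time action origin <|>
HEADER_RE = re.compile(
    r"^(?P<date>\S+) (?P<time>\S+) (?P<action>\S+) (?P<origin>\S+) "
    r"(?P<direction>[<>]) (?P<body>.*)$"
)


def parse_entry(line: str) -> dict[str, str]:
    """Split one audit line into a flat dict; each 'Key: value' field is split
    on its FIRST colon only, so FieldsChanges (which contains a colon) survives."""
    m = HEADER_RE.match(line.rstrip("\n"))
    if not m:
        raise ValueError(f"unrecognised audit line: {line!r}")
    rec = {k: v for k, v in m.groupdict().items() if k != "body"}
    for field in m.group("body").split(";"):
        if field.strip():
            key, _, value = field.partition(":")
            rec[key.strip()] = value.strip()
    return rec


def parse_log(text: str) -> list[dict[str, str]]:
    """Parse every non-empty line of 'fw log ... fw.adtlog' output."""
    return [parse_entry(ln) for ln in text.splitlines() if ln.strip()]


def changes_by_admin(records: list[dict[str, str]]) -> dict[str, list[str]]:
    """Per-administrator list of object operations, the view a reviewer wants
    when checking the audit log for unexpected policy-object changes."""
    summary: dict[str, list[str]] = {}
    for r in records:
        summary.setdefault(r["Administrator"], []).append(
            f"{r['Operation']} {r['ObjectType']} {r['ObjectName']}")
    return summary
```

Run `changes_by_admin(parse_log(SAMPLE_LOG))` to get one list of operations per administrator; feed it real `fw log` output instead of SAMPLE_LOG to review a day's changes.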