CP R80.30 LoggingAndMonitoring AdminGuide

The document provides instructions and parameters for using the cpstat command to monitor Check Point systems and applications. Key steps include running cpstat with appropriate flags to select the application or system counters to monitor, and options to configure polling interval, count of samples, and period over which to calculate rates. Monitoring can be done on local or remote systems.

Uploaded by

Rodolfo Aviles

Event

Administrator

Event Correlation

Audit Log

Event Policy

Cluster

External Network

Cluster Member
Internal Network

Configure

IPS

Cooperative Enforcement

Log
Correlation Unit

Log Server
Custom Report

Management Server

Database

Network

DLP

Policy
Software Blade

Predefined Report

Remote Access VPN


System Counter

Report
Traffic

VPN
Security Cluster

Security Gateway
VPN Tunnel

Security Management Server

Security Policy

SmartConsole

SmartEvent Server


https://<Server IP>/smartview/
<Server IP>

https://

https://

$RTDIR/scripts/SmartEvent_R80_change_dbsync_mode.sh
cpstart

cpconfig
(2) Administrator


 \Global




$RTDIR/scripts/SmartEvent_R80_change_dbsync_mode.sh
cpstart




$INDEXERDIR/log_indexer_custom_settings.conf

:lea_port (< >)

cpstop
$FWDIR/conf/fwopsec.conf

lea_server auth_port < >


lea_server port 0
cpstart

access_list
$RTDIR/smartview/conf





 $RTDIR/scripts/stopSmartView
 $RTDIR/scripts/startSmartView
# evstop
$INDEXERDIR/log_indexer -days_to_index < >

days_to_index
# evstart

<log file name>.log* $FWDIR/log

https:// /smartview/

cover-company-logo.png
$RTDIR/smartview/conf

https:// /smartview/

https:// /smartview/




https:// /SmartView/



type:Session




layer_uuid_rule_uuid:*_<UID>

layer_uuid_rule_uuid:*_46f0ee3b-026d-45b0-b7f0-5d71f6d8eb10


Selecting Query Fields

Selecting Criteria from Grid Columns


Manually Entering Query Criteria

[ :]

[ :] AND|OR|NOT [ :] ...

source:<X> Source:<X>





 "John Doe"
 "Log Out"
 "VPN-1 Embedded Connector"
IP Addresses



NOT Values

NOT <field>:<value>

NOT src:10.0.4.10



Log Queries




severity
app_risk
protection
protection_type
confidence_level
action
blade product
destination dst

origin orig
service
source src

user

<field name>:<values>

rule:7.1

"Block Credit Cards"

 source:192.168.2.1
 action:(Reject OR Block)

 blade:"application control" AND action:block

 192.168.2.133 10.19.136.101

 192.168.2.133 OR 10.19.136.101

 (blade:Firewall OR blade:IPS OR blade:VPN) AND NOT action:drop

AND NOT
 source:(192.168.2.1 OR 192.168.2.2) AND destination:17.168.8.2

17.168.8.2




fwsyslog_enable

# fw ctl set int fwsyslog_enable 1

echo fwsyslog_enable=1 >> $FWDIR/modules/fwkern.conf

# fw ctl set int fwsyslog_enable 0

$FWDIR/modules/fwkern.conf
 fwsyslog_enable=0

 fwsyslog_enable

[Expert@host:0]# fw ctl get int fwsyslog_enable

[Expert@host:0]# fw -i ctl get size


fwsyslog_nlogs_counter

fwsyslog_nlogs_counter = 21

# fw ctl zdebug
# fw ctl set size fwsyslog_print_counter 1

;[cpu_2];[fw4_0];Number of logs sent from instance 0 is 43;


;[cpu_2];[fw4_0];Number of logs sent from instance 1 is 39;
;[cpu_2];[fw4_0];Number of logs sent from instance 2 is 50;
;[cpu_2];[fw4_0];Total fwsyslog_nlogs_counter = 132;






https:// /smartview/

https:// /smartview/

[seam_event_table_field]
send_snmp
$CPDIR/lib/snmp/

DisplayString

(Name: Check Point administrator credential guessing; RuleID: {F182D6BC-A0AA-444a-9F31-C0C22ACA2114}; Uuid: <42135c9c,00000000,2e1510ac,131c07b6>; NumOfUpdates: 0; IsLast: 0;
StartTime: 16Feb2015 16:45:45; EndTime: Not Completed; DetectionTime: 16Feb2015 16:45:48; LastUpdateTime: 0; TimeInterval: 600;
MaxNumOfConnections: 3; TotalNumOfConnections: 3; DetectedBy: 2886735150;
Origin: (IP: 192.0.2.4; repetitions: 3; countryname: United States; hostname: theHost) ; ProductName: SmartDashboard; User: XYZ;
Source: (hostname: theHost; repetitions: 3; IP: 192.0.2.4; countryname: United States) ; Severity: Critical; EventNumber: EN00000184; State: 0;
NumOfRejectedConnections: 0; NumOfAcceptedConnections: 0) ;

 Any

 Any





 fw sam fw sam_policy

[Expert@MGMT:0]# sam_alert [-v] [-o] [-s <SAM Server>] [-t <Time>] [-f <Security Gateway>] [-C] {-n|-i|-I} {-src|-dst|-any|-srv}

-v fw sam

-o

-s < >
-t < >

-f < >

-C
-n

-i
-I

-src
-dst
-any

-srv

[Expert@MGMT:0]# sam_alert -v2 [-v] [-O] [-S <SAM Server>] [-t <Time>] [-f <Security Gateway>] [-n <Name>] [-c "<Comment>"] [-o <Originator>] [-l {r | a}] -a {d | r | n | b | q | i} [-C] {-ip |-eth} {-src|-dst|-any|-srv}

-v2
-v fw sam
-O

-S < >
-t < >

-f < >

-n < >

-c "< >"

-o < >
sam_alert
-l {r | a}

 r
 a
None
-a {d | r | n | b | q | i}

 d
 r
 n
 b
 q
 i
-C

-ip
-eth
-src
-dst
-any

-srv

threshold_config

threshold_config
$FWDIR/conf/thresholds.conf

threshold_config
threshold_config,

threshold_config





Configure Global Alert Settings


Configure Alert Destinations






Configure Thresholds





Completing the Configuration

cpwd_admin
cpwd_admin stop -name CPD -path "$CPDIR/bin/cpd_admin" -command "cpd_admin stop"
cpwd_admin start -name CPD -path "$CPDIR/bin/cpd" -command "cpd"

Creating a Custom Gateway Status View

Creating a Custom Traffic View

Creating a Custom Counters View




Creating a Custom Tunnel View


Creating a Custom Users View

cpstat

cpstat [-d] [-h <Host>] [-p <Port>] [-s <SICname>] [-f <Flavor>] [-o <Polling Interval> [-c <Count>] [-e <Period>]] <Application Flag>

-d

-h < >

< >
localhost
-p < >

-s < >

-f < >

< > cpstat


-o < >




-c < >

cpstat os -f perf -o 2
-c < >

-o < >

 < >

 < >

 < >

 < >

cpstat os -f perf -o 2 -c 2
-e < >

-o < >

-c < >
cpstat os -f perf -o 2 -c 2 -e 60
< >

 os
 persistency
 thresholds
threshold_config
 ci
 https_inspection
 cvpn
 fw
 vsx
 vpn
 blades
 identityServer
 appi
 urlf
 dlp
 ctnt
 antimalware
 threat-emulation
 scrub
 gx
 fg
 ha
 polsrv
 ca
 mg

 cpsemd
 cpsead
 ls
 PA
--------------------------------------------------------------
|Flag |Flavours |
--------------------------------------------------------------
|os |default, ifconfig, routing, routing6, |
| |memory, old_memory, cpu, disk, perf, |
| |multi_cpu, multi_disk, raidInfo, sensors, |
| |power_supply, hw_info, all, average_cpu, |
| |average_memory, statistics, updates, |
| |licensing, connectivity, vsx |
--------------------------------------------------------------
|persistency |product, TableConfig, SourceConfig |
--------------------------------------------------------------
|thresholds |default, active_thresholds, destinations, |
| |error |
--------------------------------------------------------------
|ci |default |
--------------------------------------------------------------
|https_inspection |default, hsm_status, all |
--------------------------------------------------------------
|cvpn |cvpnd, sysinfo, products, overall |
--------------------------------------------------------------
|fw |default, interfaces, policy, perf, hmem, |
| |kmem, inspect, cookies, chains, |
| |fragments, totals, totals64, ufp, http, |
| |ftp, telnet, rlogin, smtp, pop3, sync, |
| |log_connection, all |
--------------------------------------------------------------
|vsx |default, stat, traffic, conns, cpu, all, |
| |memory, cpu_usage_per_core |
--------------------------------------------------------------
|vpn |default, product, IKE, ipsec, traffic, |
| |compression, accelerator, nic, |
| |statistics, watermarks, all |
--------------------------------------------------------------
|blades |fw, ips, av, urlf, vpn, cvpn, aspm, dlp, |
| |appi, anti_bot, default, |
| |content_awareness, threat-emulation, |
| |default |
--------------------------------------------------------------
|identityServer |default, authentication, logins, ldap, |
| |components, adquery |
--------------------------------------------------------------
|appi |default, subscription_status, |
| |update_status, RAD_status, top_last_hour, |
| |top_last_day, top_last_week, |
| |top_last_month |
--------------------------------------------------------------
|urlf |default, subscription_status, |
| |update_status, RAD_status, top_last_hour, |
| |top_last_day, top_last_week, |
| |top_last_month |
--------------------------------------------------------------
|dlp |default, dlp, exchange_agents, fingerprint|
--------------------------------------------------------------
|ctnt |default |
--------------------------------------------------------------
|antimalware |default, scanned_hosts, scanned_mails, |
| |subscription_status, update_status, |
| |ab_prm_contracts, av_prm_contracts, |
| |ab_prm_contracts, av_prm_contracts |
--------------------------------------------------------------
|threat-emulation |default, general_statuses, update_status, |
| |scanned_files, malware_detected, |
| |scanned_on_cloud, malware_on_cloud, |
| |average_process_time, emulated_file_size, |
| |queue_size, peak_size, |
| |file_type_stat_file_scanned, |
| |file_type_stat_malware_detected, |
| |file_type_stat_cloud_scanned, |
| |file_type_stat_cloud_malware_scanned, |
| |file_type_stat_filter_by_analysis, |
| |file_type_stat_cache_hit_rate, |
| |file_type_stat_error_count, |
| |file_type_stat_no_resource_count, |
| |contract, downloads_information_current, |
| |downloading_file_information, |
| |queue_table, history_te_incidents, |
| |history_te_comp_hosts |
--------------------------------------------------------------
|scrub |default, subscription_status, |
| |threat_extraction_statistics |
--------------------------------------------------------------
|gx |default, contxt_create_info, |
| |contxt_delete_info, contxt_update_info, |
| |contxt_path_mng_info, GXSA_GPDU_info, |
| |contxt_initiate_info, gtpv2_create_info, |
| |gtpv2_delete_info, gtpv2_update_info, |
| |gtpv2_path_mng_info, gtpv2_cmd_info, all |
--------------------------------------------------------------
|fg |all |
--------------------------------------------------------------
|ha |default, all |
--------------------------------------------------------------
|polsrv |default, all |
--------------------------------------------------------------
|ca |default, all, cert, crl, user |
--------------------------------------------------------------
|mg |default |
--------------------------------------------------------------
|cpsemd |default |
--------------------------------------------------------------
|cpsead |default |
--------------------------------------------------------------
|ls |default |
--------------------------------------------------------------
|PA |default |
--------------------------------------------------------------

[Expert@MyGW:0]# cpstat -f interfaces fw

Network interfaces
--------------------------------------------------------------------------------------------------------------------
|Name|IP |Netmask |Flags|Peer name|Remote IP|Topology|Proxy name|Slaves|Ports|IPv6 Address|IPv6 Len|
--------------------------------------------------------------------------------------------------------------------
|eth0|192.168.30.40|255.255.255.0| 0| | 0.0.0.0| 4| | | | ::| 0|
|eth1| 172.30.60.80|255.255.255.0| 0| | 0.0.0.0| 4| | | | ::| 0|
|eth2| 0.0.0.0| 0.0.0.0| 0| | 0.0.0.0| 4| | | | ::| 0|
|eth3| 0.0.0.0| 0.0.0.0| 0| | 0.0.0.0| 4| | | | ::| 0|
|eth4| 0.0.0.0| 0.0.0.0| 0| | 0.0.0.0| 4| | | | ::| 0|
|eth5| 0.0.0.0| 0.0.0.0| 0| | 0.0.0.0| 4| | | | ::| 0|
|eth6| 0.0.0.0| 0.0.0.0| 0| | 0.0.0.0| 4| | | | ::| 0|
|eth7| 0.0.0.0| 0.0.0.0| 0| | 0.0.0.0| 4| | | | ::| 0|
--------------------------------------------------------------------------------------------------------------------

[Expert@MyGW:0]#

[Expert@MyGW:0]# cpstat -f default fw

Policy name: MyGW_Policy


Install time: Wed May 23 18:14:32 2018

Interface table
---------------------------------------
|Name|Dir|Total |Accept|Deny |Log|
---------------------------------------
|eth0|in | 2393126| 32589| 2360537| 52|
|eth0|out| 33016| 33016| 0| 0|
|eth1|in | 2360350| 0| 2360350| 0|
|eth1|out| 0| 0| 0| 0|
|eth2|in | 2360350| 0| 2360350| 0|
|eth2|out| 0| 0| 0| 0|
|eth3|in | 2348704| 0| 2348704| 1|
|eth3|out| 0| 0| 0| 0|
|eth4|in | 2360350| 0| 2360350| 0|
|eth4|out| 0| 0| 0| 0|
---------------------------------------
| | |11855896| 65605|11790291| 53|
---------------------------------------

... ... [truncated for brevity] ... ...

[Expert@MyGW:0]#

[Expert@MyGW:0]# cpstat os -f perf -o 2 -c 2 -e 60

Total Virtual Memory (Bytes): 12417720320


Active Virtual Memory (Bytes): 3741331456
Total Real Memory (Bytes): 8231063552
Active Real Memory (Bytes): 3741331456
Free Real Memory (Bytes): 4489732096
Memory Swaps/Sec: -
Memory To Disk Transfers/Sec: -
CPU User Time (%): 0
CPU System Time (%): 0
CPU Idle Time (%): 100
CPU Usage (%): 0
CPU Queue Length: -
CPU Interrupts/Sec: 135
CPUs Number: 8
Disk Servicing Read\Write Requests Time: -
Disk Requests Queue: -
Disk Free Space (%): 61
Disk Total Free Space (Bytes): 12659716096
Disk Available Free Space (Bytes): 11606188032
Disk Total Space (Bytes): 20477751296

Total Virtual Memory (Bytes): 12417720320


Active Virtual Memory (Bytes): 3741556736
Total Real Memory (Bytes): 8231063552
Active Real Memory (Bytes): 3741556736
Free Real Memory (Bytes): 4489506816
Memory Swaps/Sec: -
Memory To Disk Transfers/Sec: -
CPU User Time (%): 3
CPU System Time (%): 0
CPU Idle Time (%): 97
CPU Usage (%): 3
CPU Queue Length: -
CPU Interrupts/Sec: 140
CPUs Number: 8
Disk Servicing Read\Write Requests Time: -
Disk Requests Queue: -
Disk Free Space (%): 61
Disk Total Free Space (Bytes): 12659716096
Disk Available Free Space (Bytes): 11606188032
Disk Total Space (Bytes): 20477751296

[Expert@MyGW:0]#

WinEventToCPLog


WinEventToCPLog

WinEventToCPLog
WinEventToCPLog

WinEventToCPLog -s


WinEventToCPLog
 WinEventToCPLog
C:\Program Files\CheckPoint\WinEventToCPLog\R65\bin
C:\Program files (x86)
windowEventToCPLog -pull_cert
C:\Program Files\CheckPoint\WinEventToCPLog\R65\bin
C:\Program files (x86)
GetRequest
GetNextRequest GetBulkRequest
SetRequest sysContact
sysLocation sysName set

cp_log_export add name [domain-server ] target-server target-port protocol <(udp|tcp)> format <(syslog)|(cef)> [optional arguments]

$EXPORTERDIR/targets/ .



apply-now

cp_log_export [command-arguments]

cp_log_export help

openssl genrsa -out RootCA.key 2048

openssl req -x509 -new -nodes -key RootCA.key -days 2048 -out RootCA.pem

Country Name (2 letter code) [AU]:US


State or Province Name (full name) [Some-State]:New York
Locality Name (eg, city) []:MyCity
Organization Name (eg, company) [Internet Widgits Pty Ltd]:MyCompany
Organizational Unit Name (eg, section) []:MyDepartment
Common Name (e.g. server FQDN or YOUR name) []:www.company.com
Email Address []:

openssl genrsa -out log_exporter.key 2048

openssl req -new -key log_exporter.key -out log_exporter.csr

openssl x509 -req -in log_exporter.csr -CA RootCA.pem -CAkey RootCA.key -CAcreateserial -out log_exporter.crt -days 2048 -sha256

openssl pkcs12 -inkey log_exporter.key -in log_exporter.crt -export -out log_exporter.p12
log_exporter

mdsenv

cd $EXPORTERDIR/targets/

mkdir certs
RootCA.pem log_exporter.p12
RootCA.pem log_exporter.p12
chmod +r RootCA.pem
chmod +r log_exporter.p12
targetConfiguration.xml

openssl genrsa -out syslogServer.key 2048

openssl req -new -key syslogServer.key -out syslogServer.csr

openssl x509 -req -in syslogServer.csr -CA RootCA.pem -CAkey RootCA.key -CAcreateserial -out syslogServer.crt -days 2048 -sha256
$EXPORTERDIR/targets/ .
EXPORTERDIR

mdsenv

$EXPORTERDIR/targets//targetConfiguration.xml
$FWDIR/log/

All [default] / log /


audit

true,

false,

<exported>true</exported>)
true,
orig

escaped

elg

false

true,
syslog-ng

openssl pkcs12 -inkey syslogServer.key -in syslogServer.crt -export -out syslog-ng.p12 -name "syslogng-alias" -password pass:changeit

ARCSIGHT_HOME/current/bin/arcsight agent keytoolgui

$ARCSIGHT_HOME/current/jre/lib/security/cacerts (password "changeit").

Ca.pem

vi $ARCSIGHT_HOME//current/user/agent/agent.properties

syslogng.mutual.auth.enabled=false -> true

syslogng.tls.keystore.file=user/agent/syslog-ng.p12
syslogng.tls.keystore.alias=syslogng-alias
/etc/init.d/arc_connector_name restart

cat syslogServer.crt syslogServer.key RootCA.pem > splunk.pem


inputs.conf
vi /opt/splunk/etc/apps/search/local/inputs.conf
[SSL]
serverCert = /etc/ssl/my-certs/splunk.pem
sslPassword =
requireClientCert = true

[tcp-ssl:// ]
index =
server.conf
vi /opt/splunk/etc/system/local/server.conf

[sslConfig]
sslRootCAPath = /etc/ssl/my-certs/RootCA.pem

/opt/splunk/bin/splunk restart
source s_network { network(transport("tcp") port(514) flags(syslog-protocol) ); };

 TIME_FORMAT = %s
 TIME_PREFIX = time=
 MAX_TIMESTAMP_LOOKAHEAD = 15

: (
:command (
:cmd_name (include)
:file_name ("snortPolicy.C")
)
)

:filename ("snort_dict.ini")

cpstop cpstart fwd -n


 cmd_name
 command arguments
 on_success

 on_fail

:command (
:cmd_name (try)
:try_arguments
.
.
:on_success (
:command()
)
:on_fail (
:command()
)
)
try

parse_from start_position

last_position

regexp
add_field

:command (
:cmd_name (try)
:parse_from (start_position)
:regexp ("([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)")
:add_field (
:type (index)
:field_name (Src)
:field_type (ipaddr)
:field_index (1)
)
)

([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) parse_from (start_position)

group_try
 try_all
 try_all_successively

 try_until_success
 try_until_fail
group_try

%PIX-6-605004: Login denied from 194.29.40.24/4813 to outside:192.168.35.15/ssh for user 'root'
:command (
:cmd_name (group_try)
:mode (try_all_successively)
:(
# A "try" command for the source.
:command ()
)
:(
# A "try" command for the destination.
:command ()
)
:(
# A "try" command for the user.
:command ()
)
.
.
.
)

group_try
try_all
try_all_successively

group_try

:command (
:cmd_name (group_try)
:mode (try_until_success)
:(
:command (
.
.
.
:regexp ("(\(|)(login|su)(\)|).* session (opened|closed) for user ([a-z,A-Z,0-9]*)")
)
)
:(
:command (
.
.
.
:regexp ("(\(|)su(\)|).* authentication failure; logname=([a-zA-Z0-9]*).* user=([a-zA-Z0-9]*)")
)
)
.
.
.
)

try try
until success
:cmd_name (group_try)
:mode (try_until_success)
: (
….
)

field_name

case

default

:command (
:cmd_name (switch)
:field_name (msgID)
:(
:case (302005)
:command ()
)
:(
:case (302001)
:case (302002)
:command ()
)
:default (
:command()
)
)

:command (
:cmd_name (unconditional_try)
:add_field (
:type (const)
:field_name (product)
:field_type (string)
:field_value ("Antivirus")
)
)

unconditional_try
message
:command (
:cmd_name (switch)
:field_name (msgID)
:(
:case (106017)
:command (
:cmd_name (unconditional_try)
:add_field (
:type (const)
:field_name (message)
:field_type (string_id)
:field_value ("LAND Attack")
)
)
)
:(
:case (106020)
:command (
:cmd_name (unconditional_try)
:add_field (
:type (const)
:field_name (message)
:field_type (string_id)
:field_value ("Teardrop Attack")
)
)
)
.
.
.
)

file_name

:command (
:cmd_name (include)
:file_name ("c:\freeTextParser\device\antivirusPolicy.C")
)
add_field
 add_field
 field_index
field_index

field_value
Field_name

Src
Dst
proto
s_port
product
service

Action
ifname
User

Field_type

int
uint
string
ipaddr
pri
timestmp

time
string_id
action

ifdir

ifname
protocol
port

Src
Dst
proto
s_port
service
Action
ifname

 field_index field_value
field_index field_value
field_index

field_index
:command (
:cmd_name (try)
:parse_from (last_position)
:regexp ("Failed password for ([a-zA-Z0-9]+) from ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) port ([0-9]+)")
:add_field (
:type (index)
:field_name (User)
:field_type (string)
:field_index (1)
)
:add_field (
:type (index)
:field_name (Src)
:field_type (ipaddr)
:field_index (2)
)
:add_field (
:type (index)
:field_name (port)
:field_type (port)
:field_index (3)
)
)

[a-zA-Z0-9]+
field_index [0-9]+\.[0-9]+\.[0-9]+\.[0-9]+

on_success
:command (
:cmd_name (try)
:parse_from (start_position)
:regexp ("access-list (.*) (permitted|denied|est-allowed) ([a-zA-Z0-9_\([a-zA-Z0-9_\\.[0-9]+\.[0-9]+\.[0-9]+)\(([0-9]*)\) -> ")
:add_field (
:type (index)
:field_name (listID)
:field_type (string)
:field_index (1)
)
:add_field (
:type (index)
:field_name (action)
:field_type (action)
:field_index (2)
)
:add_field (
:type (index)
:field_name (proto)
:field_type (protocol)
:field_index (3)
)
:add_field (
:type (index)
:field_name (ifname)
:field_type (ifname)
:field_index (4)
)
:add_field (
:type (index)
:field_name (Src)
:field_type (ipaddr)
:field_index (5)
)
:on_success (
:command (
:cmd_name (try)
:parse_from (last_position)
:regexp ("([a-zA-Z0-9_\\.[0-9]+\.[0-9]+\.[0-9]+)\(([0-9]*)\) hit-cnt ([0-9]+) ")
:add_field (
:type (index)
:field_name (destination_interface)
:field_type (string)
:field_index (1)
)
)
)
)

field_value
:command (
:cmd_name (try)
:parse_from (last_position)
:regexp ("%PIX-([0-9])-([0-9]*)")
:add_field (
:type (const)
:field_name (product)
:field_type (string_id)
:field_value ("CISCO PIX")
)
)
Dict_name
.ini ini

[dictionary_name]
Name1 = val1
Name2 = val2
[cisco_action]
permitted = accept
denied = reject

[3com_action]
Permit = accept
Deny = reject

:command (
:cmd_name (try)
:parse_from (start_position)
:regexp ("list (.*) (permitted|denied) (icmp) ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) -> ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+).* packet")
:add_field (
:type (index)
:field_name (action)
:field_type (action)
:field_index (2)
:dict_name (cisco_action)
