LUA Parser to detect and alert if CheckPoint logs are falling behind

Discussion created by David Waugh Employee on May 17, 2016
Latest reply on Apr 19, 2017 by David Waugh

I have written a LUA parser that will detect if you are falling behind with your Check Point log collection.

Prerequisites are:

Change the header number 02 in the Check Point parser. (I have attached the modified checkpoint parser to this case)


<HEADER
                id1="0002"
                id2="0002"
                devts="MDYTS(hmonth,hday,hyear,htime)"
                content="&lt;hmonth&gt; &lt;hday&gt; &lt;hyear&gt; &lt;htime&gt; %CHKPNT-&lt;hlevel&gt;-&lt;messageid&gt;: &lt;!payload&gt;" />


I basically change month, day, year and time in this header to hmonth, hday, hyear and htime.

The reason for this is that I need them in text.

Add the following to your table-map-custom.xml file:


<!-- BEGIN Check Point Date Time Header Fields -->
  <mapping envisionName="hyear" nwName="hyear" flags="None" format="Text"/>
  <mapping envisionName="hmonth" nwName="hmonth" flags="None" format="Text"/>
  <mapping envisionName="hday" nwName="hday" flags="None" format="Text"/>
  <mapping envisionName="htime" nwName="htime" flags="None" format="Text"/>
  <mapping envisionName="fld49" nwName="fld49" flags="None" format="Text" />
<!-- END Check Point Date Time Header Fields -->


Add the following to your index-concentrator-custom.xml files:

<key description="Seconds Delay"  level="IndexValues" name="seconds.delay" format="UInt32" defaultAction="Open" valueMax="10000" />
<key description="Event Time String" level="IndexValues" name="event.time.str" format="Text" valueMax="2500000"/>


Set up your timestamp feed as detailed in the post below.

A typical Check Point message might look something like this:


May 17 2016 08:59:47: %CHKPNT-6-060020: accept,192.168.202.243,inbound,eth1,192.168.200.200,45314,54.152.120.25,443,https,tcp,8,7373,0:00:01, , , , , , , , , , , , , , ,6039,1334, , , , , ,17May2016 8:59:47,1,VPN-1 & FireWall-1, , , , , , , , , , ,17May2016 8:59:26,17May2016 8:59:27,20,9,11,11,9,1334,6039,eth1,eth0,eth0,eth1,0,0,0, , , , , ,060020, , , , , , , , , , , , , , , ,{F73441C3-A91E-4603-914C-890BBBCFB32A}, , , , ,


We compare the difference between the time in the message and the time in the header field. These were highlighted in red in the original post; in this example the header time is the leading "May 17 2016 08:59:47" and the message's own Check Point timestamp is "17May2016 8:59:47".

 

If the difference is greater than 5 seconds we create an alert "WARNING Checkpoint: Processing Delayed"

If the difference is greater than 10 seconds we create an alert "CRITICAL Checkpoint: Processing Delayed"


These thresholds are configurable in the Lua parser and are probably too sensitive for a production environment.

The amount of delay is written into the new meta key "seconds.delay".


The parser should be placed in /etc/netwitness/ng/parsers on your Log Decoder.

Notes:

- I only look at certain Check Point message IDs.
- Comment out the nw.logInfo lines with -- in front of them to disable debugging.
- If your header and log times are in different timezones, you will need to add or subtract a multiple of 3600 seconds to the HeaderEpochTime or EventEpochTime variable so that you are comparing times in the same timezone.
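To make the comparison concrete, here is an added Lua sketch (my example, not the parser attached to this post) of the timestamp-to-epoch conversion, the timezone adjustment and the 5 s / 10 s threshold logic. The function names headerEpochTime, eventEpochTime and classifyDelay and the tzOffset parameter are assumptions, and it uses plain Lua rather than the NetWitness parser API so it runs stand-alone.

```lua
-- Added example, not the attached parser. Function names and tzOffset are assumptions.
local MONTHS = { Jan=1, Feb=2, Mar=3, Apr=4, May=5, Jun=6,
                 Jul=7, Aug=8, Sep=9, Oct=10, Nov=11, Dec=12 }

-- Header fields as the modified HEADER 0002 captures them:
-- hmonth="May", hday="17", hyear="2016", htime="08:59:47"
local function headerEpochTime(hmonth, hday, hyear, htime)
  local hh, mm, ss = htime:match("^(%d+):(%d+):(%d+)$")
  if not (MONTHS[hmonth] and hh) then return nil end
  return os.time({ year = tonumber(hyear), month = MONTHS[hmonth],
                   day = tonumber(hday), hour = tonumber(hh),
                   min = tonumber(mm), sec = tonumber(ss) })
end

-- Check Point's own timestamp inside the payload, e.g. "17May2016 8:59:47"
local function eventEpochTime(str)
  local d, mon, y, hh, mm, ss = str:match("^(%d+)(%a+)(%d+) (%d+):(%d+):(%d+)$")
  if not (d and MONTHS[mon]) then return nil end
  return os.time({ year = tonumber(y), month = MONTHS[mon], day = tonumber(d),
                   hour = tonumber(hh), min = tonumber(mm), sec = tonumber(ss) })
end

-- Thresholds from the post. Both timestamps go through os.time() with the
-- same local-time interpretation, so only a real header/log timezone
-- difference needs tzOffset (seconds, a multiple of 3600, added to the
-- event time as the post's note describes).
local WARN_SECONDS, CRIT_SECONDS = 5, 10

-- Returns the delay in seconds (the value for seconds.delay) and the alert
-- name, or nil when the delay is within tolerance.
local function classifyDelay(headerEpoch, eventEpoch, tzOffset)
  local delay = headerEpoch - (eventEpoch + (tzOffset or 0))
  if delay > CRIT_SECONDS then
    return delay, "CRITICAL Checkpoint: Processing Delayed"
  elseif delay > WARN_SECONDS then
    return delay, "WARNING Checkpoint: Processing Delayed"
  end
  return delay, nil
end

-- Constructed sample values: the header and event time from the example
-- message above (no delay), plus an event timestamp 12 s older than the
-- header to exercise the CRITICAL path.
local h  = headerEpochTime("May", "17", "2016", "08:59:47")
local e1 = eventEpochTime("17May2016 8:59:47")
local e2 = eventEpochTime("17May2016 8:59:35")
print(classifyDelay(h, e1, 0))
print(classifyDelay(h, e2, 0))
```

In the real parser the returned delay would be written to seconds.delay and the alert name registered as meta, with nw.logInfo calls for debugging as the notes above describe.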


[Screenshot attachment: checkpoint-delay.jpg]

NOTE: Updated Version 2 of the parser is attached below.