certego/fw1-loggrabber

loc field missing

Closed this issue · 11 comments

sumanar commented

I miss the previously picked 'loc' field in v2 of fw1-loggrabber.
For e.g.:
This is log grabbed by fw1-loggrabber-v1:
loc=1234567|time=2015-12-07 05:08:08|orig=127.0.0.1|i/f_dir=inbound|has_accounting=0|uuid=<00000000,00000000,00000000,00000000>|product=Syslog

This is log grabbed by fw1-loggrabber-v2:
time=2015-12-07 05:08:08|orig=127.0.0.1|i/f_dir=inbound|has_accounting=0|uuid=<00000000,00000000,00000000,00000000>|product=Syslog

The Number field i.e. 'loc' field is no more grabbed. This is making me difficult to search logs. Can we have a fix for this?

Thank you for your time.

adepasquale commented

@sumanar what is the content of the loc field?

sumanar commented

@adepasquale According to code in fw1-loggrabber-v.1:
the loc header field value = lea_get_record_pos (pSession) - 1
The FIELDS on fw1-loggrabber.conf too understood loc field. Please let me know if fw1-loggrabber team decides to generate this field.
Thank you.

adepasquale commented

Unfortunately I cannot find that field in the most up-to-date documentation. I will need to further investigate the v1 source code.

adepasquale commented

@sumanar is loc simply an incremental counter, i.e. the position of the record in the log file?

sumanar commented

loc field is a return value from lea_get_record_pos method of opsec.
/*Retuns the number of the next log record*/ DLLIMP int lea_get_record_pos(OpsecSession *session);

According to OPSEC SDK 6.0 Documentation for LEA, this is

the ordinal number of the next log record to be read in the current log file.

P.S.:
I hope it is okay if i customize fw1-loggrabber for my purpose and add this field for myself. (If we do not need this field on fw1-loggrabber)

Thank you.

adepasquale commented

I hope it is okay if i customize fw1-loggrabber for my purpose and add this field for myself. (If we do not need this field on fw1-loggrabber)

Sure it is, feel free to make a pull request.

Deleted user commented

is this currently implemented?

adepasquale commented

I don't think so, let's ask @sumanar for any news.

sumanar commented

No. This is not added to new fw1loggraber.

sumanar commented

@adepasquale I have added code to fetch 'loc' field on fw1-loggrabber.c file. Please create a branch for me so that i can commit my changes on that branch (and send you a pull request too).

adepasquale commented

Thanks! Just create your fork with a custom branch and submit a pull request from there 😄