5 Replies Latest reply on Mar 29, 2012 5:15 PM by sliedl

    Report of Source-Geo for Rule

    Arshad

Hi, I want to extract a report of a particular rule from external to internal which can show the source IP location. Kindly help.

        • 1. Re: Report of Source-Geo for Rule
          sliedl

          $>  acat -w1 -e "rule_name 'Your rule' and srcburb external" | egrep "src_geo|srcip" | less


          That will give you all audits from rule_name 'Your rule' originating from the external burb, which then pulls out only the lines with src_geo and srcip in them and displays them to your screen.

          • 2. Re: Report of Source-Geo for Rule
            Arshad

            Dear Sliedl,


Thanks for your answer. I want to ask if this output is of today? How can I confirm what duration this output covers? May I get the same output with date and month?

Because my requirement is that I want to trace the hits on this external-to-internal rule with date and month. Kindly help.

            • 3. Re: Report of Source-Geo for Rule
              sliedl

              The output is from the audit.raw file, which is from the current day.


              Take off the 'egrep "src_geo|srcip"' part of the command and you'll see the whole audit message with date and time.

              • 4. Re: Report of Source-Geo for Rule
                Arshad

Thanks Sliedl for your support. In fact I am trying to use this command, but it gives output of the current day only, while I want the previous months' and years' files. For previous months, I am using the -k operator, but I think I am not using the correct command:


                acat -k -e "rule_name 'Web Proxy Internet Banking-IN' and srcburb external" | egrep file "audit.raw.20120322020000PKT.20120322103000PKT.gz" | less


Kindly guide me so that I may extract the previous months' files.


                Thanks,

                • 5. Re: Report of Source-Geo for Rule
                  sliedl

The firewall keeps 20 revolutions of the audit file. The audit file rolls by default at 250MB or every morning at 2 a.m. Therefore the largest span of time over which you could run this command would be 20 days. If the files grow to 250MB in less than 24 hours you would have even less time to look back on.


                  Run the acat command with this as the filename: /var/log/audit.raw*

                  $> acat -e "rule_name 'Web Proxy Internet Banking-IN' and srcburb external" /var/log/audit.raw* | less


                  The command you are running:

                  $> acat -k -e "rule_name 'Web Proxy Internet Banking-IN' and srcburb external"

                  is only going to do a 'live' audit, because you used -k.  Don't use -k to look through past audit files.


                  This command:

                  $> acat /var/log/audit.raw* | less

                  will show you ALL of the audit events that exist on the firewall in all the audit files.  Use the -e flag with a filter with /var/log/audit.raw* as the filename to use a filter on all the audit events that exist on the firewall.
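The thread ends with the raw acat output, but the original question asked for a per-date (and per-month) report of hits by source location. The script below is an added example, not from the thread or the firewall vendor: it takes acat-style audit lines on stdin and summarises hits and distinct source IPs per date and src_geo. The audit-line layout it parses (ISO date and time, then whitespace-separated key=value pairs) is a constructed stand-in, since the real audit.raw record format is not shown on the page; the field extraction in the awk code is the part to adjust for real output. The function and sample names (geo_report, monthly_report, filter_rule, SAMPLE) are the example's own.

```shell
#!/bin/sh
# Added example (not the firewall's own tooling): summarise acat audit output
# by date and source geo. Intended use on the firewall, using the acat syntax
# from the thread, would be:
#   acat -e "rule_name 'Your rule' and srcburb external" /var/log/audit.raw* | geo_report
# The line layout below is a CONSTRUCTED assumption, not the real audit.raw
# format; change the awk field matching to suit real records.

# Constructed sample audit lines: "YYYY-MM-DD HH:MM:SS key=value ...".
SAMPLE='2012-03-22 02:10:05 rule_name="Web Proxy Internet Banking-IN" srcburb=external srcip=203.0.113.7 src_geo=PK
2012-03-22 02:11:30 rule_name="Web Proxy Internet Banking-IN" srcburb=external srcip=198.51.100.9 src_geo=US
2012-03-23 09:00:00 rule_name="Web Proxy Internet Banking-IN" srcburb=external srcip=203.0.113.7 src_geo=PK
2012-03-23 09:05:10 rule_name="Other rule" srcburb=external srcip=192.0.2.4 src_geo=DE'

# filter_rule RULE: keep only lines for one rule name. Uses a fixed-string
# match on the quoted value, so rule names containing spaces work. Useful when
# the captured output was produced without acat -e.
filter_rule() {
    grep -F "rule_name=\"$1\""
}

# geo_report: read audit lines on stdin and print, sorted, one line per
# (date, geo) pair: "YYYY-MM-DD GEO hits distinct_srcips".
# Lines without a src_geo field are skipped.
geo_report() {
    awk '
    {
        date = $1; geo = ""; src = ""
        for (i = 2; i <= NF; i++) {
            if ($i ~ /^src_geo=/) geo = substr($i, 9)   # strip "src_geo="
            if ($i ~ /^srcip=/)   src = substr($i, 7)   # strip "srcip="
        }
        if (geo == "") next
        hits[date " " geo]++
        key = date " " geo " " src
        if (!(key in seen)) { seen[key] = 1; uniq[date " " geo]++ }
    }
    END { for (k in hits) print k, hits[k], uniq[k] }' | sort
}

# monthly_report: same input, aggregated by YYYY-MM and geo, which is the
# "date and month" view asked for in the thread.
monthly_report() {
    awk '
    {
        month = substr($1, 1, 7); geo = ""; src = ""
        for (i = 2; i <= NF; i++) {
            if ($i ~ /^src_geo=/) geo = substr($i, 9)
            if ($i ~ /^srcip=/)   src = substr($i, 7)
        }
        if (geo == "") next
        hits[month " " geo]++
        key = month " " geo " " src
        if (!(key in seen)) { seen[key] = 1; uniq[month " " geo]++ }
    }
    END { for (k in hits) print k, hits[k], uniq[k] }' | sort
}

# Demonstration on the constructed sample when run directly.
printf '%s\n' "$SAMPLE" | filter_rule 'Web Proxy Internet Banking-IN' | geo_report
printf '%s\n' "$SAMPLE" | filter_rule 'Web Proxy Internet Banking-IN' | monthly_report
```

Because acat itself already filters on rule_name and srcburb with -e, filter_rule is only needed when working from saved output; the awk stage then does the date/geo grouping that the thread's egrep pipeline leaves to the reader. Keep in mind the retention limit stated above: with 20 audit file revolutions, anything older than roughly 20 days has already been rotated away, so a long-term monthly report needs the audit files copied off the firewall before they roll.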