$> acat -w1 -e "rule_name 'Your rule' and srcburb external" | egrep "src_geo|srcip" | less
That will give you all audits from rule_name 'Your rule' originating from the external burb, which then pulls out only the lines with src_geo and srcip in them and displays them to your screen.
Thanks for your answer. I want to ask if this output is of today? How can I confirm how much duration this output covers? May I get the same output with date and month?
Because my requirement is that I want to trace the hits on this external-to-internal rule with date and month. Kindly help.
The output is from the audit.raw file, which is from the current day.
Take off the 'egrep "src_geo|srcip"' part of the command and you'll see the whole audit message with date and time.
Thanks Sliedl for your support. In fact I am trying to use this command, but at the same time it gives output of the current day only, and I want previous months' and years' files. For previous months, I am using the -k operator but I think I am not using the correct command:
acat -k -e "rule_name 'Web Proxy Internet Banking-IN' and srcburb external" | egrep file "audit.raw.20120322020000PKT.20120322103000PKT.gz" | less
Kindly guide me so that I may extract previous months file
The firewall keeps 20 revolutions of the audit file. The audit file rolls by default at 250MB or every morning at 2 a.m. Therefore the largest amount of time on which you would run this command would be 20 days. If the files grow to 250MB in less than 24 hours you would have even less time to look back on.
Run the acat command with this as the filename: /var/log/audit.raw*
$> acat -e "rule_name 'Web Proxy Internet Banking-IN' and srcburb external" /var/log/audit.raw* | less
The command you are running:
$> acat -k -e "rule_name 'Web Proxy Internet Banking-IN' and srcburb external"
is only going to do a 'live' audit, because you used -k. Don't use -k to look through past audit files.
$> acat /var/log/audit.raw* | less
will show you ALL of the audit events that exist on the firewall in all the audit files. Use the -e flag with a filter with /var/log/audit.raw* as the filename to use a filter on all the audit events that exist on the firewall.
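As an added example (not a command from this thread or from the firewall vendor): a small sh/awk helper that takes acat output on stdin and tallies hits per day, source IP and src_geo for one rule from the external burb. The audit line layout in the constructed sample is an assumption (key/value fields with the rule name in double quotes); adjust the two match patterns if your acat output differs.

```shell
#!/bin/sh
# Constructed sample of acat output (not real firewall output; the field
# layout is an assumption based on the field names used in the thread).
SAMPLE='2012-03-22 10:29:55 PKT f_http_proxy a_proxy t_attack p_major rule_name: "Web Proxy Internet Banking-IN" srcburb: external srcip: 203.0.113.10 src_geo: PK
2012-03-22 10:30:01 PKT f_http_proxy a_proxy t_attack p_major rule_name: "Web Proxy Internet Banking-IN" srcburb: external srcip: 198.51.100.7 src_geo: US
2012-03-23 09:12:40 PKT f_http_proxy a_proxy t_attack p_major rule_name: "Other rule" srcburb: external srcip: 198.51.100.9 src_geo: DE
2012-03-23 11:00:03 PKT f_http_proxy a_proxy t_attack p_major rule_name: "Web Proxy Internet Banking-IN" srcburb: external srcip: 203.0.113.10 src_geo: PK'

# hits_per_day RULE
#   Reads acat output on stdin, keeps only lines for RULE that came from the
#   external burb, and prints one line per "date srcip src_geo" with a hit
#   count, sorted by date. The date is taken from the first field of each line.
hits_per_day() {
  rule=$1
  awk -v rule="$rule" '
    index($0, "rule_name: \"" rule "\"") && /srcburb: external/ {
      ip = ""; geo = ""
      for (i = 1; i <= NF; i++) {
        if ($i == "srcip:")   ip  = $(i + 1)
        if ($i == "src_geo:") geo = $(i + 1)
      }
      n[$1 " " ip " " geo]++
    }
    END { for (k in n) print k, n[k] }' | sort
}

# Stand-alone demonstration on the constructed sample.
printf '%s\n' "$SAMPLE" | hits_per_day "Web Proxy Internet Banking-IN"

# On the firewall, feed it the filtered audit files instead, e.g.:
# acat -e "rule_name 'Web Proxy Internet Banking-IN' and srcburb external" \
#   /var/log/audit.raw* | hits_per_day "Web Proxy Internet Banking-IN"
```

Because the firewall keeps only 20 revolutions of the audit file, append this output to a file you retain elsewhere on a schedule if you need month-by-month history.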