You can use the 'cf reports' command, albeit it's a bit tricky to get it all set up:
If you have turned on the reporting databases you can run a 'report' on the audit files. You can see if you have any databases to run reports on by running this command:
$> cf reports show_databases
If you get an error about 'Can't connect to local MySQL server...' then your reporting isn't on.
You can turn on the reporting database with these commands:
cf daemond enable agent=auditsql
cf daemond enable agent=auditdbd
(in that order)
Now look at 'cf reports show_d' and you'll see one database there named 'auditdb'.
Then you have to wait for the databases to be built. What this does is watch the audit stream and while audits come in, auditdbd and auditsql write the audit information to an SQL database. Then you can query it. You have to wait for the audit database to be built (i.e. it's real-time, so you'll have to wait a few days). Your older audits are not automatically added into the database.
When you do have an audit database built you can run this command to get a traffic report:
$> cf reports run_report report_name=traffic
There IS a way to build databases for each audit file that is already on your firewall. I'll explain it quickly:
$> ls /var/log/audit.raw*
- This gets a listing of the current audit.raw and the 'rolled' audit files
$> /usr/libexec/auditdbd -f /var/log/[audit_file] -d [database_name]
- This command opens the [audit_file] and puts it into the MySQL database with name [database_name]. You replace [audit_file] with audit.raw.[date-range].gz name (from the 'ls' command, or just audit.raw) and [database_name] with whatever you like. Then this [date-range] of audits will be available in 'cf reports show_databases' and you can run a report on it.
As an example:
$> /usr/libexec/auditdbd -f /var/log/audit.raw.20120101020000.20120102020000.gz -d db_1
The audit file covering Jan. 1, 2012 2:00 a.m. to Jan. 2, 2012 2:00 a.m. is then converted into a MySQL database named db_1 and then you can run a report on it. You do this for each rolled-audit file in /var/log, giving each a different name at the end of the command (e.g. db_2, db_3, etc.)
If you run 'cf reports show_d' now you'll see auditdb and db_1 as the two databases there and the timeframes they contain. You can then run a report on the audit events in that rolled-audit file by specifying 'db=db_1' at the end of the 'cf reports run_report' command.
Each rolled-audit covers a specific timeframe and the reports are run on that time frame - you cannot specify a timeframe such as "the last 5 minutes."
You can also add ALL the rolled-audits in /var/log into one database using one command:
$> ls /var/log/audit.raw.*.gz | xargs -I xxx /usr/libexec/auditdbd -d database_name -f xxx
However, this will add all the rolled-audit events into ONE database, so it will cover a large timeframe and may not be useful for reporting.
Read the 'man cf_reports' man page for more information on how to use the 'cf reports' command.
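A way to script the per-file loading step described above, as an added example that is not from the original post: it gives each rolled audit file its own database, deriving the name from the start/end timestamps in the file name, and skips files whose names do not match the audit.raw.<start>.<end>.gz pattern. The AUDITDBD and AUDIT_DIR variables are assumptions added so the script can be dry-run; the -f and -d flags are the ones quoted in the post.

```shell
#!/bin/sh
# Added example (not from the original post): load every rolled audit file
# into its own reporting database, one per file, naming each after the
# date range encoded in the file name. AUDITDBD and AUDIT_DIR are assumed
# overridable variables so the loop can be dry-run without a firewall.

AUDITDBD="${AUDITDBD:-/usr/libexec/auditdbd}"
AUDIT_DIR="${AUDIT_DIR:-/var/log}"

# db_name_for FILE: prints a database name built from the rolled file's
# start/end timestamps, e.g. audit.raw.20120101020000.20120102020000.gz
# becomes audit_20120101020000_20120102020000. Returns 1 when the name does
# not fit the pattern, so nothing is loaded under a misleading name.
db_name_for() {
    base=$(basename "$1")
    case "$base" in
        audit.raw.[0-9]*.[0-9]*.gz) ;;
        *) return 1 ;;
    esac
    stamps=${base#audit.raw.}
    stamps=${stamps%.gz}
    start=${stamps%%.*}
    end=${stamps#*.}
    # Both stamps must be purely numeric; an extra dot or letter rejects it.
    case "$start$end" in
        *[!0-9]*) return 1 ;;
    esac
    printf 'audit_%s_%s\n' "$start" "$end"
}

# load_rolled_audits: runs auditdbd once per rolled file in AUDIT_DIR,
# skipping files whose names do not parse, and prints "<file> -> <db>"
# for each successful load (diagnostics go to stderr).
load_rolled_audits() {
    count=0
    for f in "$AUDIT_DIR"/audit.raw.*.gz; do
        [ -e "$f" ] || continue
        db=$(db_name_for "$f") || { echo "skip: $f" >&2; continue; }
        "$AUDITDBD" -f "$f" -d "$db" || { echo "failed: $f" >&2; continue; }
        echo "$f -> $db"
        count=$((count + 1))
    done
    echo "loaded $count database(s)" >&2
}
```

Each database it creates then shows up in 'cf reports show_databases' with its own timeframe, ready for 'cf reports run_report ... db=<name>'.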
Thank you very much! This is almost a PhD dissertation.
I'll try it when I find some time, as well as setting up FW Reporter. But I still think a modern NG FW should have the possibility of getting this kind of info either integrated into the dashboard or at least as a basic function of the out-of-box management/monitoring/reporting tool. All the competitors have similar functionalities, and McAfee also has it dispersed in various tools or products (FW Reporter, FW Profiler, Web/Smart Reporter, Nitro SIEM). Any roadmap for such integration?