How to pull Check Point Logs from a Check Point Device

ccheckpointclient

What I need to do is that,

I need to pull the Check Point Logs from a Check Point device.

I have read that, in order to accomplish this, we have following things,

The OPSEC LEA (Log Export API) provides the ability to pull logs from a Check Point device based on the OPSEC SDK. OPSEC LEA listens on port tcp/18184 on the device (OPSEC LEA Server) which will contain your logs. Your OPSEC LEA Client will then connect into 18184 and pull the logs.

So in order to run a LEA server, I installed a Check Point R75.20 on my VirtualBox. I dont know how to run the OPSEC LEA server on the Check Point R75.20 platform. I have read the documentation for R75.20 as well but could not get a hint on running the server.

Now after I run the lea-server, isn't it the OPSEC SDK that I will use to write an OPSEC LEA CLient?

Thanks.

Best Answer

Yes, you want the Opsec SDK found here.

You could also use the fw1-loggrabber which is probably a LOT easier.

Related Solutions

How to prevent SIGPIPEs (or handle them properly)

You generally want to ignore the SIGPIPE and handle the error directly in your code. This is because signal handlers in C have many restrictions on what they can do.

The most portable way to do this is to set the SIGPIPE handler to SIG_IGN. This will prevent any socket or pipe write from causing a SIGPIPE signal.

To ignore the SIGPIPE signal, use the following code:

signal(SIGPIPE, SIG_IGN);

If you're using the send() call, another option is to use the MSG_NOSIGNAL option, which will turn the SIGPIPE behavior off on a per call basis. Note that not all operating systems support the MSG_NOSIGNAL flag.

Lastly, you may also want to consider the SO_SIGNOPIPE socket flag that can be set with setsockopt() on some operating systems. This will prevent SIGPIPE from being caused by writes just to the sockets it is set on.

How to find the socket connection state in C

You could call getsockopt just like the following:

int error = 0;
socklen_t len = sizeof (error);
int retval = getsockopt (socket_fd, SOL_SOCKET, SO_ERROR, &error, &len);

To test if the socket is up:

if (retval != 0) {
    /* there was a problem getting the error code */
    fprintf(stderr, "error getting socket error code: %s\n", strerror(retval));
    return;
}

if (error != 0) {
    /* socket has a non zero error status */
    fprintf(stderr, "socket error: %s\n", strerror(error));
}

Best Answer

Related Solutions

How to prevent SIGPIPEs (or handle them properly)

How to find the socket connection state in C

Related Topic