It is common for distributed organizations to have multiple StoneGate engines in different locations, acting as the main gateways that protect the perimeter of each local network.
Sometimes the firewall sees information that is not strictly related to network security; still, this information can be very useful when it is collected centrally.
This post shows how StoneGate Central Log Processing can be used to collect such information in one place.
Let's take a sample need: collect information about the network clients at a remote location, identified by their MAC address.
The base assumption is that the firewall already holds the information we are looking for, since it maintains an ARP (neighbour) table whose content can be queried on a StoneGate engine with the CLI command ip n (short for ip neigh).
Sample output from this command looks like:
192.168.1.1 dev eth1 lladdr 00:0c:ee:93:11:e5 STALE
192.168.34.80 dev eth0 lladdr 00:21:70:18:9f:cf REACHABLE
192.168.34.100 dev eth0 lladdr 00:0c:ee:b8:1f:56 REACHABLE
192.168.34.210 dev eth0 lladdr 00:0c:ee:b8:1f:56 REACHABLE
192.168.1.40 dev eth1 lladdr 00:50:56:a9:66:25 REACHABLE
With a little shell scripting,
ip n | awk '{print $1 " - " $5 ";"}'
we can easily obtain better formatted information. Note that neighbours in the FAILED or INCOMPLETE state have no lladdr field, so $5 is empty for them; filtering on lladdr keeps only entries that carry a MAC address. The formatted output looks like:
192.168.1.1 - 00:0c:ee:93:11:e5;
192.168.34.80 - 00:21:70:18:9f:cf;
192.168.34.100 - 00:0c:ee:b8:1f:56;
192.168.34.210 - 00:0c:ee:b8:1f:56;
192.168.1.40 - 00:50:56:a9:66:25;
Once we have this, the sg-logger command on the StoneGate engine forwards the information to the Log Server over the same channel used for standard logs.
The syntax is:
sg-logger - Sends log message
Usage:
sg-logger -f facility_number -t type_number [-e event_number] [-i "info_string"] [-s] [-h]
Options:
-f Set facility
-t Set type
-e Set event (Default: 0 (H2A_LOG_EVENT_UNDEFINED))
-i Set info string for log message (Default: "")
-s Dump information on option numbers to stdout
-h Show this help message
Let's now bundle everything in a script that considers only the entries on eth0, sending them in batches of 50 per log message so that the info string stays short:
#!/bin/bash
# Script to send the ARP table (eth0 entries only) to the StoneGate Log Server.
# Entries are sent 50 per log message so that the info string stays short.
# Neighbours without an lladdr field (FAILED/INCOMPLETE) are skipped: they have no MAC.
N=0
STRING_A=""
ip n | grep "dev eth0 " | grep lladdr | awk '{print $1 " - " $5 ";"}' | {
    while read -r ENTRY; do
        STRING_A="$STRING_A $ENTRY"
        N=$((N + 1))
        if [ "$N" -ge 50 ]; then
            sg-logger -f 8 -t 6 -i "ARP from $HOSTNAME: $STRING_A"
            N=0
            STRING_A=""
        fi
    done
    # Flush the entries left over after the last full batch
    if [ -n "$STRING_A" ]; then
        sg-logger -f 8 -t 6 -i "ARP from $HOSTNAME: $STRING_A"
    fi
}
exit 0
Launching this script (remember to set execute permissions) generates entries in the Log Browser with the needed information in the info field (the Information Message column).
Should you need to run this regularly, you can set it up as a script in the Tester tab of the StoneGate engine's properties.
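As an added example of what the collected entries make possible once they are in the Log Server (this is not code from the original post), the script below is assumed to run centrally, where awk is available, on entries exported from the Log Browser. It reproduces the formatting step above but keeps only neighbours that actually carry an lladdr, and then compares two collections from the same engine to flag IP-to-MAC changes and MACs that appear under more than one IP, the kind of check a central ARP collection allows. The interface name eth0, the function names and the sample ip n lines are constructed for the example.

```shell
#!/bin/bash
# Added example, not part of the original post: turn "ip n" output into the
# "ip - mac;" format used above and compare two collections from the same engine.
# Interface name, function names and sample data are constructed for the example.

# Turn "ip n" output for one interface into "ip - mac;" lines.
# FAILED/INCOMPLETE neighbours carry no lladdr field and are dropped.
format_arp() {   # usage: format_arp <iface> < ip_n_output
    awk -v dev="$1" '$2 == "dev" && $3 == dev && $4 == "lladdr" { print $1 " - " $5 ";" }'
}

# Print "ip old_mac new_mac" for every IP whose MAC differs between two collections.
# The first file is read into an array keyed by IP, the second is checked against it.
arp_changes() {  # usage: arp_changes <old_file> <new_file>
    awk '{ sub(/;$/, "", $3) }
         FILENAME == ARGV[1] { old[$1] = $3; next }
         ($1 in old) && old[$1] != $3 { print $1, old[$1], $3 }' "$1" "$2"
}

# Print MACs that are claimed by more than one IP in a single collection.
duplicate_macs() {  # usage: duplicate_macs <file>
    awk '{ sub(/;$/, "", $3); n[$3]++; ips[$3] = ips[$3] " " $1 }
         END { for (m in n) if (n[m] > 1) print m ":" ips[m] }' "$1"
}

# --- Constructed sample: two collections taken from the same remote engine ---
RAW_OLD='192.168.34.80 dev eth0 lladdr 00:21:70:18:9f:cf REACHABLE
192.168.34.100 dev eth0 lladdr 00:0c:ee:b8:1f:56 REACHABLE
192.168.34.5 dev eth0 FAILED
192.168.1.1 dev eth1 lladdr 00:0c:ee:93:11:e5 STALE'
RAW_NEW='192.168.34.80 dev eth0 lladdr 00:21:70:18:9f:cf REACHABLE
192.168.34.100 dev eth0 lladdr 00:50:56:a9:66:25 REACHABLE
192.168.34.210 dev eth0 lladdr 00:50:56:a9:66:25 REACHABLE'

OLD=$(mktemp); NEW=$(mktemp)
printf '%s\n' "$RAW_OLD" | format_arp eth0 >"$OLD"
printf '%s\n' "$RAW_NEW" | format_arp eth0 >"$NEW"
echo "IP-to-MAC changes (ip old_mac new_mac):"
arp_changes "$OLD" "$NEW"
echo "MACs seen under several IPs:"
duplicate_macs "$NEW"
rm -f "$OLD" "$NEW"
```

A MAC that changes for an IP, or one MAC answering for several IPs, is not necessarily an attack (DHCP reassignments and multi-homed hosts do the same), but it is exactly the event worth raising as an alert from the central collection rather than mailing whole ARP tables.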
Enjoy!
2 Responses to “My firewall sees this info, I want it in logs”
June 18th, 2009 at 9:21 pm
Ciao,
Please, I want to see the end of the film...
Show us the resulting screenshot in the Log Viewer and help us complete this post with an Alert scenario...
June 24th, 2009 at 12:16 pm
Hi,
A few of my nodes are so old (3.x) that there is no awk command. So I made a few changes to this script (you should change eth1.220 to something else or remove it, and HOSTNAME to $HOSTNAME):
#!/bin/bash
#Script to send arp table to StoneGate log server
# No awk on old engines: dump the neighbour table to a file and send one entry per log message
ip ne | grep eth1.220 >/tmp/arp.output
exec < /tmp/arp.output
while read -r line
do
sg-logger -f 8 -t 6 -i "Arp table from HOSTNAME: $line"
done
rm -f /tmp/arp.output
exit 0
Output is like:
Creation time Information Message
2009-06-24 13:09:26 Arp table from HOSTNAME: 10.202.65.20 dev eth1.220 lladdr 00:21:86:1d:dc:ae nud reachable
2009-06-24 13:09:26 Arp table from HOSTNAME: 10.202.65.41 dev eth1.220 lladdr 00:11:25:25:56:95 nud reachable
I can't see any reason for Alerts; I don't want to fill up my mailbox with ARP tables.