Finding out how many times an IP Rule triggered (10.x)


Post by Roger » 21 Apr 2011, 08:15

This How-to applies to:
  • Clavister Security Gateway 9.x, 10.x
Objective:
  • A script that uses the stored logs and also the SSH console towards the SGW to determine how many times each rule has triggered.
Description:
  • This is a script that first connects to the SGW and downloads the rules part of the configuration, while at the same time querying the SGW about how many times each of those rules has triggered since the last reconfiguration. It also runs a query towards the InControl logger database (ILA).
Files:
  • It consists of a script file in Perl named rulesfinder.pl and a configuration file named rulesfinder.cfg. Also included is fwlogqry.exe, which is a tool from Clavister that can make log queries towards both an ILA and the old-format Clavister Logger. Note that this script should run on the same machine as the logger/ILA.
Rulesfinder.zip
Configuration in the .cfg file:
  • rootdir: <here you write the root directory where config/ila.xml or fwlogger.cfg are placed>
  • fw: <InControl device ID (run "show device" in the console to gather it)> <username> <password> <IP address>
  • days: <the number of days the query towards the log database should cover. Note that the default number of days logs are kept is 40 days, and it is configured by InControl.>
Files that must be downloaded from other locations:
  • It is written in Perl, which means that you need to have Perl installed. There are quite a few downloadable distributions, and ActivePerl has been verified to work with this script file.
  • You should also download "plink.exe", which you find on the same download page as PuTTY.
