Home to AltSec.Info

Check Point Firewall Log Analysis Using fw1-loggrabber and MySQL

The purpose of this project is to provide a versatile and affordable firewall log analysis platform for the network security analyst.


Because intelligent analysis of firewall logs is an integral piece of network security monitoring.  Firewall log analysis can point to serious network or system configuration problems, help profile suspicious host behavior, and provide essential forensic data.

The core of the platform is the combination of the Check Point OPSEC LEA (Log Export API) and the open source software packages fw1-loggrabber and MySQL.  Those components are then integrated on the standard Debian Linux 64-bit distribution with modest  hardware requirements.

I hope there is enough interest with and participation in this project to warrant more materials.

Please feel free to contribute queries, scripts, suggestions, or questions.

Getting Started

1.  Read this paper:  Check Point Firewall Log Analysis In-Depth

2.  Then, if you want to build a simliar system and get started, read this paper: Check Point Firewall  Loggrabber Setup Detailed


Binaries of fw1-loggrabber and patch files (both the 'stock' and modified versions mentioned)

32-bit libraries to use on a 64-bit Debian Linux server (Updated 2010-04-30)

A log rotation script to run nightly

10-minute firewall log snapshot script

The spambot watchdog script

The DNS DoS watchdog script


Naturally I want to thank Splunk, Check Point, Debian Linux, Torsten Fellhauer (creator of fw1-loggrabber), Sun and MySQL,  and all the open source software developers for their invaluable contributions to the technology used.  I owe my lovely wife Janis an infinite amount of thanks for her support and patience with my long hours at the keyboard.  Deep gratitude belongs to Stephen Northcut for being my original inspiration in the field of network anomaly detection (the original Shadow project at the Naval Warfare Center).  Much thanks is due my former shipmates at NYU Medical Center's Unix Engineering team of circa 2001-2003; Richard Basch and Henry Escobar, who first got me involved in Check Point firewall log analysis.  They did it the hard way - custom Perl programming.  Last, but certainly not least, thanks to my co-worker Amar Yousif for his support and assistance with verifying setup of the server used in the above documentation and to my boss Thomas Madden for his belief in my abilities and support for the project..