fw log displays the content of log files. The full syntax of the fw log command is as follows:
fw log [-f [-t]] [-n] [-l] [-o] [-c action] [-h host] [-s starttime] [-e endtime] [-b starttime endtime] [-u unification_scheme_file] [-m unification_mode(initial|semi|raw)] [-a] [-k (alert_name|all)] [-g] [logfile]
The optional switches for fw log are as follows:

-f [-t]
After reaching the end of the currently displayed file, do not exit (the default behavior), but continue to monitor the log file indefinitely, and display it while it is being written. The -t parameter indicates that the display is to begin at the end of the file. The display will initially be empty, and only new records added later will be displayed. -t is used together with the -f flag. These flags are relevant only for active files.

-n
Do not perform DNS resolution of the IP addresses in the log file (DNS resolution is the default behavior). This option significantly speeds up processing.

-l
Display both the date and the time for each log record. (The default is to show the date only once above the relevant records, and then specify the time per log record.)

-o
Show detailed log chains (all log segments a log record consists of).

-c action
Display only events whose action is action, i.e., one of accept, drop, reject, authorize, deauthorize, encrypt, and decrypt. Control actions are always displayed.

-h host
Display only the log records whose origin is the specified IP address or name.

-s starttime
Display only events that were logged after the specified time. (See format below.) starttime may be a date, a time, or both. If the date is omitted, today's date is assumed.

-e endtime
Display only events that were logged before the specified time. (See format below.) endtime may be a date, a time, or both.

-b starttime endtime
Display only events that were logged between the specified start and end times (format below), each of which may be a date, a time, or both. If the date is omitted, today's date is assumed. The start and end times are expected after the flag.

-u unification_scheme_file
Unification-scheme filename. (The unification scheme specifies the precise manner in which logs are processed, per selected unification mode.)

-m unification_mode
This flag specifies the unification mode:
* initial - the default mode, specifying complete unification of log records; i.e., output one unified record for each ID. When used together with -f, no updates, but only entries relating to the start of new connections, will be displayed. To display updates, use the
* semi - step-by-step unification; for each log record, output a record that unifies this record with all previously encountered records with the same ID.
* raw - output all records, with no unification.

-a
Output account-log records only.

-k (alert_name|all)
Display only events that match a specific alert type. The default is all, for any alert type.
Note: When the command is used with the -k option (fw log -k [ log ]), it might not work. This is a known issue. Please use other options such as -o instead.

-g
Do not use a delimited style. The default delimited style is:
* : after the field name
* ; after the field value

logfile
Use logfile instead of the default log file. The default log file is
DATE & TIME FORMAT:
The full date-and-time format is:
MMM DD, YYYY HH:MM:SS (for example: May 26, 1999 14:20:00)
It is possible to specify the date only, in the format MMM DD, YYYY, or the time only, in the format HH:MM:SS. When only the time is specified, the current date is assumed.
EXAMPLES:
fw log | more
fw log -c reject
fw log -s "May 26, 1999"
fw log -f -s 16:00:00
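The delimited record style (":" after the field name, ";" after the field value) and the date/time rules above are enough to post-process exported fw log output offline, for example when triaging a copied log on an analyst workstation where the fw binary is not available. The following Python script is an added example and is not Check Point code: it parses records in that delimited style, implements the -c, -s, -e and -b filter semantics (including the "time only means today" rule), and summarizes drops per source address. The sample records are constructed for this example, and the field names used (date, time, action, src, dst, service) are assumptions about the export, not a documented layout.

```python
"""Offline filter for fw-log-style delimited records.

Added example, not part of the fw log documentation or product. It uses
only what the page states: ':' after a field name, ';' after a field
value, and the MMM DD, YYYY HH:MM:SS date/time format. Sample records and
field names are constructed assumptions.
"""
from collections import Counter
from datetime import date, datetime

# Constructed sample records in the delimited style the page describes.
SAMPLE_RECORDS = [
    "date: May 26, 1999; time: 14:20:00; action: accept; src: 10.1.1.5; dst: 192.0.2.10; service: http;",
    "date: May 26, 1999; time: 14:20:07; action: drop; src: 203.0.113.9; dst: 192.0.2.10; service: telnet;",
    "date: May 26, 1999; time: 16:02:31; action: drop; src: 203.0.113.9; dst: 192.0.2.11; service: ssh;",
    "date: May 26, 1999; time: 16:05:00; action: reject; src: 198.51.100.4; dst: 192.0.2.10; service: smtp;",
    "date: May 27, 1999; time: 09:00:00; action: drop; src: 203.0.113.9; dst: 192.0.2.12; service: http;",
]

DATE_FMT = "%b %d, %Y"      # MMM DD, YYYY
TIME_FMT = "%H:%M:%S"       # HH:MM:SS


def parse_record(line):
    """Split one 'name: value; name: value;' record into a dict."""
    fields = {}
    for chunk in line.split(";"):
        chunk = chunk.strip()
        if not chunk:
            continue
        # partition on the first ':' only, so values like 14:20:00 survive
        name, _, value = chunk.partition(":")
        fields[name.strip()] = value.strip()
    return fields


def parse_when(text, today=None):
    """Parse a -s/-e/-b argument: full date-and-time, date only, or time only.

    A time-only value is combined with today's date, as the page describes;
    `today` can be injected for reproducible tests.
    """
    today = today or date.today()
    text = text.strip()
    for fmt in (DATE_FMT + " " + TIME_FMT, DATE_FMT):
        try:
            return datetime.strptime(text, fmt)
        except ValueError:
            pass
    return datetime.combine(today, datetime.strptime(text, TIME_FMT).time())


def record_timestamp(rec):
    """Build a datetime from a record's date and time fields."""
    return datetime.strptime(rec["date"] + " " + rec["time"],
                             DATE_FMT + " " + TIME_FMT)


def filter_records(lines, action=None, start=None, end=None, today=None):
    """Apply -c (action), -s (start), -e (end) or -b (both) style filters."""
    start_dt = parse_when(start, today) if start else None
    end_dt = parse_when(end, today) if end else None
    selected = []
    for line in lines:
        rec = parse_record(line)
        ts = record_timestamp(rec)
        if action and rec.get("action") != action:
            continue
        if start_dt and ts < start_dt:
            continue
        if end_dt and ts > end_dt:
            continue
        selected.append(rec)
    return selected


def drops_by_source(records):
    """Count dropped connections per source address: a quick triage view."""
    return Counter(r["src"] for r in records if r.get("action") == "drop")


if __name__ == "__main__":
    # Offline equivalent of:
    #   fw log -c drop -b "May 26, 1999 14:00:00" "May 26, 1999 23:59:59"
    hits = filter_records(SAMPLE_RECORDS, action="drop",
                          start="May 26, 1999 14:00:00",
                          end="May 26, 1999 23:59:59")
    for rec in hits:
        print(rec["time"], rec["src"], "->", rec["dst"], rec["service"])
    print(drops_by_source(filter_records(SAMPLE_RECORDS)))
```

The filters are evaluated per record after parsing, so the same functions work on the unified (initial) or raw output as long as the delimiter convention holds; the end-time comparison is inclusive, which matters when -e or -b is given a date only, because that parses as midnight at the start of the day.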
Refer to the Command Line Interface Reference Guide (R65, R70, R71, R75, R75.20, R75.40, R75.40VS, R76, R77) - Chapter 3 "Security Management Server and Firewall Commands" - "fw" - "fw log".