EventId.Net - Firewalls
FIREGEN FOR NETSCREEN 1.x FREQUENTLY ASKED QUESTIONS
Q: How do I configure FireGen to analyze my logs?
A:

1. Open the configuration interface
2. Switch to the "Log Profiles" tab
3. In the "Create Log Host Profile" section create a new profile:
- Enter a name for the profile (e.g. Netscreen1)
- Select a sample log by browsing to one of the existing firewall logs. FireGen uses this sample to identify the format of the log, the location of the logs and their naming convention. If the logs are not on the same computer as FireGen, create a share on the log server so the FireGen computer can reach them; if the logs are on a Linux server, Samba can share the directory. Make the share read-only and grant access only to the account FireGen runs under: the analysis never needs to write to the log directory, and a writable share would let anyone with access alter the logs before they are analyzed.
- Select the "Date format used by the log name" - FireGen cannot determine whether, in a log name like log-2004-03-04.log, "03" is the month or the day.
- Select the "Date format used for the log entries" - as above, FireGen cannot determine whether the "03" in an entry like "2004-03-04,192.168.7.3,1,3,%PIX-6-342343,Firewall message" refers to the month or to the day.
4. Click "Create" - A new profile will be created that can be modified at any time using the "Modify Log Host profile" section

Now you can switch back to the "On Demand" tab, select the new profile from the "Log host" drop-down list and the time interval you want to analyze, then click "Analyze" to run the analysis.

By default, newly created log host profiles are also included in the scheduled analysis. To exclude a profile from the scheduled reports, uncheck the "Schedule" checkbox in the "Modify Log Host" section and save the changes. Note also that during the scheduled analysis it is the account configured for the FireGen service that must have the right to access the logs' location. If the logs are on a remote server, the default "system account" has rights on the local computer only and will not be able to open the remote share.
See also the supported log formats.
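The date ambiguity behind the two "Date format" settings, as an added example (Python written for this page, not FireGen's own code): a routine that tests which of the two orders a set of log names or entries is consistent with, and shows how the declared order changes which files an analysis of a given interval would read. The file names and the order labels YYYY-MM-DD / YYYY-DD-MM are constructed for the illustration; FireGen's own setting names are not reproduced here.

```python
import re
from datetime import date

# Matches the YYYY-NN-NN stamp FireGen sees in a log name such as
# log-2004-03-04.log or at the start of an entry such as
# "2004-03-04,192.168.7.3,...". The year is unambiguous; the two NN
# fields are not, which is why the profile asks for the date format.
STAMP_RE = re.compile(r"(?<!\d)(\d{4})-(\d{2})-(\d{2})(?!\d)")

ORDERS = ("YYYY-MM-DD", "YYYY-DD-MM")   # labels chosen for this example

def _valid(year, month, day):
    try:
        date(year, month, day)
        return True
    except ValueError:
        return False

def possible_orders(samples):
    """Return the subset of ORDERS consistent with every name or entry in
    `samples`. A single sample usually leaves both orders possible; a
    component above 12, or a day that does not exist in that month, rules
    one out. An empty result means the samples fit neither order."""
    remaining = set(ORDERS)
    for sample in samples:
        m = STAMP_RE.search(sample)
        if not m:
            raise ValueError(f"no YYYY-NN-NN stamp in {sample!r}")
        year, a, b = (int(x) for x in m.groups())
        if not _valid(year, a, b):
            remaining.discard("YYYY-MM-DD")
        if not _valid(year, b, a):
            remaining.discard("YYYY-DD-MM")
    return remaining

def stamp_date(sample, order):
    """Parse the stamp using the order the profile declares."""
    if order not in ORDERS:
        raise ValueError(f"unknown date order {order!r}")
    m = STAMP_RE.search(sample)
    if not m:
        raise ValueError(f"no YYYY-NN-NN stamp in {sample!r}")
    year, a, b = (int(x) for x in m.groups())
    return date(year, a, b) if order == "YYYY-MM-DD" else date(year, b, a)

def logs_in_interval(names, order, start, end):
    """Names whose stamp falls within [start, end] (ISO strings), sorted by
    date: the files an analysis of that interval reads under `order`."""
    start, end = date.fromisoformat(start), date.fromisoformat(end)
    chosen = [(stamp_date(n, order), n) for n in names]
    return [n for d, n in sorted(chosen) if start <= d <= end]

# Constructed file names for the demonstration (not from the original page).
SAMPLE_NAMES = ["log-2004-03-04.log", "log-2004-04-03.log", "log-2004-03-15.log"]

if __name__ == "__main__":
    print(possible_orders(SAMPLE_NAMES[:1]))   # both orders fit a single name
    print(possible_orders(SAMPLE_NAMES))       # the "15" settles it
    for order in ORDERS:                       # same two files, different month
        print(order, logs_in_interval(SAMPLE_NAMES[:2], order,
                                      "2004-03-01", "2004-03-31"))
```

With only the first file both orders survive, which is exactly the situation the profile setting resolves; once a name with a component above 12 appears, the set collapses to one order. The interval demonstration shows the practical consequence of choosing wrongly: the same two files are assigned to March or April depending on the order, so a report for March would silently read the wrong day's log.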

   
Q: How do I get the logs from the Netscreen firewall?
A: A Netscreen firewall offers several ways of retrieving the logs. We recommend using a syslog server to centralize all the events in one location. Several syslog servers are available for both Windows and Unix/Linux; for Windows you can use Kiwi Syslog (freeware) or WinSyslog. Keep in mind that standard syslog (UDP port 514) carries no authentication or encryption: anyone on the path can read the events and any host that can reach the port can inject forged ones. Run the syslog server on the management network, accept messages only from the firewall's address, and keep the log directory writable by the syslog service alone. If you have any problems configuring the syslog server, please contact us.
Once you have a syslog server installed, configure the Netscreen firewall to send all the events to the syslog server. For firmware version 5.x follow these steps:
1. Connect to the management IP address of the firewall and login
2. Expand the Configuration section
3. Expand the Report settings section
4. Click on "Log settings"
5. Click on "Syslog"
6. Check the "Enable syslog messages"
7. Add the IP address of the syslog server on the syslog servers list and check both the Event and Traffic log
8. Click Apply
9. Return to the "Log settings" section
10. Make sure that all the Severity Levels that you are interested in are checked and click Apply.
11. Check the syslog server's log for messages from the Netscreen firewall (the firewall sends a message as soon as it has something to report)
12. Create a FireGen log profile pointing to the most recent syslog file and perform the analysis

If you do not want to install a syslog server and want to see older messages recorded by the firewall, save the event and traffic logs following these steps (for firmware 5.x):
1. Connect to the management IP address of the firewall and login
2. Expand the "Reports" section
3. Expand the "System log" section
4. Click on "Event"
5. Click "Save" and save the log. The default name is evt_log; give it a name like evt-2004-06-30.log instead so the file carries its date.
6. In a similar way, save all the logs listed under "System log"
7. Create a FireGen profile and point to the log that you want to analyze

To analyze the Traffic logs:
1. Connect to the management IP address of the firewall and login
2. Click on "Policies"
3. Click on "Options" for the desired policy
4. Save the log
5. Create a FireGen profile and point to the log that you want to analyze
   
Q: When I run a report on demand everything works fine, but when I schedule a report with the same settings the reports arrive blank.
A: When running reports on demand, FireGen uses the file permissions of the current user. For scheduled reports, it uses the permissions of the account set for the FireGen service. If, for example, the FireGen service is configured to use the "system" account (the default setting), it will not be able to reach logs or reports on remote computers, as the "system" account only has local rights. Verify that the account used by the service has at least read rights to the location of the logs and read/write rights to the locations configured for reports and for the working directory. If you change the service account in order to reach a remote share, use a dedicated account that holds only those rights rather than an administrative one, so the service has no more privilege than the analysis needs.
   
Q: All the reports I generate are blank even though the logs seem to contain relevant information for the selected period of time. I also get an error saying: "Analyze has returned code: 1 (invalid). Error: ".
A: If all the settings appear correct (log location, selected date range), verify that the account used to generate the reports has rights to the location configured as "Working directory" (via the "General" tab). By default this location is set to "C:\temp", and we have found that on some computers the C:\temp directory does not exist.
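A preflight check for the permission problems described in the two answers above, added here as an example and not something shipped with FireGen. It probes the log location for read access and the report and working directories for write access by actually listing the directory and creating a file, and reports the missing C:\temp case separately. Run it in the security context the scheduled analysis uses (for instance from a scheduled task configured with the service account), since that context, not the interactive user's, is the one that fails. The UNC path and directories in the main block are placeholders.

```python
import getpass
import os
import shutil
import tempfile

def current_user():
    """Name of the account this check is running as, for the report."""
    try:
        return getpass.getuser()
    except (KeyError, OSError):
        return "<unknown>"

def check_firegen_paths(log_dir, report_dir, work_dir):
    """Probe the three locations FireGen uses and return a list of problems
    (empty when everything is accessible). On-demand reports run with the
    interactive user's rights, scheduled ones with the service account's;
    run this as the service account to see what the scheduled run sees."""
    problems = []
    problems += _readable(log_dir, "log location")
    problems += _writable(report_dir, "report location")
    problems += _writable(work_dir, "working directory")
    return problems

def _readable(path, label):
    if not os.path.isdir(path):
        return [f"{label}: {path} does not exist or cannot be reached"]
    try:
        os.listdir(path)  # needs read rights on the directory or share
    except PermissionError:
        return [f"{label}: {path} cannot be listed (no read access)"]
    return []

def _writable(path, label):
    if not os.path.isdir(path):
        # FireGen defaults the working directory to C:\temp, which is often absent.
        return [f"{label}: {path} does not exist; create it or change the setting"]
    try:
        fd, probe = tempfile.mkstemp(prefix="firegen-probe-", dir=path)
    except PermissionError:
        return [f"{label}: {path} cannot be written (no write access)"]
    os.close(fd)
    os.remove(probe)
    return []

def demo():
    """Build a throwaway layout whose working directory is missing and return
    the problems the check reports for it (used for the stand-alone demo)."""
    root = tempfile.mkdtemp(prefix="firegen-demo-")
    try:
        logs = os.path.join(root, "logs")
        reports = os.path.join(root, "reports")
        os.makedirs(logs)
        os.makedirs(reports)
        missing_work = os.path.join(root, "temp")  # deliberately never created
        return check_firegen_paths(logs, reports, missing_work)
    finally:
        shutil.rmtree(root, ignore_errors=True)

if __name__ == "__main__":
    print(f"running as {current_user()}")
    print("demo:", demo())
    # Placeholder paths; substitute the ones from your FireGen configuration.
    for p in check_firegen_paths(r"\\logserver\netscreen",
                                 r"C:\FireGen\reports", r"C:\temp"):
        print("PROBLEM:", p)
```

An empty list from `check_firegen_paths` under the service account means the blank scheduled reports have another cause; a "does not exist or cannot be reached" finding on a UNC path under the "system" account is the remote-share case the answer describes.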
   
Q: My log files are very large. What is the limit for FireGen?
A: We have had reports of successful analysis of logs as large as 1.5 GB, but officially we do not support logs larger than 50 MB. FireGen should not crash regardless of the size of the logs, but the larger the log, the longer it will take to analyze. The performance of the computer doing the analysis (CPU and I/O system) matters as well. We designed FireGen to keep its memory use minimal, and the analysis runs at "idle priority" so FireGen does not take CPU cycles from other programs.

One way to improve analysis performance is to select only certain severity levels (e.g. only messages of severity "Warning" or more severe).

Having reverse name resolution enabled can also lengthen the analysis considerably: every distinct address in the log becomes a DNS lookup, and lookups of external addresses are queries that leave your network and reach name servers you do not control.
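An added example serving both the answer on syslog collection above and this answer on large logs (Python written for this page, not FireGen's code or a NetScreen feature): a parser for the "[vsys]system-<severity>-<code>" token that ScreenOS puts in each syslog line, a sender check so that only datagrams from the configured firewall are written (UDP syslog has no authentication), ISO-dated daily file names that avoid the month/day ambiguity, and a streaming severity pre-filter that shrinks a saved log before analysis without loading it into memory. Traffic records are kept regardless of the threshold because ScreenOS logs them at notification level and the traffic reports need them. The sample lines are constructed in the shape of ScreenOS output; apart from 00257 for traffic records, the message codes are placeholders rather than real ScreenOS code numbers. The firewall address 192.168.1.1, the demo date and the `serve` port are assumptions.

```python
import re
import socket
from datetime import date

# Severity words as ScreenOS writes them in the "[vsys]system-<severity>-<code>"
# token, mapped to RFC 3164 numeric levels (0 = most severe).
SEVERITY = {"emergency": 0, "alert": 1, "critical": 2, "error": 3,
            "warning": 4, "notification": 5, "information": 6, "debugging": 7}

TOKEN_RE = re.compile(
    r"\[(?P<vsys>[^\]]+)\]system-(?P<severity>[a-z]+)-(?P<code>\d{5})"
    r"(?:\((?P<category>[a-z]+)\))?:\s*(?P<message>.*)$")
DEVICE_RE = re.compile(r"device_id=(?P<device>\S+)")

def parse_netscreen(line):
    """Return the fields of one ScreenOS syslog line, or None when the line
    does not carry the NetScreen token (e.g. a message from another host)."""
    m = TOKEN_RE.search(line)
    if not m or m.group("severity") not in SEVERITY:
        return None
    dev = DEVICE_RE.search(line)
    return {"device_id": dev.group("device") if dev else None,
            "vsys": m.group("vsys"), "severity": m.group("severity"),
            "level": SEVERITY[m.group("severity")], "code": m.group("code"),
            "traffic": m.group("category") == "traffic",
            "message": m.group("message")}

def is_at_least(severity, threshold):
    """True when `severity` is `threshold` or more severe ("critical" passes
    a "warning" threshold, "information" does not)."""
    return SEVERITY[severity] <= SEVERITY[threshold]

def keep(rec, threshold):
    """Traffic records are always kept: ScreenOS logs them at notification
    level, yet they are the input of the traffic reports. Event records
    must meet the threshold."""
    return rec["traffic"] or is_at_least(rec["severity"], threshold)

def route(line, sender, allowed_senders, threshold, today):
    """Decide what to do with one received syslog line. UDP syslog carries no
    authentication, so the sender address is the only filter available:
    anything not from a configured firewall is dropped, as are lines without
    the NetScreen token and events below the threshold.
    Returns (file name, line) to append, or None to drop."""
    if sender not in allowed_senders:
        return None
    rec = parse_netscreen(line)
    if rec is None or not keep(rec, threshold):
        return None
    # ISO order in the file name, so "03" is unambiguously the month.
    return f"log-{today.isoformat()}.log", line

def prefilter(lines, threshold):
    """Stream an already saved log, yielding only what `keep` accepts, so a
    large file is reduced before analysis without being read into memory."""
    for line in lines:
        rec = parse_netscreen(line.rstrip("\r\n"))
        if rec and keep(rec, threshold):
            yield line

def serve(port, allowed_senders, threshold, bind_addr="0.0.0.0"):
    """Minimal receiver: append accepted lines to today's file. Port 514 needs
    elevated rights on most systems; point the firewall at whatever `port` is."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind((bind_addr, port))
    while True:
        data, (host, _) = sock.recvfrom(8192)
        result = route(data.decode("utf-8", "replace").rstrip("\r\n"),
                       host, allowed_senders, threshold, date.today())
        if result:
            name, line = result
            with open(name, "a", encoding="utf-8") as fh:
                fh.write(line + "\n")

# Constructed sample lines in the shape of ScreenOS syslog output. 00257 is the
# traffic record code; the other codes are placeholders for this example.
SAMPLE_LINES = [
    'ns5gt: NetScreen device_id=ns5gt  [Root]system-notification-00257(traffic): '
    'start_time="2004-03-04 10:15:02" duration=0 policy_id=1 service=http proto=6 '
    'src zone=Trust dst zone=Untrust action=Permit sent=0 rcvd=0 '
    'src=192.168.7.3 dst=10.0.0.5 src_port=1025 dst_port=80',
    'ns5gt: NetScreen device_id=ns5gt  [Root]system-critical-00001: '
    'Multiple login failures occurred for user admin from 192.168.7.9',
    'ns5gt: NetScreen device_id=ns5gt  [Root]system-information-00002: '
    'Admin user admin logged in via Web from 192.168.7.3',
    'ns5gt: NetScreen device_id=ns5gt  [Root]system-alert-00003: '
    'IP spoofing! From 192.168.7.66:1025 to 10.0.0.5:80, proto TCP',
    '<134>Mar  4 10:16:00 fileserver sshd[4321]: Accepted password for bob from 10.0.0.9',
]
DEMO_DAY = date(2004, 3, 4)   # assumed date for the stand-alone demo

if __name__ == "__main__":
    for line in prefilter(SAMPLE_LINES, "warning"):
        print(line[:72])
    # serve(5514, frozenset({"192.168.1.1"}), "warning")  # assumed firewall address
```

The sender check is the important part for collection: without it, any host that can reach the syslog port can write lines into the file FireGen will analyze. For the large-log case, `prefilter` is a one-pass reduction you can run once over a saved log and then point a profile at the smaller file; the severity choice affects event messages only, and the traffic records that the traffic reports depend on pass through untouched.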

   
Q: Can I schedule FireGen to run more than once per day?
A: Using the configuration interface it is not currently possible to set such a schedule. However, the analysis engine is fully scriptable and can be used to run the log analysis on a custom schedule. See this link for more details.
   
Q: When I run a report, all the previous reports get deleted. How can I configure FireGen not to delete the old reports?
A: On the "General" tab of the configuration interface there is a "Delete previous reports" checkbox (checked by default). Uncheck it and the old reports will be kept.
   
Legal - EventID.Net © 2001-2008 Altair Technologies Ltd., All rights reserved - Sign up for our Email Newsletter