Copyright (C) 1999,2000  Rajeev Kumar (rxknh@yahoo.com)
Version: fwlogstat-1.0
=============================================================================

[1]Obtain the latest version of fwlogstat from:
           http://www.geocities.com/SiliconValley/Bit/9363/pub/fwlogstat

[2]cd to the cgi-bin directory on your web server.

[3]Untar and unzip fwlogstat-1.0.tar.gz; this will create the fwlogstat-1.0 directory.

[4]Edit the fwlogstat-1.0/fwlogstat.pl file:
	-> Edit the first line to give the exact perl location (default: /usr/local/bin/perl)
	-> Go to the USER MODIFIABLE SECTION:
            o Edit $cgi_bin_dir= 
	    o      $url= 
	    o      $this_cgi= 
	    o      %firewall = < Add an IP => Firewall name > pair to the hash for each
				firewall logging to the master firewall from which
				you are obtaining the raw account log data.
            o Check the other variables in the section and change them if you
              need to; otherwise leave them at their defaults.

-------------------------------------------------------------------------------------

Preparing for a run:
--------------------

[1]On the Checkpoint master, where you collect all account logs from the enterprise
   firewall and from the other firewalls, export the log file into ASCII format.

	cd /opt/CKPfw/logs
	fw logexport -n -i  -o 
(It is better to first run the fw logswitch command to switch/purge the existing log file
 and obtain the account log file, and then run the above command on that purged data.)

[2]Now sort/process this log file by invoking the script from the command line:
	fwlogstat-1.0/fwlogstat.pl 

  NOTE: Steps [1] and [2] can be run as cron jobs to automate the processing of raw logs
	on a regular schedule (say, each midnight).

[3]The above step will do the following:
	-> Sort the logs into their respective firewall directories (created if a new
	   firewall is encountered in the logs), and finally make multiple files based
	   on start and end time, in the format log__starttime_endtime
	-> Create service and user cache files for the Checkpoint-defined services and
	   users in the present logs (on subsequent invocations it will update these caches).
	-> Create a DNS database cache for resolved names (in DBM format). This will
	   drastically reduce the raw log processing time by not wasting time on
	   already resolved (tried) IP addresses. The cache expires in 30 days (default),
	   changeable through the variable $dns_ttl.
	-> Create the standard services DBM file from the text file fwlogstat-1.0/std_services_txt

[4]Once the above step is complete (it may take hours, depending upon how much data
   you are processing at one time), you are ready to analyze the logs. On your web server,
   run the CGI script:

	http://www.yourwebserver.com/cgi-bin/fwlogstat-1.0/fwlogstat.pl?instance=real&action=main

[5]This should present the firewall selection page; select a firewall and proceed.
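
The DNS cache described in step [3] of the run procedure, sketched as an added example (this is not fwlogstat's own code). The names resolve_cached and ptr_lookup, the "epoch|name" record layout, the use of SDBM_File, the cache file name and the sample addresses are all assumptions made for the illustration; the hostname-character filter is an added hardening step that the README does not describe.

```perl
# Added illustration of a DBM-backed DNS cache with a TTL; not fwlogstat's code.
use strict; use warnings;
use Fcntl;                      # O_RDWR, O_CREAT
use SDBM_File;                  # DBM implementation shipped with Perl
use Socket;                     # inet_aton, AF_INET
use File::Temp qw(tempdir);
my $dns_ttl = 30 * 24 * 60 * 60;    # 30 days, the default named in the README

# Real reverse lookup; returns undef when the address does not resolve.
sub ptr_lookup {
    my ($ip) = @_;
    return unless $ip =~ /\A\d{1,3}(?:\.\d{1,3}){3}\z/;
    my $packed = inet_aton($ip) or return;
    return scalar gethostbyaddr($packed, AF_INET);
}

# Look up $ip through the cache. Records are "epoch|name"; an empty name
# marks an address that was tried and failed, so it is not retried until
# the record expires.
sub resolve_cached {
    my ($cache, $ip, $lookup, $now) = @_;
    if (defined(my $rec = $cache->{$ip})) {
        my ($stamp, $name) = split /\|/, $rec, 2;
        $name = '' unless defined $name;
        return (length($name) ? $name : $ip) if $now - $stamp < $dns_ttl;
    }
    my $name = $lookup->($ip);
    # PTR data is set by whoever controls the reverse zone: keep only
    # hostname characters before it reaches the cache or a report page.
    $name = '' unless defined($name) && $name =~ /\A[A-Za-z0-9._-]+\z/;
    $cache->{$ip} = "$now|$name";
    return length($name) ? $name : $ip;
}

# Demo with a constructed resolver so it runs offline; pass \&ptr_lookup for real use.
my $dir = tempdir(CLEANUP => 1);
tie(my %cache, 'SDBM_File', "$dir/dns_cache", O_RDWR | O_CREAT, 0600)
    or die "cannot open cache: $!";
my $calls = 0;
my %fake  = ('192.0.2.10' => 'gw.example.com');    # constructed sample data
my $stub  = sub { $calls++; return $fake{ $_[0] } };
my $t0    = time;
for my $ip ('192.0.2.10', '192.0.2.99', '192.0.2.10', '192.0.2.99') {
    printf "%-12s -> %s\n", $ip, resolve_cached(\%cache, $ip, $stub, $t0);
}
print "lookups after 4 queries: $calls\n";
resolve_cached(\%cache, '192.0.2.10', $stub, $t0 + $dns_ttl + 1);
print "lookups after expiry:    $calls\n";
untie %cache;
```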

===============================================================================================

Rajeev Kumar
Dec 1999