Chapter 3. Program overview

Table of Contents

The Configurator
The Reporting Engine
Folder structure
Log files

The Configurator

The NOVAXE® configurator interacts with the user over the network via the HTTP protocol. The software includes a mini web server that is installed automatically and listens for incoming connections on port 8081 by default.

Its main purpose is to give the user access to the reporter resources, both locally and remotely.

The Reporting Engine

The NOVAXE® Reporting Engine is the bulk log analyzer, run either by the configurator or by the operating system task scheduler when a report has to be generated. Basically, it parses your firewall log files, collects data and presents it in PDF format.

The engine is a command line program run through batch files, which are created by the NOVAXE® configurator together with configuration files that reflect the type of report required.

Folder structure

The NOVAXE® installation tree contains two subfolders of interest: reports and schedules.

  • reports folder: for each report created, a subfolder named report_XXXXXX (where XXXXXX is a random id) is created in this folder, containing the PDF file (if the reporting process completed successfully) and some configuration files and logs (regarding the report creation process) associated with that report.

  • schedules folder: for each schedule created, a subfolder named schedule_XXXXXX (where XXXXXX is a random id) is created in this folder, containing all the files needed to create a new report when the OS triggers the execution of the Reporting Engine.

    In other words, when the user creates a new schedule to have a report generated periodically (for example each week), the information about the schedule (that is, the template) along with all the parameters needed for that report are saved in a new schedule_XXXXXX folder. Upon task execution, a batch file from the schedule_XXXXXX folder is launched, which creates a new report_XXXXXX folder and transfers control to the reporting engine. The reporting engine then reads the data in that folder and prepares the report accordingly.

There are situations where the reporter is neither able to complete the operation nor to report an error. Typically this happens when it badly runs out of memory and even the recovery procedure fails. In such situations the web server is unable to remove the report, because it thinks the report is still being generated. You then have to remove the report from the report archive manually. See the section called “Suggestions” for further details.

Log files

NOVAXE® at present does not have the capability to collect log files directly from the firewall; therefore an external third-party syslog server, which receives data from the devices and stores it as ASCII files on the local filesystem, is required.

On some firewalls, like Checkpoint Firewall-1, it may be necessary to use the supplied utilities to extract log files in an ASCII-readable file format and deposit them into the NOVAXE® processing folder.

The configurator allows you to specify where this folder should be located (by default it is the syslogs subfolder of the NOVAXE® root installation). It is also possible to specify a pattern matching string which allows you to filter out unnecessary files. For example, you can set a simple expression such as firewall*.log to tell the reporter to read and parse only the files beginning with firewall and having the .log extension. More complex patterns, such as regular expressions, may be employed as well.

On the other hand, we suggest you configure your syslog server to write log files with a fixed naming pattern and to rotate them periodically (typically every day) to avoid huge files on disk. For example, you can configure the syslog server to generate one file per day with names like these:

  firewall_20081127.log
  firewall_20081128.log
  firewall_20081129.log

Notice that having a different file for each day eases management and disposal. For example, you may eventually delete old log files (or store them in a different place). This is easy if you have a different log file for each day, because you only need to move away certain files. If, on the other hand, you have everything in one huge file, you have to split the file manually, which for large files may be cumbersome at best.

Currently NOVAXE® parses Juniper and Checkpoint firewall log files and expects certain data fields in each event line of interest. Lines that do not meet its requirements are simply skipped. A typical log entry looks like this (tabs omitted and CR added):

Example of an expected Juniper log line:

  2008-04-17 09:20:33 Local0.Notice 10.1.7.150 ssg-01: NetScreen device_id=ssg-01 [Root]system-notification-00257(traffic): start_time="2008-04-17 09:21:16" duration=21 policy_id=2 service=https proto=6 src zone=Trust dst zone=Untrust action=Permit sent=66 rcvd=0 src=10.1.4.40 dst=212.210.60.135 src_port=3470 dst_port=443 src-xlated ip=195.103.76.61 port=1311 dst-xlated ip=212.210.60.135 port=443 session_id=8006 reason=Close - AGE OUT<000>

Example of an expected Checkpoint log line:

  "16" "1Jul2008" "11:57:07" "eth0" "10.10.1.6" "Log" "Accept" "lotus" "1252" "10.30.0.24" "10.10.20.2" "tcp" "64" "" "68-Standard" "" "service_id: lotus" "VPN-1 Power/UTM"

Please pay attention to the format of the dates (see the examples above), because your syslog server can probably be configured to output them in several formats.
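The following Python sketch is an added example, not part of NOVAXE® or this manual: it applies the glob-style file name filter described above, extracts the key=value fields of the Juniper line and the quoted columns of the Checkpoint line, and skips a record whose date is not in the expected format, as the reporter does. The Checkpoint column positions are an assumption read off the sample record.

```python
import re
from datetime import datetime
from fnmatch import fnmatch

# Sample records copied from the two examples in this chapter (<000> marker dropped).
JUNIPER = ('2008-04-17 09:20:33 Local0.Notice 10.1.7.150 ssg-01: NetScreen device_id=ssg-01 '
           '[Root]system-notification-00257(traffic): start_time="2008-04-17 09:21:16" duration=21 '
           'policy_id=2 service=https proto=6 src zone=Trust dst zone=Untrust action=Permit sent=66 '
           'rcvd=0 src=10.1.4.40 dst=212.210.60.135 src_port=3470 dst_port=443 src-xlated ip=195.103.76.61 '
           'port=1311 dst-xlated ip=212.210.60.135 port=443 session_id=8006 reason=Close - AGE OUT')
CHECKPOINT = ('"16" "1Jul2008" "11:57:07" "eth0" "10.10.1.6" "Log" "Accept" "lotus" "1252" "10.30.0.24" '
              '"10.10.20.2" "tcp" "64" "" "68-Standard" "" "service_id: lotus" "VPN-1 Power/UTM"')

def select_files(names, pattern="firewall*.log"):
    # Same glob-style filter the configurator applies to the syslogs folder.
    return sorted(n for n in names if fnmatch(n, pattern))

# NetScreen fields are key=value; "src zone=" / "dst-xlated ip=" prefixes are folded into the key.
_KV = re.compile(r'(?:\b((?:src|dst)(?:-xlated)?) )?([\w-]+)=("[^"]*"|\S+)')
_REQUIRED = ("start_time", "action", "src", "dst", "dst_port", "service")

def parse_juniper(line):
    if "(traffic)" not in line:          # only traffic notifications are of interest
        return None
    # the bare "port=" after an xlated address gets the same prefix as its "ip="
    line = re.sub(r'(src|dst)-xlated ip=(\S+) port=', r'\1-xlated ip=\2 \1-xlated port=', line)
    fields = {}
    for prefix, key, value in _KV.findall(line):
        if prefix:
            key = prefix.replace("-", "_") + "_" + key
        fields[key] = value.strip('"')
    if any(k not in fields for k in _REQUIRED):
        return None                      # incomplete line: the reporter skips it
    try:
        fields["timestamp"] = datetime.strptime(fields["start_time"], "%Y-%m-%d %H:%M:%S")
    except ValueError:                   # date in an unexpected format: skip
        return None
    return fields

def parse_checkpoint(line):
    # Quoted, space-separated columns; positions are assumed from the chapter's sample.
    cols = re.findall(r'"([^"]*)"', line)
    if len(cols) < 12:
        return None
    try:
        ts = datetime.strptime(cols[1] + " " + cols[2], "%d%b%Y %H:%M:%S")
    except ValueError:
        return None
    return {"timestamp": ts, "action": cols[6], "service": cols[7],
            "src": cols[9], "dst": cols[10], "proto": cols[11]}
```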