https://community.checkpoint.com/t5/Firewall-and-Security-Management/Do-not-match-The-number-of-logs-in-the-GUI-and-the-SIEM-device/m-p/105996#M8426 <P>Can you provide some precise examples of logs that aren't showing on the SIEM?<BR />This might be better handled via a TAC case.</P> Mon, 21 Dec 2020 01:53:24 GMT PhoneBoy 2020-12-21T01:53:24Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Do-not-match-The-number-of-logs-in-the-GUI-and-the-SIEM-device/m-p/105994#M8425 <P>Hello&nbsp;</P><P>I am working to change the SIEM equipment linkage method of a customer from OPSEC to Log Exporter.</P><P>When I compare the logs of Smartconsole and the logs of SIEM, there are too many differences.</P><P>For example, The Smart console log generates about 5000 drop logs per second.&nbsp;</P><P>However, only about 300 drop logs are visible for Siem equipment logs.</P><P>There is a difference of more than 10 times and I do not know the cause.</P><P>&nbsp;</P><P>The linked server is Archisight 6.9 / smartconnector 7.15 and The architecture of the customer is as follows.</P><P>1.Management Server (R80.20, Take 127)<BR />2.Log Server (R80.20, Take 127)<BR />3.VRRP Gateway (R80.10, Take 249) - Firewall, IPS</P><P>&nbsp;</P><P>Below is the log export information set to the customer.</P><P>&nbsp;</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="export_show.png" style="width: 290px;"><img src="https://community.checkpoint.com/t5/image/serverpage/image-id/9838iFF6D16988A7C87E3/image-size/large?v=v2&amp;px=999" role="button" title="export_show.png" alt="export_show.png" /></span></P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="filter_configuration.PNG" style="width: 594px;"><img src="https://community.checkpoint.com/t5/image/serverpage/image-id/9839iFEBF460FF6C77DBD/image-size/large?v=v2&amp;px=999" role="button" title="filter_configuration.PNG" alt="filter_configuration.PNG" /></span></P><DIV class="mceNonEditable lia-copypaste-placeholder">&nbsp;</DIV><P>Due to the large amount of logs, it is really difficult to compare the number of packets.</P><P>What do I need to check to fix the above symptoms?</P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P> Mon, 21 Dec 2020 01:35:36 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Do-not-match-The-number-of-logs-in-the-GUI-and-the-SIEM-device/m-p/105994#M8425 ChoiYunSoo 2020-12-21T01:35:36Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Do-not-match-The-number-of-logs-in-the-GUI-and-the-SIEM-device/m-p/105996#M8426 <P>Can you provide some precise examples of logs that aren't showing on the SIEM?<BR />This might be better handled via a TAC case.</P> Mon, 21 Dec 2020 01:53:24 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Do-not-match-The-number-of-logs-in-the-GUI-and-the-SIEM-device/m-p/105996#M8426 PhoneBoy 2020-12-21T01:53:24Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Do-not-match-The-number-of-logs-in-the-GUI-and-the-SIEM-device/m-p/106023#M8430 <P><SPAN>We only compared the number of drop logs of Siem equipment and GUI Smartconsole. Due to the problem of time, it was difficult to check further, so I could not check the contents of inconsistent logs.</SPAN></P> Mon, 21 Dec 2020 09:36:31 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Do-not-match-The-number-of-logs-in-the-GUI-and-the-SIEM-device/m-p/106023#M8430 ChoiYunSoo 2020-12-21T09:36:31Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Do-not-match-The-number-of-logs-in-the-GUI-and-the-SIEM-device/m-p/106054#M8433 <P>You should get a similar number of logs but you’re also only sending Firewall + IPS logs to the SIEM so there may be drops by additional blades you’re not seeing.<BR />In any case, I recommend a TAC case to investigate.</P> Mon, 21 Dec 2020 16:20:42 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Do-not-match-The-number-of-logs-in-the-GUI-and-the-SIEM-device/m-p/106054#M8433 PhoneBoy 2020-12-21T16:20:42Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Do-not-match-The-number-of-logs-in-the-GUI-and-the-SIEM-device/m-p/106163#M8447 <P>Thanks for your reply</P><P>&nbsp;</P><P>The blades used by the firewall are Firewall and IPS.</P><P>It is logically difficult to understand what gets deleted by other blades.</P><P>I will submit the case to the TAC.</P><P>&nbsp;</P> Tue, 22 Dec 2020 10:08:51 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Do-not-match-The-number-of-logs-in-the-GUI-and-the-SIEM-device/m-p/106163#M8447 ChoiYunSoo 2020-12-22T10:08:51Z