https://community.checkpoint.com/t5/General-Topics/Missing-Logs-track-long-lived-TCP-IP-connection/m-p/197541#M33093 <P>Hi Experts,</P><P>Recently we use TCP connection to forward syslogs from client to server (both are Linux OS). It is interesting that we can see from client and server (by TCPdump command) that the TCP connection is established and syslog data packet were forwarded/received properly.</P><P>While on the SmartConsole -&gt; logs , we only see some intermittent logs, which should continuous ?<BR />I thought when the client are forwarding syslogs, the data packet should be continuous(&nbsp;<SPAN>long-lived TCP/IP connection ?) I checked on the client, the logs did generate&nbsp;continuously.</SPAN></P><P>&nbsp;</P><P>I find some info from&nbsp; <A href="https://support.checkpoint.com/results/sk/sk41248" target="_blank" rel="noopener">https://support.checkpoint.com/results/sk/sk41248</A>&nbsp; , but it seems not mentioned how to track logs during long-lived TCP sessions.</P><P>Is it possible that the logs only track the TCP packet which has SYN ?&nbsp;&nbsp;</P><P>&nbsp;</P><P>Thanks very much&nbsp;</P><P>Best regards</P><P>&nbsp;</P> Thu, 09 Nov 2023 06:24:05 GMT GeorgeF 2023-11-09T06:24:05Z https://community.checkpoint.com/t5/General-Topics/Missing-Logs-track-long-lived-TCP-IP-connection/m-p/197541#M33093 <P>Hi Experts,</P><P>Recently we use TCP connection to forward syslogs from client to server (both are Linux OS). It is interesting that we can see from client and server (by TCPdump command) that the TCP connection is established and syslog data packet were forwarded/received properly.</P><P>While on the SmartConsole -&gt; logs , we only see some intermittent logs, which should continuous ?<BR />I thought when the client are forwarding syslogs, the data packet should be continuous(&nbsp;<SPAN>long-lived TCP/IP connection ?) I checked on the client, the logs did generate&nbsp;continuously.</SPAN></P><P>&nbsp;</P><P>I find some info from&nbsp; <A href="https://support.checkpoint.com/results/sk/sk41248" target="_blank" rel="noopener">https://support.checkpoint.com/results/sk/sk41248</A>&nbsp; , but it seems not mentioned how to track logs during long-lived TCP sessions.</P><P>Is it possible that the logs only track the TCP packet which has SYN ?&nbsp;&nbsp;</P><P>&nbsp;</P><P>Thanks very much&nbsp;</P><P>Best regards</P><P>&nbsp;</P> Thu, 09 Nov 2023 06:24:05 GMT https://community.checkpoint.com/t5/General-Topics/Missing-Logs-track-long-lived-TCP-IP-connection/m-p/197541#M33093 GeorgeF 2023-11-09T06:24:05Z https://community.checkpoint.com/t5/General-Topics/Missing-Logs-track-long-lived-TCP-IP-connection/m-p/197634#M33109 <P>We generate a log upon first connection.<BR />A session may consist of multiple connections (e.g. different elements on a webpage hosted in different places) which will update the existing log entry.<BR />Likewise, if you have Accounting logging enabled or Detailed/Extended logging, the existing entry will update every 10 minutes.<BR />These updates will be sent via Log Exporter as well.</P> Thu, 09 Nov 2023 21:04:10 GMT https://community.checkpoint.com/t5/General-Topics/Missing-Logs-track-long-lived-TCP-IP-connection/m-p/197634#M33109 PhoneBoy 2023-11-09T21:04:10Z https://community.checkpoint.com/t5/General-Topics/Missing-Logs-track-long-lived-TCP-IP-connection/m-p/197642#M33110 <P>Hi,</P><P>Thanks very much for your reply.</P><P>As my understanding, it will generate a log when the TCP session is established. ( Yellow hightlighter)</P><P>&nbsp;</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="TCP session.png" style="width: 999px;"><img src="https://community.checkpoint.com/t5/image/serverpage/image-id/23160iB9EE9048F41DCAD0/image-size/large?v=v2&amp;px=999" role="button" title="TCP session.png" alt="TCP session.png" /></span></P><P>And if the connection keeps open and keeps forwarding log packets then it won't generate more logs.</P><P>Until the server or client initiate "CLOSING THE CONNECTION" , or some Time-Out triggered closing the session.</P><P>Next time when a new SYN -&gt; SYN+ACK -&gt; ACK established a new connection with <EM><STRONG>a new source port</STRONG></EM> ,&nbsp; it will generate a new log.</P><P>Is it right ?&nbsp; I think that would explain the intermittent logs perfectly.</P><P>&nbsp;</P><P>Thanks again</P><P>&nbsp;</P><DIV class="">&nbsp;</DIV><P>&nbsp;</P> Fri, 10 Nov 2023 01:43:01 GMT https://community.checkpoint.com/t5/General-Topics/Missing-Logs-track-long-lived-TCP-IP-connection/m-p/197642#M33110 GeorgeF 2023-11-10T01:43:01Z https://community.checkpoint.com/t5/General-Topics/Missing-Logs-track-long-lived-TCP-IP-connection/m-p/197659#M33113 <P>You've got it right.</P> Fri, 10 Nov 2023 04:25:52 GMT https://community.checkpoint.com/t5/General-Topics/Missing-Logs-track-long-lived-TCP-IP-connection/m-p/197659#M33113 PhoneBoy 2023-11-10T04:25:52Z