https://community.checkpoint.com/t5/SASE-and-Remote-Access/Similar-logs-For-Identity-Awareness/m-p/199469#M4319 <P>Hi,</P><P>I have searched from qradar and got similar logs as below. The only different item is "sequencenum", is this desired situation?&nbsp;</P><P>Any advice would be appreciated.</P><P>Best</P><P>Jasmin</P><P>&nbsp;</P><LI-CODE lang="python">LEEF:2.0|Check Point|Identity Awareness|1.0|Log In|devTime=devtime usrName=xxx cat=Identity Awareness action=Log In ifdir=inbound logid=logid loguid={aaa} origin=ip originsicname=zzz sequencenum=6 version=5 auth_method=User Authentication (Active Directory) auth_status=Successful Login client_name=Active Directory Query client_version=R81.10 domain_name=domain_name endpoint_ip=ip_address identity_src=AD Query identity_type=user snid=sn_id src=src src_user_group=src_user_group src_user_name=xxx LEEF:2.0|Check Point|Identity Awareness|1.0|Log In|devTime=devtime usrName=xxx cat=Identity Awareness action=Log In ifdir=inbound logid=logid loguid={aaa} origin=ip originsicname=zzz sequencenum=7 version=5 auth_method=User Authentication (Active Directory) auth_status=Successful Login client_name=Active Directory Query client_version=R81.10 domain_name=domain_name endpoint_ip=ip_address identity_src=AD Query identity_type=user snid=sn_id src=src src_user_group=src_user_group src_user_name=xxx</LI-CODE><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P> Fri, 01 Dec 2023 14:40:15 GMT JasminThejojo 2023-12-01T14:40:15Z https://community.checkpoint.com/t5/SASE-and-Remote-Access/Similar-logs-For-Identity-Awareness/m-p/199469#M4319 <P>Hi,</P><P>I have searched from qradar and got similar logs as below. The only different item is "sequencenum", is this desired situation?&nbsp;</P><P>Any advice would be appreciated.</P><P>Best</P><P>Jasmin</P><P>&nbsp;</P><LI-CODE lang="python">LEEF:2.0|Check Point|Identity Awareness|1.0|Log In|devTime=devtime usrName=xxx cat=Identity Awareness action=Log In ifdir=inbound logid=logid loguid={aaa} origin=ip originsicname=zzz sequencenum=6 version=5 auth_method=User Authentication (Active Directory) auth_status=Successful Login client_name=Active Directory Query client_version=R81.10 domain_name=domain_name endpoint_ip=ip_address identity_src=AD Query identity_type=user snid=sn_id src=src src_user_group=src_user_group src_user_name=xxx LEEF:2.0|Check Point|Identity Awareness|1.0|Log In|devTime=devtime usrName=xxx cat=Identity Awareness action=Log In ifdir=inbound logid=logid loguid={aaa} origin=ip originsicname=zzz sequencenum=7 version=5 auth_method=User Authentication (Active Directory) auth_status=Successful Login client_name=Active Directory Query client_version=R81.10 domain_name=domain_name endpoint_ip=ip_address identity_src=AD Query identity_type=user snid=sn_id src=src src_user_group=src_user_group src_user_name=xxx</LI-CODE><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P> Fri, 01 Dec 2023 14:40:15 GMT https://community.checkpoint.com/t5/SASE-and-Remote-Access/Similar-logs-For-Identity-Awareness/m-p/199469#M4319 JasminThejojo 2023-12-01T14:40:15Z https://community.checkpoint.com/t5/SASE-and-Remote-Access/Similar-logs-For-Identity-Awareness/m-p/199485#M4320 <P>Is the issue you’re seeing multiple logs for what appears to be the same event?<BR />How far apart are the logs and how many “duplicates” appear?</P> <P>We do send multiple logs via Log Exporter for the same session (every 10 minutes or so).<BR />This is probably expected behavior.</P> Fri, 01 Dec 2023 15:05:07 GMT https://community.checkpoint.com/t5/SASE-and-Remote-Access/Similar-logs-For-Identity-Awareness/m-p/199485#M4320 PhoneBoy 2023-12-01T15:05:07Z https://community.checkpoint.com/t5/SASE-and-Remote-Access/Similar-logs-For-Identity-Awareness/m-p/199493#M4321 <P>Hi,</P><P>Thanks for your answer. There are two events for login and logout with the same devtime. (not every 10 minutes)</P><P>Best</P><P>Jasmin</P><P>&nbsp;</P><P>&nbsp;</P> Fri, 01 Dec 2023 15:39:12 GMT https://community.checkpoint.com/t5/SASE-and-Remote-Access/Similar-logs-For-Identity-Awareness/m-p/199493#M4321 JasminThejojo 2023-12-01T15:39:12Z https://community.checkpoint.com/t5/SASE-and-Remote-Access/Similar-logs-For-Identity-Awareness/m-p/199494#M4322 <P>Two logs for the same event that close to each other doesn't seem correct.<BR />Best to check this with TAC: <A href="https://help.checkpoint.com" target="_blank">https://help.checkpoint.com</A>&nbsp;</P> Fri, 01 Dec 2023 15:42:11 GMT https://community.checkpoint.com/t5/SASE-and-Remote-Access/Similar-logs-For-Identity-Awareness/m-p/199494#M4322 PhoneBoy 2023-12-01T15:42:11Z