topic Re: Sending syslog from SMB - application fields are blank in Spark Firewall (SMB)

Sending syslog from SMB - application fields are blank

Pedro_Espindola — Tue, 26 Jun 2018 17:40:54 GMT

Hey guys,

I am sending security logs from a 1490 via syslog to an external log server, but Application Control and URL Filtering fields show as "******":

appi_name="******" app_desc="******" app_id="******" app_category="******" matched_category="******" app_properties="******" app_risk="******" app_rule_id="******" app_rule_name="******"

Is this a limitation or is it because of some kind of privacy setting?

Re: Sending syslog from SMB - application fields are blank

Maarten_Sjouw — Tue, 26 Jun 2018 18:22:17 GMT

I know this is a setting in the OPSec connection, but I have not been able to find anything on the 1400 WEBUI to set anything in this area. I was also browsing through the CLI guide and there is some stuff about the user awareness, which brought the following question to mind; does you log show the user and URL information, or is that obfuscated as well?

On the other hand when this is an centrally managed gateway you could use the log exporter instead from management, this will give you much more control over what is sent to the syslog server.

Re: Sending syslog from SMB - application fields are blank

Pedro_Espindola — Tue, 26 Jun 2018 20:47:57 GMT

Actually, users are shown correctly. Only the fields related to the application are hidden. Check this log from my lab:

<85>2018-06-26T17:44:09.562830-03:00 Jun 26 17:44:07--3:00 192.168.252.1 Action="allow" UUid="{0x5b32a597,0x6,0x52c2737f,0xc0000002}" src="172.20.120.50" dst="216.58.222.78" proto="17" appi_name="******" app_desc="******" app_id="******" app_category="******" matched_category="******" app_properties="******" app_risk="******" app_rule_id="******" app_rule_name="******" app_sig_id="60340654:4" proxy_src_ip="172.20.120.50" user="Administrator(+)" src_user_name="Administrator(+)" snid="d671fcfa" product="Application Control" service="443" s_port="56644"

Re: Sending syslog from SMB - application fields are blank

Maarten_Sjouw — Tue, 26 Jun 2018 21:52:01 GMT

show application-control-engine-settings advanced-settings

could give you a clou but I could not find it, but this could still be something controlled from the dashboard as the box is managed. In the OPSec it is called Log Permissions.

Re: Sending syslog from SMB - application fields are blank

G_W_Albrecht — Mon, 02 Jul 2018 14:42:13 GMT

show application-control-engine-settings advanced-settings does not exist in my Firmware 😉

What i know this issue from is sk73400 SmartLog displays some fields with asterisks in logs from Application Control blade or from Identity Awareness blade.

Re: Sending syslog from SMB - application fields are blank

Maarten_Sjouw — Mon, 02 Jul 2018 21:29:25 GMT

from the 700-1400 appliances R77.20.75 Techincal Reference Guide:

set application-control-engine-settings
set application-control-engine-settings advanced-settings fail-mode <fail-mode>

set application-control-engine-settings
set application-control-engine-settings advanced-settings

set application-control-engine-settings
set application-control-engine-settings advanced-settings enforce-safe-search <enforce-safe-search>

set application-control-engine-settings
set application-control-engine-settings advanced-settings web-site-categorization-mode <web-site-categorization-mode>

set application-control-engine-settings
set application-control-engine-settings advanced-settings track-browse-time

set application-control-engine-settings
set application-control-engine-settings advanced-settings http-referrer-identification <http-referrer-identification>

set application-control-engine-settings
set application-control-engine-settings advanced-settings

show application-control-engine-settings
show application-control-engine-settings advanced-settings

9 result(s) found.

Re: Sending syslog from SMB - application fields are blank

G_W_Albrecht — Tue, 03 Jul 2018 06:52:51 GMT

It is found in Check Point 600/700/1100/1200R/1400 Appliance Guide R77.20.75 p.96 - but in clish, it is not a shown command, that was the reason for my remark 🙂

Re: Sending syslog from SMB - application fields are blank

Pedro_Espindola — Tue, 17 Jul 2018 17:30:09 GMT

The support team said this is a limitation, the same as described in sk112376 - Logs appear as confidential when configuring a Security Gateway R77.30 Gaia to send logs to an external Syslog server

I will submit a request for enhancement. If Maarten Sjouw and the others could do the same I would be grateful.

Thank you for the help, guys.

Re: Sending syslog from SMB - application fields are blank

Pedro_Espindola — Fri, 23 Nov 2018 22:09:53 GMT

It seems on version R77.20.81 the problem was solved with an option to show these fields:

Sometimes RFEs work!