1550 - Syslog Server - Where's the "Action"?

Max_Baumgarten — Thu, 30 Jan 2020 17:01:10 GMT

Hey All,

I'm currently using a checkpoint 1550 configured to send System and Security logs to a simple Ubuntu server running rsyslog.

Going through the logs on the Ubuntu server, it seems like the 1550 is not sending any "Action" information for any of the logs, whether its Drop or Accept.

Simple Ping that should be Dropped:

Jan 30 11:16:14 Jan 30 11:16:11--5:00 10.x.x.x inzone="External" outzone="Local" service_id="ICMP" ICMP="Echo Request" src="207.xxx.xxx.xxx" dst="128.xxx.xxx.xxx" proto="1" ICMP Type="8" ICMP Code="0" user="" src_user_name="" src_machine_name="" src_user_dn="" snid="" dst_user_name="" dst_machine_name="" dst_user_dn="" UP_match_table="TABLE_START" ROW_START="0" match_id="5" layer_uuid="9fced3b3-5da9-494d-b7f1-3242694d99f8" layer_name="internal" rule_uid="00000780-0000-0000-0000-000000000000" rule_name="Incoming/Internal Default Policy" ROW_END="0" UP_match_table="TABLE_END" ProductName="VPN-1 & FireWall-1" ProductFamily=""

Simple Ping that should be Accepted:

Jan 30 11:24:34 Jan 30 11:24:33--5:00 10.x.x.x inzone="Internal" outzone="Local" service_id="ICMP" ICMP="Echo Request" src="10.x.x.x" dst="10.x.x.x" proto="1" ICMP Type="8" ICMP Code="0" user="" src_user_name="" src_machine_name="" src_user_dn="" snid="" dst_user_name="" dst_machine_name="" dst_user_dn="" UP_match_table="TABLE_START" ROW_START="0" match_id="5" layer_uuid="9fced3b3-5da9-494d-b7f1-3242694d99f8" layer_name="internal" rule_uid="00000780-0000-0000-0000-000000000000" rule_name="Incoming/Internal Default Policy" ROW_END="0" UP_match_table="TABLE_END" ProductName="VPN-1 & FireWall-1" ProductFamily=""

Am I missing something here? Shouldn't there be a field for "Action="? Perhaps my syslog server has a formatting issue? Others have told me they can't find the Action field either when looking at syslog files for their 1550.

I plan on using these logs in an Elastic Stack, but without having Action in the logs, it makes the data extremely difficult (and possibly pointless) to use.

Re: 1550 - Syslog Server - Where's the "Action"?

Max_Baumgarten — Fri, 31 Jan 2020 00:16:28 GMT

Also this is a locally managed firewall.

Re: 1550 - Syslog Server - Where's the "Action"?

PhoneBoy — Sat, 01 Feb 2020 00:19:03 GMT

Might be worth a TAC case to investigate if this is expected behavior or not.

Re: 1550 - Syslog Server - Where's the "Action"?

G_W_Albrecht — Tue, 04 Feb 2020 12:28:19 GMT

Is the Action shown if you look at the log entry in WebGUI logs ?

Re: 1550 - Syslog Server - Where's the "Action"?

Max_Baumgarten — Tue, 04 Feb 2020 13:07:56 GMT

The action is shown perfectly fine in the GUI.

topic Re: 1550 - Syslog Server - Where's the "Action"? in Spark Firewall (SMB)

1550 - Syslog Server - Where's the "Action"?

Re: 1550 - Syslog Server - Where's the "Action"?

Re: 1550 - Syslog Server - Where's the "Action"?

Re: 1550 - Syslog Server - Where's the "Action"?

Re: 1550 - Syslog Server - Where's the "Action"?