topic Re: SMB syslog doesn't log action in Spark Firewall (SMB)

SMB syslog doesn't log action

John_Fleming — Tue, 04 Feb 2020 15:36:35 GMT

So I'm rather shocked by this but I've just learned syslog from a SMB (and possibly none SMB as well) will not log the action field to syslog. I was pointed to sk164514 which I can't seem to access. Not sure if this is internal or not.

I don't even know what to say about this. I have a firewall that isn't logging via syslog if anything is accepted or denied. Its just saying.. stuff happened... I'm going to take a stab at a log exporter but I have no idea if thats possible without a management server. This is @%^$@#% ridiculous.

I sure am glad all these items below are getting logged instead of action. I don't know what I would do without knowing where the start or end of the table is (or what that even means). Good to know that the snid is unknown.

Awesome.

user="" 
src_user_name="" 
src_machine_name="" 
src_user_dn=""
snid="" 
dst_user_name="" 
dst_machine_name="" 
dst_user_dn="" 
UP_match_table="TABLE_START" 
ROW_START="0" 
match_id="5" 
layer_uuid="9fced3b3-5da9-494d-b7f1-3242694d99f8" 
layer_name="internal" 
rule_uid="00000780-0000-0000-0000-000000000000" 
rule_name="Incoming/Internal Default Policy"
ROW_END="0"
UP_match_table="TABLE_END"

Re: SMB syslog doesn't log action

Max_Baumgarten — Tue, 04 Feb 2020 15:43:10 GMT

Wow. Glad to see its not just me (my post) . Seems almost inexcusable to have syslogs for a firewall and not have it report the Action. These logs are completely useless for customers who want to use these logs for any analysis.

Re: SMB syslog doesn't log action

G_W_Albrecht — Tue, 04 Feb 2020 16:16:41 GMT

Which firewalls you know of do send their security logs including Accept / Deny / Reject actions using syslog ?

Re: SMB syslog doesn't log action

Max_Baumgarten — Tue, 04 Feb 2020 16:26:04 GMT

Of other vendors: Fortinet, PfSense, Ubiquti Edgerouters... Pretty sure Cisco ASAs and Palo Altos do this as well.

Re: SMB syslog doesn't log action

HristoGrigorov — Tue, 04 Feb 2020 16:41:51 GMT

Come on, take it easy. This is apparently some negligence from our lovely vendor. Open SR and they will fix it right away!

Re: SMB syslog doesn't log action

Max_Baumgarten — Tue, 04 Feb 2020 17:44:49 GMT

🤣🤣🤣🤣🤣🤣🤣

Re: SMB syslog doesn't log action

John_Fleming — Tue, 04 Feb 2020 18:16:56 GMT

Yeah, I did open a ticket. The reply was R&D will not be fixing this, its a known issue and i'll need to submit a RFE.

Also I can't use log exporter because there is no mgmt server involved (this is local mgmt).

Re: SMB syslog doesn't log action

John_Fleming — Tue, 04 Feb 2020 18:28:24 GMT

yeah that's a bit strange (to say which do log action). It would make more sense to say of the ones that do send syslog which "don't" indicate what the action was. I mean I can't see why the action would be more or less valuable then the source / destination if the concern was somehow information leakage. As it stands I see no way to get logs off a local manged SMB that are of any use.

Its like I need to pay a management server tax to have external logs. I mean the webui is basically useless for any in depth research since the query language only supports a single element. (src, dst, product etc).

Re: SMB syslog doesn't log action

HristoGrigorov — Tue, 04 Feb 2020 18:33:16 GMT

I do not remember quite well but I think in R77.20 GE there is action field in syslog records.

Re: SMB syslog doesn't log action

John_Fleming — Tue, 04 Feb 2020 22:23:05 GMT

You are %100 correct. Just tested R77.30 open server.

Syslog logs accept and drop messages.

R80.20 open server. Not it doesn't, yes we know, we're not fixing it, go get RFEed.

Re: SMB syslog doesn't log action

Max_Baumgarten — Tue, 04 Feb 2020 22:46:32 GMT

Obviously, you don't need that syslog information to protect against GEN 6 attacks....

Re: SMB syslog doesn't log action

HristoGrigorov — Wed, 05 Feb 2020 04:22:37 GMT

There must be a technical explanation as to why it was dropped. May be because of the layered policy... I hope R&D is monitoring this thread and will provide some details about this.

Re: SMB syslog doesn't log action

Pedro_Espindola — Wed, 05 Feb 2020 17:49:06 GMT

My 14XX with R77.20.87 are working fine.

Are you using 15XX appliances? Must be an issue with the new R80.20 generation.

Re: SMB syslog doesn't log action

Max_Baumgarten — Wed, 05 Feb 2020 17:53:47 GMT

We've confirmed it does not work in r80.xx, but used to work in r77. For some unknown reason, this was removed and apparently there are no plans to ever add it back.

Re: SMB syslog doesn't log action

John_Fleming — Wed, 05 Feb 2020 17:55:49 GMT

Correct, it think the core issue is R80.20. I would down grade to R77.20 if that was an option at this point. I'm reaching out to some folks deeper in the org. If this can't be fixed I'm replacing these SMB devices with a different vendor.

Re: SMB syslog doesn't log action

HristoGrigorov — Wed, 05 Feb 2020 19:10:36 GMT

Go for PaloAlto Networks. These guys have some impressive syslogging:

https://docs.paloaltonetworks.com/pan-os/8-1/pan-os-admin/monitoring/use-syslog-for-monitoring/syslog-field-descriptions/traffic-log-fields

Re: SMB syslog doesn't log action

John_Fleming — Wed, 05 Feb 2020 19:55:39 GMT

yes they do. That is a lot of data though. I wonder if they're using tcp syslog to avoid fragmenting the messages.

Re: SMB syslog doesn't log action

Barel_Tkach — Wed, 05 Feb 2020 23:23:49 GMT

Thank for raising this issue.

From a quick internal investigation it seems this limitation was inherited from R80.20 enterprise version syslog feature.

We are learning it in order to provide a solution.

Re: SMB syslog doesn't log action

John_Fleming — Wed, 05 Feb 2020 23:34:22 GMT

That is awesome and thank you so much for the update. Should my SR be re-opened?

Re: SMB syslog doesn't log action

Barel_Tkach — Thu, 06 Feb 2020 14:59:18 GMT

Yes.