https://community.checkpoint.com/t5/Spark-Firewall-SMB/What-happened-to-loguid-UUid-in-syslog-of-new-Quantum-Spark/m-p/193527#M9545 <P>Thanks for sharing! good to know <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span></P> Tue, 26 Sep 2023 00:19:45 GMT Tom_Hinoue 2023-09-26T00:19:45Z https://community.checkpoint.com/t5/Spark-Firewall-SMB/What-happened-to-loguid-UUid-in-syslog-of-new-Quantum-Spark/m-p/182990#M9000 <P>What happened to loguid/UUid in syslog of new Quantum Spark?</P> <P>In R77.20.87 for 700/1400 appliances there was the UUid field which could be used to correlate the delta logs.</P> <P>In the new versions there is no loguid or equivalent field. This means it is impossible to correlate a lot of information, such as the office mode IP of a user that connected to Remote Access VPN.</P> <P>This was a huge step backwards. The details of the logs have improved, but without this field to allow correlation the logs are useless.</P> Thu, 01 Jun 2023 21:05:59 GMT https://community.checkpoint.com/t5/Spark-Firewall-SMB/What-happened-to-loguid-UUid-in-syslog-of-new-Quantum-Spark/m-p/182990#M9000 Pedro_Espindola 2023-06-01T21:05:59Z https://community.checkpoint.com/t5/Spark-Firewall-SMB/What-happened-to-loguid-UUid-in-syslog-of-new-Quantum-Spark/m-p/182994#M9001 <P>What code version?<BR /><a href="https://community.checkpoint.com/t5/user/viewprofilepage/user-id/20406">@Amir_Ayalon</a>&nbsp;are you familiar with this issue?</P> Thu, 01 Jun 2023 22:12:35 GMT https://community.checkpoint.com/t5/Spark-Firewall-SMB/What-happened-to-loguid-UUid-in-syslog-of-new-Quantum-Spark/m-p/182994#M9001 PhoneBoy 2023-06-01T22:12:35Z https://community.checkpoint.com/t5/Spark-Firewall-SMB/What-happened-to-loguid-UUid-in-syslog-of-new-Quantum-Spark/m-p/182998#M9002 <P>R81.10.XX</P> <P>I still haven't tested the newest build from last month, but all the previous ones had this ussue.</P> Thu, 01 Jun 2023 22:18:52 GMT https://community.checkpoint.com/t5/Spark-Firewall-SMB/What-happened-to-loguid-UUid-in-syslog-of-new-Quantum-Spark/m-p/182998#M9002 Pedro_Espindola 2023-06-01T22:18:52Z https://community.checkpoint.com/t5/Spark-Firewall-SMB/What-happened-to-loguid-UUid-in-syslog-of-new-Quantum-Spark/m-p/186738#M9204 <P>R81.10.07 is also affected.</P> <P>Very frustrating, because log rate to SMP is limited to 10000/hour, which is very low, leaving huge gaps in logs.</P> <P>Also retention is less than a month.</P> <P>Plus I can't export from SMP to a SIEM.</P> <P>So exporting syslog was the best way to have a better log retention, which is is a MUST even for small organizations today due to new regulations.</P> Tue, 18 Jul 2023 18:13:17 GMT https://community.checkpoint.com/t5/Spark-Firewall-SMB/What-happened-to-loguid-UUid-in-syslog-of-new-Quantum-Spark/m-p/186738#M9204 Pedro_Espindola 2023-07-18T18:13:17Z https://community.checkpoint.com/t5/Spark-Firewall-SMB/What-happened-to-loguid-UUid-in-syslog-of-new-Quantum-Spark/m-p/193522#M9544 <P>I received a solution from TAC a few days ago.</P> <P>This solution does not survive upgrades and they still haven't confirmed if it will be made default in the next builds.</P> <P>Here is the procedure to enable this field:</P> <P><SPAN class="uiOutputText">Access vis SSH to<SPAN>&nbsp;</SPAN></SPAN><STRONG><SPAN class="uiOutputText">/opt/fw1/conf/log_fields.C</SPAN></STRONG></P> <P><SPAN class="uiOutputText">Search for</SPAN><STRONG><SPAN class="uiOutputText"><SPAN>&nbsp;</SPAN>:field_name (uuid)</SPAN></STRONG></P> <P><SPAN class="uiOutputText">Change:</SPAN></P> <P><SPAN class="uiOutputText">:application_display_mode<SPAN>&nbsp;</SPAN></SPAN><STRONG><SPAN class="uiOutputText">(none)</SPAN></STRONG></P> <P><SPAN class="uiOutputText">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;:application_name (FWLog)</SPAN></P> <P><SPAN class="uiOutputText">To:</SPAN></P> <P><SPAN class="uiOutputText">:application_display_mode</SPAN><STRONG><SPAN class="uiOutputText"><SPAN>&nbsp;</SPAN>(own_column)</SPAN></STRONG></P> <P><SPAN class="uiOutputText">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;:application_name (FWLog)</SPAN></P> <P><SPAN class="uiOutputText">Then run</SPAN><STRONG><SPAN class="uiOutputText"><SPAN>&nbsp;</SPAN>sfwd_restart</SPAN></STRONG></P> Mon, 25 Sep 2023 22:17:27 GMT https://community.checkpoint.com/t5/Spark-Firewall-SMB/What-happened-to-loguid-UUid-in-syslog-of-new-Quantum-Spark/m-p/193522#M9544 Pedro_Espindola 2023-09-25T22:17:27Z https://community.checkpoint.com/t5/Spark-Firewall-SMB/What-happened-to-loguid-UUid-in-syslog-of-new-Quantum-Spark/m-p/193527#M9545 <P>Thanks for sharing! good to know <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span></P> Tue, 26 Sep 2023 00:19:45 GMT https://community.checkpoint.com/t5/Spark-Firewall-SMB/What-happened-to-loguid-UUid-in-syslog-of-new-Quantum-Spark/m-p/193527#M9545 Tom_Hinoue 2023-09-26T00:19:45Z