Sandblast for Office 365 Log Transport Agent

Kim_Moberg · ‎2018-02-02

Hi,

I have been reading the administration guide for Sandblast Cloud, and I want to push logs to our gateway mgmt log server on R80.10.

I am confused about why it is mention installation on linux or windows.

doesnt it run on gateway mgmt?

Text from the guide.

The Log Transport Agent (LTA) utility transfers logs from your SandBlast Cloud account to a designated Log Server inside your internal corporate network. By default, logs are stored in the SandBlast Cloud for 30 days before being marked for deletion. Logs are generated each time SandBlast Cloud checks an email.

The designated Log Server can be:

A Check Point Log Server
A Check Point Security Management Server that also functions as a Log Server

Best practice is to run the Log Transport Agent directly on your designated Log Server.

Anyone managed to have it installed to R80.10? I know of R77.30 one have to installed a plugin into mgmt to be able to connect to the office 365 instance to get centralized logs.

Thanks

Best Regards
Kim

Kim_Moberg · ‎2018-03-14

Together with out CP partner I have managed to configure a Log Transport Agent (LTA) on my Mgmt server. We had to configured OPSEC object and the establishmentet OPSEC SIC betweeen gateway mgmt server and the LTA.

It is now getting data pushed from Cloud.checkpoint.com BUT No logs importen into my gateway mgmt log.

There have been upgraded in sandblast for o365 LTA and now still awaits a fix for our r80.10 gateway management.

Does anyone know how to search sandblast o365 logs in smartlog/SmartEvent?

Thanks

Best Regards
Kim

Kim_Moberg · ‎2018-05-17

new update!!!

issue have been solved.

One need to ask for a HF to R80.10 specific running Take installed on the management server. Ask for HF to solve LEA and LTA issue. For R80.10 take 91, one need to have fw1_wrapper_hotfix_r80_10_JHF_T91_465_GA installed.

R&D promised it is part of the roadmap but not yet part of the Take 103.

As soon HF is installed and cental mangement server have been started, logs LTA are imported.

This is an example of a log from sandblast for O365.

I am running the LTA agent on the central management server, and then pushed the data into the solr database.

I was hoping the Origin was the cloud server "CLOUD-gr-lucy-mta365-9.checkpoint.com" but instead it is my server where the logs are entered to actually "gwmgmt".

Hope someone find this usefull..

Thanks

Best Regards
Kim

GG27 · ‎2018-08-06

I faced out the same problem and investigating the LOG for the LTA, I get messages like "ERROR: No data" or "ERROR: Empty data".

It worked for a couple of days when I started using to send logs from sandblast O365 to my log server.

The log server run R80.10 with jumbo take 112.

I looked for the HF you mentioned but I didn't find any information about this.

moreover the SK about the jumbo take doesn't describe any issued fixed from T91 to T112 for the LEA or LTA.

Kim_Moberg · ‎2018-08-06

Hi Giunluca

You will need to run a hotfix that solves this LTA issue.

I had to Create a tac case to have them create the hotfix for take 91.

I am not yet sure if it have been solved in take 112.

BR

Kim

Best Regards
Kim

GG27 · ‎2018-08-09

Hi Kim

I'm investigating the issue with the TAC and he asked to change the web_server pointer in settings files.

Now I don't have the problem related to fetch the logs, but my log server doesn't write the log gathered from cloud

new news will be posted further. 🙂

Are you a member of CheckMates?

Sandblast for Office 365 Log Transport Agent