Create a Post
cancel
Showing results for 
Search instead for 
Did you mean: 
WarpTeam
Participant

how to see logs on smartevent only from a specific CMA of the MDSM

Hello,

We have made a deployment of a MDSM, log server and Smartevent. I´ve installed the smartevent in the global domain and a log server for each of the CMAs. Everything is working properly but when the administrators connect to the smartevent, they can see logs from all of the CMAs. This must be changed in a way that they can only see logs from their specific CMA.

Can anyone give me some insight on how to accomplish this?

Thank you .

Nuno

0 Kudos
5 Replies
Peter_Lyndley
Advisor
Advisor

Normally, the way I have seen it done before.... the administrators of SmartEvent, are global administrators and therefore its ok for them to set up SmartEvent with a view on all CMAs.

Then to view the data and create reports, you are doing this through a single CMA/SmartConsole so each person setting up reports is connecting to a single CMA (or more if they are superuser)

I dont see any need for an individual administrator for each CMA on SmartEvent unless you have a very specific scenario.

I dont believe it would be possible without an RFE (Request for Enhancement) via your local Check Point SE

0 Kudos
WarpTeam
Participant

I see your point but indeed the customer needs to see only the logs and events for the specific CMA he manages. For me this makes sense for a question of privacy and also to be more simple to make queries over the traffic that comes from each CMA.

PhoneBoy
Admin
Admin

You can set up a hard-coded filter on the server side for the relevant user.
This will ensure they only will be able to see logs from the relevant gateways;
https://community.checkpoint.com/t5/Management/Limited-Permission-Profile/m-p/32868 

(1)
WarpTeam
Participant

Hello PhoneBoy,

I´ve tried that with the following syntaxe:

<emailServer/>
<_timestamp_><![CDATA[2024-03-12T12:04:00Z]]></_timestamp_>
<filter><![CDATA[orig:FW-1 OR orig:FW-2 OR orig:CLU_FW]]
<field><![CDATA[user]]></field>
<value><![CDATA[silva.af]]></value>
</filter>
</user>
</users>

 

But the user still can see the logs from all the gateways in smartevent.

Any idea?

Thank you.

0 Kudos
PhoneBoy
Admin
Admin

Your syntax is incorrect...you should use origin instead of orig.

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

Upcoming Events

    CheckMates Events