This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Vengatesh_SR
Contributor
‎2018-08-08 12:21 PM
Jump to solution

Gateway cli login logs

Hi Guys,

1) We having the MDS setup and tacacs enabled on it.

2) Whenever the users are logged into gateway cli we are unable to see the logs in the smart view tracker --> mgmt tab.

3) Earlier it was reflecting with the information when the user logged and what the users have changed it on the cli.

4) Now we can see only the login and logout logs for the smart console not for the gateway cli.

5) we are using r77.30

Is the any way we can t.shoot it ?

1 Solution

Accepted Solutions
JozkoMrkvicka
Authority
Authority
‎2018-08-08 12:53 PM
Jump to solution

You will see in mgmt tab only logs related to MDS / CMA (for example policy push, creation/modification/deletion of rule, ...).

If you want to see what happened on CLI of gateway, check /var/log/messages.

For login (authentification) logs, check /var/log/secure.

Kind regards,
Jozko Mrkvicka

View solution in original post

11 Replies
JozkoMrkvicka
Authority
Authority
‎2018-08-08 12:53 PM
Jump to solution

You will see in mgmt tab only logs related to MDS / CMA (for example policy push, creation/modification/deletion of rule, ...).

If you want to see what happened on CLI of gateway, check /var/log/messages.

For login (authentification) logs, check /var/log/secure.

Kind regards,
Jozko Mrkvicka
Maarten_Sjouw
Champion
Champion
‎2018-08-08 01:22 PM
In response to JozkoMrkvicka
Jump to solution

Only problem with the /var/log/messages file is the size and  the number of saved revisions, which defaults to 64KB and 4 files. This can be easily adjusted with the command:

      /bin/log_start limit 0 8388608 10

This will set the filesize to 8MB and the number of files to 10.

you could use the followinf command to display all login and logout entries:

      cat message* | grep User

Regards, Maarten
0 Kudos
JozkoMrkvicka
Authority
Authority
‎2018-08-08 01:31 PM
In response to Maarten_Sjouw
Jump to solution

Or configure syslog server and send all syslog messages to it for further checks and better solution (filtering based on facility or severity).

Kind regards,
Jozko Mrkvicka
0 Kudos
Vladimir
Champion
Champion
‎2018-08-08 01:28 PM
Jump to solution

Try:

Vincent_Bacher
Advisor
Advisor
‎2018-08-08 01:41 PM
In response to Vladimir
Jump to solution

And maybe customize syslog as per sk92798 might be useful?

and now to something completely different - CCVS, CCAS, CCTE, CCCS, CCSM elite
Vladimir
Champion
Champion
‎2018-08-08 02:02 PM
In response to Vincent_Bacher
Jump to solution

Possibly, but I'm not sure how: The solution does allow for creation of additional syslog facilities and adjustments to the logs written to those, but I do not know how to specify which facility will be writing those messages to the CPlog.

0 Kudos
Vincent_Bacher
Advisor
Advisor
‎2018-08-08 02:05 PM
In response to Vladimir
Jump to solution

If i have time, I'll test in my VM lab environment.

and now to something completely different - CCVS, CCAS, CCTE, CCCS, CCSM elite
0 Kudos
Vladimir
Champion
Champion
‎2018-08-08 03:03 PM
In response to Vincent_Bacher
Jump to solution

Thanks! Let us know what you'll find out.

0 Kudos
Vincent_Bacher
Advisor
Advisor
‎2018-08-08 11:31 PM
In response to Vladimir
Jump to solution

That works partially. Just added a line to /etc/syslog.conf

user.info                       /var/log/messages

Log in is logged (log out as well)

Time:                   2018-08-09T06:17:57Z
Id:                     0a012804-8d8e-b307-5b6b-f8b500280000
Id Generated By Indexer:true
First:                  true
Sequencenum:            2
Default Device Message: <86>sshd[12082]: pam_unix(sshd:session): session opened for user admin by (uid=0)
Facility:               security/authorization messages
Syslog Severity:        Informational
Product Category:       OS
User:                   admin
Login Status:           succeeded
Action:                 Log In
Type:                   Log
Blade:                  Linux OS
Origin:                 gw
Product Family:         Network

and i see clish activity, for instance when deleting a route

Time:                   2018-08-09T06:18:26Z
Id:                     0a012804-8d0e-b407-5b6b-f8d20018000e
Id Generated By Indexer:true
First:                  true
Sequencenum:            2
Default Device Message: <13>clish[12138]: cmd by admin: Processing : set static-route 1.2.3.4/32 nexthop gateway address 1.1.1.1 off (cmd md5: 95155c9669bb592dc869622678b8c821)
Facility:               user-level messages
Syslog Severity:        Notice
Type:                   Log
Blade:                  Syslog
Origin:                 gw
Product Family:         Network
Description:            

but i don't see expert level activity. Just set an interface down using ifconfig and up again and nothing is displayed in syslog/SmartLog.

Don't know if more can be enabled, was just a quick test, cause i was interested.

and now to something completely different - CCVS, CCAS, CCTE, CCCS, CCSM elite
0 Kudos
B_P
Advisor
‎2018-12-26 09:51 AM
In response to Vladimir
Jump to solution

Is there a way to search SmartConsole for specific changes? For example, I changed a DNS entry via Gaia web and I can see it logged in SmartConsole, but I can't return the specific log via any kind of specific search -- i.e. my username, or "DNS" or anything really.

0 Kudos
JozkoMrkvicka
Authority
Authority
‎2018-08-08 10:20 PM
Jump to solution

How to export syslog messages from Security Gateway on Gaia OS to a Log Server and view them in Smar... 

Kind regards,
Jozko Mrkvicka
0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events