This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
GeorgeF
Contributor
‎2023-11-08 10:24 PM
Jump to solution

Missing Logs - track long-lived TCP/IP connection

Hi Experts,

Recently we use TCP connection to forward syslogs from client to server (both are Linux OS). It is interesting that we can see from client and server (by TCPdump command) that the TCP connection is established and syslog data packet were forwarded/received properly.

While on the SmartConsole -> logs , we only see some intermittent logs, which should continuous ?
I thought when the client are forwarding syslogs, the data packet should be continuous( long-lived TCP/IP connection ?) I checked on the client, the logs did generate continuously.

 

I find some info from  https://support.checkpoint.com/results/sk/sk41248  , but it seems not mentioned how to track logs during long-lived TCP sessions.

Is it possible that the logs only track the TCP packet which has SYN ?  

 

Thanks very much 

Best regards

 

0 Kudos
1 Solution

Accepted Solutions
GeorgeF
Contributor
‎2023-11-09 02:35 PM
In response to PhoneBoy
Jump to solution

Hi,

Thanks very much for your reply.

As my understanding, it will generate a log when the TCP session is established. ( Yellow hightlighter)

 

TCP session.png

And if the connection keeps open and keeps forwarding log packets then it won't generate more logs.

Until the server or client initiate "CLOSING THE CONNECTION" , or some Time-Out triggered closing the session.

Next time when a new SYN -> SYN+ACK -> ACK established a new connection with a new source port ,  it will generate a new log.

Is it right ?  I think that would explain the intermittent logs perfectly.

 

Thanks again

 

 

 

View solution in original post

0 Kudos
3 Replies
PhoneBoy
Admin
Admin
‎2023-11-09 01:04 PM
Jump to solution

We generate a log upon first connection.
A session may consist of multiple connections (e.g. different elements on a webpage hosted in different places) which will update the existing log entry.
Likewise, if you have Accounting logging enabled or Detailed/Extended logging, the existing entry will update every 10 minutes.
These updates will be sent via Log Exporter as well.

0 Kudos
GeorgeF
Contributor
‎2023-11-09 02:35 PM
In response to PhoneBoy
Jump to solution

Hi,

Thanks very much for your reply.

As my understanding, it will generate a log when the TCP session is established. ( Yellow hightlighter)

 

TCP session.png

And if the connection keeps open and keeps forwarding log packets then it won't generate more logs.

Until the server or client initiate "CLOSING THE CONNECTION" , or some Time-Out triggered closing the session.

Next time when a new SYN -> SYN+ACK -> ACK established a new connection with a new source port ,  it will generate a new log.

Is it right ?  I think that would explain the intermittent logs perfectly.

 

Thanks again

 

 

 

0 Kudos
PhoneBoy
Admin
Admin
‎2023-11-09 08:25 PM
In response to GeorgeF
Jump to solution

You've got it right.

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events