This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Scottc98
Advisor
‎2023-11-14 09:40 AM
Jump to solution

SmartEvent on Management HA - Logging question

I have a few questions regarding Smartevent running on a Management HA setup (Smart-1 appliances).

Summary

  • Two Smart-1 5150 appliances in Management HA  
    • One of which "appliance A" (primary) is running Smartevent + Correlation and logging
      • Smartevent activated this morning
    • The other "appliance B" (secondary) is secondary management + logging
  • For logging, the GWs in the field are split on the 'primary/secondary' logging
    • 50% have appliance "A" has their primary logging, with appliance 'B' as the backup
    • 50% have appliance "B" has their primary logging, with appliance 'A' as the backup
    • This was done to maximize the log storage and spread the load.

 

Questions

  1. Will there be any issues with Smartevent views or reports for GW logs on the secondary box?
    1. Since the primary logs for those GWs sit on that box itself
  2. Is there anything needed on the secondary post activation needed to synch up?
    1. Is there a requirement of a "install database" on just the Smart-1 we activated Smartevent on or was it also required on the secondary?

It 'feels' like the views and reporting here isn't showing all of the GWs and wasn't sure if it was something missed here or if this not allowed by some design (i.e  Smartevent required to be on its own server to see any other logs outside of "appliance A" here.

 

My past experience has been  just standalone Smart-1 (no HA) or case where we had a standalone logger + Smartevent VM and a Management VM (which also was the secondary logger).    Both cases i haven't seen any issues.  

I wasn't sure if this is something I just need to provide some time to gather since we just activated it this a few hours back but wanted to make the ask now to see if there was any CP or community feedback known just in case 😉

 

Thanks in advance 

 

 

 

0 Kudos
1 Solution

Accepted Solutions
PhoneBoy
Admin
Admin
‎2023-11-14 04:44 PM
Jump to solution

In a Management HA environment, it is only supported to enable SmartEvent on the Primary.
A separate server is recommended.
See: https://support.checkpoint.com/results/sk/sk25164 

View solution in original post

8 Replies
PhoneBoy
Admin
Admin
‎2023-11-14 04:44 PM
Jump to solution

In a Management HA environment, it is only supported to enable SmartEvent on the Primary.
A separate server is recommended.
See: https://support.checkpoint.com/results/sk/sk25164 

emmap
MVP Gold CHKP MVP Gold CHKP
MVP Gold CHKP
‎2023-11-14 10:07 PM
Jump to solution

1.1: No, SME will correlate logs from all the log servers you tell it to in the event policy.

2.1: Yes, the secondary needs an install database so it knows about SME being active on the primary.

0 Kudos
Tomer_Noy
MVP Gold CHKP MVP Gold CHKP
MVP Gold CHKP
‎2023-11-15 01:40 AM
In response to emmap
Jump to solution

Indeed, as answered above, the setup should work and SmartEvent should read the logs from the secondary MGMT (which is also a log server).
Also, Install DB is needed on both machines.

Another useful tip is that if you want to leverage both machines and spread the logs without manually defining groups of gateways that log to different servers, you can leverage the Log Distribution feature. It's a simple checkbox in the Logs page of the gateway object (where you set the log servers) and it will cause the gateway to "load balance" the log servers and split the logs between them. The balancing is automatic so if one server is too loaded, more logs will be sent to the other.

Also, if one log server goes down, all logs will automatically be sent to the other. In terms of capacity though, you need to make sure that one log server is sized to handle the entire estate, if you need to be able to function properly in case one server is down.

0 Kudos
Scottc98
Advisor
‎2023-11-15 07:09 AM
In response to emmap
Jump to solution

@emmap 

Ah....

On point #1, are you refering to within the smartevent console and going to "general settings => Initial Settings => correlation Units" and adding in the 2nd logger/management server?

Right now, its just the main logger/management where we installed Smartevent.  

 

On #2, we did 'install database' on both during implementation.     If #1 is correct, will that be required again or will it just require the publish of the smartevent policy?

 

0 Kudos
PhoneBoy
Admin
Admin
‎2023-11-15 10:01 AM
In response to Scottc98
Jump to solution

If you're changing if SmartEvent is running on a given node, an Install Database is probably necessary. 

0 Kudos
Scottc98
Advisor
‎2023-11-15 10:35 AM
In response to PhoneBoy
Jump to solution

Changing on where Smartevent is running is not concerned.   The SK you provided earlier clarifies that....thank you 🙂

The concern I have to date is the lack of logs from the 2nd logger.   The install of Smartevent and the correlated units took care of the main server.   I just need to understand if the missing step mentioned on the 2nd one is where I am missing the piece.

 

https://sc1.checkpoint.com/documents/R81.20/WebAdminGuides/EN/CP_R81.20_LoggingAndMonitoring_AdminGu...

From the logging guide and Smartevent, it mentions this portion that seems related to my issue:

*****

 

Advanced Configuration for a dedicated SmartEvent Server that is also a Correlation Unit

  1. Open the SmartEvent GUI:

    1. In SmartConsole > Logs & Monitor, click + to open a catalog (new tab).

    2. Click SmartEvent Settings & Policy.

  2. In Policy tab > Correlation Units, define a Correlation Unit object.

  3. Select the production Log Servers and local Log Server on the SmartEvent Server to read logs from.

  4. In Policy tab > Internal Network, define the internal Network.

  5. Click Save.

  6. Install the Event Policy

    Scottc98_0-1700073086768.gif

     

     on the Correlation Unit:

    SmartEvent menu > Actions > Install Event Policy.

*******

Under that Correlation units section today, i have the following after the initial install

Correlation UnitLog ServerOrigin Type
Smart1-MainSmart1-MainManually created
   

 

Is this the case where I just need to 'edit' this one correlation unit and add the 2nd log server?

Correlation UnitLog ServerOrigin Type
Smart1-MainSmart1-Main, Smart1-SecondaryManually created
   

 

 

0 Kudos
emmap
MVP Gold CHKP MVP Gold CHKP
MVP Gold CHKP
‎2023-11-23 07:39 PM
In response to Scottc98
Jump to solution

Yes you should add the second log server as a place to correlate logs from. You should be find to just do that and install the event policy to get that going, but an install database won't hurt anything.

Scottc98
Advisor
‎2023-11-28 07:35 AM
In response to emmap
Jump to solution

Thanks 🙂 

Its been updated and looks to be reporting properly now.  That was the missing step 😉

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events