Smartevent not showing any allowed traffic. Only dropped and detected

Blew away our old Smartevent server yesterday and built a new one running R80.10. Fresh install.

Running a separate management and Smartevent server

Did the SIC, licensing, install database and let it do its thing.

 

I seem to be getting logs but the accept logs stopped after a day. I had run some commands to import the previous month's logs. Changed the $INDEXERDIR/log_indexer_custom_settings.conf so that it would index 28 days.

Today I wiped it and tried again. Figured I messed something up on it which caused the stoppage.

Setup went fine with no errors. Hooked up to MGMT server and logs are importing. Problem is that only drop and detect logs are entered again. No allowed logs.

 

Any idea on how to get the other logs to show up?

Re: Smartevent not showing any allowed traffic. Only dropped and detected

I would suggest involving TAC here - it should easily be resolved in a quick RAS...

Re: Smartevent not showing any allowed traffic. Only dropped and detected

Problem Solved

 
I did some googling and eventually came across this.
 
Deploying SmartEvent

SmartEvent Server is integrated with the Security Management Server architecture. It communicates with Security Management Log Servers to read and analyze logs. You can enable SmartEvent on the Security Management Server or deploy it as a dedicated server.

You can deploy R80 SmartEvent on a dedicated server and connect it to Security Management Servers or Multi Domain servers of version R77.xx (or earlier). This lets you extend an R77.xx environment with the new capabilities of R80 SmartEvent.

Only a Security Management Server can also work as a SmartEvent Server. In a Multi-domain environment, you must install SmartEvent on a dedicated server.

Note - For R80, SmartReporter functionality (to generate reports on firewall and VPN activity) is integrated into SmartConsole. To enable this functionality, activate the firewall session event on the SmartEvent Policy tab. Select and enable Consolidated Sessions > Firewall Session. 

 
 
That fixed it.
 
 
It also explains why I got some logs previously which then stopped. I had enabled everything on the policy tab and ended up disabling this one when it caused a ton of spam.
I guess it needs to stay on but just not send me mail. lol.
 
Either way things are working fine now. 
 

 
