Create a Post
cancel
Showing results for 
Search instead for 
Did you mean: 
sajin
Contributor
Jump to solution

Smart Event not showing Accepted Log

Smart Event not showing Accepted and the Clean up rule is ANY ANY ALLOW. 

In the Event when i select the policy package in the filter, the ACCEPT logs shows 0. I changed the Log  to Detailed and Extended and after the Accept log was available but when expanding the logs again it shows only DETECT logs.

Please any one help on this issue.

1 Solution

Accepted Solutions
Dror_Aharony
Employee Alumnus
Employee Alumnus

What Phoneboy suggested is the older but possible option to correlate FW logs into Correlated Events that the SME will show (should work).

the better R80.10 & above alternative option is to generate a 'Session' log from your FW Rulebase policy, as All Session logs are indexed & shown by the SME.

using this method, you can decide which rules specifically to log into Session logs to also get indexed & shown by the SME.

How-To: Relevant rule > Track > R-Click > More > Activate log 'per Session'.

I'd advise to disable the 1st suggested option of activating Consolidated FW Sessions, if you decide on the 2nd Rulebase 'per Session' option, as it only puts an unnecessary load on your SME server to consolidate All FW logs into correlated events.

 

 

 

 

View solution in original post

0 Kudos
11 Replies
PhoneBoy
Admin
Admin
Generally firewall logs are NOT correlated by SmartEvent by default.
They must be enabled in the Event Policy.
sajin
Contributor

Is the above solution works for Rule Name and Rule Number Filter as am not able to filter with these two option.

PhoneBoy
Admin
Admin

You need to ensure Firewall Sessions are correlated (they are not by default).
Click on Logs and Monitor > New Tab > SmartEvent Settings and Policy and enable Firewall Sessions as shown.
Push the Event Policy afterwords.

Capture.PNG

abihsot__
Advisor

Hello,

I did it as per screenshot, however I don't see any events from firewall blade.  Am I missing something more? 

PhoneBoy
Admin
Admin
What is it that you're actually trying to get from SmartEvent related to these logs?
0 Kudos
Mark_Metry
Employee
Employee

Does this setting have any effect if enabling in a completely R80 environment? Is it possible, in all R80 environment, to have Firewall logs with type:Control processed by SmartEvent?

0 Kudos
PhoneBoy
Admin
Admin

What are you hoping to get out of those logs in particular?
Yes, the only way they'd get processed by SmartEvent is if that option is enabled.

0 Kudos
Mark_Metry
Employee
Employee

For example, I would like to trigger a correlated event when there is a cluster failover (those logs have type=control).

0 Kudos
tpoole_global
Employee
Employee
SE does not correlate standard fw logs by default.
Dror_Aharony
Employee Alumnus
Employee Alumnus

What Phoneboy suggested is the older but possible option to correlate FW logs into Correlated Events that the SME will show (should work).

the better R80.10 & above alternative option is to generate a 'Session' log from your FW Rulebase policy, as All Session logs are indexed & shown by the SME.

using this method, you can decide which rules specifically to log into Session logs to also get indexed & shown by the SME.

How-To: Relevant rule > Track > R-Click > More > Activate log 'per Session'.

I'd advise to disable the 1st suggested option of activating Consolidated FW Sessions, if you decide on the 2nd Rulebase 'per Session' option, as it only puts an unnecessary load on your SME server to consolidate All FW logs into correlated events.

 

 

 

 

0 Kudos
abihsot__
Advisor

Very nice! This is exactly what I wanted. Now in SmartEvent I can see statistics of how many connections were made and how much data was transferred. Thanks!

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

Upcoming Events

    CheckMates Events