Logging and Reporting

Have questions about viewing logs with SmartView, generating reports with SmartEvent Event Management, or exporting logs to a SIEM with Log Exporter? This is where to ask!

sajin
sajin inside Logging and Reporting an hour ago
views 2019 7 1

Smart Event not showing Accepted Log

SmartEvent is not showing Accepted logs, and the Cleanup rule is ANY ANY ALLOW. In SmartEvent, when I select the policy package in the filter, the ACCEPT logs show 0. I changed the Log setting to Detailed and Extended, and after that the Accept log was available, but when expanding the logs again it shows only DETECT logs. Please, can anyone help with this issue?
Henning_Aga
Henning_Aga inside Logging and Reporting 5 hours ago
views 683 3 1

Cannot add log server to smartevent

We have configured SmartEvent R80.10 (dedicated) and, by following sk110894, gotten a few domains and logs into SmartEvent. (We get the "Correlating logs to events. The log correlation unit is not able to read logs from Log server: . Please run 'cpstat cpsead'" message, but we see logs and events, so we're assuming this is cosmetic.) However, so far we are _only_ able to add logs from domains where the firewalls log to a dedicated log server. If the firewalls in the domain we add log to the management, it does not appear in "General settings -> Initial settings -> Correlation Units -> Add" (selecting a domain where the firewalls log to the management, not to a dedicated log server). Has anybody seen anything similar?
Juraj_Skalny
Juraj_Skalny inside Logging and Reporting yesterday
views 274 5 4

DNS Trap Protection

Hello Guys, I would like to follow up on the following posts:
https://community.checkpoint.com/t5/Logging-and-Reporting/Threat-Prevention-dns-trap-and-resource-categorization/td-p/18638
https://community.checkpoint.com/t5/IPS-Anti-Virus-Anti-Bot-Anti/Some-DNS-request-not-block-by-AV-blade/m-p/26588#M784

What we would like to find out is how long the firewall keeps the information about a malicious domain in cache. The DNS request is changed to the Bogus IP by the firewall as long as the malicious domain is in cache. The problem we see is that the cache is maybe too short, as "Connection was allowed because background classification mode was set. See sk74120 for more information." appears in the logs too often for the same malicious domain. We would expect to see this classification event once and then lots of changes to the Bogus IP. But that is not the case. There is no documentation on CP covering this info or how to change it. Or we have just overlooked it. In our understanding, this way lots of malicious activities are just allowed, only because the firewall needs to let the DNS resolution requests go, because those need to be classified in the first place over and over again.

Thanks and regards, Juraj
PeterH
PeterH inside Logging and Reporting Friday
views 55 1

Syslog Parser for Juniper SRX

I tried to parse syslog messages from SRX devices into Check Point SmartLog. The following fields are working well: Time, Blade, Origin, Action, Source, Destination. Now I would like to integrate the service as well as the whole NAT xlates. The syslog stream looks like this:

Regards,
Peter
Michal_Gans
Michal_Gans inside Logging and Reporting Friday
views 87 3

Export log from ChP EndPoint management to central ChP management by Log Exporter

Hi,
The customer has two Multi-Domain Management Servers to control all ChP gateways; these two MDSs are connected with SmartEvent. He also has one Single Domain Management server just for Endpoint Security. I would like to start forwarding all logs from the SDM to the MDM (a specific CMA). Something similar is described in sk35288, but it's not the same and it's not a very elegant way to do it. I would prefer to use Log Exporter for it, but TAC told me that this is not a supported solution. To be honest I don't understand why; the management can already receive syslog, so it's all about sending it in the right format (it should be easy to implement in Log Exporter). I would like to know if any of you have a similar problem to mine and, if so, how you solved it.
Bishal_Upadhyay
Bishal_Upadhyay inside Logging and Reporting Friday
views 1856 13 3

Smartview stuck as loading smartview.. in R80.20

SmartView is not working in the new Logs tab, and it is also not loading via https://<Mgmt IP>/smartview. The warning that appears is attached herewith. We are running a distributed architecture with firewalls in high availability, running Gaia OS R80.20. We tried disabling and enabling the SmartEvent blades on the Mgmt. We also tried evstop and evstart, and $RTDIR/scripts/stopSmartView and $RTDIR/scripts/startSmartView.
israelgl
israelgl inside Logging and Reporting Thursday
views 81 2

Report\View - unable to filter ssh_version_2 service

Hey all,
I tried to create a report on ssh_version_2 traffic and was unable to filter it. When I filtered by ssh, I only saw SSH v1 traffic that was blocked, because SSH v1 is not allowed by policy. But no matter how I tried to filter the report, to all SSH traffic or to ssh_version_2 traffic, I didn't get any results for SSH version 2. In the logs I see the ssh_version_2 logs, and I can filter the logs by this service. Any idea why it's acting like this?
Dan_Zada
inside Logging and Reporting Thursday
views 2567 30 9
Employee+

Log Exporter Filtering

Hello all,
I'm happy to inform you that we added a new feature to the Log Exporter: the ability to filter logs. Starting today, you will be able to configure which logs will be exported, based on fields and values, including complex statements. More information, including basic and advanced filtering instructions, can be found in SK122323. If you have any question or comment, let me know.
Thanks!
Dan.
brk_01
brk_01 inside Logging and Reporting Wednesday
views 114 2

fw monitor - traffic dropped after i

I have IKE (udp/500) traffic coming in, and it's getting dropped after "i" in fw monitor. Logs show that it was being dropped due to CPearlydrop. I changed early drop optimization to 0 so I can see it in the logs, and it's just bypassing my rule and hitting the default drop any.

[vs_0][fw_33] eth1-01:i[492]: x.x.x.x -> y.y.y.y (UDP) len=492 id=30892
UDP: 500 -> 500
[vs_0][fw_3] eth1-01:i[492]: x.x.x.x -> y.y.y.y (UDP) len=492 id=31502
UDP: 500 -> 500

In my rule, I'm allowing x.x.x.x to y.y.y.y (which is static NAT), with IKE, gIKE, udp/500, udp/4500 all allowed. Can't figure out what I'm missing here.
Marek_Pietrulew
Marek_Pietrulew inside Logging and Reporting Wednesday
views 2228 7 6

CPview and Top-connections in R80.20

Hi,
We recently upgraded from 80.10 to 80.20 and noticed that the BW Top-Connections view has been removed from CPView. There is only top-connections information in regards to CPU utilization. Where can we quickly get BW top-connections info in R80.20 from the CLI?
Regards,
Marek
Rodarcqu
Rodarcqu inside Logging and Reporting Wednesday
views 203 4

vlan consumption customer report

Hello, I am trying to create a custom report for the IP range 10.10.3.0/24. I want to see everything that was consumed during a month by that network; is that possible? I do not want to take just one sample; I want it to take all the resources that the network traffic consumed during a month and show all of them in a single column, not just a sample.
Best Regards,
Danish_Javed1
Danish_Javed1 inside Logging and Reporting Tuesday
views 165 2

Checkpoint Integration with Solarwinds

Hello,
I have 2 CP 5900 GWs in VSX managed by SmartConsole; the OS is R80.10. I am trying to integrate these with Solarwinds. I have enabled VS mode in each gateway's SNMPv3 configuration. However, I cannot see any VS-specific data in Solarwinds, nor the VS interfaces; only the gateway interfaces are visible. Am I missing something in the configuration? Thanks
Ni_c
Ni_c inside Logging and Reporting Monday
views 3296 8 1

MAC Info is missing in Log Profile

Hi Mates,
I have a problem seeing MAC address information in the logs, even though the MAC address feature is added to the profile. Could anyone help me find it, or tell me if I missed anything here? Thanks in advance.
custodio_khho
custodio_khho inside Logging and Reporting Monday
views 161 1

Meaning of "0" in xlate fields

I have received a log which records an outgoing connection from my network. The log entry looks like this:

"time=1573109409|hostname=xxxxx| .... |version=5|dst=23.227.38.64| .... |action=accept| .... |proto=6|s_port=43953|service=80|service_id=http|src=192.168.10.130|xlatedport=0|xlatedst=0.0.0.0|xlatesport=0|xlatesrc=192.200.135.180|"

I have a valid value for xlatesrc, meaning NAT is properly done. However, I see xlatesport as '0', which does not make sense. Can someone enlighten me as to when I will see a value of xlatesport=0? Thanks.
Keld_Norman
Keld_Norman inside Logging and Reporting Monday
views 15739 11 9

How to add a new disk and expand the log file system

Here is a small guide on how to add a new disk >2 TB to your firewall and expand the size of /var/log.

Check if we are running a 64-bit kernel (it is needed for handling >2TB disk sizes):

[Expert@firewall:0]# uname -a
Linux firewall 2.6.18-92cpx86_64 #1 SMP Sun Jan 21 10:26:26 IST 2018 x86_64 x86_64 x86_64 GNU/Linux

List the disks with fdisk -l or parted -l:

[Expert@firewall:0]# parted -l
Model: Msft Virtual Disk (scsi)
Disk /dev/sda: 100GB
Sector size (logical/physical): 512B/512B
Partition Table: msdos
Number  Start   End     Size    Type     File system  Flags
 1      32.3kB  313MB   313MB   primary  ext3         boot
 2      313MB   8900MB  8587MB  primary  linux-swap
 3      8900MB  107GB   98.5GB  primary               lvm

Model: Msft Virtual Disk (scsi)
Disk /dev/sdb: 34.4GB
Sector size (logical/physical): 512B/512B
Partition Table: msdos
Number  Start   End     Size    Type     File system  Flags
 1      65.5kB  34.4GB  34.4GB  primary  ntfs

Model: Msft Virtual Disk (scsi)
Disk /dev/sdc: 4295GB   <-- THIS IS THE NEW DISK
Sector size (logical/physical): 512B/512B
Partition Table: gpt
Number  Start   End     Size    File system  Name     Flags
 1      1049kB  4295GB  4295GB               primary  lvm

Now to the LVM part.

Prepare the new disk to be used in LVM using the parted utility:

[Expert@firewall:0]# parted -s /dev/sdc mklabel gpt
[Expert@firewall:0]# parted -s /dev/sdc unit mib mkpart primary 1 100%
[Expert@firewall:0]# parted -s /dev/sdc set 1 lvm on
[Expert@firewall:0]# # Ask the kernel to re-read the partition table
[Expert@firewall:0]# partprobe

One could skip this step of creating a logical volume and just add the "lvm physical disk" created in the next step, but I do it this way to ensure there is information on the disk (about it being used), so when other sysadmins or tools list the disk they can see the partition on the disk instead of a disk that appears empty; this might stop them from assuming it is "free" to use.

Creating the LVM disk and adding it to the existing volume group:

[Expert@firewall:0]# # Tag/prepare/reserve the disk so it can be used in the LVM/VG
[Expert@firewall:0]# pvcreate /dev/sdc1
[Expert@firewall:0]# # Then add the new LVM disk to the volume group
[Expert@firewall:0]# vgextend vg_splat /dev/sdc1

Now I will list the current location of /dev/vg_splat/lv_log (that is where the /var/log file system resides) and see where the data is placed on the two disks I now have in the volume group vg_splat. My goal is to have the log file system reside on the new disk only and not on the OS disk.

List the current location of the /var/log file system (the lv_log logical volume):

[Expert@firewall:0]# lvs -o +devices   # use "pvdisplay -m" for a more detailed view
  LV         VG       Attr   LSize  ...  Devices
  lv_current vg_splat -wi-ao 20.00G      /dev/sda3(0)
  lv_log     vg_splat -wi-ao 63.00G      /dev/sda3(640)   <-- Now we want to move this data to sdc1

(The above command shows that lv_log resides on disk sda, partition 3 (/dev/sda3), and we want to move it to the new disk called sdc.)

Now let's move the existing /var/log data residing on the same disk as the operating system, to speed up the I/O and to ensure we only allocate data for log files on the new disk. We can do this in the background without blocking existing I/O during the move. I would recommend doing this in the background by adding the extra option "--background". That way you could also just disconnect the secure shell session and not need to wait for the command to finish (it could take hours to finish).

Move the existing log file system from the system disk to the dedicated logfile disk (shown as a foreground process):

[Expert@firewall:0]# # NB: I recommend adding the extra option --background to the below command
[Expert@firewall:0]# #                        Move [FROM disk] [TO disk]
[Expert@firewall:0]# pvmove -n /dev/vg_splat/lv_log /dev/sda3 /dev/sdc1
  /dev/sda3: Moved: 0.6%
  /dev/sda3: Moved: 1.4%
  ...
  /dev/sda3: Moved: 100%

Then verify that the data has been moved correctly. List the location of the logical volumes again on the PV disks:

[Expert@firewall:0]# lvs -o +devices
  LV         VG       Attr   LSize  Origin Snap%  Move Log Copy%  Devices
  lv_current vg_splat -wi-ao 20.00G                               /dev/sda3(0)
  lv_log     vg_splat -wi-ao 63.00G                               /dev/sdc1(0)   <-- Perfect

(The above command shows that lv_log only resides on /dev/sdc1 now.)

Now I want to expand the file system on THE NEW DISK only.

TIP: When you expand a filesystem on a logical volume you can utilize all the free space by using "100%FREE" (without the quotation marks) instead of my example below, where I use "+3910G". So let's expand the logical volume with /dev/sdc1 as an option.

Extend the log file system to utilize the new space:

[Expert@firewall:0]# lvextend -L +3910G /dev/vg_splat/lv_log /dev/sdc1
  Extending logical volume lv_log to 3.88 TB
  Logical volume lv_log successfully resized

Then we resize the file system to fit the logical volume.

Resizing the file system:

[Expert@firewall:0]# resize2fs /dev/vg_splat/lv_log
resize2fs 1.39 (29-May-2006)
Filesystem at /dev/vg_splat/lv_log is mounted on /var/log; on-line resizing required
Performing an on-line resize of /dev/vg_splat/lv_log to 1041498112 (4k) blocks.
The filesystem on /dev/vg_splat/lv_log is now 1041498112 blocks long.

Check that the data still resides on /dev/sdc1 for lv_log. List the LVM / PV location again:

[Expert@firewall:0]# lvs -o +devices
  LV         VG       Attr   LSize  Origin Snap%  Move Log Copy%  Devices
  lv_current vg_splat -wi-ao 20.00G                               /dev/sda3(0)
  lv_log     vg_splat -wi-ao  3.88T                               /dev/sdc1(0)

An extra check to see the file system size in human-readable format (-h). Verify that the log file system has been expanded:

[Expert@firewall:0]# df -h /var/log
Filesystem                       Size  Used Avail Use% Mounted on
/dev/mapper/vg_splat-lv_log      3.8T   40G  3.6T   2% /var/log

An extra check to ensure we can write to and read from the filesystem. Verify that the system can write to the file system:

[Expert@firewall:0]# touch /var/log/deleteme && ls -al /var/log/deleteme && rm /var/log/deleteme
-rw-rw---- 1 admin users 0 Oct 22 13:42 /var/log/deleteme
[Expert@firewall:0]# ls -al /var/log/deleteme
ls: /var/log/deleteme: No such file or directory

That's it.

A "Quickie" to run in expert mode:

parted -s /dev/sdc mklabel gpt
parted -s /dev/sdc unit mib mkpart primary 1 100%
parted -s /dev/sdc set 1 lvm on
partprobe
pvcreate /dev/sdc1
vgextend vg_splat /dev/sdc1
pvmove --background -n /dev/vg_splat/lv_log /dev/sda3 /dev/sdc1
lvextend -L +3910G /dev/vg_splat/lv_log /dev/sdc1
resize2fs /dev/vg_splat/lv_log

The end
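Added example, not part of Keld_Norman's post: a POSIX sh helper that parses `lvs -o +devices` output and refuses the lvextend step until every extent of lv_log sits on /dev/sdc1, since pvmove --background returns before the move has finished. The lvs text is constructed from the output shown in the post; the vg_splat, lv_log and /dev/sdc1 names are taken from it.

```shell
#!/bin/sh
# Gate the "expand on the new disk only" step on the state pvmove leaves behind.
# Constructed samples modelled on the `lvs -o +devices` output in the post:
# before the move, half-way through (one row per segment), and after it.
LVS_BEFORE='  LV         VG       Attr   LSize  Devices
  lv_current vg_splat -wi-ao 20.00G /dev/sda3(0)
  lv_log     vg_splat -wi-ao 63.00G /dev/sda3(640)'
LVS_MID='  LV         VG       Attr   LSize  Devices
  lv_current vg_splat -wi-ao 20.00G /dev/sda3(0)
  lv_log     vg_splat -wi-ao 63.00G /dev/sda3(640)
  lv_log     vg_splat -wi-ao 63.00G /dev/sdc1(0)'
LVS_AFTER='  LV         VG       Attr   LSize  Devices
  lv_current vg_splat -wi-ao 20.00G /dev/sda3(0)
  lv_log     vg_splat -wi-ao 63.00G /dev/sdc1(0)'

# Print the PVs backing LV $2 in lvs output $1, one per line, extent offsets
# stripped. lvs prints one row per segment, so a half-moved LV yields two rows.
lv_pvs() {
  printf '%s\n' "$1" | awk -v lv="$2" '$1 == lv { print $NF }' |
    tr ',' '\n' | sed 's/([0-9]*)$//' | sort -u
}

# Succeed only if every extent of LV $2 lives on PV $3 and nowhere else.
lv_only_on_pv() {
  backing=$(lv_pvs "$1" "$2")
  [ -n "$backing" ] && [ "$backing" = "$3" ]
}

# Only grow lv_log once it is entirely on the new disk; the grow itself uses
# 100%FREE (the tip in the post) restricted to /dev/sdc1. The lvextend is
# echoed rather than executed so the check can be exercised without LVM.
safe_extend() {
  if lv_only_on_pv "$1" lv_log /dev/sdc1; then
    echo "lvextend -l +100%FREE /dev/vg_splat/lv_log /dev/sdc1"
    return 0
  fi
  echo "refusing: lv_log still has extents on $(lv_pvs "$1" lv_log | tr '\n' ' ')" >&2
  return 1
}

# Typical use on the firewall: safe_extend "$(lvs -o +devices 2>/dev/null)"
```

On a real box, pipe the live `lvs -o +devices` output into `safe_extend` and only run the echoed lvextend line, followed by resize2fs, once it succeeds.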