Maik inside Logging and Reporting 18 hours ago
Logging statistics | MDM R80.20 - question regarding the actual rates

Hello guys,

I have a question regarding the measurement of incoming logs, let's say some kind of "rate" of logs per second or minute. Related to that I have found two SKs:

- sk88681 [How to calculate/count the total amount of FireWall Logs per second that arrive to Security Management Server]
- sk120341 [How to monitor the Log Receive Rate on Management Server / Log Server R80 and above]

The interesting thing is that both SKs are valid for R80.20 and also apply to MDM environments, such as the current case where I want to use this. However, here is the example output of one of my domains:

sk120341 output:

    [Expert@MDMSERVER:0]# cpstat mg -f log_server
    Log Receive Rate: 50
    Log Receive Rate Peak: 4722
    Log Receive Rate Last 10 Minutes: 57
    Log Receive Rate Last Hour: 59

    Log Server Connected Gateways
    ----------------------------------------------------------------------------
    |Name          |State    |Last Login Time          |Log Receive Rate|
    ----------------------------------------------------------------------------
    |Local Clients |Connected|N/A                      | 0              |
    |VSX-GW-A      |Connected|Wed Aug 14 10:57:19 2019 | 0              |
    |VSX-GW-B      |Connected|Fri Aug 9 11:28:53 2019  | 50             |
    ----------------------------------------------------------------------------

sk88681 output:

    [Expert@MDMSERVER:0]# ls -l fw.logptr ; sleep 180 ; ls -l fw.logptr
    -rw-r--r-- 1 admin root 18895720 Sep 19 12:18 fw.logptr
    -rw-r--r-- 1 admin root 18972856 Sep 19 12:21 fw.logptr

    (18972856 - 18895720) / (4 * 180) = about 107

I have run these commands in the related management domain (switched via mdsenv); however, the results are kinda different. The output of sk88681 seems to be more correct, as lots of connections pass through the gateway. But how does the first output list only about 50 logs per second and the second one more than 100? I guess the "Log Receive Rate" of the cpstat mg command also refers to logs per second. Where is the difference between both?

And why does the cpstat command also tell that "Log Receive Rate Last 10 Minutes" is just 57? That's definitely not the case, or do I mix something up here?

Also a different question regarding log file movement. Is it safe to move e.g. the following files from /CPsuite-R80.20/fw1/log to a different system in order to save them as a backup? Or do I have some negative impact on the management server if I'm going to remove these files?

    2018-11-10_000000.adtlog
    2018-11-10_000000.adtlogaccount_ptr
    2018-11-10_000000.adtloginitial_ptr
    2018-11-10_000000.adtlogptr
    2018-11-10_000000.log

I have the requirement to move all log entries which are older than 3 months to a different system, or even delete them. As far as I know this option is not possible via the SmartConsole itself (only via a script that checks the timestamp of files in the log dir and removes them if they are older than three months). Or are there other ways to achieve the described goal? Currently I'm thinking about a cronjob that runs each night, which looks for log files older than x days and removes them. But still, I am not sure if this method is "clean".

Thanks and best regards,
Maik
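The nightly clean-up job described in the post above, written out as an added example (this is not code from the post, from Check Point, or from any SK). It assumes, as the file list in the post suggests, that rotated log files are named YYYY-MM-DD_HHMMSS.<suffix> and that every file sharing one base name (.log, .logptr, .loginitial_ptr, .logaccount_ptr, .adtlog and its pointer files) is one family that has to move together so no pointer file is orphaned; the live fw.log / fw.adtlog carry no date prefix and are therefore never matched. It moves families to an archive directory instead of deleting them, and takes the cutoff date as an explicit argument, so a dry run and a rollback are both straightforward. Whether the log server tolerates the files disappearing is exactly what the post asks and what this page does not settle, so test it on a lab domain first.

```shell
#!/bin/sh
# Added example (not from the post or from Check Point): archive rotated log-file
# families older than a cutoff date, as a nightly cron job could do.
#
# Assumptions made here, not stated on the page:
#   - rotated files are named YYYY-MM-DD_HHMMSS.<suffix> (as in the file list
#     above), and every file sharing one base name is one family that must
#     move together so that no pointer file is orphaned;
#   - the live fw.log / fw.adtlog and their pointer files carry no date
#     prefix, so the name pattern never matches them;
#   - files are moved to an archive directory rather than deleted, so the
#     operation can be reversed if the log server turns out to need them.

# archive_old_logs LOGDIR ARCHIVEDIR CUTOFF
#   Moves every family whose date prefix is strictly older than CUTOFF
#   (YYYY-MM-DD) from LOGDIR into ARCHIVEDIR and prints each moved base name.
archive_old_logs() {
    logdir=$1
    archive=$2
    cutnum=$(printf '%s' "$3" | tr -d '-')      # 2019-06-19 -> 20190619
    case $cutnum in
        [0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9]) ;;
        *) echo "cutoff must be YYYY-MM-DD" >&2; return 2 ;;
    esac
    mkdir -p "$archive" || return 1

    # Distinct base names of rotated files (the part before the first '.').
    # find exits 0 even when nothing matches, so this is safe under set -e.
    bases=$(find "$logdir" -maxdepth 1 -type f \
              -name '[0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9]_[0-9][0-9][0-9][0-9][0-9][0-9].*' \
            | sed 's#.*/##; s/\..*//' | sort -u)

    for base in $bases; do
        day=${base%%_*}                              # 2018-11-10
        daynum=$(printf '%s' "$day" | tr -d '-')     # 20181110
        if [ "$daynum" -lt "$cutnum" ]; then
            # Move the whole family so the .log never parts from its pointers.
            for f in "$logdir/$base".*; do
                [ -f "$f" ] || continue
                mv "$f" "$archive/" || return 1
            done
            echo "$base"
        fi
    done
    return 0
}

# Stand-alone use, e.g. from cron (GNU date shown; $FWDIR/log is the usual
# location of the log directory, and on an MDS you switch domains with mdsenv
# before running it):
#   archive_old_logs "$FWDIR/log" /backup/fwlogs "$(date -d '-90 days' +%F)"
if [ "$#" -eq 3 ]; then
    archive_old_logs "$@"
fi
```

The comparison is done on the date encoded in the file name rather than on mtime, because the rotation timestamp is what the three-month requirement is actually about and it cannot drift when files are copied or restored.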
resu inside Logging and Reporting 20 hours ago
Log query R80.10

I would like to run a query (something like NOT action:drop) on a list of unique IP addresses. I've looked through the documentation and tried IPs with a space between them, and with "AND" (no quote marks) between them. Neither worked. Any advice is appreciated.
kobilevi inside Logging and Reporting yesterday
Smart event script reactions

Hello, I'm using the SmartEvent console to react to events and make some changes in my organization. As I see, there is an option for an "external script". Do you have some example scripts? Thanks
David_Won inside Logging and Reporting Friday
Smartevent upgraded to R80.10: Now how do I exclude alerts?

Upgraded our SmartEvent server yesterday from R77.30 to R80.10. Lost all of our config unfortunately, so now I have to put all of our exclusions in and whatnot. The problem is that in the old version I could just select an alert from the SmartEvent client and then say to exclude it or create an exception. I can't find this anywhere in the new version. I found where to click to bring up the event policy editor, but that's not what I'm looking for. I want to be able to click on the alert and change it. Having to manually enter all of the details is a step backward from where we were.

2nd question: what happened to the ticketing system? I used to close out events from my timeline by closing the ticket. That way the other sysadmins would know it's taken care of. I can't find this functionality anywhere.
Dale_Lobb inside Logging and Reporting Friday
SmartView and SmartLog idiosyncrasies

Fairly frequently, I see spurious results in the log listing for a simple query in SmartView and SmartConsole's SmartLog function. Specifically, a query with a simple source and destination selected will include a few log entries that do not match the query. The same query produces this result in both tools. Here's an example. Notice the entry in the selector and detailed at right does not match the simple selection criteria.
Ankur_Datta inside Logging and Reporting Friday
Log exporter send logs in UTC time zone to syslog server

Hi All,

We configured Log Exporter on our MLM and send logs of all CLMs to a syslog server. On checking the syslog server we found out that logs are coming in the UTC time zone. I went through sk133472 and am not able to understand the last two lines:

"The CP Log Server can send logs to syslog in different timezone, and it needs to be UTC so target Log Server can convert it to the local timezone. This is also how Splunk and other SIEM vendors behave."

Does this mean we need to send logs through Log Exporter in the UTC time zone? We are using the IST time zone. Please guide.
apara inside Logging and Reporting Friday
Checkpoint VSX log don't filter the origin virtual system name

Check Point VSX logs don't filter on the origin virtual system name. If I search for destination and/or source I see the gateway name in Origin, but if I want to use the filter on Origin, I don't find the virtual system. It's Gaia R80.30. What could be the problem?
rajesh_s inside Logging and Reporting Thursday
Checkpoint Gateways are not sending the logs to Checkpoint management server

Hi All,

We are using Check Point R77.30 firewalls. The gateways are not sending the logs to the Check Point management server. Does anyone have a similar issue?
inside Logging and Reporting Wednesday
Log Exporter - Splunk Integration Update

Hello Everyone,

We are currently in advanced stages of developing a Log Exporter update that will add CIM support. This will give us better Splunk integration for CIM-oriented apps and dashboards (e.g. Splunk Enterprise Security).

We are currently looking for customers who wish to test this new feature (in either their lab or production) and share their feedback with us. I would also really appreciate it if in your email you could add the following details:

- What version of Check Point do you use? And what version of Splunk server?
- Is your Splunk environment installed as a single instance or is it a distributed environment?
- Have you already tested previous releases of the Log Exporter or is this your first use of the add-on?

The new update will also enable the Log Exporter to work in a semi-unified mode. For those who are unfamiliar with this setting, it means that updates are unified with their original log before they are exported. This makes the information in the update log complete and makes the update log itself more readable (in raw mode you had to manually search for the original log to make sense of the update).

Best Regards,
Yonatan
B_P inside Logging and Reporting Tuesday
R80.30 Netflow Setup

Pre R80.10, NetFlow worked fine. Now on R80.30 I have two flows that are identical, but one only shows Outbound and the other only shows Inbound. BUT, and this is perplexing, it is the exact same traffic for both inbound and outbound flows, i.e. source and destination are the same. Yes, let that simmer for a while.

I have one rule that's configured on the firewall and it's a rule that a lot of web traffic hits on. I'm using ManageEngine's NetFlow Analyzer.

For this traffic, I would expect there should be one flow and it should include both inbound and outbound traffic on the one interface (the internal interface it's hitting).
inside Logging and Reporting Monday
How to exclude the SmartEvent object from the SSL Inspection group

Hello All,

I'm reviewing sk112814, which explains how to overcome the following error: "SmartView server certificate is invalid" error when opening a new tab in the R80 SmartConsole "Logs & Monitor".

In the solution steps it is said that one should exclude the SmartEvent object from the SSL Inspection group, but I haven't found straightforward instructions on how to perform this step online. Any assistance with screenshots will be much appreciated.

Regards,
Adiel

Kobi Eisenkraft
lajie93 inside Logging and Reporting a week ago
exporting logs from one SMS to another newly created

Greetings,

This is my first post here. I really enjoy the community, whose posts have helped me fix some issues that I was facing.

We have a SmartEvent server (SMS A) which stores logs from the installed customer gateways. We plan to move the system configuration and logs from SMS A to the newly installed SMS B, but my worry is about exporting. Can I easily accomplish it?
Marko_Keca inside Logging and Reporting a week ago
Is there a way to share View created by one user with other users?

I have created a custom View and I'm the only admin who can see it. How can I share it with others?

Also, when I click on Export template, nothing happens.

Thanks in advance!

Regards,
Marko
quanglnh inside Logging and Reporting a week ago
Checkpoint OPSEC LEA with LogRhythm SIEM

Hi Everyone,

I have a Smart-1 5150 device that manages 90 Check Point gateways. I want to integrate it with LogRhythm SIEM.

I created a host object for the LogRhythm SIEM with its IP. I created an OPSEC Application for it and also pulled certificates from the Check Point Smart-1 device.

Now I need to provide the information below on the LogRhythm SIEM:

    opsec_sic_name "OPSEC_APP_SIC_DN"
    lea_server ip IP_ADDRESS
    lea_server auth_port 18184
    lea_server auth_type sslca
    lea_server opsec_entity_sic_name "LOG_SERVER_DN"
    opsec_sslca_file "C:\checkpoint_config\opsec.p12"

"OPSEC_APP_SIC_DN" is the DN name in the OPSEC Application, which is "CN=LogRhythm-XM,O=CP-Smart1..ksmkv" in my picture. Is this correct?

"lea_server auth_type" is sslca. Is sslca the only type, or are there other types?

"LOG_SERVER_DN": I am not sure where to collect this info. I went to the web portal of the Smart-1 device and see the DN in the Certificate Authority tab as below:

Is this the right DN for "LOG_SERVER_DN"? Since the Smart-1 device manages all the other firewalls, the "LOG_SERVER_DN" is the DN of the Smart01 device, right?

After configuring, I still can't receive any logs on LogRhythm SIEM from Check Point OPSEC. Please help me solve this issue. Thanks!
Raj_Khatri inside Logging and Reporting a week ago
How to monitor virtual systems on VSX?

We are running R80 MDS and would like to monitor our VSX clusters that are running R77.20 via SolarWinds using SNMP. Has anyone had any success getting the virtual systems monitored? Even after modifying the SNMP mode from "default" to "vs" we are unable to poll the virtual system. Could the API be used to pull the SNMP data? Thanks