Logging and Reporting

Have questions about viewing logs with SmartView, generating reports with SmartEvent Event Management, or exporting logs to a SIEM with Log Exporter? This is where to ask!

pmetridis
pmetridis inside Logging and Reporting Friday
views 102 3

OPSEC LEA Permissions

Dear all, I would like to ask if anyone knows the access that an OPSEC LEA client could potentially have to the SMS gateway. Except for the LEA Permissions tab in the OPSEC Application Properties, where else can I find what kind of permission the remote client has when you configure it as an OPSEC LEA application? Is it trusted to allow an external partner, like a SIEM vendor, to communicate with OPSEC LEA on the SMS server? As you understand, the SMS server has all the critical information, like policies, etc. Any other link, PDF or doc to read would be helpful. Thanks in advance, Makis
Martijn
Martijn inside Logging and Reporting Friday
views 208 3

GRE traffic not shown in log

Hi all,

Two weeks ago, I migrated a R77.30 cluster on 12200 appliances to a R80.30 cluster on 6500 appliances. The installed jumbo hotfix is take 111. It was an advanced migration, so we installed a new SmartCenter, exported the database from R77.30 to R80.30 with the R80 migration tools and imported the database with the same migration tools. Rule base, IP interfaces and routes did not change. Also nothing was changed on the network. The migration was successful and no problems were reported.

But we have one strange issue with the log of GRE tunnels. The customer has several GRE tunnels passing the Check Point gateway (so Check Point is not an endpoint for these GRE tunnels) and these GRE tunnels are working fine. But we do not see any logs regarding GRE in SmartLog, even when the GRE tunnel is initiated again. We can see the traffic with tcpdump and fw monitor, but SmartLog remains empty. When we look at SmartLog from the old R77.30 environment (we still have access to the old SmartCenter) we can see logs regarding GRE.

Has anyone seen this before on R80.30? I have a case open with Check Point support, but the chances are we need to run a debug and initiate the GRE tunnel again. And initiating the GRE tunnel causes a big impact on the customer's processes. So I hope one of you has seen this before and has a solution that does not involve initiating the tunnel again.

Thanks.
Regards, Martijn.
DH_ND
DH_ND inside Logging and Reporting Thursday
views 230 7

CP log Export issues

Hi Checkmates,

Can someone help? I have two managers with the same subnet and environment within Azure. The 1st is managing Azure gateways on R80.30 and the 2nd is managing on-prem gateways on R77.30. We use cp_log_export on both to send logs to a collector.

The 2nd has been recently added using the same configuration as the first (this config was the same when the manager was on premise on R77.30):

cp_log_export add name ****** target-server x.x.x.x target-port 514 protocol tcp format leef

All looks good except the collector isn't seeing the logs being sent; it only sees the two-way communication from manager to collector.

The difference between the two is that the 2nd has the following lines below. The worker has both these values set to true:

export-link: false
export-attachment-link: false

1st is working:

name: ******
enabled: true
target-server: x.x.x.x
target-port: 514
protocol: tcp
format: leef
read-mode: raw
export-link: Found
export-attachment-link: Found

2nd is NOT working:

name: ******
enabled: true
target-server: x.x.x.x
target-port: 514
protocol: tcp
format: leef
read-mode: raw
export-link: false
export-attachment-link: false

Does anyone have any idea what could be causing this? We have full comms from both to the collector.

Thanks
Moe_89
Moe_89 inside Logging and Reporting Thursday
views 3634 7

Remote VPN users report

Hello,

Is there a way to export a list of Remote VPN users in the local MGMT database which includes last login time etc.? Something similar to fwm dbexport.
ED
ED inside Logging and Reporting Wednesday
views 241 6 1

SG cluster not sending logs to SMS

Hi,

R80.30 environment. SG cluster is not sending logs to SMS. Steps that I have done in troubleshooting:

Installed database in SmartConsole.
Installed policy several times.
Changed the SG to log locally, installed policy and then reverted to sending logs again to SMS in SmartConsole.
Rebooted the cluster that doesn't send logs to the SMS.
Disk space is checked on SMS and is fine.
Checked that the security gateway is configured to send logs to SMS in SmartConsole.
SIC communication is fine and communicating.
Ping from SMS to SG works fine. The other way too.
Checked that the SMS is listening on port 257. No connection from the cluster SG seen there.
Checked if any logs are coming from the SG to the SMS on port 257 with tcpdump on the interface. No logs there.
The active firewall log file fw.log is growing on the SG. Checked with the command watch -d -n 2 "ls -l $FWDIR/log/fw.log"
Checked the masters file on the SG and it is set to log to the SMS.

So are there any more suggestions in troubleshooting this issue? Could it be that the last step (that I didn't do), the active firewall log file fw.log, might be corrupted on the SG?
Fred_Howard
Fred_Howard inside Logging and Reporting Wednesday
views 3383 10

SmartLog only shows 3 days of logs.

I cannot query any logs older than 3 days.  df -h showed 99% in var/log, I have adjusted settings to delete files and got it to 83%, still no change.  
peter_schumache
peter_schumache inside Logging and Reporting Tuesday
views 249 3

Filter Logs by geo location

Is there a way to filter my Check Point logs e.g. Destination IP by Geo-Location?
mortiis
mortiis inside Logging and Reporting a week ago
views 220 3

[R80.20] smartview on dedicated server

Hi All 🙂

In my CP topology, I have a dedicated server for management (for example 10.1.1.101) and a dedicated server for SmartEvent (for example 10.1.1.102). I would like to grant access to SmartView for my colleagues but only via web browser and only to 10.1.1.102 (https://10.1.1.102/smartview/). To achieve that, I created a new Gaia user on the 10.1.1.102 server where I have SmartEvent installed and attached this new user to monitorRole. Authentication is done by TACACS.

Unfortunately, this config doesn't work; I received "Authentication to server failed". I assume that something is wrong with my CP configuration, because I don't see any events on my TACACS server. Did I miss something in the configuration?

Thank you in advance!
Michael_Horne
Michael_Horne inside Logging and Reporting a week ago
views 520 6 1

Traffic dropped with message information: "Rulebase Internal Error"

Hello,

We are having some traffic that is being dropped with the message information: "Rulebase Internal Error". As of yet I have not found any information related to what this message means and how it can be remedied. Normally this traffic should be allowed, but because of the issue, it appears the traffic is being dropped. Does anyone have any information that might help in resolving this or might aid the investigation?

Many thanks,
Michael
MIchael_Hovis
MIchael_Hovis inside Logging and Reporting 2 weeks ago
views 1229 8 2

Export Logs To LogRhythm using Log Exporter

Has anyone used Log Exporter to export logs to LogRhythm? I have a Check Point management server that is also the log server running R80.20. I've configured Log Exporter and am sending logs to LogRhythm using the CEF format. However, LogRhythm says they cannot parse the logs. Has anyone else run into this problem and found a solution?

Thanks.
Dan_Zada
inside Logging and Reporting 2 weeks ago
views 4031 39 9

Log Exporter Filtering

Hello all,

I'm happy to inform you that we added a new feature to the Log Exporter: the ability to filter logs. Starting today, you will be able to configure which logs will be exported, based on fields and values, including complex statements. More information, including basic and advanced filtering instructions, can be found in SK122323.

If you have any question or comment, let me know.

Thanks!
Dan.
Daniel_Kavan
Daniel_Kavan inside Logging and Reporting 2 weeks ago
views 208 2

smartevent and logging server question

Hi,

We have two separate managers. Each manager manages 5 gateways. However, we just have one SmartEvent and logging server running on one VM. Is it possible to connect BOTH managers up to the same SmartEvent and logging server? Or do they each have to have their own dedicated SmartEvent and logging servers? My guess is they each need their own, but I wanted to double check with the new capabilities in R80.30 and R80.40.
Mason_Bourdeau
Mason_Bourdeau inside Logging and Reporting 2 weeks ago
views 2364 10

Top Bandwidth Applications graphed over time?

I'm trying to find a good report/view/chart to graph top bandwidth utilization applications over time. I can find this view but it's only cumulative for the specified time period, not graphed over time. So rather than just a list of the top applications and their total usage over, for example, 30 days, I need to see a graph of the traffic. For example, we have an application that uses a ton of bandwidth, but it should ONLY be doing so after hours. The High Bandwidth Applications view doesn't reveal the bandwidth usage patterns...
George_Ellis
George_Ellis inside Logging and Reporting 2 weeks ago
views 5865 7 3

Hit count detail

Hit count data seems to suggest there is more to it than rule id and count.  Has anyone found or built a method to do time series hit count report by rule?
kevin_t
kevin_t inside Logging and Reporting 2 weeks ago
views 252 3

Failed Policy Install Logging

Morning All, thanks in advance for any insight! We are looking at exporting audit logs to our SIEM, and got the connection working and everything. We scheduled our policy installs to happen automatically, and we would like alerting to happen based on failed policy installs. That being said, we cannot find anything in any logs that indicates a failed policy install! Just wondering if anyone had any insight into whether this gets logged, and if so, where are they? Thanks again!