Dan_Zada
inside Logging and Reporting 14 hours ago
views 1714 19 6
Employee+

Log Exporter Filtering

Hello all, I'm happy to inform you that we added a new feature to the log exporter - the ability to filter logs. Starting today, you will be able to configure which logs will be exported, based on fields and values, including complex statements. More information, including basic and advanced filtering instructions, can be found in SK122323. If you have any question or comment, let me know. Thanks! Dan.
slay39
slay39 inside Logging and Reporting yesterday
views 108 4

Checkpoint Management Log Size Problem

Hi Checkmates, When I check the disk situation I saw log directory was full so that I removed old logs from $FWDIR/log/ directory. Disk situation is okay now. When I controlled /var/log/opt directory, I saw 854G space allocated. Is that normal? If not, what should I do?
[Expert@hostname:0]# pwd
/var/log/opt
[Expert@hostname:0]# ls
CPSmartLog-R77 CPSmartLog-R80 CPrt-R77 CPrt-R80 CPshrd-R77 CPshrd-R80 CPsuite-R77 CPsuite-R80
[Expert@hostname:0]# du -h --max-depth=1
233M ./CPshrd-R77
173G ./CPsuite-R80
158M ./CPshrd-R80
143G ./CPrt-R77
391G ./CPsuite-R77
60G ./CPrt-R80
88G ./CPSmartLog-R77
200M ./CPSmartLog-R80
854G .
[Expert@hostname:0]#
Maarten_Sjouw
Maarten_Sjouw inside Logging and Reporting Monday
views 109 6

Is CP-Logexporter able to export events?

Hi, I got this question from our SIEM team: is it possible to export correlated events with CP-Log Exporter?
Sal_Previtera
Sal_Previtera inside Logging and Reporting Monday
views 104 2

SMART EVENTS server move to a different hardware version 80.xx and above ?

Can someone at Checkpoint possibly come up with decent documentation on how to move a SMARTEVENT server from server A to Server B, with the understanding that the IP will be kept the same but the HARDWARE may be different?
1. Snapshots will not be any good.....
2. Backup and restore .....useful or not ...probably not...?
3. Migrate Export does not move database file....?
There were somewhat, almost decent documents in R77.xx but can't find anything halfway decent in R80.xx. Please, someone point me in the right direction... Thanks,
KLN
KLN inside Logging and Reporting Sunday
views 106 5

Log Exporter R80.10 add on for eval

Hi All, Does anyone know if it is possible to get the Log Exporter add-on for R80.10 gateway for 30 day eval? I would like to test/try out. If not, if I upgraded my R80.10 eval to R80.20, does that include the Log Exporter (alternative to OPSEC LEA)? Thanks
Hugo_vd_Kooij
Hugo_vd_Kooij inside Logging and Reporting Thursday
views 4087 8 3

How to debug Policy Installation Errors

I get some BETA Dejavu experiences. Where I would break the EA version by activating the DNS server on the object for my Active Directory server. I now have this graceful error "Policy installation failed on gateway. If the problem persists contact Check Point support (Error code: 0-2000040)." But I can't even recall having put anything as naughty as a DNS server in my policy...... Checking myself again .... Guess what. I actually did enable the DNS server on my Domain Controller. So what is the logic of this failure?
Daniel_Hainich
Daniel_Hainich inside Logging and Reporting a week ago
views 442 4 1

R80.20 SmartReporter : how to do a report "rule base analysis"?

Hello, how can I do a report for rule-base analysis? I want to report 0-Hit Rules and Rules which have no hits since x days. Please help! Daniel
VENKAT_S_P
VENKAT_S_P inside Logging and Reporting a week ago
views 7943 7 1

Log export to excel CSV

General question: Is there an option to export all (not first 50 records) the 7 days / 30 days logs to CSV file from Logs & Monitor pane?
Matthias_Haas
Matthias_Haas inside Logging and Reporting a week ago
views 1005 4 1

log accounting does not work

Hello all, we are facing the problem that after upgrading a Cluster to R80.10, log accounting does not work any more (worked with R77.30). So:
- just the FW blade is used (no App Control etc.)
- accounting is enabled for the rule
- nevertheless, the accounting fields are empty in the log
We have waited quite a while to make sure the fields are filled up. Case is open, but TAC told us that the App Control blade is necessary for accounting, which I don't think is true (at least in my lab it works with the fw blade only). I did not find any useful SK/information for analysing this problem. Has anyone had the same situation? Thanks a lot, Matthias
Allen_Fambro
inside Logging and Reporting a week ago
views 59 3 1
Employee

Is it possible to filter access to Management GUI or SmartView Login Pages

While we can use "User Management / GUI Clients" to filter access to SmartConsole, that filter doesn't get applied to GUI or the SmartView web page. Is there any way to restrict access to the Management GUI or SmartView web pages??
Peter_Baumann
Peter_Baumann inside Logging and Reporting a week ago
views 44

Log Exporter stopped reading logs

Hello again, A new problem, this time with the log exporter:
[Expert@cplog01p:0]# date
Tue Jul 02 09:40:40 CEST 2019
[Expert@cplog01p:0]# cp_log_export status
name: fw.domain.com
status: Running (3986)
last log read at: 27 Jun 11:51:02
debug file: /opt/CPrt-R80.20/log_exporter/targets/fw.domain.com/log/log_indexer.elg
--> Log Exporter has stopped reading logs since some days but is still running. We did a cp_log_export restart and it worked again. Does someone know how to monitor the Log Exporter stopped working even when the process is still running? Is this problem known? Installed version of cplog01p:
[Expert@cplog01p:0]# cpinfo -y all
This is Check Point CPinfo Build 914000182 for GAIA
[IDA] No hotfixes..
[CPFC] HOTFIX_R80_20_JUMBO_HF_MAIN
[MGMT] HOTFIX_R80_20_JUMBO_HF_MAIN
[FW1] HOTFIX_R80_20_JUMBO_HF_MAIN
FW1 build number:
This is Check Point Security Management Server R80.20 - Build 007
This is Check Point's software version R80.20 - Build 047
[SecurePlatform] HOTFIX_GOGO_LT_HALO_JHF
[CPinfo] No hotfixes..
[DIAG] No hotfixes..
[Reporting Module] HOTFIX_R80_20_JUMBO_HF_MAIN
[CPuepm] HOTFIX_R80_20_JUMBO_HF_MAIN
[VSEC] HOTFIX_R80_20_JUMBO_HF_MAIN
[SmartLog] No hotfixes..
[MGMTAPI] No hotfixes..
[R7520CMP] No hotfixes..
[R7540CMP] No hotfixes..
[R76CMP] No hotfixes..
[SFWR77CMP] No hotfixes..
[R77CMP] HOTFIX_R80_20_JHF_COMP
[R75CMP] No hotfixes..
[NGXCMP] No hotfixes..
[EdgeCmp] No hotfixes..
[SFWCMP] No hotfixes..
[FLICMP] No hotfixes..
[SFWR75CMP] No hotfixes..
[CPUpdates] BUNDLE_R80_20_JUMBO_HF_MAIN_gogoKernel Take: 47
[rtm] No hotfixes..
MattDunn
MattDunn inside Logging and Reporting a week ago
views 46 1 1

R80 Logging Query

I want to send a screenshot of the Logs view to a customer to demonstrate an issue and highlight a point I'm trying to make. The issue is VPN related, where we continually try and set up a tunnel, then send a "delete", then set up, then send a delete. I want to show this in my log view so I can take a screenshot, but the one field I want to add to my log view is not available. If I open the log card, I see the "Ike" field, highlighted in red below. I want to add that column to my log view. Other log cards have "Methods" showing info of the key exchange, but again "Methods" is not available to select as a column in my log view. If I go to my log and "Edit Profile", neither the "Ike" nor "Methods" fields are available to select as a column in my log view. Why aren't these columns available to add? How can I add them?
Ants
Ants inside Logging and Reporting a week ago
views 44 1 1

Auto Export scheduled reports to a remote server possible?

Hi All. We have a set of scheduled reports running on R80.10 CMA and want to know if it is possible to have them exported to a remote server using scp or similar (only option I see is via email). Our aim is to have these raw reports copied (scp etc) to a remote server where they will be analyzed further with an in-house automation tool.
report location
/opt/CPrt-R80/smartview/exported_files/41e821a0-3720-11e3-aa6e-0800200c9fde/<objid_for_admin>/
Alternative plan would be to create a user with scponly shell so they can pull these reports from the FW.. my last resort.
Thanks in advance
Richard_Nock
Richard_Nock inside Logging and Reporting 2 weeks ago
views 76 5

Logging not working for Azure CloudGuard gateways and SMS behind NAT

Our topology is as follows:
10.3.3.4/27 - BackEnd Subnet
Azure Firewall (R80.10)
10.2.2.4/27 - FrontEnd Subnet
|
Azure Check Point Cluster Public IP
|
( Internet )
|
1.2.3.4/29
On-Prem Check Point 5400 Series Appliance Cluster (R80.10)
10.1.1.1/24
|
10.1.1.5/24 (1.2.3.5/29 NAT IP)
SmartCenter/Security Management Server (R80.30)
As you can see our SMS is NATed behind our 5400 series appliances which it also manages. The management object has the private 10.1.1.5/24 defined as the IP in the General Properties tab and then public 1.2.3.5/29 is defined in the NAT tab, set to static IP, install on 5400 series gateway and Apply for Security Gateway control connections ticked. This works for all of our other physical appliances - logging and CRL checking, all fine. However, this does not work for the Azure gateways as they persistently want to get to the SMS on the private IP, which doesn't work.
Things we've tried:
1. Editing the masters file by replacing the SMS name with the public IP of the management then locking the file changes using the chattr command. We've had limited success with this - if we make the change and restart the FWD service it will start working, but if we push policy again it will start using the private IP again. I'm looking for something more permanent.
2. Creating a dummy object with the IP of 1.2.3.5, tick Logging & Status blade, then select this as the logging server for the Azure gateways. The Azure gateways pick up the change, but they still persist in sending logs to the private IP.
3. Tried adding a NAT rule to the top of the NAT policy for anything from src:10.2.2.4/27 (FrontEnd Subnet) to dst: 10.1.1.5 (private SMS) then translate to dst:1.2.3.5 (public SMS). No luck here either.
I originally thought it was because we were using an older R80.10 template, but I've deployed a new R80.20 cluster in Azure and updated to the latest jumbo and we still get the same issue. Running out of ideas now, any help/suggestions would be appreciated 🙂