cancel
Showing results for 
Search instead for 
Did you mean: 
Create a Post
Logging and Reporting

Have questions about viewing logs with SmartView, generating reports with SmartEvent Event Management, or exporting logs to a SIEM with Log Exporter? This is where to ask!

Dan_Zada
inside Logging and Reporting yesterday
views 10950 21 21
Employee+

*New* Splunk App for Check Point Logs

Hello all, I’m happy to announce about a new Splunk app for Check Point logs. Check Point brings you an advanced and real-time threat analysis and reporting tool for Splunk. The Check Point App for Splunk allows you to respond to security risks immediately and gain network true insights. You can collect and analyze millions of logs from all Check Point technologies and platforms across networks, Cloud, Endpoints and Mobile. (view in My Videos) Key features are: Infinity Dashboards General overview Top attacks Detected and prevented events Events timeline Blades statistics Cyber Attack View – a unique ability to aggregate Check Point events per attack vector (cross all blades) Reconnaissance actions against the network Delivery methods Malicious emails Malicious file download Server Exploit Infected hosts SandBlast Events – predefined aggregation for mail and web attack vectors CIM Support – Check Point logs are mapped into CIM (Common Information Model) and can be analyzed using standard dashboards (such as Splunk Enterprise Security)More information on CIM can be found here: https://docs.splunk.com/Documentation/CIM/4.12.0/User/Overview Fast Deploy – an easy and fast deployment using the new Log Exporter     The app can be downloaded from Splunk base: Check Point App for Splunk | Splunkbase    User Guide – https://sc1.checkpoint.com/documents/App_for_Splunk/html_frameset.htm SK about the Log Exporter – http://supportcontent.checkpoint.com/solutions?id=sk122323   For any question, comment or suggestion, please contact cp_splunk_app_support@checkpoint.com.   Thank you! Dan Zada, Group Manager.
Julie_Paul
inside Logging and Reporting yesterday
views 4457 19 3
Employee+

Limited Permission Profile

Can I setup a read only user with a profile that only allows him to read logs and view his policy only?  This is on a SMS not an MDM.  The purpose is to allow a limited admin the ability to be restricted to just what they control or have a business need to see.  They do not see all the policies or logs, just their own at their remote location.  
WesEvernden
WesEvernden inside Logging and Reporting Tuesday
views 85 4 1

fwm logexporter fails - file to large

Hi,I am trying to take a large log file from our busy DMZ and export it using a eval install running in hyper-v on my laptop.I can do fwm logexport of the running fw.log fine but when I try it with the DMZ file I get File is too large. The DMZ log file is 2,328,043,520 bytes. This is R80.30, 64bit, 8GB mem. I can cat the file. Any ideas appreciated. Thanks.[Expert@gw-460f06:0]# fwm logexport -n -p -i test.log pfopen: failed to open /opt/CPsuite-R80.30/fw1/log/test.log CBinaryFile::Open: failed to open file (/opt/CPsuite-R80.30/fw1/log/test.log) for reading CBinaryFile::Open: exit status false CMappedBinaryFile::error opening file /opt/CPsuite-R80.30/fw1/log/test.log CLogFile::Open2: error: open (/opt/CPsuite-R80.30/fw1/log/test.log) for reading failed Failed to open file '/opt/CPsuite-R80.30/fw1/log/test.log': File too large log_initfile: error - unable to open and read file: test.logError: Failed to open log file[Expert@gw-460f06:0]# ls -l test.log-rw-rw-r-- 1 admin root 2328043520 Feb 18 13:12 test.log 

Compliance check for NIST 800-171

HiDoes any one have a compliance check for NIST 800-171, that can be imported into the compliance module? GreetingsSøren Kristensen
Deepak__
Deepak__ inside Logging and Reporting Tuesday
views 144 1

Checkpoint custom reports

Hi, I have a Checkpoint setup running on  R80.30. I want to create a custom report with below for Incoming traffic for my internal applications. 1. The topmost app used 2. Amount of Bandwidth, 3. No. of Sessions, 4. Source IP. 5. Dest IP SIP AND1.Top attacks, 2. Source IP, 3. Dest IP, 4. Attack Type.
pmetridis
pmetridis inside Logging and Reporting Friday
views 196 3

OPSEC LEA Permissions

Dear all , I would like to ask if anyone knows the access that potentially could have an OPSEC LEA client to SMS Gateway . Except the LEA Permissions TAB to the OPSEC Application Properties , where else i can find what kind of permission the remote client has when you configure it as OPSEC LEA Appl . Is it trusted to allow external partner  like Siem Vendor ,  to communicate with OPSEC LEA to the SMS server ? As you understand the SMS server has all the critical information like policies , etc.  Any other link , pdf , doc to read would be helpful  Thanks in advanced Makis 
Martijn
Martijn inside Logging and Reporting Friday
views 219 3

GRE traffic not shown in log

Hi all,Two weeks ago, I migrated a R77.30 cluster on 12200 appliances to a R80.30 cluster on 6500 appliances. Installed jumbo hotfix is take 111.It was an advanced migration, so we installed a new SmartCenter, exported the database from R77.30 to R80.30 with the R80 migration tools and imported the database with the same migration tools. Rule base, IP interfaces and routes did not changed. Also nothing was changed on the network.The migration was successful and no problems where reported. But we have one strange issue with the log of GRE tunnels. Customer has several GRE tunnels passing the Check Point gateway (so Check Point is not an endpoint for these GRE tunnels) and these GRE tunnels are working fine.  But we do not see any logs regarding GRE in SmartLog. Even when the GRE tunnel is initiated again. We can see the traffic with tcpdump and fw monitor, but SmartLog remains empty.When we look at SmartLog from the old R77.30 environment (we still have access to the old SmartCenter) we can see logs regarding GRE. Has anyone seen this before on R80.30? I have a case open with Check Point support, but the chances are we need to run a debug and initiate the GRE tunnel again. And initiating the GRE tunnel causes a big impact on the customers processes.So I hope one of you has seen this before and has a solution that does not involve initiating the tunnel again.Thanks.Regards, Martijn. 
DH_ND
DH_ND inside Logging and Reporting Thursday
views 236 7

CP log Export issues

HI Checkmates Can someone help. I have two manager with the same subnet and environment within Azure. 1st managing Azure gateways on R80.30 and 2nd managing on prem gateways on R77.30. We use cp_log_export on both to send logs to a collector.2nd has been recently added using the same configuration as the first (this config was the same when the manager was on premise on R77.30. cp_log_export add name ****** target-server x.x.x.x target-port 514 protocol tcp format leefAll looks good except the collector isn't seeing the logs being sent it only sees the two way communication from manager to collector.difference between the two is the 2nd has the following lines below. The worker has both these values set to trueexport-link: falseexport-attachment-link: false1st is workingname: ******enabled: truetarget-server: x.x.x.xtarget-port: 514protocol: tcpformat: leefread-mode: rawexport-link: Foundexport-attachment-link: Found2nd is NOT workingname: ******enabled: truetarget-server: x.x.x.xtarget-port: 514protocol: tcpformat: leefread-mode: rawexport-link: falseexport-attachment-link: false Does anyone have any idea what could be causing this. We have full comms from both to the collector. Thanks   
Moe_89
Moe_89 inside Logging and Reporting a week ago
views 3690 7

Remote VPN users report

Hello,Is there a way to export a list of Remote VPN users in the local MGMT database which includes last login time etc. ?Something similar to fwm dbexport.
ED
ED inside Logging and Reporting a week ago
views 246 6 1

SG cluster not sending logs to SMS

Hi,R80.30 environment. SG cluster is not sending logs to SMS.  Steps that I have done in troubleshooting: Installed database in SmartConsole.Installed policy several times.Changed the SG to log locally, installed policy and then reverted to sending logs again to SMS in SmartConsole.Rebooted the cluster that don’t send logs to the SMSDisk space is checked on SMS and is fine.Checked that security gateway is configured to send logs to SMS in SmartConsole.SIC communication is fine and communicating.Ping from SMS to SG works fine. The other way too.Checked that the SMS is listening on port 257. No connection from the cluster SG seen there.Checked if any logs are coming from the SG to the SMS on port 257 with tcpdump on the interface. No logs there.The active firewall log file fw.log is growing on the SG. Checked with the command watch -d -n 2 "ls -l $FWDIR/log/fw.log"Checked the masters file on the SG and it is set to log to the SMSSo are there anymore suggestions in troubleshooting this issue? Could it be that the last step (that I didn't do), the active firewall log file fw.log might be corrupted on the SG?   
Fred_Howard
Fred_Howard inside Logging and Reporting a week ago
views 3394 10

SmartLog only shows 3 days of logs.

I cannot query any logs older than 3 days.  df -h showed 99% in var/log, I have adjusted settings to delete files and got it to 83%, still no change.  
peter_schumache
peter_schumache inside Logging and Reporting a week ago
views 249 3

Filter Logs by geo location

Is there a way to filter my Check Point logs e.g. Destination IP by Geo-Location?
mortiis
mortiis inside Logging and Reporting 2 weeks ago
views 221 3

[R80.20] smartview on dedicated server

Hi All 🙂 In my CP topology, I have dedicated server for management (for example 10.1.1.101) and dedicated server for smartevent (for example 10.1.1.102).I would like to grant access to smartview for my colleagues but only via web browser and only to 10.1.1.102 (https://10.1.1.102/smartview/). To achieve that, I created a new gaia user on 10.1.1.102 server where I have smartevent installed and attached this new user to monitorRole. Authentication is done by tacacs.Unfortunately, this config doesn't work, I received "Authentication to server failed".I assume, that something is wrong with my CP configuration, because I don't see any events on my tacacs server.Did I miss something in configuration? Thank you in advance!
Michael_Horne
Michael_Horne inside Logging and Reporting 2 weeks ago
views 540 6 1

Traffic dropped with message information: "Rulebase Internal Error"

Hello, We have are having some traffic that is being dropped with the message information: "Rulebase Internal Error"As of yet I have not found any information related to what this message and how it can be remedied.Normally this traffic should be allowed, but because of the issue, it appears the traffic is being dropped.Has anyone have any information that might help in resolving this or might aid the invesitgation?Many thanks,Michael
MIchael_Hovis
MIchael_Hovis inside Logging and Reporting 2 weeks ago
views 1247 8 2

Export Logs To LogRhythm using Log Exporter

Has anyone used Log Exporter to export logs to LogRhythm?  I have a Check Point managment server that is also the log server running R80.20.  I've configured Log Exporter and am sending logs to LogRhythm using the CEF format.  However, LogRhythm says they cannot parse the logs.  Has anyone else run into this problem and found a solution?Thanks.