This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
the_rock
MVP Platinum
MVP Platinum
‎2024-12-05 11:46 AM
Jump to solution

Dedicated smart event server logging behavior

Hey guys,

I wanted to bring this up, as Im not 100% sure if this is indeed an expected behavior and if people are aware of it or not. So, my impression was always that say if you have dedicated SE server, you have to add it to logging options on the gateway(s) object in order for logs to sent to it, but that is supposedly NOT the case.

Reason I say that is because my colleague and I had call with TAC and guy was excellent, he did help us with a different SE server issue, but even he said customer's smart event was not used for logging or getting any logs, which we discovered later was actually not true, as we saw bunch of logs sent to it when we logged in via smart console.

Now, to verify this behavior, I also tested in my own lab, where my mgmt is 172.16.10.252 and se server is 172.16.10.244. Though I dont have smart event object added anywhere for logging options on cluster or single gw, I can see bunch of logs on se server when I open separate smart console instance.

So, my question is...is this NORMAL (expected) behavior?

I also attached screenshots showing what I described.

Best and thanks as always for the help!

Andy

 

 

 

Best,
Andy
Preview file
35 KB
Preview file
34 KB
Preview file
41 KB
Preview file
112 KB
Preview file
193 KB
0 Kudos
1 Solution

Accepted Solutions
Lesley
MVP Gold
MVP Gold
‎2024-12-06 03:44 AM
Jump to solution

I think it is normal because smart event needs logs to do its job. And will get it from log server. For performance it is better to have 1 log server and 1 event server. If event has no access to logs it will have no data to work with. Under my gateways I always put the log servers as log server (or other name for it: smart mgmt)

-------
Please press "Accept as Solution" if my post solved it 🙂

View solution in original post

5 Replies
Lesley
MVP Gold
MVP Gold
‎2024-12-06 03:44 AM
Jump to solution

I think it is normal because smart event needs logs to do its job. And will get it from log server. For performance it is better to have 1 log server and 1 event server. If event has no access to logs it will have no data to work with. Under my gateways I always put the log servers as log server (or other name for it: smart mgmt)

-------
Please press "Accept as Solution" if my post solved it 🙂
the_rock
MVP Platinum
MVP Platinum
‎2024-12-06 04:35 AM
In response to Lesley
Jump to solution

Thanks @Lesley ! Yes, I know most people do the same, but it just caught me off guard, as I always thought smart event needs to be in that list to be receiving logs, but supposedly not.

Anyway, appreciate the confirmation 🙂

Andy

Best,
Andy
0 Kudos
Amir_Senn
MVP Silver CHKP MVP Silver CHKP
MVP Silver CHKP
‎2024-12-08 06:32 AM
In response to Lesley
Jump to solution

SmartEvent could also be a log server. This is a matter of distributing resources if needed.

If SmartEvent is not the log server it will have better performance than doing both, and considering that it can read logs from multiple log servers it very much depends on logging rate.

Kind regards, Amir Senn
the_rock
MVP Platinum
MVP Platinum
‎2024-12-08 07:01 AM
In response to Amir_Senn
Jump to solution

Hey @Amir_Senn 

So, just co confirm 100%, my assumption was indeed correct then that say even if you do NOT add SE object in logging tab for the gateway, it would still be getting logs by default?

Andy

Best,
Andy
0 Kudos
Amir_Senn
MVP Silver CHKP MVP Silver CHKP
MVP Silver CHKP
‎2024-12-08 07:38 AM
In response to the_rock
Jump to solution

Defined in SmartEvent GUI (Analyzer). When deploying a new SmartEvent server, by default it should apply all log servers currently connected to the environment. If you add new ones you'll need to define them.

Kind regards, Amir Senn
0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events