This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
RKinsp
Contributor
‎2021-01-07 12:53 PM
Jump to solution

Log - Accounting

Good afternoon everyone!

We are trying to implement external log with accounting updates. We have a simple rule setup that matches telnet traffic, and it is exporting to our syslog (using cp_log_exporter to a splunk server), however it is only sending the log when a connection opens and when the user disconnects the telnet session. It is my understanding from the documentation that with accounting enabled, I should see a log every 10 minutes for this connection, is that not right? Am I perhaps missing another configuration necessary for this?

Oh, I forgot to mention, we are running R81 VM in a test environment with VSX.

SH_ 2021-01-07 637.jpg

[Expert@CheckPoint-Mgmt:0]# cp_log_export show

name: syslog2
enabled: true
target-server: 172.20.10.152
target-port: 514
protocol: udp
format: splunk
read-mode: semi-unified
export-attachment-ids: false
export-link: false
export-attachment-link: false
time-in-milli: false

 

 

 

 

Thanks in advance,

RK

 

 

 

 

0 Kudos
1 Solution

Accepted Solutions
RKinsp
Contributor
‎2021-01-11 04:15 AM
Jump to solution

Hi PhoneBoy, thanks for your response!

Testing these past few days, I figured out that by changing the "Update Account Log every" to 600 seconds, the system sends and updated log every 10 minutes to my log server. I changed this setting for both the FW and the Management Server, so I'm not sure which one made the difference (or if you need both) but I will keep testing.

One issue I have now is that I am unable to identify middle and end logs. From my tests, the LogID field is 0 for the first log of the connection and 6 for the middle and end. There are other fields that I am unsure what they mean (_pos, nsons), but I will probably start another post on this.

Sincerely,

RK

 

SH_ 2021-01-11 2225.jpg

View solution in original post

Telnet_sample_logs.txt
Preview file
10 KB
0 Kudos
2 Replies
PhoneBoy
Admin
Admin
‎2021-01-08 04:44 PM
Jump to solution

That’s how often we send updates to the log server (every 10 minutes), but it may not translate to a log that is exported via Log Exporter until the connection is closed.

0 Kudos
RKinsp
Contributor
‎2021-01-11 04:15 AM
Jump to solution

Hi PhoneBoy, thanks for your response!

Testing these past few days, I figured out that by changing the "Update Account Log every" to 600 seconds, the system sends and updated log every 10 minutes to my log server. I changed this setting for both the FW and the Management Server, so I'm not sure which one made the difference (or if you need both) but I will keep testing.

One issue I have now is that I am unable to identify middle and end logs. From my tests, the LogID field is 0 for the first log of the connection and 6 for the middle and end. There are other fields that I am unsure what they mean (_pos, nsons), but I will probably start another post on this.

Sincerely,

RK

 

SH_ 2021-01-11 2225.jpg

Telnet_sample_logs.txt
Preview file
10 KB
0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events
    Top