RKinsp
Contributor

Log - Accounting

Good afternoon everyone!

We are trying to implement external logging with accounting updates. We have a simple rule set up that matches telnet traffic, and it is exporting to our syslog (using cp_log_exporter to a Splunk server); however, it is only sending the log when a connection opens and when the user disconnects the telnet session. It is my understanding from the documentation that with accounting enabled, I should see a log every 10 minutes for this connection. Is that not right? Am I perhaps missing another configuration necessary for this?

Oh, I forgot to mention, we are running R81 VM in a test environment with VSX.

SH_ 2021-01-07 637.jpg

[Expert@CheckPoint-Mgmt:0]# cp_log_export show

name: syslog2
enabled: true
target-server: 172.20.10.152
target-port: 514
protocol: udp
format: splunk
read-mode: semi-unified
export-attachment-ids: false
export-link: false
export-attachment-link: false
time-in-milli: false


Thanks in advance,

RK


PhoneBoy
Admin

That’s how often we send updates to the log server (every 10 minutes), but it may not translate to a log that is exported via Log Exporter until the connection is closed.

RKinsp
Contributor

Hi PhoneBoy, thanks for your response!

Testing these past few days, I figured out that by changing the "Update Account Log every" to 600 seconds, the system sends an updated log every 10 minutes to my log server. I changed this setting for both the FW and the Management Server, so I'm not sure which one made the difference (or if you need both), but I will keep testing.

One issue I have now is that I am unable to identify middle and end logs. From my tests, the LogID field is 0 for the first log of the connection and 6 for the middle and end. There are other fields that I am unsure what they mean (_pos, nsons), but I will probably start another post on this.

Sincerely,

RK


SH_ 2021-01-11 2225.jpg


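As an added example (not code from the thread, from Check Point, or from the log exporter itself), a small Python check that reads exported accounting records and confirms that each connection's updates arrive at the configured 600-second cadence. The key="value" layout and every field name other than LogID are assumptions about the Splunk export format; the meaning of LogID 0 (first record) and 6 (update/close) is taken from RK's reply above, and the sample lines are constructed.

```python
"""Added example: verify accounting-update cadence in exported records."""
import re
from collections import defaultdict

# Constructed sample records in an assumed key="value" layout. One telnet
# session has open (LogID 0), a 600 s update and a close (both LogID 6);
# a second session has an open record and a late update 1500 s later.
SAMPLE_LOGS = """\
time="1610000000" LogID="0" src="10.1.1.5" dst="10.2.2.9" service="23" proto="6" bytes="120"
time="1610000600" LogID="6" src="10.1.1.5" dst="10.2.2.9" service="23" proto="6" bytes="8400"
time="1610001200" LogID="6" src="10.1.1.5" dst="10.2.2.9" service="23" proto="6" bytes="9100"
time="1610000100" LogID="0" src="10.1.1.7" dst="10.2.2.9" service="23" proto="6" bytes="90"
time="1610001600" LogID="6" src="10.1.1.7" dst="10.2.2.9" service="23" proto="6" bytes="500"
"""

KV = re.compile(r'(\w+)="([^"]*)"')


def parse_line(line):
    """Turn one key="value" record into a dict (assumed layout)."""
    return dict(KV.findall(line))


def sessions(lines):
    """Group records by (src, dst, service, proto), each sorted by time."""
    groups = defaultdict(list)
    for line in lines:
        if line.strip():
            rec = parse_line(line)
            groups[(rec["src"], rec["dst"], rec["service"], rec["proto"])].append(rec)
    for recs in groups.values():
        recs.sort(key=lambda r: int(r["time"]))
    return groups


def check_cadence(lines, interval=600, slack=30):
    """Per session: the LogID sequence seen and any gap between consecutive
    records larger than interval + slack seconds. As the thread notes, LogID
    alone does not separate a 10-minute update from the final close record."""
    report = {}
    for key, recs in sessions(lines).items():
        times = [int(r["time"]) for r in recs]
        gaps = [b - a for a, b in zip(times, times[1:])]
        report[key] = {"logids": [r["LogID"] for r in recs],
                       "late_gaps": [g for g in gaps if g > interval + slack]}
    return report


if __name__ == "__main__":
    for key, info in check_cadence(SAMPLE_LOGS.splitlines()).items():
        print(key, info)
```

A session listed with a non-empty late_gaps value means the gateway did not deliver an update within the expected window, which is the symptom the thread started with.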