[Log Exporter] 0.0.0.0 in office_mode_ip in VPN Logs
Hello, I'm currently using Logstash to process Log Exporter logs. I'm seeing that in my VPN logs (I'm logging the "Log In" and "Log Out" actions) the field office_mode_ip, which contains the private IP given to the VPN user, is "0.0.0.0". Some other entries are correct, with IPs like 192.168.X.X, but in other entries I have the "Log In" action with that value in the office_mode_ip field. Viewing the SmartConsole logs, I can see the correct private IP given to the user. I'm currently processing the logs in Semi-Unified, doing a little trick with Elasticsearch so that if a field is changed or added, it's modified on the Elasticsearch document. Could this be the issue? Or something else that I'm not seeing?
Can say I ever seen that before. You are saying it only happens for some entries, I assume totally random?
Yep, maybe 1 or 2 every 10 or 20 entries. My clue is that since Semi-Unified sends a flow of logs, maybe Logstash is processing the office_mode_ip with a field like 192.X.X.X before, and after that the field with 0.0.0.0 is sent, so the last field is updated with that value. Being more technical, why am I receiving logs with that IP? Is it normal behavior of Checkpoint?
Personally, I would say that's not normal at all. Unless you see CP logs with those values, then yes, but if not, there is no reason why you would see them in Logstash. I would try contacting TAC to clarify this.
Negative, seeing the log for "Log In" actions gives a real private IP address used on my domain. I wouldn't give it much thought if there's no clear reason; I've already written a workaround in my Logstash pipeline since I'm thinking at some moment I will receive the real private IP address. Thanks for your time.
Sounds good!
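The overwrite discussed in this thread (a later Semi-Unified update carrying 0.0.0.0 replacing an office_mode_ip that was already stored) can be reproduced and guarded against as below. This is an added example in plain Ruby, not code from any post and not the workaround the poster wrote; the `loguid` correlation key, the sample updates and the reading of 0.0.0.0 as a "not assigned" placeholder are assumptions.

```ruby
require "ipaddr"

# Assumption: 0.0.0.0 in office_mode_ip is a placeholder, never a real lease.
PLACEHOLDER_IPS = ["0.0.0.0"].freeze

# Constructed sample: two sessions, each split over two Semi-Unified updates.
SAMPLE_UPDATES = [
  { "loguid" => "a1", "action" => "Log In", "user" => "alice", "office_mode_ip" => "192.168.10.5" },
  { "loguid" => "a1", "office_mode_ip" => "0.0.0.0" },   # late placeholder update
  { "loguid" => "b2", "action" => "Log In", "user" => "bob", "office_mode_ip" => "0.0.0.0" },
  { "loguid" => "b2", "office_mode_ip" => "192.168.10.9" } # real address arrives later
].freeze

# True when the value parses as an address and is not the placeholder.
def real_ip?(value)
  return false if value.nil? || PLACEHOLDER_IPS.include?(value)
  IPAddr.new(value)
  true
rescue IPAddr::Error
  false
end

# Last writer wins: what a plain "update the document with every field" does.
def merge_naive(doc, update)
  doc.merge(update)
end

# Drop a guarded field from the update when it would replace a real address
# with a placeholder; a placeholder is still stored if nothing better is known.
def merge_guarded(doc, update, guarded_fields = ["office_mode_ip"])
  safe = update.reject do |field, value|
    guarded_fields.include?(field) && !real_ip?(value) && real_ip?(doc[field])
  end
  doc.merge(safe)
end

# Apply updates in arrival order, keyed by loguid, using the given merge.
def replay(updates, &merge)
  updates.each_with_object({}) do |update, docs|
    id = update.fetch("loguid")
    docs[id] = merge.call(docs.fetch(id, {}), update)
  end
end

naive   = replay(SAMPLE_UPDATES, &method(:merge_naive))
guarded = replay(SAMPLE_UPDATES, &method(:merge_guarded))
puts "naive:   #{naive.transform_values { |d| d['office_mode_ip'] }}"
puts "guarded: #{guarded.transform_values { |d| d['office_mode_ip'] }}"
```

The guarded merge keeps a real address once one has been seen and still lets a real address replace an earlier placeholder, so both arrival orders end with the assigned IP.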
