I have log exporter set up to export logs via syslog in CEF format. I'm noticing that a lot of the IPS logs are often missing fields, mainly the destination IP and ports. I've verified that these fields are listed in the conf files and not being blocked from being exported. I've pasted a couple of examples below. This is for R80.20, and I'm wondering if anyone else has seen this, or if this is normal and, if so, any ideas as to why?
Examples:
"CEF:0|Check Point|SmartDefense|Check Point|IPS|Command Injection Over HTTP|Very-High|cp_severity=Very-High cs2Label=Protection ID cs2=asm_dynamic_prop_CMD_INJECTION cs3Label=Protection Type cs3=IPS cs4Label=Protection Name cs4=Command Injection Over HTTP deviceDirection=0 flexNumber1Label=Confidence flexNumber1=3 flexNumber2Label=Performance Impact flexNumber2=3 flexString2Label=Attack Information flexString2=Command Injection Over HTTP msg=Web Server Enforcement Violation rt=1553065375000 loguid={0x5c91e59f,0x1c,0x1520d30a,0xc000000a} origin=0.0.0.0 originsicname=CN\=ABCDEF,O\=myname.com sequencenum=1777 version=5 description_url=CMD_INJECTION_help.html product=SmartDefense smartdefense_profile=g_Production_and_QA_DEV_IPS src=120.27.248.226"
"CEF:0|Check Point|SmartDefense|Check Point|anomaly|Non Compliant DNS|Very-High|act=Drop cp_severity=Very-High cnt=22 cs2Label=Protection ID cs2=DnsProtocolEnforcement cs3Label=Protection Type cs3=anomaly cs4Label=Protection Name cs4=Non Compliant DNS deviceDirection=0 flexNumber1Label=Confidence flexNumber1=3 flexNumber2Label=Performance Impact flexNumber2=2 flexString2Label=Attack Information flexString2=Illegal number of Resource Records msg=Non Compliant DNS rt=1553138597000 ifname=lo loguid={0x0,0x0,0x0,0x0} origin=10.211.32.21 originsicname=CN\=ABCDEF,O\=myname.com sequencenum=276 version=5 product=SmartDefense rule=554 rule_name=4.551_._._OPEN-RULE-BAD rule_uid=c2ea1bf4-908d-4905-acf4-e8349562478b smartdefense_profile=g_Production_and_QA_DEV_IPS_79ca84b7e1848eb9 sub_policy_name=Production_Global Security sub_policy_uid=9b1c034b-b8a9-4dda-95ec-919ea0a79097 summary=Detected 22 events associated with the following attack: Attack name: Non Compliant DNS Attack data: Illegal number of Resource Records Packet Info: DNS query length 570 exceeds the allowed length 512 See sk73240 for more information."
"CEF:0|Check Point|SmartDefense|Check Point|IPS|Brute Force Scanning of CIFS Ports|Medium|cp_severity=Medium cs2Label=Protection ID cs2=asm_dynamic_prop_CIFS_BF_PORT_SCAN cs3Label=Protection Type cs3=IPS cs4Label=Protection Name cs4=Brute Force Scanning of CIFS Ports deviceDirection=0 flexNumber1Label=Confidence flexNumber1=1 flexNumber2Label=Performance Impact flexNumber2=2 flexString2Label=Attack Information flexString2=Brute Force scanning of CIFS ports msg=Windows SMB Protection Violation rt=1553043683000 loguid={0x5c9190e3,0xe,0x3e20d30a,0xc000000a} origin=0.0.0.0 originsicname=CN\=ABCDEF,O\=namegoeshere.dev.com55k sequencenum=229 version=5 description_url=CIFS_BF_PORT_SCAN_help.html product=SmartDefense smartdefense_profile=g_Production_and_QA_DEV_IPS src=10.211.68.109"
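One way to check systematically which exported records lack the fields the SIEM needs, as an added example that is not part of the post or of Check Point's log exporter: a small CEF parser that flags records missing src/dst/dpt/act. The EXPECTED list and the third sample record are assumptions; the first two samples are abridged from the records in the post.

```python
import re
from typing import Dict, List

# Keys a SIEM typically needs from an IPS event (assumed list; adjust to your parser).
EXPECTED = ("src", "dst", "dpt", "act")

HEADER_KEYS = ("cef_version", "device_vendor", "device_product", "device_version",
               "signature_id", "name", "severity")


def parse_cef(line: str) -> Dict[str, str]:
    """Parse one CEF line into a flat dict of header fields plus extension key=value pairs."""
    line = line.strip().strip('"')                      # the samples in the post are quoted
    parts = re.split(r'(?<!\\)\|', line, maxsplit=7)    # 7 unescaped pipes separate the header
    if len(parts) != 8 or not parts[0].startswith("CEF:"):
        raise ValueError("not a CEF record")
    event = dict(zip(HEADER_KEYS, parts[:7]))
    # Extension values may contain spaces, so split only where a space precedes a 'key=' token.
    for token in re.split(r' (?=[A-Za-z0-9_]+=)', parts[7]):
        key, _, value = token.partition("=")
        # Undo CEF extension escaping (e.g. originsicname=CN\=ABCDEF,O\=myname.com).
        event[key] = value.replace("\\=", "=").replace("\\|", "|").replace("\\\\", "\\")
    return event


def missing_fields(event: Dict[str, str], expected=EXPECTED) -> List[str]:
    """Return the expected keys that are absent or empty in a parsed record."""
    return [f for f in expected if not event.get(f)]


def audit(lines, expected=EXPECTED) -> Dict[str, List[str]]:
    """Map each protection name to the expected keys its exported record lacks."""
    report = {}
    for line in lines:
        ev = parse_cef(line)
        gaps = missing_fields(ev, expected)
        if gaps:
            report[ev["name"]] = gaps
    return report


# Two records abridged from the post plus one constructed complete record for comparison.
SAMPLES = [
    'CEF:0|Check Point|SmartDefense|Check Point|IPS|Command Injection Over HTTP|Very-High|'
    'cp_severity=Very-High cs4Label=Protection Name cs4=Command Injection Over HTTP '
    'msg=Web Server Enforcement Violation rt=1553065375000 '
    'originsicname=CN\\=ABCDEF,O\\=myname.com product=SmartDefense src=120.27.248.226',
    'CEF:0|Check Point|SmartDefense|Check Point|anomaly|Non Compliant DNS|Very-High|'
    'act=Drop cp_severity=Very-High cnt=22 msg=Non Compliant DNS rt=1553138597000 '
    'origin=10.211.32.21 rule=554 summary=Detected 22 events associated with the following '
    'attack: Attack name: Non Compliant DNS See sk73240 for more information.',
    'CEF:0|Check Point|SmartDefense|Check Point|IPS|Example Protection|Medium|'
    'act=Detect src=10.0.0.5 spt=51234 dst=10.0.0.9 dpt=80 proto=tcp rt=1553000000000',
]

if __name__ == "__main__":
    for name, gaps in audit(SAMPLES).items():
        print(f"{name}: missing {', '.join(gaps)}")
```

Run it over a capture of the exported syslog stream and compare the flagged records with the same events in SmartConsole to see whether the gap is in the export or in the log itself.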
Have you confirmed the log entries these correspond to in SmartView have the information?
Hi Mike,
We encounter the same problem in the same environment.
Were you able to figure out the reason?
Thanks in advance
We are also experiencing a similar issue in our environment. I have a ticket opened with TAC and have also notified our SE, but wanted to see if any insight could be shared here. He did switch to semi-unified read mode, and that improved things, but we are still missing some of the data on a subset of exported logs.
We are on R80.30 with JHF Take 111 and are exporting to LogRhythm. FWIW, I ran some pcaps and the missing data is evident there. Any guidance appreciated.
Hi,
You mentioned that you cannot see all fields in the log entries after the export operation.
Can you please tell me what made you think these fields should be there?
What you can actually do is find one log entry that may be "broken" in LogRhythm and look for the same log (from the same time) in your SmartConsole.
All fields should behave the same, meaning that every field that exists in SmartConsole should also be seen in LogRhythm.
If you need additional help with it, please contact me at shayhi@checkpoint.com and I will try my best to help.
Hi Shay, thanks for the response. It's not the fields that are missing, it's the data. For example - Destination IP. I have confirmed we see it in SmartLog, however, with a PCAP I have confirmed it is not being exported in some cases. I will reach out to you directly.
Hello,
Were you able to see the "Action" field in logs after changing read-mode to semi-unified?
Hello,
I am facing a similar issue where I require the "Action" field in IPS logs. Will changing read-mode from raw to "semi-unified" fix this?