This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
mistercinux
Contributor
‎2020-06-12 08:43 AM

Log Parser is not working

Hello all, 

I enabled the Syslog server on a management server, and I want to see those logs on smartview tracker, but they are not really usable because no information is showned in the line, and I didn't found any column which simply shows the syslog message, and I can't find any documentation about this.

Is that possible to simply add a column with the syslog message ?

 

 

5 Replies
Dan_Zada
Employee Alumnus
Employee Alumnus
‎2020-06-13 10:59 PM

Hi,

In case you did not configure any log parser, you should see the entire log message in a field called "default"_device_message".

Are you using SmartConsole? SmartView?

mistercinux
Contributor
‎2020-06-14 11:38 PM
In response to Dan_Zada

Hello Dan_Zada,

Thank you for replying!

I can't find this column in the profile edititor :

checkmates2.png

 

I also tried to create a custom parser with the string into the "default_device_message" in the log details as following :

checkmates1.png

 

And it matches all logs using Eventia's simulation, but they are not tagged with the right product and so. When configuring, a parser with eventia, should the "Default Device Message" be used for parser creation ? 

(The parser was installed on the smartLog server, and cpstop/cpstart was done)

 

Best regards.

mistercinux
Contributor
‎2020-06-15 05:27 AM
In response to Dan_Zada

Hi,
I'm using SmartConsole, but I also tried to make it work with smartView.
Dan_Zada
Employee Alumnus
Employee Alumnus
‎2020-06-16 01:53 AM
In response to mistercinux

Hi,

I'm not sure I understand the issue, so I will try to clarify few things:

1. In case no parser was applied, the entire syslog message will be parsed into "default_device_message" and the product/blade will be called "Syslog"

2. Using the Eventia Log Parser, you can configure your parser by copying a log example and map the fields to Check Point fields or to your own fields (notice that in case you are using your own fields, they will not be indexed). You can also configure what the product name will be called. 

3. Once you apply those changes (using the Eventia scripts from the SK), the log server will parse the data and the fields will be populated

 

Thanks!

Dan.

mistercinux
Contributor
‎2020-06-23 07:01 AM
In response to Dan_Zada

Hello Dan, and thank you for your answere.

My parser don't work and the syslog messages are still showed in the "Default Device Message" field, Is there a way to show the column "Default Device Message" in smarv view (without having to open each log line), in order to have a real log view ? 

I can't find a way to show this column.

 

Best regards,

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events