This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
HristoGrigorov
MVP Gold
MVP Gold
‎2020-12-08 10:19 PM

Need help with SmartConsole

Hello,

I have two questions regarding smart console (R80.40):

1. How do I reverse log query by time? I mean if I want to see what was the first time matching entry was logged in, for example within the Last 7 Days how do I do it, without some long and painful scrolling of course ?

2. Why am I not able to copy time cell to clipboard ? It seems to work for all other cells but not this one.

Thanx in advance.

22 Replies
PhoneBoy
Admin
Admin
‎2020-12-09 01:30 PM

Using SmartView (instead of SmartConsole) might fix the second issue, but for the first, you might have to open up SmartView Tracker to do that one more efficiently.
Question is: why is that relevant?

HristoGrigorov
MVP Gold
MVP Gold
‎2020-12-09 07:21 PM

Hmm, if you ask me about what is the use case here, how about this:

1. My boss asked me what time exactly his laptop started to flood our active directory with ldap requests? I could not give answer in a sensible time and had to scroll for a long time day by day to find out. Not very pleasant if you ask me.

2. Being able to copy all but one cell gives me the impression software is "incomplete" unless there is a technical explanation why it is not possible.

PhoneBoy
Admin
Admin
‎2020-12-09 07:35 PM

Well...that is an interesting use case. 🙂
At some point, SmartView was supposed to replace what was in SmartConsole and you should be able to copy/paste that cell from there.

HristoGrigorov
MVP Gold
MVP Gold
‎2020-12-09 08:06 PM

Can't do it in SmartView either, just tried. Only way is to double click on the record and copy from pop-up window. Not very convenient but does the job.

0 Kudos
ED
Advisor
‎2020-12-10 12:30 AM

Hi Hristo,

 

You can try this. It's not a perfect solution but at least it will save you some scrolling 🙂

Mark a log and then press either "Page Down" on your keyboard to get to the bottom and "Page Up" the other way. Keep holding one of the keys till you get to the bottom (might take a while 🙂 )

The perfect solution would be to have the "Home" and "End" function as the top and bottom button. Or being able to click on the "Time" column and sort by time, just like in Excel. 

HristoGrigorov
MVP Gold
MVP Gold
‎2020-12-10 12:50 AM

@ED Thanx, my thoughts exactly. Although, I would be happy with export in Excel also but sadly that's not available ☹️

ED
Advisor
‎2020-12-10 01:01 AM
In response to HristoGrigorov

Have you tried this?

image.png

0 Kudos
Borut
Collaborator
Collaborator
‎2020-12-10 01:02 AM

You can export the logs to CSV by clicking the 3 line icon next to search box and chose File -> Export to Excel CSV...

I believe, all the relevant logs in the selected timeframe are exported.

HristoGrigorov
MVP Gold
MVP Gold
‎2020-12-10 01:09 AM

@Borut Thanx, that would be perfect but it is exporting only records in current view (max. 50). Not much of a use in this case.

0 Kudos
JanVC
Collaborator
‎2020-12-10 05:01 AM
In response to HristoGrigorov

you should do the export from the smartview web console, there you can select to export up to 1 million records

PhoneBoy
Admin
Admin
‎2020-12-10 11:08 AM
In response to HristoGrigorov

If you want export a larger number of records, use SmartView to do it.
It will export up to a million records (versus the "visible" records SmartConsole does).

0 Kudos
HristoGrigorov
MVP Gold
MVP Gold
‎2020-12-10 05:04 AM

@JanVC Thanx, they mean 1MB I think but that's still much better than SmartConsole 😉

0 Kudos
JanVC
Collaborator
‎2020-12-10 05:08 AM
In response to HristoGrigorov

yesterday I exported 192.000 records to csv, file was around 12.5 MB 

0 Kudos
HristoGrigorov
MVP Gold
MVP Gold
‎2020-12-10 05:15 AM

@JanVC  Yeah, seems I got it wrong. Did it took long time ? I will test it later today as it sounds promising.

0 Kudos
JanVC
Collaborator
‎2020-12-10 05:24 AM
In response to HristoGrigorov

I didn't stopwatch it, but I guess somewhere between 5-10 minutes

0 Kudos
JozkoMrkvicka
Authority
Authority
‎2020-12-10 07:37 AM

What about to check first hit of relevant rule ? If you dont have any any accept or very general rules for your boss's computer 😉

Kind regards,
Jozko Mrkvicka
HristoGrigorov
MVP Gold
MVP Gold
‎2020-12-10 07:48 AM

It is the cleanup rule. I will never allow ldap access from his laptop, not that crazy 😁

I can probably think of other ways to achieve it. But my point was that SmartConsole should natively provide it. On the other hand, grid controls there are so outdated.... 

0 Kudos
JozkoMrkvicka
Authority
Authority
‎2020-12-10 08:04 AM
In response to HristoGrigorov

Yes, there are plenty of limitations in SmartConsole related to logs. Some of them are solved in SmartView, but not all.

Assuming you have all logs available and can be recovered (from backup, NAS, tapes), you can create little script. Simply interate over *.fwlog files and use fw log command to export logs. Then do grep and find relevant time.

Or even faster, search for ruleID of cleanup and then grep for specific traffic.

I cannot think about any other solution with current SmartConsole/SmartView.

Kind regards,
Jozko Mrkvicka
JozkoMrkvicka
Authority
Authority
‎2020-12-10 11:51 AM

Or other way around ... what the boss did on his workstation ? What was the trigger of the flood? Some fancy new application was installed ? Some new updates (Windows) ? Sometimes looking on problem with other side is faster way to figure it out.

Kind regards,
Jozko Mrkvicka
0 Kudos
HristoGrigorov
MVP Gold
MVP Gold
‎2020-12-10 08:59 PM

@JozkoMrkvicka Agree but this happened some time ago and he asked me around what date flooding started so he could actually think of what he changed/installed. It is not so bad, flood is not aggressive hence why I did not noticed it for some time. 

0 Kudos
JozkoMrkvicka
Authority
Authority
‎2020-12-11 12:23 AM
In response to HristoGrigorov

Well... If you dont know what you did how you are supposed to know what happened at specific date and time ? Windows has some logs (events) which can be searched. Or using wireshark you should be able to check what application is causing the flood. But that would mean you need to have access to the workstation, which might be issue if we are talking about your supervisor 😉

I fully understand that Check Point should be able to provide all data you are looking for. I am also not sure if such basic feature is available in R81... Asking for RFE might help in the future. Or maybe this is basic functionality to be part of new R80.x/R81Jumbo...

Kind regards,
Jozko Mrkvicka
0 Kudos
JozkoMrkvicka
Authority
Authority
‎2020-12-12 02:22 AM

If you have installed Take 78 or higher on your R80.40 management, then you can try to use show-logs API. I did not try it, but maybe it can be used to speed-up searching or give you some interesting outputs.

Kind regards,
Jozko Mrkvicka
0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events