I would like we shared our best smartlog query and their appropriate columnsprofiles (if you do not choose 'Automatic Profile Selection').
We all should have generalize at least once a query in order to understand if a specific comportment/situation could be found in other firewalls.
And if you do not remember what were your perfect queries, see your complete history (from you SmartLog enabled server):
$SMARTLOGDIR/data/users_settings/<your login name>/history.xml
Regarding Endpoint Security Remote Access solutions:
- seeing tunnels activities :
tunnel_test or action:"Key Install" or action:"Failed Log In" OR action:"Log In" OR action:"Log Out" OR action:reject OR action:Update
blade:vpn AND action:Reject ( "endpoint" OR "user" OR "Office Mode" )
- errors authenticating users
"Could not obtain user object" "IKE failure"
Certificates: any alert regarding crl (Certification Revocation List) or certificates (see sk104400 for more details)
type:alert (certificate or CRL)
Security Management Log Server : when logs were not able to be sent to it:
"were not sent to log server"
Any TCP state errors listed in sk101221 (personally, I've discovered this possibility thanks to "Max Power" Book Second Edition Released! 😞
tcp (fin OR syn) NOT "both fin" NOT "established"
Every logs of a specific rule (Hit count detail could be useful as well):
First of all, did you know that we can generalize our best columns profiles for every or selected users (seesk109512 )?
My default columns profile (for general logs) is:
with which I can see immediately src/dst IPs, src/dst ports and Xlate src/dst and basics.
So : what are your perfect and efficient queries ?
Information Security enthusiast, CISSP, CCSP