Re: Preferred SmartLog queries and appropriate col...

XBensemhoun · ‎2018-02-18

Hi all,

I would like we shared our best smartlog query and their appropriate columnsprofiles (if you do not choose 'Automatic Profile Selection').

We all should have generalize at least once a query in order to understand if a specific comportment/situation could be found in other firewalls.

And if you do not remember what were your perfect queries, see your complete history (from you SmartLog enabled server):

$SMARTLOGDIR/data/users_settings/<your login name>/history.xml

Queries:

Regarding Endpoint Security Remote Access solutions:

seeing tunnels activities :

tunnel_test or action:"Key Install" or action:"Failed Log In" OR action:"Log In" OR action:"Log Out" OR action:reject OR action:Update

connections errors

blade:vpn AND action:Reject ( "endpoint" OR "user" OR "Office Mode" )

errors authenticating users

"Could not obtain user object" "IKE failure"

Certificates: any alert regarding crl (Certification Revocation List) or certificates‌ (see sk104400‌ for more details)

type:alert (certificate or CRL)

Security Management Log Server : when logs were not able to be sent to it:

"were not sent to log server"

Any TCP state errors listed in sk101221‌ (personally, I've discovered this possibility thanks to "Max Power" Book Second Edition Released! 😞

tcp (fin OR syn) NOT "both fin" NOT "established"

Every logs of a specific rule (Hit count detail could be useful as well):

{ABC12345-ABC1-ABC1-ABC1-ABC123ABC12}

Columns Profiles:

First of all, did you know that we can generalize our best columns profiles for every or selected users (seesk109512 )?

My default columns profile (for general logs) is:

with which I can see immediately src/dst IPs, src/dst ports and Xlate src/dst and basics.

So : what are your perfect and efficient queries ?

Information Security enthusiast, CISSP, CCSP

PhoneBoy · ‎2018-02-18

As I have a number of firewalls in my lab, I'm always trying to isolate logs for a specific one.

So I use:

origin:firewall_name

Among other queries.

XBensemhoun · ‎2018-02-23

In order to see any 'Control' log events, we can query:

blade:Firewall Network Control

For such query, I've created a ColumnProfile.

I didn't find a sk which explains how to do so I've tried and it works for me (dedicated Log Server, R77.30):

go on $SMARTLOGDIR/conf/ColumnsProfiles/
copy an existing .xml columns profile or create it on your own using the appropriate following syntax:

<?xml version="1.0" encoding="utf-8"?>
<profile>
        <Properties>
                <name>{NAME OF YOUR PROFILE}</name>
                <blade>{THE BLADE FOR WHICH IT WILL BE USED}</blade>
                <product_family>{THE PRODUCT FAMILY FOR WHICH IT WILL BE USED}</product_family>
        </Properties>
        <col><name>{NAME OF AVAILABLE INDEXED FIELDS 1}</name><width>125</width></col>
        <col><name>{NAME OF AVAILABLE INDEXED FIELDS 2}</name><width>27</width></col>
        ...
</profile>

If you are using 'Automatic Profile Selection':

...SmartLog will used preferably a ColumnsProfile which corresponds to the blade and Product family which is shown based on your query.

Control log events are something like:

Note that : blade = Firewall, Product Family = Network

So, for such log events, I've created the following Firewall_Network_Control.xml:

<?xml version="1.0" encoding="utf-8"?>
<profile>
        <Properties>
                <name>Firewall Network Control</name>
                <blade>Firewall</blade>
                <product_family>Network</product_family>
        </Properties>
        <col><name>time</name><width>125</width></col>
        <col><name>product</name><width>27</width></col>
        <col><name>orig</name><width>100</width></col>
        <col><name>severity</name><width>100</width></col>
        <col><name>calc_desc</name><width>100</width></col>
        <col><name>status</name><width>100</width></col>
        <col><name>description</name><width>100</width></col>
</profile>

change ownership of the file, must be like other ColumnsProfiles files in $SMARTLOGDIR/conf/ColumnsProfiles/ (use ls -lah to see ownership ; use chown <user>:<group> command to change them)
you must restart smartlog_server in order to be able to use new ColumnsProfile.

Then you should see:

Information Security enthusiast, CISSP, CCSP

Kfir_Dadosh · ‎2018-02-25

We are integrating a new web-based log viewer to SmartView, with profile editor capabilities.

It will allow customizing the fields in profile, and define a filter to auto select a profile above others.

We also planning to allow saving log views with existing filters and custom column profile to create your own custom views.

Question is:

- Do you use the width property, or prefer "auto-width" based on content feature?

XBensemhoun · ‎2018-02-26

Hi Kfir, thanks for this announcement.

Well, I'll give you one answer and one question (I take this opportunity ):

A : I was wondering how to do but I do not know how to select/configure "auto-width" for columns
Q : are you planning to integrate a more advanced "Custom Commands" so that we can execute local (admin computer) or remote (Security Management Log Server, which mean : no limit ! ) commands ?

Thanks a lot Kfir,

Xavier.

Information Security enthusiast, CISSP, CCSP

Kfir_Dadosh · ‎2018-02-26

The auto width feature is only available in the new Web Log Viewer

Adding custom commands is in the roadmap, and will probably be implement in the following version (post R80.20).

Since implemented on the web, commands will have to run on the server.

BR,

Kfir Dadosh

Scott_Paisley · ‎2022-04-28

if I create a custom profile in smartconsole R81, how do I share it with my colleagues?

Are you a member of CheckMates?

Preferred SmartLog queries and appropriate columns profiles