Hi all,

I would like we shared our best smartlog query and their appropriate columnsprofiles (if you do not choose 'Automatic Profile Selection').

We all should have generalize at least once a query in order to understand if a specific comportment/situation could be found in other firewalls.

And if you do not remember what were your perfect queries, see your complete history (from you SmartLog enabled server):

$SMARTLOGDIR/data/users_settings/<your login name>/history.xml

Queries:

Regarding Endpoint Security Remote Access solutions:

• seeing tunnels activities :

tunnel_test or action:"Key Install" or action:"Failed Log In" OR action:"Log In" OR action:"Log Out" OR action:reject OR action:Update

• connections errors

blade:vpn AND action:Reject ( "endpoint" OR "user" OR "Office Mode" )

• errors authenticating users

"Could not obtain user object" "IKE failure"

Certificates: any alert regarding crl (Certification Revocation List) or certificates‌ (see sk104400‌ for more details)

type:alert (certificate or CRL)

Security Management Log Server : when logs were not able to be sent to it:

"were not sent to log server"

Any TCP state errors listed in sk101221‌ (personally, I've discovered this possibility thanks to  "Max Power" Book Second Edition Released! 😞

tcp (fin OR syn) NOT "both fin" NOT "established"

Every logs of a specific rule (Hit count detail could be useful as well):

{ABC12345-ABC1-ABC1-ABC1-ABC123ABC12}

Columns Profiles:

First of all, did you know that we can generalize our best columns profiles for every or selected users (seesk109512 )?

My default columns profile (for general logs) is:

with which I can see immediately src/dst IPs, src/dst ports and Xlate src/dst and basics.

So : what are your perfect and efficient queries ?