Hello,
For the purpose of clarity: I am writing this in order to understand how the working scenario of sk72980 looks. I have detailed my experience regarding this in Attempt III below, and at this point I am puzzled as I can't find the logs anywhere while I do see LEA going on.
Here goes a very long post!
I am in a somewhat similar situation where I have SMS R80.20 and EP MGMT R80.20. They are separated and working fine in their own jobs.
The first reason to install them separately was prior experience with different HF levels of MGMT and EP, and the fact that the SB Agent was requesting R77.30.03 while TE was requesting a specific different HF level.
The second reason to install them separately is that the local CKP team also sold a separate EP MGMT license to the customer, and there would be no point in not using it if I can have a dedicated machine, to avoid the other prior experience of the SMS becoming slow over time as the config became bigger and bigger.
The third reason to install them separately is that EP is usually managed by another team than Network Security. This helps with segregation beyond the Role Based Admin features of SMS.
My customer came up with a very normal and plausible request: that he would be able to see all the logs in one place. This looked perfectly fine knowing that we have sk35288 (How to enable SmartEvent to read logs from external Security Management Server / externally managed Log Server). I knew it worked, I never suspected that this implies licensing, and I've asked for the sk to be updated. So let's start with this log file themed adventure!
Attempt I
Proceeded to configure sk35288 just to discover the error that adding the EP MGMT as a correlation unit cannot be done under SMS with a 5 GW license, as this one has only one Correlation Unit included. I found out that the 25 version has 4 of those units. The unit price for a Correlation Unit is 11k compared to the NGSM5 5.9k and EPMGMT 1.5k. I believe the numbers alone show why the customer would not understand why he should pay an extra 11k for seeing his logs in the existing setup. We are speaking about 100 EP Agents. So HW wise the NGSM5 should be able to correlate 100 EP Agents and 1 VE GW. To my memory 1 GW in MGMT licensing is equivalent to 1000 users.
Here is the error - I opened an SR to check and was cordially invited to speak to Account Services.
Attempt II
Seeing as how the previous attempt ended in failure, I went on with the second option: export syslog.
Proceeded with configuring Log Exporter - Check Point Log Export (sk122323) on the EP MGMT.
This was combined with the well placed checkbox below on the SMS:
After some digging through the dark I managed to also go through sk102995 (How to export syslog messages from Gaia Security Gateway to a Log Server and view them in SmartView Tracker). The important part was:
[Expert@HostName]# syslog -u ; syslog -r
This resulted in a successful import. But as you would expect, in every story there is a twist. And Check Point does sometimes like to make the epic one to remember! Logs are unfortunately not parsed.
This is a really bad user experience, so I decided together with the customer that it cannot be used like this.
There is a possibility to try to augment the result by using sk55020 (How to generate a log parser for third party syslog server). But this would take some time and effort and I don't know what to expect of the results. Anyway, if anyone has tried it I would be curious to see if it's viable.
Attempt III
Proceeded with sk72980 (How to configure SmartLog/SmartEvent NGSE to read logs from an external Log Server using LEA). This is our thread subject after all. Combined with sk107741 (How to configure SmartEvent NGSE to read logs from an External Log Server using LEA).
Well, everything worked according to the instructions. Currently LEA is set up but I have no logs in the Management. I searched for them with fw log and with SmartConsole. Where am I supposed to find them?
I do have LEA communication going on at all times:
17:10:35.000103 IP 10.10.100.100.37989 > 10.10.100.103.18184: Flags [P.], seq 5:9, ack 1, win 29, options [nop,nop,TS val 481979821 ecr 481826465], length 4
17:10:35.000159 IP 10.10.100.103.18184 > 10.10.100.100.37989: Flags [.], ack 9, win 29, options [nop,nop,TS val 481826465 ecr 481979821], length 0
Possible Future Attempt IV
I am thinking there should be a possibility to use the sk72980/sk107741/sk35288 examples and edit the $INDEXERDIR files, duplicating the :folder ("/opt/CPsuite-R80.20/fw1/log") line to point to a second folder where you could possibly copy the files from the EP MGMT using a script. I have not tested it, but this looks like the last option I have.
[Expert@ckp-mgmt-1:0]# cat log_indexer_custom_settings.conf
(
    :data ("/opt/CPrt-R80.20/log_indexer/data")
    :server_port ("127.0.0.1:18244")
    :dns_resolving (true)
    :dns_backresolving (true)
    :connections (
        :domain (
            :management (
                :name (127.0.0.1)
                :uuid ()
                :log_files (all)
                :is_local (true)
                :read_mode (CPMI)
            )
            :log_servers (
                : (
                    :name (127.0.0.1)
                    :uuid ()
                    :log_files (all)
                    :folder ("/opt/CPsuite-R80.20/fw1/log")
                    :is_local (true)
                    :read_mode (FILES)
                )
            )
        )
    )
    :max_disk_space_usage (0)
Well that was a long post. Thanks for bearing with me.
Thanks,
Cezar
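As an added example (not from the post, not Check Point code), here is a small Python parser and serializer for the ":key (value)" notation of log_indexer_custom_settings.conf that carries out the Attempt IV idea: clone the :log_servers entry with :folder pointed at a second directory. The sample text is constructed from the file shown above, the second folder path is a placeholder, and whether the indexer actually reads such a cloned entry (or also needs name/uuid/is_local changed) is an open question this example does not settle.

```python
import re
SAMPLE = """(
:connections (
:domain (
:log_servers (
: (
:uuid ()
:folder ("/opt/CPsuite-R80.20/fw1/log")
:read_mode (FILES)
)
)
)
)
)
"""  # constructed sample in the shape of the log_indexer_custom_settings.conf shown in the post
WS, NAME = re.compile(r"\s*"), re.compile(r"[A-Za-z0-9_]*")

def parse(text, pos=0):
    """Parse one '( ... )' value -> (value, next_pos); a block is a list of (key, value), a scalar a str."""
    pos = WS.match(text, pos).end()
    assert text[pos] == "(", f"expected '(' at offset {pos}"
    pos = WS.match(text, pos + 1).end()
    if text[pos] not in ":)":                       # scalar: raw text (quotes kept) up to ')'
        end = text.index(")", pos)                  # a ')' inside a quoted scalar is not handled
        return text[pos:end].strip(), end + 1
    items = []                                      # block; an empty '()' parses as []
    while text[pos] == ":":
        key = NAME.match(text, pos + 1).group(0)    # '' for the anonymous ': (' entries
        val, pos = parse(text, pos + 1 + len(key))
        items.append((key, val))
        pos = WS.match(text, pos).end()
    assert text[pos] == ")", f"expected ')' at offset {pos}"
    return items, pos + 1

def dump(value, depth=0):
    """Serialize back to the same notation, one item per line, tab-indented."""
    if isinstance(value, str):
        return f"({value})"
    pad = "\t" * depth
    body = "".join(f"{pad}\t:{k} {dump(v, depth + 1)}\n" for k, v in value)
    return f"(\n{body}{pad})" if value else "()"
def lookup(block, *keys):
    for key in keys:
        block = next(v for k, v in block if k == key)
    return block
def add_folder_source(tree, folder):
    """Attempt IV idea (hypothetical): clone the first log_servers entry with :folder set to a second directory."""
    servers = lookup(tree, "connections", "domain", "log_servers")
    servers.append(("", [(k, f'"{folder}"' if k == "folder" else v) for k, v in servers[0][1]]))
    return [lookup(entry, "folder") for _, entry in servers]
```

Call `dump(tree)` after `add_folder_source(tree, "/some/copied/epm/logs")` to get the modified text; the result round-trips through `parse` unchanged.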