R80.10 Smartview Web or SmartConsole : Exporting A...

Laurent_Le_Foll · ‎2017-08-10

Hello,

From the Smartconsole -> Logs & Monitor -> Log view or from the Smartview Web interface, I would like to export all logs from a filtered log view to CSV. In both cases, I use the "Export to Excel" function but I have two different problems :

In smartconsole, I only get the displayed logs in the CSV, not the complete list of filtered logs. Is there a way to change that ?
In smartview, I can choose the number of logs to export and I have figured out that the exported CSV is on the "New Tab" -> Archive but the CSV file only contains a very limited subset of fields. Is there a way to change the fields exported ?

Thanks.

PhoneBoy · ‎2017-08-10

As far as I know, the "Export to CSV" option only exporting visible fields is a known limitation.

What fields do you want to see in SmartView that are not showing right now?

Laurent_Le_Foll · ‎2017-08-11

I am currently working on SmartEvent policies (especially Scans, Denial of service, Abnomalies policies) and I need to set detection thresholds. One way to adjust them is to use the "Max Num Count Detected" (max_num_count_detected) field we can find in correlated logs. Getting this field for a number of logs for given events could allow me to analyze current behaviours and define baseline thresholds adapted to my traffic.

I have tried to use "fwm logexport" on my log server and filter returned logs (grep, cut,..) but it looks like "fwm logexport" returns inconsistent line format in my case. For example, below is an extract of 3 lines in an export :

;udp;389;;;;;;;;;;2000;IP sweep from internal network;

;udp;389;;;;;;;2000;IP sweep from internal network;

;udp;389;;;;;2000;IP sweep from internal network;

On that part of the export, the number of empty fields is not always the same....

So as I have problems with fwm logexport for the time being, I am trying to figure another way around to export logs with all the fields I am interested in.

Thanks,

PhoneBoy · ‎2017-08-11

fwm logexport output has historically varied.
For sure it only exports raw logs and not events correlated.

If I understand the problem you're trying to solve: You're trying to see how many of a given event is "normal" in your environment so you can adjust SmartEvent detection thresholds to a reasonable value.

I'll see if I can get R&D to provide some guidance here.

Juan_Concepcion · ‎2019-02-25

What is the default location where these files are saved?? I have run this several times and cannot find the csv file.

PhoneBoy · ‎2019-02-25

When you ask for a CSV export, the request is queued and run.

These request may take some time to run.

They may exist somewhere on the management server, but not sure where.

When the job is completed, you should be able to download said CSV file.

Juan_Concepcion · ‎2019-02-25

I have run several jobs, small jobs, and I get the notification that it was completed but no option to download or indication where the file is.

PhoneBoy · ‎2019-02-25

I got one (see below).

But this was on R80.20 SmartView.

Juan_Concepcion · ‎2019-02-26

R80.20 works like a champ. The R80.10 is my challenge.

Juan_Concepcion · ‎2019-02-26

Figured it out – so in R80.10 you do not get the option to download instead you have to go to “Archives” section under “New Tab Catalog” to download the reports created in SmartView:

Juan_Concepcion · ‎2019-02-26

Under "New Tab Catalog" after you've run your export

Juan_Concepcion · ‎2019-04-24

Is there a way to disable resolution in SmartView as you do in SmartConsole Log??

--Juan

Are you a member of CheckMates?

R80.10 Smartview Web or SmartConsole : Exporting ALL filtered logs to CSV