oomph
Explorer

SIEM received truncated logs intermittently

Hello Team - We are observing a log truncation issue while using Log Exporter for the SIEM.

1 2021-02-17T22:12:13Z mtest2 CheckPoint 11111 - [action:"Drop"; flags:"400644"; .... outzone:"Internal"; product:"VPN-1 & FireWall-1"; proto:"6"; s_port:"11179"; service:"2
1 2021-02-17T01:15:22Z mtest2 CheckPoint 11111 - [action:"Drop"; flags:"400644"; .... outzone:"Internal"; product:"VPN-1 & FireWall-1"; proto:"6"; s_port:"22262"; service:"2"; service_id:"ABC_tcp-Pro

 .... = Removed other details for brevity

 

The key issue here is that logs are getting truncated at service:"2 or service_id:"ABC_tcp-Pro. This is happening periodically.

0 Kudos
8 Replies
_Val_
Admin

What do the actual corresponding logs say? Are they also different?

oomph
Explorer

Hi @_Val_  @Chris_Atkinson  This is irrespective of the log type. We have observed this truncation in different logs. Devices forward logs to the SIEM on port 601 TCP.
Though this is a frequent issue, it does not affect all logs. Truncation is intermittent, and most of the truncated logs are cut at the service:"2 or service_id:"ABC_tcp-Pro fields. Any idea why this is happening? Is there any configuration that could be impacting this?

Sample full log :

1 2021-02-17T22:12:13Z mtest2 CheckPoint 11111 - [action:"Drop"; flags:"400644"; .... outzone:"Internal"; product:"VPN-1 & FireWall-1"; proto:"6"; s_port:"11179"; service:"212" session_timeout:"0"; src:"1.2.3.4"; status:"Failure"; suppressed_logs:"0"; tunnel_protocol:"IPSec"; user:"ABC"; ]

1 2021-02-17T01:15:22Z mtest2 CheckPoint 11111 - [action:"Drop"; flags:"400644"; .... outzone:"Internal"; product:"VPN-1 & FireWall-1"; proto:"6"; s_port:"22262"; service:"2"; service_id:"IKE_tcp-Protocol"; src:"2.3.4.5"; alert:"alert"; update_count:"964"; ]

0 Kudos
Chris_Atkinson
Employee

Which SIEM platform, also are you working with TAC in parallel?

CCSM R77/R80/ELITE
0 Kudos
_Val_
Admin
Admin

Just to be 100% clear here. Logs can be truncated

  1. on the source log server,
  2. during transfer or
  3. after being received.

I suggested that you look at the specific logs by their time stamps to make sure those logs are fully showing on the log server. That covers p.1.

If there are no oddities there, run a tcpdump somewhere in the middle and try catching the logs during transfer, to cover p.2.

If you find an indication of logs being truncated for pp 1 or 2, open a TAC case.

If not, look on the receiving server.

0 Kudos
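The three-point check above is easier to do systematically if you let a script tell you which received lines are cut and where. The following Python is an added example, not code from the thread or from Check Point; it parses the syslog-style lines the original post shows (an RFC 5424 header followed by a bracketed block of key:"value"; pairs) and classifies each line as complete or truncated, reporting the last intact field and the dangling fragment. The sample lines are constructed for this example, modelled on the post's format with the "...." elision removed; only their shape is taken from the page. You can feed it lines from the SIEM (p.3) or the payloads you pull out of a tcpdump capture (p.2) and compare against what the log server shows (p.1).

```python
import re
from collections import Counter

# Constructed sample lines modelled on the format in the original post.
# Line 1 is complete; lines 2 and 3 are cut mid-value and mid-key, at the
# same points the post reports (service:"2 and service_id:"ABC_tcp-Pro).
SAMPLE_LINES = [
    '1 2021-02-17T22:12:13Z mtest2 CheckPoint 11111 - [action:"Drop"; flags:"400644"; '
    'outzone:"Internal"; product:"VPN-1 & FireWall-1"; proto:"6"; s_port:"11179"; '
    'service:"212"; session_timeout:"0"; src:"1.2.3.4"; status:"Failure"; user:"ABC"; ]',
    '1 2021-02-17T22:12:13Z mtest2 CheckPoint 11111 - [action:"Drop"; flags:"400644"; '
    'outzone:"Internal"; product:"VPN-1 & FireWall-1"; proto:"6"; s_port:"11179"; service:"2',
    '1 2021-02-17T01:15:22Z mtest2 CheckPoint 11111 - [action:"Drop"; flags:"400644"; '
    'outzone:"Internal"; product:"VPN-1 & FireWall-1"; proto:"6"; s_port:"22262"; '
    'service:"2"; service_id:"ABC_tcp-Pro',
]

# RFC 5424 header as it appears in the post: VERSION TIMESTAMP HOST APP PID MSGID,
# then the opening bracket of the key:"value"; block. Everything after "[" is the body.
HEADER_RE = re.compile(
    r'^(?P<ver>\d+) (?P<ts>\S+) (?P<host>\S+) (?P<app>\S+) (?P<pid>\S+) (?P<msgid>\S+) \[(?P<body>.*)$'
)
# One key:"value" pair. The trailing ";" is optional because the post's own full
# sample has a pair without it (service:"212" session_timeout:"0").
PAIR_RE = re.compile(r'\s*([A-Za-z0-9_]+):"([^"]*)"\s*;?')


def parse_line(line):
    """Classify one exported line as complete, truncated, or unparsed.

    A line is complete only if every pair closes its quote and the body ends
    with the closing "]". Anything left over after the last well-formed pair
    is returned as `fragment`, which is where the cut happened.
    """
    m = HEADER_RE.match(line)
    if not m:
        return {"status": "unparsed", "fields": {}, "fragment": line,
                "last_field": None, "length": len(line)}
    body = m.group("body")
    fields = {}
    pos = 0
    while True:
        pm = PAIR_RE.match(body, pos)
        if not pm:
            break
        fields[pm.group(1)] = pm.group(2)
        pos = pm.end()
    remainder = body[pos:].strip()
    status = "complete" if remainder == "]" else "truncated"
    return {
        "status": status,
        "ts": m.group("ts"),
        "host": m.group("host"),
        "fields": fields,
        "last_field": next(reversed(fields), None) if fields else None,
        "fragment": "" if status == "complete" else remainder,
        "length": len(line),
    }


def triage(lines):
    """Summarise a batch: counts per status, where the cuts land, and the line
    lengths of truncated lines (identical lengths point at a size limit rather
    than lossy transport)."""
    results = [parse_line(l) for l in lines]
    summary = {
        "total": len(results),
        "complete": sum(r["status"] == "complete" for r in results),
        "truncated": sum(r["status"] == "truncated" for r in results),
        "unparsed": sum(r["status"] == "unparsed" for r in results),
        "cut_after": Counter(r["last_field"] for r in results if r["status"] == "truncated"),
        "truncated_lengths": sorted({r["length"] for r in results if r["status"] == "truncated"}),
    }
    return summary


if __name__ == "__main__":
    for r in map(parse_line, SAMPLE_LINES):
        if r["status"] == "truncated":
            print(f'{r["ts"]} {r["host"]}: cut after {r["last_field"]}, fragment {r["fragment"]!r}')
    print(triage(SAMPLE_LINES))
```

If the same lines are intact in the capture taken between exporter and SIEM but truncated in the SIEM, the problem is on the receiving side; if the capture already shows the cut, that is the point at which to involve TAC. A constant `truncated_lengths` value across many lines is worth noting in that case, since it suggests a fixed message-size limit somewhere on the path rather than random loss.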
Chris_Atkinson
Employee

As Val suggests are these Connection versus Session logs for instance?

The only oddity I've seen encountered otherwise (excluding parser issues) is outlined in sk155593.

CCSM R77/R80/ELITE
Juan_
Collaborator

Mate, try changing the read-mode to "semi-unified" on the instance.

cp_log_export set read-mode semi-unified name <name of exporter>

And restart the instance

https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut...

0 Kudos
Chris_Atkinson
Employee

Should be the default in R81 and above. @oomph what version is the management?

CCSM R77/R80/ELITE
0 Kudos
oomph
Explorer

Hi @Juan_, it's using semi-unified read mode.

0 Kudos