Tomer_Sole
Mentor

Share your custom SmartView views & reports at CheckMates

Hi everyone,

 

R80.10 SmartEvent has a very capable engine for customized views and reports based on logs & audit logs. The front-end is called SmartView.

 

We want to use this community to share our customized dashboards and reports created with SmartView.

 

Let's have this thread as the main discussion of all custom reports - so that newcomers to SmartEvent will have one place with a repository of custom reports to choose from. I'm thinking of having this thread as the UI-equivalent of the highly popular My Top 3 Check Point CLI commands.

31 Replies
Tomer_Sole
Mentor

Using SmartView for Change Management:

 

R80.10 SmartView works with logs as well as audit logs.

In this example, I created a new customized report to describe the changes that my administrators performed this week. I used the Cloud Demo Mode for the data.

Please unzip the attached file, and import the .cpr file to your SmartConsole. 

 

 

 

Vladimir
Champion

I've noticed that the "Policies" and "Sessions" numbers in your report are identical to those in mine. I suspect this is incorrect.

0 Kudos
Tomer_Sole
Mentor

If both of us used the Cloud Demo Mode, which goes live with the same fake log data, then this makes sense.

0 Kudos
Vladimir
Champion

Nope, ran it in my lab.

0 Kudos
Christopher_Ta1
Contributor

I just want to view in the report who did the changes (delete object)?

0 Kudos
Tomer_Sole
Mentor

Edit this widget and choose to add the column "Administrator".

Matt_Taber
Contributor

Great share, thank you! I was starting to manually build this report when I decided to check out CheckMates.

0 Kudos
-TJ-
Participant

I'm loving this report! Or at least I was, until I ran it.

Does anyone else use Section Titles? I do. Lots of them. Every time a section title is "expanded" or "collapsed" it is recorded as a Modify Object in the audit log (pointless, I know).

I can filter these out in SmartView tracker, but I can't seem to get rid of them in this report. I end up with the example below, instead of Tomer's pretty results:

section_report.png

 

0 Kudos
genisis__
Leader

Has this been updated for R81.x? 

 

I used the report and the summary page is nice.

When we go down to the changes in each session section for a month's worth, there is very little information; it almost looks like this section is not picking up the change data correctly.

0 Kudos
CredID
Participant

Same problem, did you find a solution?

0 Kudos
CredID
Participant

Hi, I uploaded your change management report. The install and publish graphs are fine, but the changes in the session, if I select last 7 days as the period, only show the changes on several days...

I checked and in the audit logs the changes are logged.

Any idea why the report does not show all the changes?

0 Kudos
Amir_Senn
Employee

I would try 2 things:
1) On your SmartEvent server (SmartEvent keeps a separate set of indexes from a log server), check:

ls -lh $RTDIR/log_indexes/ | grep audit

This will show how far back you have indexes. In case you don't have the relevant indexes, it's possible that the relevant partition is full and the server does emergency cleanup and deletes older indexes (oldest first).

2) Make sure that the graph has automatic resolution on it:

1.PNG

 

If this doesn't help, please send screenshots.

Kind regards, Amir Senn
0 Kudos
Tomer_Sole
Mentor

To share:

1. Export your view or report, either within SmartConsole or from your web browser by clicking here:

2. Open a new tab

3. Navigate to Scheduled Reports-->Archive

4. Find your exported view or report in the list and choose "Download". Save this .cpr file on your computer

5. Now go back to the CheckMates Community and choose to post a new file. 

By default, a posted file is a thread of its own, and other users can comment on it. You can choose whether you want to keep these settings, or lock users 

In the next steps, we will make sure that we don't get lost by pointing the file to this thread rather than a thread per file.

 

6. For the clarity of things, you can rename the name of the posted file and add some comments, most importantly - make sure that you post this file under Logs & Monitor.

7. In order to avoid confusion, let's have this thread as the main discussion of all custom reports - so that newcomers to SmartEvent will have one place with a repository of custom reports to choose from. I'm thinking of having this thread as the UI-equivalent of the highly popular My Top 3 Check Point CLI commands.

Do this by restricting users from commenting on the topic that was opened for your newly-uploaded file:

8. OK - you have your file posted, now reply in this thread with the link, and add a nice screenshot.

To import a shared file:

In SmartConsole or in your browser, open a new SmartView tab, and choose "Import".

Please note that imported views will appear at the Views page and imported reports will appear at the Reports page. So you may end up importing a report file at Views only to find out it went to the Reports page.

Marco_Valenti
Advisor

Nice work, thanks for sharing. Trying to set up this report for multidomain at the moment.

Kaspars_Zibarts
Employee

Silly Q: in MDS case what are actual SmartEvent license requirements? Is it per CMA?

Marco_Valenti
Advisor

A SmartEvent license is required for using SmartView and, if I am correct, it is not relative to the CMA as long as you activate the CMA in SmartEvent, ofc.

0 Kudos
PhoneBoy
Admin

In an MDS environment, I believe you have to run SmartEvent on a separate server entirely.

It's licensed based on number of gateways.

That said, I believe SmartView should work without a SmartEvent license since it is also a log viewer.

Kfir_Dadosh
Collaborator

SmartEvent is global and so is the license.

Make sure to assign global policy from MDS and connect to the MDS or CMA IP.

Vladimir
Champion

Tomer,

Thank you for sharing and I intend to do the same, should I come up with something worthy :)

Can you suggest how to configure a report for the Remote Access duration summary and per user filtered over time?

0 Kudos
Kim_Moberg
Advisor

Tomer,

Awesome idea. What is the intention of the report? What time frame should be used here?

I mean, I understand the report intention is to track all changes made.

I have imported your report, but the 3rd page doesn't show all changes. For example, if I generate one report from January 1st until today, I know that I made a lot of changes, and the result on page 3 doesn't show all the changes.

Is your intention to generate this kind of report on a weekly basis, or what is the acceptable timeline for this report?

Kim

Best Regards
Kim
Tomer_Sole
Mentor

Reports are generated weekly. 

0 Kudos
Kim_Moberg
Advisor

I am trying to use some parts of your report and some views from a view called cyber kill view made by a colleague of yours. It is a view based on Lockheed Martin's Cyber Kill Chain.

So combined with your change mgmt / Audit logs I might be able to generate a weekly report.

When I ran the report I only got three pages, but when I ran the report as a view I had a lot of entries on page 3.

Kim

Best Regards
Kim
0 Kudos
Chad_Hubich
Participant

I made this change to make 'Changes in each session' span multiple pages:

Options > Edit > View Settings > Split table across multiple pages with No page limit

View Settings

Vladimir
Champion

Guys,

I feel like a complete schmuck: I cannot figure out how to create a report for the remote access activity with summary for all users and individual users' logon/logoff and duration.

Help?

0 Kudos
Vladimir
Champion

Never mind, there is a bug in your widgets that prevents them from graphing the right stuff: the Duration is being measured in quantities of something, rather than time. Please kick it to RnD to take a look at. See the https://community.checkpoint.com/thread/7343-buggy-widgets post for details.

Thank you,

Vladimir

Kiran_Naidu1
Participant

There are two steps:
a: Customize the report to get the remote access login and logout
b: Overcome the limitation of the number of logs shown in the single report (as it is difficult to fetch the report for more than 500 login/logoff events)

A: Customize the report to get the remote access login and logout
1: I have used the existing "detailed user activity" and cloned it.
2: Click on the options on the top right side, select "Report filter".
3: Under the 'blades' option select Mobile Access & Secure Client. Remove the other blades.
4: Select 'settings' and remove all the tabs. Now select time, client name, action and blade. (Add extra tabs based on your requirement, and also change the number of logs as per your requirement.)

B: Please find the changes done on the event server to overcome the size limitation in the report.
1: Select and open the report.
2: Click on the options on the top right side, select edit.
3: The Table setting tab is opened; now change Maximum number of logs from the default 500 to 100000. (We can choose any number based on the requirement, but it will have a performance impact.)
4: We were able to increase the number of logs shown in a single report.

Try the above and let me know if you face any issues or have any other questions.
Vladimir
Champion

Thank you Kiran!

I'll give it a shot next time I'm working with the client that has requested it and will let you know.

Vladimir
Champion

Tomer,

Is there now a dedicated repository with the custom views and reports?

I only see a few links in a few posts and no indications if any of the views were updated or changed over time.

Additionally, there were a few problems with some of the widgets that I've been told would be fixed in the future (the future is now) and there is no way to track any of it.

Thank you,

Vladimir

0 Kudos
DeletedUser
Not applicable

May I suggest Tomer edit the original post and provide there a list with links to each report/view? Another option is to create a category Imports and there only include posts with this category label.
