Create a Post
cancel
Showing results for 
Search instead for 
Did you mean: 
sajin
Contributor

Smart Event not showing Accepted Log

Jump to solution

Smart Event not showing Accepted and the Clean up rule is ANY ANY ALLOW. 

In the Event when i select the policy package in the filter, the ACCEPT logs shows 0. I changed the Log  to Detailed and Extended and after the Accept log was available but when expanding the logs again it shows only DETECT logs.

Please any one help on this issue.

1 Solution

Accepted Solutions
Dror_Aharony
Employee
Employee

What Phoneboy suggested is the older but possible option to correlate FW logs into Correlated Events that the SME will show (should work).

the better R80.10 & above alternative option is to generate a 'Session' log from your FW Rulebase policy, as All Session logs are indexed & shown by the SME.

using this method, you can decide which rules specifically to log into Session logs to also get indexed & shown by the SME.

How-To: Relevant rule > Track > R-Click > More > Activate log 'per Session'.

I'd advise to disable the 1st suggested option of activating Consolidated FW Sessions, if you decide on the 2nd Rulebase 'per Session' option, as it only puts an unnecessary load on your SME server to consolidate All FW logs into correlated events.

 

 

 

 

View solution in original post

0 Kudos
Reply
8 Replies
PhoneBoy
Admin
Admin
Generally firewall logs are NOT correlated by SmartEvent by default.
They must be enabled in the Event Policy.
sajin
Contributor

Is the above solution works for Rule Name and Rule Number Filter as am not able to filter with these two option.

PhoneBoy
Admin
Admin

You need to ensure Firewall Sessions are correlated (they are not by default).
Click on Logs and Monitor > New Tab > SmartEvent Settings and Policy and enable Firewall Sessions as shown.
Push the Event Policy afterwords.

Capture.PNG

abihsot__
Advisor

Hello,

I did it as per screenshot, however I don't see any events from firewall blade.  Am I missing something more? 

PhoneBoy
Admin
Admin
What is it that you're actually trying to get from SmartEvent related to these logs?
0 Kudos
Reply
tpoole_global
Employee
Employee
SE does not correlate standard fw logs by default.
Dror_Aharony
Employee
Employee

What Phoneboy suggested is the older but possible option to correlate FW logs into Correlated Events that the SME will show (should work).

the better R80.10 & above alternative option is to generate a 'Session' log from your FW Rulebase policy, as All Session logs are indexed & shown by the SME.

using this method, you can decide which rules specifically to log into Session logs to also get indexed & shown by the SME.

How-To: Relevant rule > Track > R-Click > More > Activate log 'per Session'.

I'd advise to disable the 1st suggested option of activating Consolidated FW Sessions, if you decide on the 2nd Rulebase 'per Session' option, as it only puts an unnecessary load on your SME server to consolidate All FW logs into correlated events.

 

 

 

 

View solution in original post

0 Kudos
Reply
abihsot__
Advisor

Very nice! This is exactly what I wanted. Now in SmartEvent I can see statistics of how many connections were made and how much data was transferred. Thanks!

0 Kudos
Reply