This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Daniel_Kavan
MVP Gold
MVP Gold
‎2021-06-14 12:00 PM
Jump to solution

query on resource or user_group

I can do a query on service:https for example, but why/how can I query on user_group: or resource:    I found if I use 'resource:PT', no results found.   However, if I just query on PT and leave the 'resource:' part out, the query returns the correct results.     Is it because not all fields are indexed?  If so, is there a way to add a field like resource or user_group to the index?

0 Kudos
1 Solution

Accepted Solutions
PhoneBoy
Admin
Admin
‎2021-06-14 02:10 PM
In response to Daniel_Kavan
Jump to solution

Pretty sure this information comes across via Log Exporter, though I haven't checked.

The fact you can search and find that specific result is a good sign the necessary field is indexed, there just may not be a way to refer to that specific field.

I believe the schema files are in $RTDIR/solr/configsets and you can see what fields are indexed by their internal name.
Theoretically, these can be modified as well, but we don't support this and doing so can cause a significant performance degradation.
An RFE through the local office would be required to confirm if this could be done.

Meanwhile, there is an interesting tidbit in the R81.10 EA release notes that is relevant: "The Solr functionality is replaced with a PostgreSQL database to improve the stability and performance of the Security Management Server."
Solr is used not only for logs, but for searching some parts of the Security Management database as well.
Solr will be removed in R81.10 for non-logging functions, but it will still be used for logs.
In addition, Solr was upgraded as part of R81, which led to some performance/stability improvements.

(Edited statement related to Solr removal on 24 June 2021)

View solution in original post

3 Replies
PhoneBoy
Admin
Admin
‎2021-06-14 12:59 PM
Jump to solution

Not even clear what “resource” means in this context but you are correct not every field is indexed or can be referred to directly in a search.
Adding fields to the search index requires an RFE.
That said, the community feedback has been that R81 has additional fields indexed.

0 Kudos
Daniel_Kavan
MVP Gold
MVP Gold
‎2021-06-14 01:08 PM
In response to PhoneBoy
Jump to solution

Is there a list where you can see what fields are indexed in R80.40 vs R81?   So, it sounds like you can't add a field to be indexed.

Resource is a field in the Forensic details along with Reason and threat Wiki.   I wonder if you do a log_export with the log_exporter toool if Resource and user_group come over.  

0 Kudos
PhoneBoy
Admin
Admin
‎2021-06-14 02:10 PM
In response to Daniel_Kavan
Jump to solution

Pretty sure this information comes across via Log Exporter, though I haven't checked.

The fact you can search and find that specific result is a good sign the necessary field is indexed, there just may not be a way to refer to that specific field.

I believe the schema files are in $RTDIR/solr/configsets and you can see what fields are indexed by their internal name.
Theoretically, these can be modified as well, but we don't support this and doing so can cause a significant performance degradation.
An RFE through the local office would be required to confirm if this could be done.

Meanwhile, there is an interesting tidbit in the R81.10 EA release notes that is relevant: "The Solr functionality is replaced with a PostgreSQL database to improve the stability and performance of the Security Management Server."
Solr is used not only for logs, but for searching some parts of the Security Management database as well.
Solr will be removed in R81.10 for non-logging functions, but it will still be used for logs.
In addition, Solr was upgraded as part of R81, which led to some performance/stability improvements.

(Edited statement related to Solr removal on 24 June 2021)

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events