Wolfgang
Authority

search in log for "PenaltyBox" not possible

Hello CheckMates,

It's not possible to search in logs for entries blocked by the PenaltyBox feature (fwaccel dos pbox...).

Searching for "Penalty" or "DOS" brings no results. Looks like these fields are not indexed?

Why not? Every shown field should be searchable.

Is there any way to find these logs without knowing the source IP?

[Attached screenshot: 2021-05-28 09_38_38_penaltyBox_drop.png]


Accepted Solutions
Wolfgang
Authority

Small update...

With R81 the comment field is searchable. Now you can search for "penalty box" and results are shown 😀


7 Replies
PhoneBoy
Admin

Not every log field is indexed, for performance reasons.
That does make certain logs... harder to find.

HeikoAnkenbrand
Champion

Hi @Wolfgang,

Not all fields in SmartLog are displayed in the console. In sk144192 there are more log fields described that you can use.

Maybe the following fields can help:
- securexl_message

➜ CCSM Elite, CCME, CCTE ➜ www.checkpoint.tips
Wolfgang
Authority

@HeikoAnkenbrand and @PhoneBoy

No chance at all. None of the shown fields "SecureXL Message", "comment" or "Feature Name" is available as a filter.

Same in the old Log viewer.

I'm not happy that you have no chance to find any information on whether the PenaltyBox is detecting something 😞

PhoneBoy
Admin

I suspect there were some "under the hood" changes in R81 given you have to reindex all the logs when you upgrade.
Also, an interesting tidbit in the R81.10 EA release notes: The Solr functionality is replaced with a PostgreSQL database to improve the stability and performance of the Security Management Server.
Which means: more under the hood changes are coming 🙂

olliM
Explorer

Hi Wolfgang,

We had the same issue with R80.x. Because there was no solution for that, I tested some filter combinations and found a workaround.

Use the following filter to display the needed info in the logs:

(type:"Alert") and not (src:"ips of your internal network" or dst:"your ips from external networks")

It may be necessary to select or edit the correct profile for displaying the field "Firewall Message" in the logging table.

CheckPointerXL
Advisor

You can try with "penalty box".
