1550 - Syslog Server - Where's the "Action"?

Hey All,

I'm currently using a checkpoint 1550 configured to send System and Security logs to a simple Ubuntu server running rsyslog.

Going through the logs on the Ubuntu server, it seems like the 1550 is not sending any "Action" information for any of the logs, whether it's Drop or Accept.

Simple Ping that should be Dropped:

Jan 30 11:16:14 Jan 30 11:16:11--5:00 
10.x.x.x
inzone="External" 
outzone="Local" 
service_id="ICMP" 
ICMP="Echo Request" 
src="207.xxx.xxx.xxx" 
dst="128.xxx.xxx.xxx" 
proto="1" 
ICMP Type="8" 
ICMP Code="0" 
user="" 
src_user_name="" 
src_machine_name="" 
src_user_dn=""
snid="" 
dst_user_name="" 
dst_machine_name="" 
dst_user_dn="" 
UP_match_table="TABLE_START" 
ROW_START="0" 
match_id="5" 
layer_uuid="9fced3b3-5da9-494d-b7f1-3242694d99f8" 
layer_name="internal" 
rule_uid="00000780-0000-0000-0000-000000000000" 
rule_name="Incoming/Internal Default Policy"
ROW_END="0"
UP_match_table="TABLE_END" 
ProductName="VPN-1 & FireWall-1" 
ProductFamily=""

Simple Ping that should be Accepted:

Jan 30 11:24:34 Jan 30 11:24:33--5:00
10.x.x.x 
inzone="Internal" 
outzone="Local" 
service_id="ICMP" 
ICMP="Echo Request" 
src="10.x.x.x" 
dst="10.x.x.x" 
proto="1" 
ICMP Type="8"
ICMP Code="0" 
user="" 
src_user_name=""
src_machine_name=""
src_user_dn=""
snid=""
dst_user_name=""
dst_machine_name=""
dst_user_dn=""
UP_match_table="TABLE_START"
ROW_START="0"
match_id="5"
layer_uuid="9fced3b3-5da9-494d-b7f1-3242694d99f8" 
layer_name="internal"
rule_uid="00000780-0000-0000-0000-000000000000"
rule_name="Incoming/Internal Default Policy"
ROW_END="0" 
UP_match_table="TABLE_END"
ProductName="VPN-1 & FireWall-1"
ProductFamily=""

Am I missing something here? Shouldn't there be a field for "Action="? Perhaps my syslog server has a formatting issue? Others have told me they can't find the Action field either when looking at syslog files for their 1550.

I plan on using these logs in an Elastic Stack, but without having Action in the logs, it makes the data extremely difficult (and possibly pointless) to use.

4 Replies
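As an added example (not code from the post or from Check Point), here is a small Python parser for the key="value" record layout shown above, plus the check a practitioner would run over the rsyslog file before shipping it to Elastic: count how many records carry no action field at all. The sample record is constructed (addresses replaced with documentation ranges), and the names PAIR_RE, parse_checkpoint_kv, get_action and records_without_action are chosen here.

```python
import re

# Constructed sample in the key="value" layout shown in the post (addresses swapped for
# documentation ranges); rsyslog stores the whole record on one line.
SAMPLE_DROP = (
    'Jan 30 11:16:14 Jan 30 11:16:11--5:00 10.0.0.1 inzone="External" outzone="Local" '
    'service_id="ICMP" ICMP="Echo Request" src="203.0.113.5" dst="198.51.100.7" proto="1" '
    'ICMP Type="8" ICMP Code="0" user="" UP_match_table="TABLE_START" ROW_START="0" '
    'match_id="5" layer_name="internal" rule_name="Incoming/Internal Default Policy" '
    'ROW_END="0" UP_match_table="TABLE_END" ProductName="VPN-1 & FireWall-1" ProductFamily=""'
)

# Keys can contain spaces ("ICMP Type"): a key is a word plus optional space-separated
# words ending right before ="...". Values are double-quoted with no escaping.
PAIR_RE = re.compile(r'([A-Za-z_][A-Za-z0-9_]*(?: [A-Za-z0-9_]+)*)="([^"]*)"')

def parse_checkpoint_kv(line: str) -> dict:
    """Parse one record. Text before the first pair (timestamp, gateway IP) becomes
    'header'; the UP_match_table TABLE_START..TABLE_END span becomes a list of
    per-row dicts under 'matched_rules' so repeated keys are not overwritten."""
    pairs = list(PAIR_RE.finditer(line))
    record = {"header": (line[: pairs[0].start()] if pairs else line).strip()}
    rows, current, in_table = [], None, False
    for m in pairs:
        key, value = m.group(1), m.group(2)
        if key == "UP_match_table":
            in_table = value == "TABLE_START"
        elif not in_table:
            record[key] = value
        elif key == "ROW_START":
            current = {}
        elif key == "ROW_END":
            rows.append(current if current is not None else {})
            current = None
        elif current is not None:
            current[key] = value
    record["matched_rules"] = rows
    return record

def get_action(record: dict):
    """Return the value of an 'action' key in any capitalisation, or None if absent."""
    for key, value in record.items():
        if key.lower() == "action" and isinstance(value, str):
            return value
    return None

def records_without_action(lines: list) -> int:
    """Count records with no action field, the condition the post describes."""
    return sum(1 for ln in lines if ln.strip() and get_action(parse_checkpoint_kv(ln)) is None)
```

The parser also accepts the wrapped form shown in the post (one pair per line), since pairs are located by pattern rather than by separator.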

Re: 1550 - Syslog Server - Where's the "Action"?

Also this is a locally managed firewall.

Admin

Re: 1550 - Syslog Server - Where's the "Action"?

Might be worth a TAC case to investigate if this is expected behavior or not.

Re: 1550 - Syslog Server - Where's the "Action"?

Is the Action shown if you look at the log entry in WebGUI logs?


Re: 1550 - Syslog Server - Where's the "Action"?

The action is shown perfectly fine in the GUI.
