
SMB syslog doesn't log action


So I'm rather shocked by this, but I've just learned that syslog from an SMB (and possibly non-SMB as well) will not log the action field to syslog. I was pointed to sk164514, which I can't seem to access. Not sure if this is internal or not.

I don't even know what to say about this. I have a firewall that isn't logging via syslog whether anything is accepted or denied. It's just saying... stuff happened... I'm going to take a stab at a log exporter, but I have no idea if that's possible without a management server. This is @%^$@#% ridiculous.

I sure am glad all these items below are getting logged instead of action. I don't know what I would do without knowing where the start or end of the table is (or what that even means). Good to know that the snid is unknown.

Awesome.

 

user="" 
src_user_name="" 
src_machine_name="" 
src_user_dn=""
snid="" 
dst_user_name="" 
dst_machine_name="" 
dst_user_dn="" 
UP_match_table="TABLE_START" 
ROW_START="0" 
match_id="5" 
layer_uuid="9fced3b3-5da9-494d-b7f1-3242694d99f8" 
layer_name="internal" 
rule_uid="00000780-0000-0000-0000-000000000000" 
rule_name="Incoming/Internal Default Policy"
ROW_END="0"
UP_match_table="TABLE_END" 


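The field dump above is the whole problem in one record: rule match data, but no action. As an added example (not code from this thread or from Check Point), the Python below parses key="value" syslog payloads of this shape and audits a feed for the fields an analyst actually needs, so the gap can be caught when the syslog server is first enabled rather than during an incident. The sample records are constructed: the first reproduces the field set quoted in the post, the second is what a usable record would look like; the src, dst, proto and service names in it are assumptions for illustration and do not come from the post.

```python
import re
from typing import Dict, List

# Constructed sample syslog payloads (not captured from a real gateway).
# Record 0 reproduces the field set quoted in the post: rule match data but no action key.
# Record 1 is what an analysable record needs; the src/dst/proto/service names are
# assumptions for illustration, not taken from the post.
SAMPLE_RECORDS = [
    'user="" src_user_name="" src_machine_name="" snid="" '
    'UP_match_table="TABLE_START" ROW_START="0" match_id="5" '
    'layer_uuid="9fced3b3-5da9-494d-b7f1-3242694d99f8" layer_name="internal" '
    'rule_uid="00000780-0000-0000-0000-000000000000" '
    'rule_name="Incoming/Internal Default Policy" ROW_END="0" UP_match_table="TABLE_END"',
    'action="Drop" src="10.0.0.5" dst="192.0.2.10" proto="6" service="445" '
    'layer_name="internal" rule_name="Incoming/Internal Default Policy"',
]

# key="value" pairs; the value may contain backslash-escaped quotes.
KV_RE = re.compile(r'(\w+)="((?:[^"\\]|\\.)*)"')

# Without these a firewall record cannot answer "was this allowed or blocked, and for whom".
REQUIRED_FOR_ANALYSIS = ("action", "src", "dst", "rule_name")


def parse_record(line: str) -> Dict[str, List[str]]:
    """Parse a key="value" record into a dict of key -> list of values.

    Values are kept in a list because keys repeat (UP_match_table appears as
    TABLE_START and TABLE_END in the same record) and a last-wins dict would
    silently discard one of them.
    """
    fields: Dict[str, List[str]] = {}
    for key, value in KV_RE.findall(line):
        fields.setdefault(key, []).append(value)
    return fields


def missing_fields(fields: Dict[str, List[str]]) -> List[str]:
    """Return the required keys that are absent or carry only empty values."""
    return [
        key for key in REQUIRED_FOR_ANALYSIS
        if key not in fields or all(v == "" for v in fields[key])
    ]


def summarize_actions(lines: List[str]) -> Dict[str, int]:
    """Count records per action, bucketing records with no usable action under '<missing>'.

    Run this over a sample of the feed after enabling the syslog server: if the
    '<missing>' bucket holds everything, the feed cannot be used for accept/deny analysis.
    """
    counts: Dict[str, int] = {}
    for line in lines:
        values = parse_record(line).get("action", [])
        action = next((v for v in values if v), "<missing>")
        counts[action] = counts.get(action, 0) + 1
    return counts


def audit_feed(lines: List[str]) -> List[str]:
    """Return one finding per record that fails the required-field check."""
    findings = []
    for index, line in enumerate(lines):
        missing = missing_fields(parse_record(line))
        if missing:
            findings.append(f"record {index}: missing {', '.join(missing)}")
    return findings


if __name__ == "__main__":
    for finding in audit_feed(SAMPLE_RECORDS):
        print(finding)
    print(summarize_actions(SAMPLE_RECORDS))
```

Feed it the raw payload after the syslog header (what your collector stores as the message body). The repeated-key handling matters for the record shown in the post: UP_match_table occurs twice, and a naive `dict(re.findall(...))` would keep only TABLE_END.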

26 Replies

Re: SMB syslog doesn't log action


Wow. Glad to see it's not just me (my post). Seems almost inexcusable to have syslogs for a firewall and not have it report the Action. These logs are completely useless for customers who want to use these logs for any analysis.


Re: SMB syslog doesn't log action


Which firewalls that you know of send their security logs, including Accept / Deny / Reject actions, using syslog?


Re: SMB syslog doesn't log action


Of other vendors: Fortinet, pfSense, Ubiquiti EdgeRouters... Pretty sure Cisco ASAs and Palo Altos do this as well.


Re: SMB syslog doesn't log action


Come on, take it easy. This is apparently some negligence from our lovely vendor. Open SR and they will fix it right away!


Re: SMB syslog doesn't log action


🤣🤣🤣🤣🤣🤣🤣


Re: SMB syslog doesn't log action


Yeah, I did open a ticket. The reply was that R&D will not be fixing this, it's a known issue and I'll need to submit an RFE.

Also I can't use log exporter because there is no mgmt server involved (this is local mgmt).


Re: SMB syslog doesn't log action


Yeah, that's a bit strange (to say which do log action). It would make more sense to say, of the ones that do send syslog, which "don't" indicate what the action was. I mean I can't see why the action would be more or less valuable than the source / destination if the concern was somehow information leakage. As it stands I see no way to get logs off a locally managed SMB that are of any use.

It's like I need to pay a management server tax to have external logs. I mean the WebUI is basically useless for any in-depth research since the query language only supports a single element (src, dst, product, etc.).


Re: SMB syslog doesn't log action


I do not remember quite well but I think in R77.20 GE there is action field in syslog records. 


Re: SMB syslog doesn't log action


You are 100% correct. Just tested R77.30 open server.

Syslog logs accept and drop messages.

R80.20 open server. No it doesn't, yes we know, we're not fixing it, go get RFEed.


Re: SMB syslog doesn't log action


Obviously, you don't need that syslog information to protect against GEN 6 attacks....


Re: SMB syslog doesn't log action


There must be a technical explanation as to why it was dropped. Maybe because of the layered policy... I hope R&D is monitoring this thread and will provide some details about this.


Re: SMB syslog doesn't log action


My 14XX with R77.20.87 are working fine.

Are you using 15XX appliances? Must be an issue with the new R80.20 generation.

 


Re: SMB syslog doesn't log action


We've confirmed it does not work in r80.xx, but used to work in r77.  For some unknown reason, this was removed and apparently there are no plans to ever add it back.


Re: SMB syslog doesn't log action


Correct, I think the core issue is R80.20. I would downgrade to R77.20 if that was an option at this point. I'm reaching out to some folks deeper in the org. If this can't be fixed I'm replacing these SMB devices with a different vendor.


Re: SMB syslog doesn't log action


Go for PaloAlto Networks. These guys have some impressive syslogging:

 

https://docs.paloaltonetworks.com/pan-os/8-1/pan-os-admin/monitoring/use-syslog-for-monitoring/syslo...


Re: SMB syslog doesn't log action


yes they do. That is a lot of data though. I wonder if they're using tcp syslog to avoid fragmenting the messages.

Employee

Re: SMB syslog doesn't log action


Thanks for raising this issue.

From a quick internal investigation it seems this limitation was inherited from R80.20 enterprise version syslog feature.

We are looking into it in order to provide a solution.

 


Re: SMB syslog doesn't log action


That is awesome and thank you so much for the update. Should my SR be re-opened?

Employee

Re: SMB syslog doesn't log action


Yes.

Admin

Re: SMB syslog doesn't log action

You talking about the kernel-level syslog feature or something else?

Re: SMB syslog doesn't log action


I assume you mean fwsyslog_enable? If so, no, I'm not using that.

I'm talking about..

logs & monitoring -> External Log Servers -> Add a syslog server. This is local mgmt so no SMS/MDS.

Admin

Re: SMB syslog doesn't log action


The question was to @Barel_Tkach, not you. 😬
I figured it was enabled in the UI somehow.

Employee

Re: SMB syslog doesn't log action


There's no issue with OS-related syslog; the missing action is only part of security logs.


Re: SMB syslog doesn't log action (Accepted Solution)

It only took a public shaming but it looks like this has been resolved.

fw1_vx_dep_R80_992000913_20.img (basically build 913)

contains the fix.

 

Thanks to everyone involved in getting this addressed!

 



Re: SMB syslog doesn't log action


WooHoo!

Admin

Re: SMB syslog doesn't log action

I prefer to think of it as "bringing the truth to light" and addressing it.