SMB syslog doesn't log action
So I'm rather shocked by this but I've just learned syslog from an SMB (and possibly non-SMB as well) will not log the action field to syslog. I was pointed to sk164514 which I can't seem to access. Not sure if this is internal or not.
I don't even know what to say about this. I have a firewall that isn't logging via syslog if anything is accepted or denied. It's just saying... stuff happened... I'm going to take a stab at a log exporter but I have no idea if that's possible without a management server. This is @%^$@#% ridiculous.
I sure am glad all these items below are getting logged instead of action. I don't know what I would do without knowing where the start or end of the table is (or what that even means). Good to know that the snid is unknown.
Awesome.
user="" src_user_name="" src_machine_name="" src_user_dn="" snid="" dst_user_name="" dst_machine_name="" dst_user_dn="" UP_match_table="TABLE_START" ROW_START="0" match_id="5" layer_uuid="9fced3b3-5da9-494d-b7f1-3242694d99f8" layer_name="internal" rule_uid="00000780-0000-0000-0000-000000000000" rule_name="Incoming/Internal Default Policy" ROW_END="0" UP_match_table="TABLE_END"
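As an added illustration (not code from the thread or from Check Point), here is a small parser for the key="value" record format shown above, plus an ingest check that flags records arriving without a usable action field. The first sample is the record quoted in the post; the second is a constructed record with an action field added to show what the check accepts. The handling of the UP_match_table block (TABLE_START / ROW_START / ROW_END / TABLE_END as row delimiters) is an assumption based only on the one record in the thread.

```python
import re
from typing import Dict, List, Optional

# Security-log records in the thread are a flat run of key="value" pairs.
# Assumption: values never contain an escaped double quote.
_PAIR_RE = re.compile(r'(\w+)="([^"]*)"')

# Record quoted in the original post (no action field at all).
THREAD_RECORD = (
    'user="" src_user_name="" src_machine_name="" src_user_dn="" snid="" '
    'dst_user_name="" dst_machine_name="" dst_user_dn="" '
    'UP_match_table="TABLE_START" ROW_START="0" match_id="5" '
    'layer_uuid="9fced3b3-5da9-494d-b7f1-3242694d99f8" layer_name="internal" '
    'rule_uid="00000780-0000-0000-0000-000000000000" '
    'rule_name="Incoming/Internal Default Policy" ROW_END="0" '
    'UP_match_table="TABLE_END"'
)

# Constructed sample (not from any device) carrying an action field.
CONSTRUCTED_RECORD = (
    'action="Drop" src="192.0.2.10" dst="198.51.100.5" proto="6" service="445" '
    'UP_match_table="TABLE_START" ROW_START="0" match_id="7" '
    'layer_name="internal" rule_name="Block SMB" ROW_END="0" '
    'UP_match_table="TABLE_END"'
)


def parse_record(line: str) -> Dict[str, object]:
    """Split one record into top-level fields plus a list of matched-rule rows.

    The UP_match_table markers only bracket the rows; ROW_START/ROW_END delimit
    each row, and every pair inside a row belongs to that row (assumed layout).
    """
    fields: Dict[str, object] = {}
    rows: List[Dict[str, str]] = []
    current_row: Optional[Dict[str, str]] = None
    for key, value in _PAIR_RE.findall(line):
        if key == "UP_match_table":
            continue
        if key == "ROW_START":
            current_row = {}
            continue
        if key == "ROW_END":
            if current_row is not None:
                rows.append(current_row)
            current_row = None
            continue
        if current_row is not None:
            current_row[key] = value
        else:
            fields[key] = value
    fields["match_rows"] = rows
    return fields


def missing_action(record: Dict[str, object]) -> bool:
    """True when the record has no action, or an empty one (useless for analysis)."""
    return not record.get("action")


def count_missing_action(lines: List[str]) -> int:
    """Ingest check: how many records in a batch cannot tell accept from drop."""
    return sum(1 for line in lines if missing_action(parse_record(line)))


if __name__ == "__main__":
    for line in (THREAD_RECORD, CONSTRUCTED_RECORD):
        rec = parse_record(line)
        rules = [row.get("rule_name") for row in rec["match_rows"]]
        print(f"action={rec.get('action', '<absent>')!r} rules={rules} "
              f"missing_action={missing_action(rec)}")
```

Running this over a syslog feed from the SMB during a pilot is a quick way to confirm whether the build you are on emits the action field before the records are wired into a SIEM.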
Accepted Solutions
It only took a public shaming but it looks like this has been resolved.
fw1_vx_dep_R80_992000913_20.img (basically build 913)
contains the fix.
Thanks to everyone involved in getting this addressed!
Wow. Glad to see it's not just me (my post). Seems almost inexcusable to have syslogs for a firewall and not have it report the Action. These logs are completely useless for customers who want to use these logs for any analysis.
Which firewalls that you know of send their security logs, including Accept / Deny / Reject actions, using syslog?
Of other vendors: Fortinet, pfSense, Ubiquiti EdgeRouters... Pretty sure Cisco ASAs and Palo Altos do this as well.
Come on, take it easy. This is apparently some negligence from our lovely vendor. Open SR and they will fix it right away!
🤣🤣🤣🤣🤣🤣🤣
Yeah, I did open a ticket. The reply was R&D will not be fixing this, it's a known issue and I'll need to submit an RFE.
Also I can't use log exporter because there is no mgmt server involved (this is local mgmt).
Yeah, that's a bit strange (to ask which do log action). It would make more sense to ask, of the ones that do send syslog, which "don't" indicate what the action was. I mean I can't see why the action would be more or less valuable than the source / destination if the concern was somehow information leakage. As it stands I see no way to get logs off a locally managed SMB that are of any use.
It's like I need to pay a management server tax to have external logs. I mean the WebUI is basically useless for any in-depth research since the query language only supports a single element (src, dst, product etc.).
I do not remember quite well but I think in R77.20 GE there is an action field in syslog records.
You are 100% correct. Just tested R77.30 open server.
Syslog logs accept and drop messages.
R80.20 open server: no it doesn't, yes we know, we're not fixing it, go get RFEed.
Obviously, you don't need that syslog information to protect against GEN 6 attacks....
There must be a technical explanation as to why it was dropped. Maybe because of the layered policy... I hope R&D is monitoring this thread and will provide some details about this.
My 14XX with R77.20.87 are working fine.
Are you using 15XX appliances? Must be an issue with the new R80.20 generation.
We've confirmed it does not work in r80.xx, but used to work in r77. For some unknown reason, this was removed and apparently there are no plans to ever add it back.
Correct, I think the core issue is R80.20. I would downgrade to R77.20 if that was an option at this point. I'm reaching out to some folks deeper in the org. If this can't be fixed I'm replacing these SMB devices with a different vendor.
Go for PaloAlto Networks. These guys have some impressive syslogging:
Yes they do. That is a lot of data though. I wonder if they're using TCP syslog to avoid fragmenting the messages.
Thanks for raising this issue.
From a quick internal investigation it seems this limitation was inherited from R80.20 enterprise version syslog feature.
We are learning it in order to provide a solution.
That is awesome and thank you so much for the update. Should my SR be re-opened?
Yes.
I assume you mean fwsyslog_enable? If so no, I'm not using that.
I'm talking about..
logs & monitoring -> External Log Servers -> Add a syslog server. This is local mgmt so no SMS/MDS.
The question was to @Barel_Tkach, not you. 😬
I figured it was enabled in the UI somehow.
There's no issue with OS-related syslog.
Missing action is only part of security logs.
WooHoo!