This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Pedro_Espindola
Advisor
‎2018-06-26 10:40 AM

Sending syslog from SMB - application fields are blank

Hey guys,

I am sending security logs from a 1490 via syslog to an external log server, but Application Control and URL Filtering fields show as "******":

appi_name="******" app_desc="******" app_id="******" app_category="******" matched_category="******" app_properties="******" app_risk="******" app_rule_id="******" app_rule_name="******"

Is this a limitation or is it because of some kind of privacy setting?

8 Replies
Maarten_Sjouw
Champion
Champion
‎2018-06-26 11:22 AM

I know this is a setting in the OPSec connection, but I have not been able to find anything on the 1400 WEBUI to set anything in this area. I was also browsing through the CLI guide and there is some stuff about the user awareness, which brought the following question to mind; does you log show the user and URL information, or is that obfuscated as well?

On the other hand when this is an centrally managed gateway you could use the log exporter instead from management, this will give you much more control over what is sent to the syslog server.

Regards, Maarten
0 Kudos
Pedro_Espindola
Advisor
‎2018-06-26 01:47 PM
In response to Maarten_Sjouw

Actually, users are shown correctly. Only the fields related to the application are hidden. Check this log from my lab:

<85>2018-06-26T17:44:09.562830-03:00 Jun 26 17:44:07--3:00 192.168.252.1 Action="allow" UUid="{0x5b32a597,0x6,0x52c2737f,0xc0000002}" src="172.20.120.50" dst="216.58.222.78" proto="17" appi_name="******" app_desc="******" app_id="******" app_category="******" matched_category="******" app_properties="******" app_risk="******" app_rule_id="******" app_rule_name="******" app_sig_id="60340654:4" proxy_src_ip="172.20.120.50" user="Administrator(+)" src_user_name="Administrator(+)" snid="d671fcfa" product="Application Control" service="443" s_port="56644"

0 Kudos
Maarten_Sjouw
Champion
Champion
‎2018-06-26 02:52 PM
In response to Pedro_Espindola

show application-control-engine-settings advanced-settings

could give you a clou but I could not find it, but this could still be something controlled from the dashboard as the box is managed. In the OPSec it is called Log Permissions.

Regards, Maarten
0 Kudos
G_W_Albrecht
MVP Silver
MVP Silver
‎2018-07-02 07:42 AM
In response to Maarten_Sjouw

show application-control-engine-settings advanced-settings does not exist in my Firmware 😉

What i know this issue from is sk73400 SmartLog displays some fields with asterisks in logs from Application Control blade or from ....

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
0 Kudos
Maarten_Sjouw
Champion
Champion
‎2018-07-02 02:29 PM
In response to G_W_Albrecht

from the  700-1400 appliances R77.20.75 Techincal Reference Guide:

set application-control-engine-settings
set application-control-engine-settings advanced-settings fail-mode <fail-mode>
set application-control-engine-settings
set application-control-engine-settings advanced-settings
set application-control-engine-settings
set application-control-engine-settings advanced-settings enforce-safe-search <enforce-safe-search>
set application-control-engine-settings
set application-control-engine-settings advanced-settings web-site-categorization-mode <web-site-categorization-mode>
set application-control-engine-settings
set application-control-engine-settings advanced-settings track-browse-time
set application-control-engine-settings
set application-control-engine-settings advanced-settings http-referrer-identification <http-referrer-identification>
set application-control-engine-settings
set application-control-engine-settings advanced-settings
show application-control-engine-settings
show application-control-engine-settings advanced-settings

 9 result(s) found.

Regards, Maarten
0 Kudos
G_W_Albrecht
MVP Silver
MVP Silver
‎2018-07-02 11:52 PM
In response to Maarten_Sjouw

It is found in Check Point 600/700/1100/1200R/1400 Appliance Guide R77.20.75 p.96 - but in clish, it is not a shown command, that was the reason for my remark 🙂

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
0 Kudos
Pedro_Espindola
Advisor
‎2018-07-17 10:30 AM

The support team said this is a limitation, the same as described in sk112376 - Logs appear as confidential when configuring a Security Gateway R77.30 Gaia to send logs ...

I will submit a request for enhancement. If Maarten Sjouw and the others could do the same I would be grateful.

Thank you for the help, guys.

Pedro_Espindola
Advisor
‎2018-11-23 02:09 PM

It seems on version R77.20.81 the problem was solved with an option to show these fields:

Show Obfuscated Fields

Sometimes RFEs work!

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events