CheckMates > Products > Quantum > SMB Gateways (Spark)
Sending syslog from SMB - application fields are blank
Hey guys,
I am sending security logs from a 1490 via syslog to an external log server, but Application Control and URL Filtering fields show as "******":
appi_name="******" app_desc="******" app_id="******" app_category="******" matched_category="******" app_properties="******" app_risk="******" app_rule_id="******" app_rule_name="******"
Is this a limitation or is it because of some kind of privacy setting?
I know this is a setting in the OPSec connection, but I have not been able to find anything on the 1400 WebUI to set anything in this area. I was also browsing through the CLI guide and there is some stuff about user awareness, which brought the following question to mind: does your log show the user and URL information, or is that obfuscated as well?
On the other hand, when this is a centrally managed gateway you could use the log exporter from management instead; this will give you much more control over what is sent to the syslog server.
Actually, users are shown correctly. Only the fields related to the application are hidden. Check this log from my lab:
<85>2018-06-26T17:44:09.562830-03:00 Jun 26 17:44:07--3:00 192.168.252.1 Action="allow" UUid="{0x5b32a597,0x6,0x52c2737f,0xc0000002}" src="172.20.120.50" dst="216.58.222.78" proto="17" appi_name="******" app_desc="******" app_id="******" app_category="******" matched_category="******" app_properties="******" app_risk="******" app_rule_id="******" app_rule_name="******" app_sig_id="60340654:4" proxy_src_ip="172.20.120.50" user="Administrator(+)" src_user_name="Administrator(+)" snid="d671fcfa" product="Application Control" service="443" s_port="56644"
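As an added example (not part of the thread, and not Check Point code), the following Python snippet parses a record in the key="value" syslog format shown above and reports which fields the gateway has replaced with "******". This is useful on the receiving log server: if the Application Control fields arrive redacted, any dashboard or correlation rule keyed on app_id or app_category silently stops matching, and it is better to detect that than to discover it during an investigation. The sample record is the one from the post above; the second, fully populated record is constructed for contrast, and its application values are made up.

```python
import re
from typing import Dict, List

# Record taken from the post above (poster's lab; addresses are their lab values).
SAMPLE_LINE = (
    '<85>2018-06-26T17:44:09.562830-03:00 Jun 26 17:44:07--3:00 192.168.252.1 '
    'Action="allow" UUid="{0x5b32a597,0x6,0x52c2737f,0xc0000002}" src="172.20.120.50" '
    'dst="216.58.222.78" proto="17" appi_name="******" app_desc="******" app_id="******" '
    'app_category="******" matched_category="******" app_properties="******" '
    'app_risk="******" app_rule_id="******" app_rule_name="******" app_sig_id="60340654:4" '
    'proxy_src_ip="172.20.120.50" user="Administrator(+)" src_user_name="Administrator(+)" '
    'snid="d671fcfa" product="Application Control" service="443" s_port="56644"'
)

# Constructed record (not from the thread) showing what an unredacted export looks like.
UNMASKED_LINE = (
    '<85>2018-06-26T17:45:01.000000-03:00 Jun 26 17:45:00--3:00 192.168.252.1 '
    'Action="allow" src="172.20.120.51" dst="216.58.222.78" proto="6" '
    'appi_name="Example App" app_category="Business Applications" app_risk="Low" '
    'app_rule_name="Allow business apps" user="Administrator(+)" '
    'product="Application Control" service="443" s_port="50001"'
)

MASK = "******"                      # value the gateway substitutes for confidential fields
KV_RE = re.compile(r'(\w+)="([^"]*)"')   # key="value" pairs; values contain no quotes
PRI_RE = re.compile(r'^<(\d{1,3})>')     # RFC 3164/5424 PRI field at the start of the line


def parse_record(line: str) -> dict:
    """Split one syslog record into its PRI (facility/severity) and key/value fields."""
    m = PRI_RE.match(line)
    pri = int(m.group(1)) if m else None
    fields: Dict[str, str] = dict(KV_RE.findall(line))
    return {
        "facility": pri // 8 if pri is not None else None,
        "severity": pri % 8 if pri is not None else None,
        "fields": fields,
    }


def masked_fields(fields: Dict[str, str]) -> List[str]:
    """Return the keys whose value is the redaction marker, in record order."""
    return [k for k, v in fields.items() if v == MASK]


def classify(line: str) -> dict:
    """Parse a record and flag whether its Application Control data is usable."""
    rec = parse_record(line)
    masked = masked_fields(rec["fields"])
    rec["masked"] = masked
    # matched_category belongs to the same blade even though it lacks the app_ prefix
    rec["app_fields_redacted"] = any(
        k.startswith("app") or k == "matched_category" for k in masked
    )
    return rec


def summarize(lines: List[str]) -> dict:
    """Aggregate over a batch of records, e.g. one polling interval of the collector."""
    masked_keys = set()
    redacted = 0
    for line in lines:
        rec = classify(line)
        if rec["app_fields_redacted"]:
            redacted += 1
        masked_keys.update(rec["masked"])
    return {
        "records": len(lines),
        "redacted_records": redacted,
        "masked_keys": sorted(masked_keys),
    }


if __name__ == "__main__":
    for rec in (classify(SAMPLE_LINE), classify(UNMASKED_LINE)):
        print(rec["fields"].get("product"), "redacted:", rec["app_fields_redacted"],
              "masked fields:", rec["masked"])
    print(summarize([SAMPLE_LINE, UNMASKED_LINE]))
```

A collector can run summarize() over each batch and raise an alert when redacted_records is non-zero for the Application Control product, which turns the silent "******" problem from this thread into something the SOC sees the day it starts.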
show application-control-engine-settings advanced-settings
could give you a clue, but I could not find it; this could still be something controlled from the dashboard as the box is managed. In the OPSec it is called Log Permissions.
show application-control-engine-settings advanced-settings does not exist in my Firmware 😉
What I know this issue from is sk73400 - SmartLog displays some fields with asterisks in logs from Application Control blade or from ....
From the 700-1400 appliances R77.20.75 Technical Reference Guide (command search results):
set application-control-engine-settings advanced-settings fail-mode <fail-mode>
set application-control-engine-settings advanced-settings
set application-control-engine-settings advanced-settings enforce-safe-search <enforce-safe-search>
set application-control-engine-settings advanced-settings web-site-categorization-mode <web-site-categorization-mode>
set application-control-engine-settings advanced-settings track-browse-time
set application-control-engine-settings advanced-settings http-referrer-identification <http-referrer-identification>
set application-control-engine-settings advanced-settings
show application-control-engine-settings advanced-settings
9 result(s) found.
It is found in Check Point 600/700/1100/1200R/1400 Appliance Guide R77.20.75 p.96 - but in clish, it is not a shown command, that was the reason for my remark 🙂
The support team said this is a limitation, the same as described in sk112376 - Logs appear as confidential when configuring a Security Gateway R77.30 Gaia to send logs ...
I will submit a request for enhancement. If Maarten Sjouw and the others could do the same I would be grateful.
Thank you for the help, guys.
It seems on version R77.20.81 the problem was solved with an option to show these fields:
Sometimes RFEs work!