Hi Team,
One of our customer environments is running R80.30. The audit team found that PBR-related changes are missing from the audit logs, but we can see routing changes in the audit log. If it is not possible, please share the audit log details related to the gateway.
I put the question to you: what precisely are you seeing versus what you expect to see?
If you prefer not to share these details in public, I recommend a TAC case.
We are expecting that if someone performs PBR-related changes, they should be captured in the audit log. The routing changes are captured but the PBR changes are missing, so, if I'm not mistaken, PBR-related configuration changes should be captured?
Herewith I have shared my lab output.
The audit logs in SmartConsole will only show changes made via SmartConsole or the API.
For OS-level changes like routing, the better place to look is /var/log/messages.
This is a distributed architecture. The customer wants to feed routing changes and PBR-related changes to the SIEM solution, so please recommend the best way to achieve this requirement. We are already using Log Exporter to export security and audit logs to the SIEM solution, but the customer is now concerned that routing and PBR-related changes should be captured by the SIEM.
Changing PBR is a configuration change done on the gateways.
To get this into your SIEM solution you have to export the audit logs from your gateway to your SIEM, or you can send these logs to your management.
Wolfgang
@Wolfgang The mentioned configuration is already in place, but the behaviour is the same.
Did you set a remote system logging server? This should be your SIEM or a syslog server which forwards these audit logs to the SIEM.
Wolfgang
@Wolfgang This is a distributed architecture: the gateway forwards to the SMS, and the SMS forwards to the SIEM solution via Log Exporter, but we cannot see PBR changes even on the SMS. So I need to know how to pass PBR-related change logs to the SIEM solution.
You can configure the Gaia OS to send its syslog messages directly elsewhere (e.g. to your SIEM solution).
@PhoneBoy If I integrate the gateway with the SIEM via syslog messages, the concern is that the SIEM is already integrated with the SMS; will security logs be duplicated in the SIEM solution?
Gaia OS logs and Security Logs are entirely separate things unless you've checked the "Send syslog messages to management server" option as shown above, which is not the default.
Even so, if Gaia OS logs are sent to management, they may not be parsed in the most useful way, particularly if they are then sent to your SIEM.
Highly recommend exporting those logs to your SIEM separately.
This is very new to me and my team. Below are the concerns if we use a remote system logging mechanism to pass logs to the SIEM solution:
1. Which syslog level needs to be configured to get configuration changes and login failures?
2. Do we have any SK regarding syslog field information, since manual field indexing is required (which manual procedure)?
I believe this is a common audit/SIEM integration use case when it comes to the BFSI segment (if I'm not mistaken, PCI DSS requires configuration changes to be captured in the SIEM).
I would review the messages you are interested in to determine the correct logging level, as I do not know them offhand.
The only document I'm aware of that describes Gaia syslog messages is: https://downloads.checkpoint.com/dc/download.htm?ID=24459
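The thread ends on two practical points: the remote syslog "level" set on the gateway decides which OS audit lines ever reach the SIEM, and the SIEM side then has to recognise PBR changes, routing changes and login failures in free-text messages. The script below is an added example written for this page, not code from the thread's participants or from Check Point. It parses RFC 3164 syslog lines, applies a severity threshold the way a remote syslog destination does (assuming the usual semantics where the configured level is a minimum severity), and tags the events the customer asked about. The sample lines are constructed: their PRI values and message wording are illustrative, and the assumption that Gaia's PBR clish syntax (`set pbr table ... static-route ...`) also contains the token `static-route` is what drives the rule ordering; check both against the Gaia syslog-messages document linked above and against a live gateway before relying on them.

```python
"""Filter Gaia-style syslog lines for SIEM forwarding by severity and event type.

Added example; not code from the thread or from Check Point.  Sample lines and
message wording are constructed for illustration.
"""
import re
from typing import Dict, List, Optional

# Standard syslog severity (0-7) and facility (0-23) names (RFC 5424 / RFC 3164).
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]
FACILITIES = [
    "kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news", "uucp",
    "cron", "authpriv", "ftp", "ntp", "security", "console", "solaris-cron",
    "local0", "local1", "local2", "local3", "local4", "local5", "local6", "local7",
]

# RFC 3164 line: <PRI>TIMESTAMP HOST TAG[PID]: MSG
SYSLOG_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) (?P<tag>[^:\[\s]+)(?:\[(?P<pid>\d+)\])?: (?P<msg>.*)$"
)

# Event rules, checked in order.  PBR is tested before the generic routing rule
# because (assumption) Gaia's PBR clish syntax also contains "static-route",
# e.g. "set pbr table T static-route PREFIX nexthop ...".
EVENT_RULES = [
    ("auth_failure", re.compile(r"Failed password|authentication failure", re.I)),
    ("pbr_change", re.compile(r"\bpbr\b", re.I)),
    ("routing_change", re.compile(r"static-route|\bbgp\b|\bospf\b", re.I)),
    ("config_commit", re.compile(r"\bsave config\b", re.I)),
]

# CONSTRUCTED sample lines: PRI values and wording are illustrative only.
SAMPLE_LINES = [
    "<86>Feb 23 10:01:12 gw1 sshd[2211]: Failed password for admin from 192.0.2.10 port 50122 ssh2",
    "<38>Feb 23 10:01:30 gw1 sshd[2211]: Accepted password for admin from 192.0.2.10 port 50122 ssh2",
    "<14>Feb 23 10:02:05 gw1 clish[2410]: cmd by admin: set pbr table siem-out static-route 10.10.0.0/16 nexthop gateway address 10.1.1.254 on",
    "<14>Feb 23 10:02:40 gw1 clish[2410]: cmd by admin: set static-route 10.20.0.0/16 nexthop gateway address 10.1.1.254 on",
    "<29>Feb 23 10:03:00 gw1 clish[2410]: cmd by admin: save config",
    "<15>Feb 23 10:03:05 gw1 kernel: debug: routed cache flush",
]


def parse_syslog(line: str) -> Optional[Dict[str, object]]:
    """Split one RFC 3164 line into fields; return None if it does not parse."""
    m = SYSLOG_RE.match(line)
    if m is None:
        return None
    pri = int(m.group("pri"))
    if pri > 191:  # 23*8 + 7 is the largest valid PRI
        return None
    return {
        "facility": FACILITIES[pri // 8],
        "severity": SEVERITIES[pri % 8],
        "severity_num": pri % 8,
        "timestamp": m.group("ts"),
        "host": m.group("host"),
        "tag": m.group("tag"),
        "pid": m.group("pid"),
        "msg": m.group("msg"),
    }


def classify(msg: str) -> Optional[str]:
    """Return the first matching event name, or None for uninteresting messages."""
    for name, pattern in EVENT_RULES:
        if pattern.search(msg):
            return name
    return None


def select_for_siem(lines: List[str], min_level: str = "info") -> List[Dict[str, object]]:
    """Keep lines at or above min_level (lower number = more severe) that match
    an event rule.  min_level mirrors the level chosen for the remote syslog
    destination: anything less severe never leaves the gateway, so a threshold
    of 'notice' silently drops info-level audit lines such as clish commands."""
    threshold = SEVERITIES.index(min_level)
    selected = []
    for line in lines:
        rec = parse_syslog(line)
        if rec is None or rec["severity_num"] > threshold:
            continue
        event = classify(rec["msg"])
        if event is None:
            continue
        rec["event"] = event
        selected.append(rec)
    return selected


if __name__ == "__main__":
    for level in ("info", "notice"):
        print(f"--- forwarding threshold: {level}")
        for rec in select_for_siem(SAMPLE_LINES, level):
            print(f"{rec['severity']:8} {rec['event']:15} {rec['msg']}")
```

Run it and compare the two thresholds: with `info` the login failure, the PBR change, the static route and the commit all come through; with `notice` only the commit survives, which is the failure mode to watch for when picking the level on the gateway. In practice, sample the real messages from /var/log/messages on a gateway, record their facility and severity, and set the remote syslog level no stricter than the least severe audit line you need.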