PBR configuration is missing on Audit log

Hi Team,

One of the customer environments is running R80.30. The audit team found that PBR-related changes are missing from the audit logs, but we can see routing changes in the audit log. If it is not possible, please share the audit log details related to the gateway.

0 Kudos
13 Replies
PhoneBoy
Admin

I put the question on you: what precisely are you seeing versus what you expect to see?
If you prefer not to share these details in public, I recommend a TAC case.

0 Kudos
User-checkpoint
Explorer

We are expecting that if someone performs PBR-related changes, they should be captured in the audit log. The routing changes are captured, but the PBR changes are missing. So, if I'm not mistaken, PBR-related configuration changes should be captured?

Herewith I have shared my lab output.

IMG.PNG

0 Kudos
PhoneBoy
Admin

The audit logs in SmartConsole will only show changes made via SmartConsole or the API. 
For OS-level changes like routing, the better place to look is /var/log/messages.

0 Kudos
User-checkpoint
Explorer

This is a distributed architecture. The customer wants to feed routing changes and PBR-related changes to the SIEM solution, so please recommend the best way to achieve this requirement. We are already using Log Exporter to export security and audit logs to the SIEM solution, but the customer is now concerned that routing and PBR-related changes should also be captured by the SIEM.

0 Kudos
Wolfgang
Authority

@User-checkpoint 

Changing PBR is a configuration change done on the gateways.

To get this into your SIEM solution, you have to export audit logs from your gateway to your SIEM, or you can send these logs to your management.

screen.png 

Wolfgang

0 Kudos
User-checkpoint
Explorer

@Wolfgang The configuration mentioned is already in place, but the behaviour is the same.

0 Kudos
Wolfgang
Authority

@User-checkpoint 

Did you set a remote system logging server? This should be your SIEM or a syslog server which forwards these audit logs to the SIEM.

Wolfgang

0 Kudos
User-checkpoint
Explorer

@Wolfgang This is a distributed architecture: the gateway is forwarding to the SMS, and the SMS forwards to the SIEM solution via Log Exporter, where we cannot see PBR changes, even on the SMS. So I need to know how to pass PBR-related change logs to the SIEM solution.

0 Kudos
PhoneBoy
Admin

You can configure the Gaia OS to directly send its syslog message elsewhere (e.g. your SIEM solution).

0 Kudos
User-checkpoint
Explorer

@PhoneBoy If I integrate the gateway with the SIEM via syslog messages, the concern is that the SIEM is already integrated with the SMS; will security logs be duplicated in the SIEM solution?

0 Kudos
PhoneBoy
Admin

Gaia OS logs and Security Logs are entirely separate things unless you've checked the "Send syslog messages to management server" option as shown above, which is not the default.
Even so, if Gaia OS logs are sent to management, they may not be parsed in the most useful way, particularly if they are then sent to your SIEM. 
Highly recommend exporting those logs to your SIEM separately.

0 Kudos
User-checkpoint
Explorer

This is very new to me and my team. Below are the concerns if we use a remote system logging mechanism to pass logs to the SIEM solution:

1. Which syslog level needs to be configured to capture configuration changes and login failures?

2. Do we have any SK regarding the syslog field information, since manual field indexing is required? Which manual procedure applies?

I believe this is a common audit/SIEM integration use case in the BFSI segment (if I'm not mistaken, PCI DSS requires configuration changes to be captured in the SIEM).

0 Kudos
PhoneBoy
Admin

I would review the messages you are interested in to determine the correct logging level as I do not know them offhand.
The only document I'm aware of that describes Gaia Syslog messages is: https://downloads.checkpoint.com/dc/download.htm?ID=24459 

0 Kudos
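As an added example (not from this thread, and not Check Point's code), here is the kind of SIEM-side filter the discussion points to: it parses forwarded RFC 3164 syslog lines, derives facility and severity from the PRI value, and tags PBR, routing and login-failure messages so that only those reach the audit feed. The sample lines and the keyword rules are constructed assumptions, not Gaia's documented message formats; the real message texts should be taken from the Gaia syslog document linked above.

```python
import re
from dataclasses import dataclass
from typing import Optional

# RFC 3164 line: <PRI>TIMESTAMP HOST TAG[pid]: MSG, where PRI = facility*8 + severity.
SYSLOG_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<ts>\w{3} [ \d]\d \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) (?P<tag>[^\[:]+)(?:\[(?P<pid>\d+)\])?: (?P<msg>.*)$"
)
SEVERITY = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

# Keyword rules (assumed wording, not Check Point's documented message texts).
RULES = [
    ("pbr_change", re.compile(r"\b(set|delete) pbr\b", re.I)),
    ("routing_change", re.compile(r"\b(set|delete) (static-route|bgp|ospf)\b", re.I)),
    ("auth_failure", re.compile(r"authentication failure|Failed password", re.I)),
]

@dataclass
class Event:
    host: str
    facility: int
    severity: str
    tag: str
    msg: str
    category: Optional[str]

def parse_line(line: str) -> Optional[Event]:
    """Parse one syslog line; return None for malformed lines or an invalid PRI."""
    m = SYSLOG_RE.match(line.strip())
    if not m or int(m["pri"]) > 191:  # facilities 0-23 only
        return None
    pri = int(m["pri"])
    category = next((name for name, rx in RULES if rx.search(m["msg"])), None)
    return Event(m["host"], pri // 8, SEVERITY[pri % 8], m["tag"].strip(), m["msg"], category)

def events_of_interest(lines, max_severity="info"):
    """Keep lines that match a rule and are at least as severe as max_severity."""
    cutoff = SEVERITY.index(max_severity)
    parsed = (parse_line(l) for l in lines)
    return [e for e in parsed if e and e.category and SEVERITY.index(e.severity) <= cutoff]

# Constructed sample lines in the shape a gateway might forward (illustrative only).
SAMPLE = [
    "<37>Mar  4 10:15:01 gw01 clish[2201]: admin: set pbr rule priority 10 action table siem-test",
    "<37>Mar  4 10:16:12 gw01 clish[2201]: admin: set static-route 10.0.0.0/8 nexthop gateway address 192.0.2.1 on",
    "<38>Mar  4 10:17:40 gw01 sshd[3005]: Failed password for admin from 198.51.100.7 port 51544 ssh2",
    "<30>Mar  4 10:18:00 gw01 cron[1010]: (root) CMD (run-parts /etc/cron.hourly)",
    "not a syslog line at all",
]

if __name__ == "__main__":
    for ev in events_of_interest(SAMPLE):
        print(f"{ev.host} {ev.severity:7} {ev.category:15} {ev.msg}")
```

Raising `max_severity` to `"notice"` drops the info-level login failure, which is the trade-off behind the "which syslog level" question: filter too aggressively on severity and authentication events disappear from the feed.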