Vengatesh_SR
Contributor

Queries in Checkpoint related to logs.

Checkpoint local user-related logs storage path

Can we configure any alert in firewall which notifies the password change related logs?

2 Replies
Kaspars_Zibarts
Employee

You can see password changes in the messages file, for example just grep for "pass":

[Expert@fw1:0]# grep -i pass messages

User admin changing password interactively:

Jun 4 05:13:23 2018 fw1 xpand[16234]: User entry created for "admin" in the password database
Jun 4 05:13:23 2018 fw1 xpand[16234]: admin localhost p -passwd:admin:lastchg 1507809353
Jun 4 05:13:23 2018 fw1 xpand[16234]: admin localhost p +passwd:admin:lastchg 1528100003
Jun 4 05:13:23 2018 fw1 xpand[16234]: admin localhost p -passwd:admin:passwd ********************************
Jun 4 05:13:23 2018 fw1 xpand[16234]: admin localhost p +passwd:admin:passwd **********************************

where 1528100003 is the epoch time, which you may convert with any tool, for example:

date -d '1970-01-01 UTC + 1528100003 seconds'
Mon Jun 4 05:13:23 ART 2018

Expert password set with hash instead of interactive:


Jun 4 06:55:47 2018 fw1 clish[13821]: cmd by admin: Start executing : set expert-password-hash ... (cmd md5: ecb7a46d62f313d7f1cc2bc0dacbfbd9)

Then generating alerts would be up to you - you can write scripts, do polling etc., depending on the destination of the alert.

0 Kudos
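As an added example (not part of the thread and not Check Point tooling), the shell function below matches only the two log patterns quoted in the reply above rather than every line containing "pass", and converts the lastchg epoch value to UTC. The function names and the sshd sample line are constructed for illustration, and it assumes the timestamp layout shown in the reply (year in the fourth field, hostname in the fifth).

```shell
#!/bin/sh
# Added example (not from the thread): match the two password-change patterns
# quoted in the reply instead of a broad `grep -i pass`.

# Log lines copied from the reply above; the sshd line is constructed to show
# a line that `grep -i pass` would also return.
sample_messages() {
cat <<'EOF'
Jun 4 05:13:23 2018 fw1 xpand[16234]: User entry created for "admin" in the password database
Jun 4 05:13:23 2018 fw1 xpand[16234]: admin localhost p -passwd:admin:lastchg 1507809353
Jun 4 05:13:23 2018 fw1 xpand[16234]: admin localhost p +passwd:admin:lastchg 1528100003
Jun 4 05:13:23 2018 fw1 xpand[16234]: admin localhost p +passwd:admin:passwd ********
Jun 4 06:01:10 2018 fw1 sshd[2201]: Accepted password for admin from 192.0.2.10 port 50522 ssh2
Jun 4 06:55:47 2018 fw1 clish[13821]: cmd by admin: Start executing : set expert-password-hash ... (cmd md5: ecb7a46d62f313d7f1cc2bc0dacbfbd9)
EOF
}

# Reads messages-format lines on stdin, prints one alert line per event.
scan_password_events() {
    awk '
        # New last-change value written by xpand: "+passwd:<user>:lastchg <epoch>"
        /xpand\[[0-9]+\]: .*[+]passwd:[^:]+:lastchg [0-9]+$/ {
            split($(NF-1), f, ":")            # f[2] is the account name
            print "PASSWORD_CHANGED", $5, f[2], $NF, $1, $2, $3, $4
            next
        }
        # clish audit record for a hash-based expert password change
        /clish\[[0-9]+\]: cmd by [^:]+: Start executing : set expert-password-hash / {
            actor = $9; sub(/:$/, "", actor)
            print "EXPERT_HASH_SET", $5, actor, "-", $1, $2, $3, $4
        }
    ' | while read -r event host user epoch stamp; do
        if [ "$event" = PASSWORD_CHANGED ]; then
            # lastchg is epoch seconds; render it in UTC (GNU/BusyBox date syntax)
            when=$(date -u -d "@$epoch" +%Y-%m-%dT%H:%M:%SZ)
            echo "PASSWORD_CHANGED host=$host user=$user lastchg=$when logged=\"$stamp\""
        else
            echo "EXPERT_HASH_SET host=$host by=$user logged=\"$stamp\""
        fi
    done
}

# Stand-alone run over the sample; on a gateway, feed it the messages file instead.
sample_messages | scan_password_events
```

The "logged" value is the gateway's local syslog timestamp, while "lastchg" is rendered in UTC, so the two differ by the gateway's UTC offset.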
PhoneBoy
Admin

If you're wanting to get the Gaia OS logs into SmartLog so you can run SmartEvent reports, refer to: How to export syslog messages from Security Gateway on Gaia OS to a Log Server and view them in Smar... 

0 Kudos
