This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Checkme19
Explorer
‎2023-12-10 10:09 AM

Loguid and session id issue (suppressed log time problem on splunk)

Hello Team,

We wanted create a report about cvss tag. There is condition if IP address send a request more than 10 with cvss tag up 9, this report is going to trigger. We check cvss tag fields for up or equals than cvss_9 on IPS blade. However suppressed logs count or log time on GUI and splunk doesnt match. We faced situation that loguid and session id same on Cp CLI but while ı check log that comes form Cp on splunk server with tcpdump loguid and session id are different. We are stuck here. Can anybody explain this stuation?

 

Labels
0 Kudos
3 Replies
PhoneBoy
Admin
Admin
‎2023-12-14 12:46 PM

How precisely are you verifying that loguid and session id are the same?
Also, what version/JHF of management?

0 Kudos
Checkme19
Explorer
‎2023-12-14 07:17 PM
In response to PhoneBoy

Hi,

Some guys form the checkpoint support check our system and showed us. They blame splunk but our logs comes different before splunk server reading. Then I couldnt wait anymore because case took more than 3 month and after countless meeting I would like to ask comminity. Im not sure about version,but possible we use latest version.if this information so critical just  let me now and then I can learn.

This guys said you can use session id for understanding but in same day We have 1 session id and 3 log uid that belongs this session id. Time doesnt match on splunk. Therefore I cant create report with this data on Splunk.

 

Thanks for your time,

0 Kudos
PhoneBoy
Admin
Admin
‎2023-12-15 10:21 AM
In response to Checkme19

On the Check Point side of things, we correlate multiple logs into a single session that can be viewed in SmartView.
It makes logical sense that we would communicate this to an external SIEM, thus why we have separate loguid and session id fields.
It is up to the external SIEM to correctly process this information.

The only possible "bug" I see is in the details behind this statement: "We faced situation that loguid and session id same on Cp CLI but while ı check log that comes form Cp on splunk server with tcpdump loguid and session id are different."
How exactly did you attempt to verify this via the CLI and what version/JHF were these commands executed on?
Screenshots (with sensitive details redacted) of both CLI and SmartView output of the relevant logs might help.

However, I don't believe the above is really relevant to the issue you're experiencing.
From your description of the situation, Log Exporter is operating as expected.
More details would need to be provided to prove otherwise.

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events