David_Won
Contributor

SmartEvent not showing any allowed traffic. Only dropped and detected

Blew away our old SmartEvent server yesterday and built a new one running R80.10. Fresh install.

Running a separate management and SmartEvent server.

Did the SIC, licensing, install database and let it do its thing.

 

I seem to be getting logs but the accept logs stopped after a day. I had run some commands to import the previous month's logs. Changed the $INDEXERDIR/log_indexer_custom_settings.conf so that it would index 28 days.

Today I wiped it and tried again. Figured I messed something up on it which caused the stoppage.

Setup went fine with no errors. Hooked up to MGMT server and logs are importing. Problem is that only drop and detect logs are entered again. No allowed logs.

 

Any idea on how to get the other logs to show up?

2 Replies
G_W_Albrecht
Legend

I would suggest involving TAC here - it should easily be resolved in a quick RAS...

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
David_Won
Contributor

Problem Solved

 
I did some googling and eventually came across this.
 
Deploying SmartEvent

SmartEvent Server is integrated with the Security Management Server architecture. It communicates with Security Management Log Servers to read and analyze logs. You can enable SmartEvent on the Security Management Server or deploy it as a dedicated server.

You can deploy R80 SmartEvent on a dedicated server and connect it to Security Management Servers or Multi Domain servers of version R77.xx (or earlier). This lets you extend an R77.xx environment with the new capabilities of R80 SmartEvent.

Only a Security Management Server can also work as a SmartEvent Server. In a Multi-domain environment, you must install SmartEvent on a dedicated server.

Note - For R80, SmartReporter functionality (to generate reports on firewall and VPN activity) is integrated into SmartConsole. To enable this functionality, activate the firewall session event on the SmartEvent Policy tab. Select and enable Consolidated Sessions > Firewall Session. 

 
 
That fixed it.
 
 
It also explains why I got some logs previously which then stopped. I had enabled everything on the policy tab and ended up disabling this one when it caused a ton of spam.
I guess it needs to stay on but just not send me mail. lol.
 
Either way things are working fine now. 
 

 
