Preferred SmartLog queries and appropriate columns profiles

Discussion created by Xavier BENSEMHOUN on Feb 18, 2018
Latest reply on Feb 26, 2018 by Kfir Dadosh

Hi all,

I would like us to share our best SmartLog queries and their appropriate columns profiles (if you do not choose 'Automatic Profile Selection').

We all should have generalized a query at least once in order to understand if a specific behavior/situation could be found in other firewalls.

And if you do not remember what your perfect queries were, see your complete history (from your SmartLog-enabled server):

$SMARTLOGDIR/data/users_settings/<your login name>/history.xml



Regarding Endpoint Security Remote Access solutions:

  • seeing tunnel activities:

tunnel_test or action:"Key Install" or action:"Failed Log In" OR action:"Log In" OR action:"Log Out" OR action:reject OR action:Update

  • connection errors

blade:vpn AND action:Reject ( "endpoint" OR "user" OR "Office Mode" )

  • errors authenticating users

"Could not obtain user object" "IKE failure"

Certificates: any alert regarding CRL (Certification Revocation List) or certificates (see sk104400 for more details)

type:alert (certificate or CRL)

Security Management Log Server: when logs were not able to be sent to it:

"were not sent to log server"

Any TCP state errors listed in sk101221 (personally, I've discovered this possibility thanks to "Max Power" Book Second Edition Released!):

tcp (fin OR syn) NOT "both fin" NOT "established"

All logs of a specific rule (hit count detail could be useful as well):


Columns Profiles:

First of all, did you know that we can generalize our best columns profiles for every or selected users (see sk109512)?

My default columns profile (for general logs) is:

with which I can see immediately src/dst IPs, src/dst ports and Xlate src/dst and basics.


So: what are your perfect and efficient queries?