Pedro_Espindola
Advisor

Sending syslog from SMB - application fields are blank

Hey guys,

I am sending security logs from a 1490 via syslog to an external log server, but Application Control and URL Filtering fields show as "******":

appi_name="******" app_desc="******" app_id="******" app_category="******" matched_category="******" app_properties="******" app_risk="******" app_rule_id="******" app_rule_name="******"

Is this a limitation or is it because of some kind of privacy setting?

8 Replies
Maarten_Sjouw
Champion

I know this is a setting in the OPSec connection, but I have not been able to find anything on the 1400 WEBUI to set anything in this area. I was also browsing through the CLI guide and there is some stuff about the user awareness, which brought the following question to mind: does your log show the user and URL information, or is that obfuscated as well?

On the other hand, when this is a centrally managed gateway you could use the log exporter from management instead; this will give you much more control over what is sent to the syslog server.

Regards, Maarten
0 Kudos
Pedro_Espindola
Advisor

Actually, users are shown correctly. Only the fields related to the application are hidden. Check this log from my lab:

<85>2018-06-26T17:44:09.562830-03:00 Jun 26 17:44:07--3:00 192.168.252.1 Action="allow" UUid="{0x5b32a597,0x6,0x52c2737f,0xc0000002}" src="172.20.120.50" dst="216.58.222.78" proto="17" appi_name="******" app_desc="******" app_id="******" app_category="******" matched_category="******" app_properties="******" app_risk="******" app_rule_id="******" app_rule_name="******" app_sig_id="60340654:4" proxy_src_ip="172.20.120.50" user="Administrator(+)" src_user_name="Administrator(+)" snid="d671fcfa" product="Application Control" service="443" s_port="56644"

0 Kudos
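One way to catch this at the log-collector side, as an added example (not code from the thread or from Check Point): a parser for the key="value" body of the record quoted above that reports which fields arrive masked as asterisks, so a pipeline can alert when the Application Control fields are unusable instead of silently indexing "******". The sample line is the one from the post; field names such as `_header` and the helper functions are assumptions for this example.

```python
import re
from typing import Dict, List

# Constructed sample: the syslog record quoted in the post above.
SAMPLE_LINE = (
    '<85>2018-06-26T17:44:09.562830-03:00 Jun 26 17:44:07--3:00 192.168.252.1 '
    'Action="allow" UUid="{0x5b32a597,0x6,0x52c2737f,0xc0000002}" src="172.20.120.50" '
    'dst="216.58.222.78" proto="17" appi_name="******" app_desc="******" app_id="******" '
    'app_category="******" matched_category="******" app_properties="******" '
    'app_risk="******" app_rule_id="******" app_rule_name="******" app_sig_id="60340654:4" '
    'proxy_src_ip="172.20.120.50" user="Administrator(+)" src_user_name="Administrator(+)" '
    'snid="d671fcfa" product="Application Control" service="443" s_port="56644"'
)

# key="value" pairs; values may contain spaces, braces and commas, but no double quotes.
_KV_RE = re.compile(r'(\w+)="([^"]*)"')
# A value made only of asterisks is how the appliance masks the confidential fields.
_MASK_RE = re.compile(r'^\*+$')


def parse_checkpoint_syslog(line: str) -> Dict[str, str]:
    """Parse the key="value" body of a record into a dict.
    Everything before the first pair (PRI, timestamps, sender IP) is kept
    under the synthetic key "_header" (an assumption of this example)."""
    first = _KV_RE.search(line)
    header = line[:first.start()].strip() if first else line.strip()
    fields = {k: v for k, v in _KV_RE.findall(line)}
    fields["_header"] = header
    return fields


def obfuscated_fields(fields: Dict[str, str]) -> List[str]:
    """Return the names of fields whose value is entirely masked (e.g. "******")."""
    return [k for k, v in fields.items() if k != "_header" and _MASK_RE.match(v)]


def check_record(line: str) -> dict:
    """Summarise one record: product, masked fields, and whether the
    Application Control / URL Filtering fields can actually be used."""
    fields = parse_checkpoint_syslog(line)
    masked = obfuscated_fields(fields)
    app_keys = [k for k in fields if k.startswith("app") or k == "matched_category"]
    return {
        "product": fields.get("product"),
        "masked": masked,
        "app_fields_usable": not any(k in masked for k in app_keys),
    }


if __name__ == "__main__":
    print(check_record(SAMPLE_LINE))
```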
Maarten_Sjouw
Champion

show application-control-engine-settings advanced-settings

could give you a clue, but I could not find it; this could still be something controlled from the dashboard as the box is managed. In the OPSec it is called Log Permissions.

Regards, Maarten
0 Kudos
G_W_Albrecht
Legend

show application-control-engine-settings advanced-settings does not exist in my Firmware 😉

What I know this issue from is sk73400: SmartLog displays some fields with asterisks in logs from Application Control blade or from ....

CCSE CCTE CCSM SMB Specialist
0 Kudos
Maarten_Sjouw
Champion

From the 700-1400 appliances R77.20.75 Technical Reference Guide:

set application-control-engine-settings
set application-control-engine-settings advanced-settings fail-mode <fail-mode>
set application-control-engine-settings
set application-control-engine-settings advanced-settings
set application-control-engine-settings
set application-control-engine-settings advanced-settings enforce-safe-search <enforce-safe-search>
set application-control-engine-settings
set application-control-engine-settings advanced-settings web-site-categorization-mode <web-site-categorization-mode>
set application-control-engine-settings
set application-control-engine-settings advanced-settings track-browse-time
set application-control-engine-settings
set application-control-engine-settings advanced-settings http-referrer-identification <http-referrer-identification>
set application-control-engine-settings
set application-control-engine-settings advanced-settings
show application-control-engine-settings
show application-control-engine-settings advanced-settings

9 result(s) found.

Regards, Maarten
0 Kudos
G_W_Albrecht
Legend

It is found in the Check Point 600/700/1100/1200R/1400 Appliance Guide R77.20.75 p.96, but in clish it is not a shown command; that was the reason for my remark 🙂

CCSE CCTE CCSM SMB Specialist
0 Kudos
Pedro_Espindola
Advisor

The support team said this is a limitation, the same as described in sk112376 - Logs appear as confidential when configuring a Security Gateway R77.30 Gaia to send logs ...

I will submit a request for enhancement. If Maarten Sjouw and the others could do the same I would be grateful.

Thank you for the help, guys.

Pedro_Espindola
Advisor

It seems on version R77.20.81 the problem was solved with an option to show these fields:

Show Obfuscated Fields

Sometimes RFEs work!
