John_Fleming
Advisor

SMB syslog doesn't log action

So I'm rather shocked by this, but I've just learned syslog from an SMB (and possibly non-SMB as well) will not log the action field to syslog. I was pointed to sk164514, which I can't seem to access. Not sure if this is internal or not.

I don't even know what to say about this. I have a firewall that isn't logging via syslog whether anything is accepted or denied. It's just saying... stuff happened... I'm going to take a stab at a log exporter, but I have no idea if that's possible without a management server. This is @%^$@#% ridiculous.

I sure am glad all these items below are getting logged instead of action. I don't know what I would do without knowing where the start or end of the table is (or what that even means). Good to know that the snid is unknown.

Awesome.

 

user="" 
src_user_name="" 
src_machine_name="" 
src_user_dn=""
snid="" 
dst_user_name="" 
dst_machine_name="" 
dst_user_dn="" 
UP_match_table="TABLE_START" 
ROW_START="0" 
match_id="5" 
layer_uuid="9fced3b3-5da9-494d-b7f1-3242694d99f8" 
layer_name="internal" 
rule_uid="00000780-0000-0000-0000-000000000000" 
rule_name="Incoming/Internal Default Policy"
ROW_END="0"
UP_match_table="TABLE_END" 
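The practical problem with a record like the one above is that a SIEM cannot tell an accepted connection from a dropped one. A small parser that reads these key="value" records, keeps the UP_match_table rows separate from the top-level fields, and flags every record that carries no action is one way to make the visibility gap measurable instead of silently ingesting useless events. This is an added example written for this page, not code from the thread or from Check Point. The first sample line reproduces the field set quoted in the post joined onto one line; the syslog header in front of it, and the second record (which does carry an action, as a contrast), are constructed for the example and are not claimed to be the appliance's actual output format.

```python
import re
from dataclasses import dataclass, field

# Matches one key="value" pair; values may be empty or contain spaces.
KV_RE = re.compile(r'(\w+)="([^"]*)"')


@dataclass
class SecurityLog:
    """One parsed security-log record."""
    fields: dict = field(default_factory=dict)       # top-level key/value pairs
    match_rows: list = field(default_factory=list)   # rows of the UP_match_table block


def parse_record(line: str) -> SecurityLog:
    """Parse a key="value" record, grouping UP_match_table rows separately.

    Anything before the first pair (a syslog header, for instance) is ignored,
    because only quoted key="value" pairs are extracted.
    """
    rec = SecurityLog()
    in_table = False
    current_row = None
    for key, value in KV_RE.findall(line):
        if key == "UP_match_table":
            in_table = (value == "TABLE_START")
            continue
        if key == "ROW_START" and in_table:
            current_row = {}
            continue
        if key == "ROW_END" and in_table:
            if current_row is not None:
                rec.match_rows.append(current_row)
            current_row = None
            continue
        if in_table and current_row is not None:
            current_row[key] = value
        else:
            rec.fields[key] = value
    return rec


def has_action(rec: SecurityLog) -> bool:
    """True when the record carries a non-empty action field."""
    return bool(rec.fields.get("action"))


def matched_rule(rec: SecurityLog) -> str:
    """Name of the first matched rule, or '<unknown>' if no match row was logged."""
    for row in rec.match_rows:
        if row.get("rule_name"):
            return row["rule_name"]
    return "<unknown>"


def audit(lines) -> list:
    """Return (line_index, rule_name) for every record that has no action."""
    gaps = []
    for idx, line in enumerate(lines):
        rec = parse_record(line)
        if not has_action(rec):
            gaps.append((idx, matched_rule(rec)))
    return gaps


# Constructed sample input. The first line reproduces the field set quoted in
# the post, joined onto one line behind a made-up syslog header; the second is
# a constructed record that does carry an action, as a contrast.
SAMPLE_LINES = [
    'Jan  1 00:00:00 gw1 '
    'user="" src_user_name="" src_machine_name="" src_user_dn="" snid="" '
    'dst_user_name="" dst_machine_name="" dst_user_dn="" '
    'UP_match_table="TABLE_START" ROW_START="0" match_id="5" '
    'layer_uuid="9fced3b3-5da9-494d-b7f1-3242694d99f8" layer_name="internal" '
    'rule_uid="00000780-0000-0000-0000-000000000000" '
    'rule_name="Incoming/Internal Default Policy" ROW_END="0" '
    'UP_match_table="TABLE_END"',
    'Jan  1 00:00:01 gw1 '
    'action="Accept" src="192.0.2.10" dst="198.51.100.20" service="443" '
    'UP_match_table="TABLE_START" ROW_START="0" match_id="1" '
    'rule_name="Allow HTTPS out" ROW_END="0" UP_match_table="TABLE_END"',
]


if __name__ == "__main__":
    for idx, rule in audit(SAMPLE_LINES):
        print(f"line {idx}: no action field; matched rule {rule!r}")
```

Run against the two constructed records, `audit()` reports only the first one, which matched "Incoming/Internal Default Policy" but says nothing about what the rule did. Counting such records per rule over a day gives a concrete number to put in a support ticket, and a ratio of action-less records close to 100% is the signal that the feed cannot be used for allow/deny analysis at all.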

26 Replies
Max_Baumgarten
Contributor

Wow. Glad to see it's not just me (my post). Seems almost inexcusable to have syslogs for a firewall and not have it report the Action. These logs are completely useless for customers who want to use these logs for any analysis.

G_W_Albrecht
Legend

Which firewalls that you know of send their security logs, including Accept / Deny / Reject actions, using syslog?

CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
Max_Baumgarten
Contributor

Of other vendors: Fortinet, pfSense, Ubiquiti EdgeRouters... Pretty sure Cisco ASAs and Palo Altos do this as well.

HristoGrigorov

Come on, take it easy. This is apparently some negligence from our lovely vendor. Open SR and they will fix it right away!

Max_Baumgarten
Contributor

🤣🤣🤣🤣🤣🤣🤣

John_Fleming
Advisor

Yeah, I did open a ticket. The reply was R&D will not be fixing this; it's a known issue and I'll need to submit an RFE.

Also I can't use log exporter because there is no mgmt server involved (this is local mgmt).

John_Fleming
Advisor

Yeah, that's a bit strange (to say which do log action). It would make more sense to say, of the ones that do send syslog, which "don't" indicate what the action was. I mean, I can't see why the action would be more or less valuable than the source / destination if the concern was somehow information leakage. As it stands I see no way to get logs off a locally managed SMB that are of any use.

It's like I need to pay a management server tax to have external logs. I mean, the WebUI is basically useless for any in-depth research since the query language only supports a single element (src, dst, product etc.).

HristoGrigorov

I do not remember quite well but I think in R77.20 GE there is action field in syslog records. 

John_Fleming
Advisor

You are 100% correct. Just tested R77.30 open server.

Syslog logs accept and drop messages.

R80.20 open server: no it doesn't, yes we know, we're not fixing it, go get RFEed.

Max_Baumgarten
Contributor

Obviously, you don't need that syslog information to protect against GEN 6 attacks....

HristoGrigorov

There must be a technical explanation as to why it was dropped. May be because of the layered policy... I hope R&D is monitoring this thread and will provide some details about this.

Pedro_Espindola
Advisor

My 14XX with R77.20.87 are working fine.

Are you using 15XX appliances? Must be an issue with the new R80.20 generation.

 

Max_Baumgarten
Contributor

We've confirmed it does not work in R80.xx, but used to work in R77. For some unknown reason, this was removed and apparently there are no plans to ever add it back.

John_Fleming
Advisor

Correct, I think the core issue is R80.20. I would downgrade to R77.20 if that was an option at this point. I'm reaching out to some folks deeper in the org. If this can't be fixed I'm replacing these SMB devices with a different vendor.

HristoGrigorov

Go for PaloAlto Networks. These guys have some impressive syslogging:

 

https://docs.paloaltonetworks.com/pan-os/8-1/pan-os-admin/monitoring/use-syslog-for-monitoring/syslo...

John_Fleming
Advisor

Yes, they do. That is a lot of data, though. I wonder if they're using TCP syslog to avoid fragmenting the messages.

Barel_Tkach
Employee

Thanks for raising this issue.

From a quick internal investigation it seems this limitation was inherited from R80.20 enterprise version syslog feature.

We are learning it in order to provide a solution.

 

John_Fleming
Advisor

That is awesome and thank you so much for the update. Should my SR be re-opened?

Barel_Tkach
Employee

Yes.

PhoneBoy
Admin

You talking about the kernel-level syslog feature or something else?
John_Fleming
Advisor

I assume you mean fwsyslog_enable? If so, no, I'm not using that.

I'm talking about..

logs & monitoring -> External Log Servers -> Add a syslog server. This is local mgmt so no SMS/MDS.

PhoneBoy
Admin

The question was to @Barel_Tkach, not you. 😬
I figured it was enabled in the UI somehow.

Barel_Tkach
Employee

There's no issue with OS-related syslog.

The missing action only applies to security logs.

John_Fleming
Advisor

It only took a public shaming but it looks like this has been resolved.

fw1_vx_dep_R80_992000913_20.img (basically build 913)

contains the fix.

 

Thanks to everyone involved in getting this addressed!

 

Max_Baumgarten
Contributor

WooHoo!

PhoneBoy
Admin

I prefer to think of it as "bringing the truth to light" and addressing it.