Logs

This section describes the different log files created by Quantum IoT Nano Agent on the IoT device.

Nano Agent Log File

The Nano Agent Log file is the main log file created by the Nano Agent. It is in JSON format and allows you to parse each entry and use the data as needed (for example, to export).

File path:

/var/log/nano_agent/cp-nano-orchestration.log

For a description of the event fields in this log file, see Event Log Structure.

Internal Workload Protection Log File

The Internal Workload Protection log file contains all log outputs from the Workload Protection Library.

File path:

/var/log/wlp_log.txt

Log format:

[<HH:MM:SS> <PID> <TID>] Log Message
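The parser below is an added example, not code from the Nano Agent or its documentation: it reads lines in the documented [<HH:MM:SS> <PID> <TID>] prefix format, treats unprefixed lines as continuations of the previous message (an assumption about multi-line output), and counts entries per thread. The sample lines are constructed.

```python
import re
from collections import Counter

# Documented prefix: [<HH:MM:SS> <PID> <TID>] Log Message
WLP_LINE = re.compile(r"^\[(\d{2}:\d{2}:\d{2}) (\d+) (\d+)\] (.*)$")

# Constructed sample in the documented format (not real agent output).
SAMPLE_WLP_LOG = """\
[12:00:01 1234 1234] WLP library loaded
[12:00:02 1234 1240] Hardening [4321:httpd] finished.
    continuation line without a prefix
[12:00:05 1234 1240] Access Violation in httpd
"""

def parse_wlp_log(text):
    """Parse /var/log/wlp_log.txt content into dicts with time, pid, tid, message.

    A line without the [time pid tid] prefix is appended to the previous
    entry as a multi-line message (assumed behaviour); if there is no
    previous entry it is kept with empty time/pid/tid so nothing is dropped.
    """
    entries = []
    for line in text.splitlines():
        m = WLP_LINE.match(line)
        if m:
            t, pid, tid, msg = m.groups()
            entries.append({"time": t, "pid": int(pid), "tid": int(tid), "message": msg})
        elif entries:
            entries[-1]["message"] += "\n" + line.strip()
        elif line.strip():
            entries.append({"time": None, "pid": None, "tid": None, "message": line.strip()})
    return entries

def entries_per_thread(entries):
    """Count entries per (pid, tid); a thread that dominates the log is a
    useful first clue when a Workload Protection fault is being investigated."""
    return Counter((e["pid"], e["tid"]) for e in entries if e["pid"] is not None)

if __name__ == "__main__":
    for e in parse_wlp_log(SAMPLE_WLP_LOG):
        print(e)
```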

Crash Files

If Workload Protection is enabled and a software fault occurs, the Nano Agent creates crash files with names of the form wlp-crash.crashed.*.

File path:

/var/log/wlp-crash.crashed.*

Note - If the Nano Agent creates three crash files within a seven-day time period, it disables Workload Protection on the device. To analyze the reasons for the crash, share the crash file with your Check Point representative.

To restore Workload Protection:

  1. Connect to the command line on the IoT device.

  2. To prevent boot loops, disable the Workload Protection completely (if it is currently enabled) in the wlp.conf configuration file.

  3. Copy all crash files to external storage, send to Check Point, and then remove them from the device.

  4. Reboot the IoT device.

  5. Connect to the command line on the IoT device.

  6. Enable the Workload Protection in the wlp.conf configuration file.
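Because three crash files within seven days silently disable Workload Protection, an operator will want to notice the second crash before the third one lands. The check below is an added example, not part of the Nano Agent: it applies the documented threshold and window to a list of (file name, modification time) pairs, with a constructed sample listing and a helper that reads the real directory on a device.

```python
import os
import re
from datetime import datetime, timedelta

# Crash files are /var/log/wlp-crash.crashed.* (from the documentation).
CRASH_NAME = re.compile(r"^wlp-crash\.crashed\..+$")

# Documented threshold: three crash files within a seven-day period disable WLP.
CRASH_THRESHOLD = 3
CRASH_WINDOW = timedelta(days=7)

def recent_crashes(files, now, window=CRASH_WINDOW):
    """Return (name, mtime) pairs of crash files modified inside the window.

    `files` is a list of (name, mtime) pairs; names that are not crash files
    are ignored. mtime values are assumed to be naive datetimes like `now`.
    """
    return sorted(
        (name, mtime) for name, mtime in files
        if CRASH_NAME.match(name) and now - window <= mtime <= now
    )

def wlp_would_be_disabled(files, now, threshold=CRASH_THRESHOLD, window=CRASH_WINDOW):
    """True when the number of crash files in the window has reached the
    threshold at which the Nano Agent disables Workload Protection."""
    return len(recent_crashes(files, now, window)) >= threshold

def list_crash_files(log_dir="/var/log"):
    """Build the (name, mtime) list from the real directory on the device."""
    out = []
    with os.scandir(log_dir) as it:
        for entry in it:
            if entry.is_file() and CRASH_NAME.match(entry.name):
                out.append((entry.name, datetime.fromtimestamp(entry.stat().st_mtime)))
    return out

# Constructed sample listing (not taken from a real device).
NOW = datetime(2024, 3, 10, 12, 0, 0)
SAMPLE_FILES = [
    ("wlp-crash.crashed.1001", NOW - timedelta(days=9)),  # outside the 7-day window
    ("wlp-crash.crashed.1002", NOW - timedelta(days=5)),
    ("wlp-crash.crashed.1003", NOW - timedelta(days=2)),
    ("wlp_log.txt", NOW - timedelta(hours=1)),            # not a crash file
]

if __name__ == "__main__":
    for name, mtime in recent_crashes(SAMPLE_FILES, NOW):
        print(name, mtime.isoformat())
    print("WLP would be disabled:", wlp_would_be_disabled(SAMPLE_FILES, NOW))
```

On a device, replace SAMPLE_FILES with list_crash_files() and NOW with datetime.now() in a periodic job, and raise an alert when the count reaches threshold - 1.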

Event Log Structure

The table below describes the different event fields in the Nano Agent cp-nano-orchestration.log file:

| Name | Field Type | Value Options * | Description |
|---|---|---|---|
| eventTime | String |  | Time of the event in the format YYYY-MM-DDTHH:mm:ssS |
| eventName | String |  | Description of the event. |
| eventSeverity | String | Info, Low, Medium, High, Critical | Severity of the event. |
| eventPriority | String | Low, Medium, High, Urgent | Priority of the event. |
| eventType | String |  |  |
| eventLevel | String | Log, Incident, Insight, Action, Custom | Action type of the event. |
| eventAudience | String | Security, Internal | Audience of the event: Security - for customers; Internal - for Check Point internal use. |
| eventAudienceTeam | String |  | For internal use only (when eventAudience is Internal). |
| eventFrequency |  |  | Frequency of the event. |
| eventTags | List | Informational, Orchestration | List of tags associated with the event. |
| eventSource | Dictionary |  | Source of the event. |
| eventData | Dictionary |  | Describes the event's data (see eventData). |
| eventNotification | String |  | Used when the event's purpose is to notify a status. |
| agentType | String | Orchestration, Embedded, reverse-proxy, test_type | Type of the Nano Agent. |
| agentVerison | String |  | Version of the Nano Agent. |
| policyVersion | String |  | Version of the policy. |
| previousPolicyVersion | String |  | Version of the previous policy. |
| fromVersion | String |  |  |

* The list is not exhaustive. Other internal values are omitted from the table.

eventSource

| Name | Field Type | Value Options |
|---|---|---|
| agentId | String |  |
| sourceProcess | String |  |
| ruleId | String |  |
| ruleName | String |  |
| assetName | String |  |
| attachmentName | String | IoT Workload Protection |
| praticeType | String |  |
| practiceName | String |  |
| eventTraceId | String |  |
| eventSpanId | String |  |
| issuingEngineVersion | String |  |
| serviceName | String | Workload Protection, Orchestration |

eventData

| Name | Field Type | Value Options |
|---|---|---|
| logindex | int |  |
| practiceType | String |  |
| ruleName | String |  |
| matchedCategory | String |  |
| serviceName | String | Workload Protection, Orchestration |
| logIndex | Int |  |
| securityAction | String |  |
| key |  |  |
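The following is an added example, not code from the Nano Agent or its documentation: it parses cp-nano-orchestration.log entries, checks the enumerated fields against the Event Log Structure, eventSource and eventData tables above, and flattens Security-audience events for export. The entries are constructed; one JSON object per line and the nesting of eventSource/eventData are assumptions, since the page does not show a raw entry.

```python
import json

# Allowed values taken from the Event Log Structure table (severities ordered low to high).
SEVERITIES = ["Info", "Low", "Medium", "High", "Critical"]
PRIORITIES = {"Low", "Medium", "High", "Urgent"}
LEVELS = {"Log", "Incident", "Insight", "Action", "Custom"}
AUDIENCES = {"Security", "Internal"}

# Constructed entries shaped after the tables (not real agent output). One JSON
# object per line and the nesting of eventSource/eventData are assumptions.
SAMPLE_LOG = """\
{"eventTime": "2024-03-10T12:00:01.123", "eventName": "Command Injection Blocked", "eventSeverity": "Critical", "eventPriority": "High", "eventLevel": "Log", "eventAudience": "Security", "eventTags": ["Informational"], "eventSource": {"agentId": "a1", "sourceProcess": "httpd", "serviceName": "Workload Protection"}, "eventData": {"logIndex": 17, "securityAction": "Prevent"}, "agentType": "Embedded"}
{"eventTime": "2024-03-10T12:00:02.001", "eventName": "Notification", "eventSeverity": "Info", "eventPriority": "High", "eventLevel": "Log", "eventAudience": "Internal", "eventAudienceTeam": "dev", "eventTags": ["Orchestration"], "eventSource": {"agentId": "a1", "serviceName": "Orchestration"}, "eventData": {"logIndex": 18}, "agentType": "Orchestration"}
this line is not JSON
"""

def load_events(text):
    """Parse one JSON object per line; malformed lines are returned, not dropped."""
    events, bad = [], []
    for n, line in enumerate(text.splitlines(), 1):
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            bad.append((n, line))
    return events, bad

def validate_event(ev):
    """Return the problems found in one entry against the table (empty list = OK)."""
    problems = []
    checks = (("eventSeverity", set(SEVERITIES)), ("eventPriority", PRIORITIES),
              ("eventLevel", LEVELS), ("eventAudience", AUDIENCES))
    for field, allowed in checks:
        if ev.get(field) not in allowed:
            problems.append(f"{field}={ev.get(field)!r} not in {sorted(allowed)}")
    if ev.get("eventAudience") == "Internal" and "eventAudienceTeam" not in ev:
        problems.append("Internal event without eventAudienceTeam")
    return problems

def customer_alerts(events, min_severity="High"):
    """Flatten valid Security-audience events at or above min_severity for export."""
    floor = SEVERITIES.index(min_severity)
    rows = []
    for ev in events:
        if ev.get("eventAudience") != "Security" or validate_event(ev):
            continue  # internal-only or malformed entries are not exported
        if SEVERITIES.index(ev["eventSeverity"]) >= floor:
            src, data = ev.get("eventSource", {}), ev.get("eventData", {})
            rows.append({"time": ev["eventTime"], "name": ev["eventName"],
                         "severity": ev["eventSeverity"], "service": src.get("serviceName"),
                         "process": src.get("sourceProcess"), "action": data.get("securityAction")})
    return rows
```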

Incident Log Overview

| Incident Type | Event ID | eventCode | Event Name | Level | Audience | Severity | Priority | Tags | Description |
|---|---|---|---|---|---|---|---|---|---|
| Control Flow Integrity Violation Blocked | E_LOG_CFI | 015-0000 | IoT Embedded: Control Flow Integrity Violation Blocked :: Access Violation :: <PROCESS NAME> :: Address <VIOLATION ADDRESS> | Log | Security | Critical | High | THREAT_PREVENTION | CFI protection event |
| Command Injection Blocked | E_LOG_ANTISI | 015-0001 | IoT Embedded: Command Injection Blocked :: Shell Injection :: <PROCESS NAME> :: Command: <VIOLATION COMMAND> | Log | Security | Critical | High | THREAT_PREVENTION | Anti-Spoofing and Integrity (AntiSI) protection event |
| Invalid File Operation Blocked | E_LOG_FILEMON | 015-0002 | IoT Embedded: Invalid File Operation Blocked :: File Monitor :: <PROCESS NAME> :: Prevented write on: <FILE NAME> | Log | Security | Critical | High | THREAT_PREVENTION | File Monitor protection event |
| Invalid Process Execution Blocked | E_LOG_PROCMON | 015-0003 | IoT Embedded: Invalid Process Execution Blocked :: Process name: <PROCESS NAME> Hash: <EXECUTABLE HASH> uid: <PROCESS UID> euid: <PROCESS EUID> | Log | Security | Critical | High | THREAT_PREVENTION | Process Monitor protection event (currently unused) |
| Cyber Protection Disabled | E_LOG_KILLSWITCH_ENB | 015-0004 | IoT Embedded: Cyber Protection Disabled | Log | Security | Critical | High | ORCHESTRATOR | Killswitch status message |
| Check Point IoT Protection: Cyber Protection Disabled, contact your administrator to activate it and to protect your device | E_LOG_KILLSWITCH_ENB | 015-0004 | Check Point IoT Protection: Cyber Protection Disabled, contact your administrator to activate it and to protect your device | Log | Security | Info | High | ORCHESTRATOR | Killswitch status message |
| Cyber Protection Enabled | E_LOG_KILLSWITCH_DSB | 015-0005 | IoT Embedded: Cyber Protection Enabled | Log | Security | Info | High | ORCHESTRATOR | Killswitch status message |
| Notification | E_LOG_MSG | 015-0006 | IoT Embedded: Notification | Log | Security | Info | High | ORCHESTRATOR | Generic log message |
| Control Flow Integrity Initialization Completed on Process <PROCESS NAME> | E_LOG_INIT_DONE | 015-0007 | IoT Embedded: Control Flow Integrity Initialization Completed : Hardening [<PID>:<PROCESS NAME>] finished. | Log | Security | Info | Medium | ORCHESTRATOR | WLP init done on process |
| SSH Login Protection: Too Many Login Failures, Access Denied | E_SSHD_RATELIMIT | 015-0008 | IoT Embedded: SSH Login Protection: Too Many Login Failures, Access Denied : Rate Limit reached (<NUMBER> login attempts in <NUMBER> seconds) | Log | Security | Critical | High | LOGIN_PROTECTION | SSH / Telnet protection rate-limit event |
| SSH Login Protection: Weak Password Detected | E_SSHD_WEAK_PWD | 015-0009 | IoT Embedded: SSH Login Protection: Weak Password Detected | Log | Security | Critical | High | LOGIN_PROTECTION | SSH / Telnet protection weak password event |
| Web Login Protection: Too Many Login Failures, Access Denied | E_ANTIBF_RATELIMIT | 015-0010 | IoT Embedded: Web Login Protection: Too Many Login Failures, Access Denied | Log | Security | Critical | High | LOGIN_PROTECTION | Web interface login protection rate-limit event |
| Web Login Protection: Weak Password Detected | E_ANTIBF_WEAK_PWD | 015-0011 | Login Protection: The password doesn't match the password complexity policy, change it now. | Log | Security | Critical | High | LOGIN_PROTECTION | Web interface login protection weak password event |
| IoT Embedded Protection Detected an Invalid Behavior. EXITING | E_LOG_CRASHED | 015-0012 | IoT Embedded Protection Detected an Invalid Behavior. EXITING | Log | Security | Info | High | ORCHESTRATOR | Process got SEGFAULT and crashed |
| IoT Embedded Protection is Inactive due to a Failure, Contact Your Administrator | E_LOG_CRASH_CHECK | 015-0013 | IoT Embedded Protection is Inactive due to a Failure, Contact Your Administrator | Log | Security | Info | High | ORCHESTRATOR | WLP started and detected a previous crash |
| IoT Embedded: Protected Process: [ <PROCESS>:<PID>] | E_LOG_SYNC_PROTECTED | 015-0014 | IoT Embedded: Protected Process: [ <PROCESS>:<PID>] | Log | Security | Critical | High | THREAT_PREVENTION | Injector injected a process |
| IoT Embedded: Scanned and Protected the device | E_LOG_SYNC_PROTECTED_DAILY | 015-0015 | IoT Embedded: Scanned and Protected the device | Log | Security | Critical | High | THREAT_PREVENTION |  |
| Check Point IoT Protection: Authentication Password Setup Completed | E_PASSWORD_SETUP | 015-0100 | Check Point IoT Protection: Authentication Password Setup Completed | Log | Security | Info | High | ORCHESTRATOR | Authentication Password Setup Completed |
| Check Point IoT Protection: Authentication Password Changed | E_PASSWORD_RESET | 015-0101 | Check Point IoT Protection: Authentication Password Changed | Log | Security | Info | High | ORCHESTRATOR | Authentication Password Changed |
| Check Point IoT Protection: Setting killswitch | E_SET_KILLSWITCH | 015-0200 | Check Point IoT Protection: Setting killswitch | Log | Security | Info | High | ORCHESTRATOR | Conf server received a request to set killswitch |
| Check Point IoT Protection: Setting allowlists | E_SET_WHITELIST | 015-0201 | Check Point IoT: Setting allowlists | Log | Security | Info | High | ORCHESTRATOR | Conf server received a request to set allowlists |
| Check Point IoT Protection: Setting blocklists | E_SET_BLACKLIST | 015-0202 | Check Point IoT Protection: Setting blocklists | Log | Security | Info | High | ORCHESTRATOR | Conf server received a request to set blocklists |
| Check Point IoT Protection: Setting wlp conf | E_SET_WLP_CONF | 015-0203 | Check Point IoT Protection: Setting wlp conf | Log | Security | Info | High | ORCHESTRATOR | Conf server received a request to set wlp.conf |
| Check Point IoT Protection: Setting agent recovery | E_SET_AGENT_RECOVERY | 015-0204 | Check Point IoT Protection: Setting agent recovery | Log | Security | Info | High | ORCHESTRATOR | Conf server received a request to set recovery mode |
| Check Point IoT Protection: Your system is secured by Nano agent and workload protection is operating normally. | E_EVERYTHING_OPERATING_NORMALLY | 015-0300 | Check Point IoT Protection: Your system is secured by Nano agent and workload protection is operating normally. | Log | Security | Info | High | ORCHESTRATOR | Everything is operating normally |
| Check Point IoT Protection: Nano agent encountered a failure in your system. Contact your administrator. | E_FAILURE_IN_NANO_AGENT | 015-0301 | Check Point IoT Protection: Nano agent encountered a failure in your system. Contact your administrator. | Log | Security | Info | High | ORCHESTRATOR | Some processes that should be protected are not |