
Introduction

SmartLog reads and indexes logs generated by Check Point and OPSEC products. You can use this data to:

  • Detect and monitor security-related events. For example: alerts, rejected connections, and failed authentication attempts can indicate intrusion attempts.
  • Collect data on problematic issues. For example: a client is authorized to create a connection, but cannot connect. SmartLog shows that the Rule Base incorrectly blocks the client connection attempts.
  • Analyze network traffic patterns. For example: find out how many HTTP services were used during peak activity.

What sets SmartLog apart from other log utilities is its power, ease of use, and speed. The SmartLog Index Server gets log files from many log servers and indexes them for rapid data extraction. SmartLog includes a powerful query language that lets you create your own queries in minutes.

SmartLog is part of the R76 SmartConsole installation.

Related Topics

Activating the SmartLog Index Server

Activating SmartLog on Multi-Domain Security Management

SmartLog User Interface

Working with More than One Log Server

Minimum Disk Space

Activating the SmartLog Index Server

The SmartLog Index Server holds a central index of the log entries from all SmartLog-enabled management and log servers.

You must enable SmartLog for all Security Management Servers and log servers that are to be used with SmartLog.

To enable SmartLog Index Server:

  1. In SmartDashboard, open the applicable Security Management Server or log server.
  2. Select Logs.
  3. Select the Enable SmartLog option.
  4. Select the Menu icon > Policy > Install Database.

Activating SmartLog on Multi-Domain Security Management

SmartLog in a Multi-Domain Security Management environment works on the Multi-Domain Server. This server is used to query results from the Domain Management Servers and Multi-Domain Log Servers.

SmartLog on the Multi-Domain Server is active by default. Each Domain Management Server and Multi-Domain Log Server can be activated separately.

To activate SmartLog on the Multi-Domain Security Management:

  1. Open the SmartDomain Manager > General Multi-Domain Server Contents.
  2. Right-click the Domain Management Server and select Launch Application > SmartDashboard.
  3. In the properties of the Domain Management Server object > Logs, select Enable SmartLog.

    Do this also for the Multi-Domain Log Server objects.

  4. Click OK and then Save.
  5. In the SmartDomain Manager > General Multi-Domain Server Contents, double-click the Multi-Domain Server object.
  6. Select Enable SmartLog.
  7. Click OK.
  8. Start the SmartLog console.

SmartLog can be used to access the Domain Management Servers or Multi-Domain Log Servers directly, or through the Multi-Domain Server.

When you connect through the Multi-Domain Server, the left pane of SmartLog shows the Domain Management Servers and Multi-Domain Log Servers that you can select as query targets. The results are the logs that match the query, collected from the selected Domain Management Servers and Multi-Domain Log Servers.

SmartLog User Interface

Item  Description

1     Favorites - Shows a list of predefined queries. Select a query in this list to run it.
2     Back/Forward - Scroll backward and forward between recent queries.
3     Log pane toolbar - Lets you select the grid or table view for the Log pane. You can also show IP addresses and ports as numbers or as their resolved names.
4     Query Definition field - Shows the query definition for the most recent query. You can also define custom queries in this field, using the GUI tools or by entering query criteria manually.
5     Top Results pane - Shows the top results of the most recent query.
6     Results pane - Shows the log entries for the most recent query.
7     Log Details pane - Shows the detailed contents of the most recently selected log record.
8     Query Results Timeline - Shows a chart of the current query results over time.

Toolbar:

Launch Menu - Opens the menu.

Grid view - Detailed tabular view. You can select the fields to show and change the order and width of the columns.

Table view - Summary view that shows basic information. This view is suitable for small windows, but cannot be customized.

Resolve - Resolves IP addresses and services to their names, if possible.

SmartConsole - Opens the SmartConsole clients.

Working with More than One Log Server

You can include log records from more than one log server in your SmartLog queries. The only restriction is that the log servers must all be managed by the same Security Management Server or Multi-Domain Server. When enabled, SmartLog automatically indexes logs on all applicable log servers. The Top Results pane is not available when working with more than one log server.

To see logs from more than one log server:

  1. Select View > Log servers connection.
  2. In the Log Servers Connection window, select Multiple Log Servers.
  3. Click OK.
  4. On the Log Servers pane, select the log servers to include in your queries. By default, all servers are selected.

If you have many log servers with large log files, it may take a long time to index the servers. Please be patient. In this mode the Top Results pane is not shown.

To see logs from only the connected log server:

  1. Select View > Log servers connection.
  2. In the Log Servers Connection window, select Single Log Server.
  3. Click OK.

The Top Results pane is shown again in the user interface.

Minimum Disk Space

SmartLog creates and uses index files for fast access to log file contents. The index files are located by default at $SMARTLOGDIR/data.

To make sure that there is always sufficient disk space on the server, SmartLog deletes the oldest index entries when the available disk space is less than a specified minimum. The default minimum value is 10,240 MB.

To change the minimum available disk space value:

  1. On the SmartLog index server command line, go to $SMARTLOGDIR.
  2. Open smartlog_settings.txt in a text editor.
  3. Add this line to the section:

    :min_disk_space (space)

    where space is the minimum available disk space in MB.

    The default value is 10240 MB, which is in effect when there is no :min_disk_space line in the smartlog_settings.txt file. A smaller number lets the index files hold more entries before SmartLog automatically deletes the oldest records, but it also leaves less free disk space on the server.
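The following is an added example (not Check Point code) that reads and updates the :min_disk_space value in the text of smartlog_settings.txt and checks whether the free space under $SMARTLOGDIR/data has already fallen below that minimum, which is the point at which SmartLog starts deleting the oldest index entries. It assumes only the line syntax shown above; the sample settings text is constructed, and the placement of a newly added line at the end of the file is an assumption, since the exact layout of the settings section is not specified here.

```python
import os
import re
import shutil

# Default minimum (MB) that applies when smartlog_settings.txt has no :min_disk_space line.
DEFAULT_MIN_DISK_SPACE_MB = 10240

# Matches a line of the form ":min_disk_space (space)"; group 1 keeps the indentation.
_MIN_DISK_RE = re.compile(
    r"^([ \t]*):min_disk_space[ \t]*\([ \t]*(\d+)[ \t]*\)[ \t]*$", re.MULTILINE
)

# Constructed sample of a settings file that already sets a 20 GB minimum.
SAMPLE_SETTINGS = "(\n\t:min_disk_space (20480)\n)\n"


def get_min_disk_space_mb(settings_text: str) -> int:
    """Effective minimum free space in MB for the given settings file contents."""
    match = _MIN_DISK_RE.search(settings_text)
    return int(match.group(2)) if match else DEFAULT_MIN_DISK_SPACE_MB


def set_min_disk_space_mb(settings_text: str, space_mb: int) -> str:
    """Return the settings text with :min_disk_space set to space_mb.

    An existing line is replaced in place (indentation preserved). If none exists,
    the line is appended at the end of the file (assumed placement, see lead-in).
    """
    if space_mb <= 0:
        raise ValueError("minimum disk space must be a positive number of MB")
    line = f":min_disk_space ({space_mb})"
    if _MIN_DISK_RE.search(settings_text):
        return _MIN_DISK_RE.sub(lambda m: m.group(1) + line, settings_text, count=1)
    separator = "" if not settings_text or settings_text.endswith("\n") else "\n"
    return settings_text + separator + line + "\n"


def will_trim_index(free_mb: float, min_mb: int) -> bool:
    """True when free space is below the minimum, i.e. SmartLog would delete the oldest index entries."""
    return free_mb < min_mb


def index_dir_free_mb(smartlogdir=None) -> float:
    """Free space in MB on the volume holding the index files ($SMARTLOGDIR/data by default)."""
    base = smartlogdir or os.environ.get("SMARTLOGDIR", ".")
    data_dir = os.path.join(base, "data")
    path = data_dir if os.path.isdir(data_dir) else base
    return shutil.disk_usage(path).free / (1024 * 1024)
```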

©2013 Check Point Software Technologies Ltd. All rights reserved.