Logging in Multi-Domain Security Management
Logging Domain Activity
Logs are generated for the different events that occur and are stored for future reference. Multi-Domain Security Management logs are generated by Domain Security Gateways, Domain Management Servers and the Multi-Domain Server. The Security Policy installed on each Security Gateway controls which events generate log entries. Instructions for log configuration are in the R77 Security Management Administration Guide.
Although you can save logs locally on Security Gateways, we recommend that large organizations use dedicated servers. In this scenario, the Security Gateway sends logs to a log server that collects and stores them. In Multi-Domain Security Management deployments the Domain Management Server operates as the default log server.
We also recommend that you deploy dedicated Log servers in these circumstances:
- If your deployment has heavy logging traffic.
- If the Multi-Domain Server or the Domain Management Server has heavy network traffic.
By default, each domain has its own log server, called a Domain Log Server. You can host a Domain Log Server on any Multi-Domain Server machine, as long as that Multi-Domain Server does not contain another Domain Management Server or Domain Log Server belonging to the same Domain.
You can also define a log server that saves log files for multiple Domains. This is known as a Multi-Domain Log Server. You can define one or more Multi-Domain Servers as dedicated Multi-Domain Log Servers that do not host any Domain Management Servers. This is a cost-effective solution for deployments with heavy log traffic.
Logging can be deployed for a single Domain by:
- Enabling local logging on the Domain Security Gateway.
- Logging data to the Domain Management Server (the default setting).
- Logging to a Log server set up on a dedicated machine for the Domain.
- Logging to a Domain Log Server.
It is possible to have a combined logging setup, with the following two components:
- Log Servers extracting information from the Multi-Domain Security Management environment,
- A Log server in the Domain network receiving records.
In this case, logs are then maintained both in the Multi-Domain Security Management environment and in the Domain network environment.
The table below shows the similarities and differences between Domain Management Servers and Log Servers:
| | Domain Management Server | Multi-Domain Log Server or Domain Log Server | Multi-Domain Log Server |
|---|---|---|---|
| Function | Manages the Security Policy, the User and Object Database for the Domain Check Point and OPSEC gateways | Collects logs from selected Security Gateways | Container for one or more Log Servers |
| Installed on... | Multi-Domain Server | Multi-Domain Log Server | A dedicated machine |
| Location | Multi-Domain Security Management | Multi-Domain Security Management | Network Operation Center |
| Max. No. per Domain | Unlimited | Unlimited | Unlimited |
| Launches Application | SmartDashboard, SmartUpdate, SmartView Tracker, SmartView Monitor, SmartProvisioning | SmartDashboard (Read Only), SmartView Tracker, SmartView Monitor | SmartDashboard (Read Only), SmartView Tracker, SmartView Monitor |
Note - Multi-Domain Security Management supports SmartReporter Reports. A SmartReporter server is installed on a different machine and then configured in the Multi-Domain Security Management environment.
Exporting Logs
There are several ways and formats in which a log file can be exported:
| Format | Environment | Export to | Event |
|---|---|---|---|
| simple text file | Domain or Multi-Domain Security Management | file | any time |
| database | Domain or Multi-Domain Security Management | external Oracle database | manual one-time event |
| database | Multi-Domain Security Management | external Oracle database | daily event |
Log Export to Text
Export logs to a text file at any given time using SmartView Tracker. For more information, see the R77 SmartView Tracker Administration Guide.
Manual Log Export to Oracle Database
Export logs manually to an external Oracle Database at any given time.
Automatic Log Export to Oracle Database
You can export Check Point and OPSEC logs to Oracle commercial relational databases. Configure the Multi-Domain Server to support log exports. Logs can automatically be exported once a day at a scheduled time.
Log exports can only be performed on log files that are not currently open and active. The automatic log export will not take place in the following cases:
- The Multi-Domain Server, Domain Management Server or Domain Log Server is down at the scheduled log export time.
- The latest log file has not been closed and all previous logs were already exported.
Log Files
For each Domain Log Server, an Active log file, the fw.log file, is created. Logged data is stored in this file for a scheduled period or until it reaches a certain size limit, after which the fw.log file is saved with a new extension (for example, fw.log.109) and a new file is opened (this process is also known as log "switching"). Once a log file is closed, it is possible to export the file, automatically or manually.
Export Profiles
Automatic log exports are performed according to a Log Export Profile. This profile defines log export parameters, such as the schedule and the log fields to be exported. Each Domain Management Server and Domain Log Server can be assigned a Log Export Profile. The same log profile can be applied to a number of Domain Management Servers and Log Servers that share the same logging needs.
Log exports are performed on log files that are not currently open. The file must be inactive and not yet exported.
Choosing Fields to Export
As part of the Log Export Profile, a Multi-Domain Security Management Superuser designates a list of log fields to export. You can set Default fields to automatically be included in each new Log Export Profile, or modify the fields selection as needed. If you need to define a new profile that is similar to an existing Profile, you can duplicate an existing profile and modify its properties as needed.
Log Forwarding
You can use SmartView Tracker to forward a log file from one Multi-Domain Log Server to another computer. See the R77 SmartView Tracker Administration Guide.
Cross Domain Logging
By default, each Security Gateway managed by a Domain Management Server can send its logs either to the Domain Management Server (primary or secondary) or to a Log server (a physical machine or a Domain Log Server hosted on a Multi-Domain Log Server). In either case, the Security Gateways can send logs only to Log servers defined in the same management Domain (that is, belonging to the same Domain).
If required, a manual workaround can allow cross-Domain logging. The workaround is recommended only in very limited cases, as it has scalability restrictions, and its setup requires manual intervention in the SIC (Secure Internal Communications) authentication process.
The procedure for setting this up is detailed in SecureKnowledge, see sk12882.
Logging Configuration
This section outlines configuration issues of Multi-Domain Security Management logging.
Setting Up Logging
To create a Multi-Domain Log Server:
- Use the same procedure as for creating a SmartDomain Manager.
- Using the SmartDomain Manager, create one or more Log Servers per Domain. Each must be on a different Multi-Domain Server.
Remember to allow communication between the Multi-Domain Security Management network and the Domain Security Gateways. Add appropriate rules permitting the Log Servers to communicate from the Multi-Domain Security Management network with the Domain gateways, and install the Policy on the applicable gateways.
- Set up each applicable Security Gateway to send its logs to the new Domain Log Server.
- Synchronize the new Domain Log Server database with the Domain Management Server database. This must be done so that logs are properly processed.
- Configure the Multi-Domain Server for log export.
- If you want to enable automatic log exporting, create a Log Export Profile and assign it to the Log Servers and Domain Management Servers.
If you experience difficulty, see Log Export Troubleshooting.
Working with Log Servers
Defining a Domain Log Server Using the SmartDomain Manager
You can use the SmartDomain Manager or the Multi-Domain Server CLI to define Log Servers. Note the following:
- A Domain must have at least one defined Domain Management Server before you can create a Domain Log Server.
- You must define additional Log Servers for the same Domain on a different Multi-Domain Server.
- You cannot install a Domain Log Server and a Domain Management Server on the same Multi-Domain Server.
To add a new Domain Log Server:
- In the SmartDomain Manager view, right-click a Domain and select .
- In the field, select a Multi-Domain Log Server.
- Enter an IPv4 and IPv6 address or click to assign address from a predefined pool of available addresses. IPv6 addresses are optional.
- Click and select one of these options:
Add License Information Manually
- Click .
- In the email message that you received from Check Point, select the entire license string (starting with cplic putlic... and ending with the last SKU/Feature) and copy it to the clipboard.
- In the Add License window, click to paste the license details you have saved on the clipboard into the Add License window.
- Click to display your Validation Code. Compare this value with the validation code that you received in your email. If validation fails, contact the Check Point licensing center, providing them with both the validation code contained in the email and the one displayed in this window.
Import a License File
- Click .
- In the Open window, browse to and double-click the desired license file.
Get from the License Repository
- Click .
This option is only available if you have valid, unattached licenses in the repository.
- In the select, click a Domain Management Server license.
The license automatically attaches to the Domain Management Server and the window closes.
Defining a Domain Log Server Using the CLI
Description
Use the addlogserver command to add a Domain Log Server to an existing Domain. To add a Domain Log Server to a Domain, you must define at least one Domain Management Server.
Syntax
mdscmd addlogserver <DomainName> [-n Name | -i IPv4 | -a IPv6] [-t target <ServerName>] [-m <ServerName> -u user -p password]
| Argument | Description |
|---|---|
| DomainName | Domain to which this Domain Log Server is assigned. The name cannot include spaces or special characters (except for the underscore character). |
| -n Name | Domain Management Server name. If you do not use the -n argument, the system automatically generates a Domain Management Server name with this format: Domain_Management_Server_<sequence number>. |
| -i IPv4 | Domain Management Server IPv4 address. If you do not use the -i argument, the system automatically assigns an address from a predefined pool of available addresses. |
| -a IPv6 | Domain Management Server IPv6 address. If you do not use the -a argument, the system automatically assigns an address from a predefined pool of available addresses. |
| -t target ServerName | Optional: Name of the Multi-Domain Server that the Domain Management Server is assigned to. This argument is necessary only if you assign the Domain Management Server to a remote Multi-Domain Server. |
| -m ServerName | Remote Multi-Domain Server host name or IPv4 address. You must use this argument when you work with a Domain Management Server on a remote Multi-Domain Server. The remote Multi-Domain Server must be defined as a GUI client. |
| -u user and -p password | Credentials of the Superuser for the remote Multi-Domain Server. These arguments are necessary to log in to the remote Multi-Domain Server. Make sure that you do not show the password during remote login. |
You must use at least one of these arguments to identify the Domain Management Server:
-n DomainName
-i IPv4
-a IPv6
When you create a new object, you can use one or more of these arguments to manually define the name or IP address.
You must configure ranges of IPv4 and IPv6 addresses on your Multi-Domain Server for automatic address assignment to work. If no ranges are defined or no IP addresses are available, the command will fail.
The -t, -m and -u arguments are necessary only when you assign a Domain Management Server to a different, remote Multi-Domain Server (not the one on which you run the mdscmd command).
Note - The old version of this command (mdscmd addclm) is still supported.
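The following POSIX shell wrapper is an added example, not part of the guide or of Check Point's tooling: it applies the rules stated above for mdscmd addlogserver (Domain name characters, at least one of -n, -i or -a, and -m together with -u and -p for a remote Multi-Domain Server) before the command runs, and keeps the Superuser password off the typed command line. MDS_USER and MDS_PASSWORD are variable names assumed by this script; the -t argument is not handled.

```shell
#!/bin/sh
# Added example (not from the Check Point guide): validate the arguments of
# "mdscmd addlogserver" against the constraints the guide states, then run it
# with the remote Superuser password taken from the environment instead of
# the typed command line. MDS_USER and MDS_PASSWORD are names assumed here.

# Domain name: letters, digits and underscore only (the guide's rule).
# Other values (names, IPv4/IPv6 addresses, host names) may also contain
# dots, colons and hyphens. Anything else is rejected, which is what makes
# the later eval safe.
valid_domain_name() { case "$1" in ''|*[!A-Za-z0-9_]*) return 1;; esac; }
valid_value()       { case "$1" in ''|*[!A-Za-z0-9_.:-]*) return 1;; esac; }

# Usage: addlogserver_cmd <DomainName> [-n Name] [-i IPv4] [-a IPv6] [-m ServerName]
# Prints the command line without the password and returns 0, or prints the
# violated rule on stderr and returns 1.
addlogserver_cmd() {
    domain=$1; shift
    valid_domain_name "$domain" || { echo "Domain name '$domain' contains spaces or special characters" >&2; return 1; }
    cmd="mdscmd addlogserver $domain"; have_id=0; remote=''
    while [ $# -gt 0 ]; do
        valid_value "${2:-}" || { echo "missing or unsafe value for $1" >&2; return 1; }
        case "$1" in
            -n|-i|-a) cmd="$cmd $1 $2"; have_id=1 ;;
            -m)       remote=$2 ;;
            *)        echo "unexpected argument: $1" >&2; return 1 ;;
        esac
        shift 2
    done
    # At least one of -n, -i or -a must identify the new Domain Log Server.
    [ "$have_id" -eq 1 ] || { echo "at least one of -n, -i or -a is required" >&2; return 1; }
    if [ -n "$remote" ]; then
        # A remote Multi-Domain Server needs -m, -u and -p together. The
        # credentials come from the environment, so they are neither typed
        # nor stored in shell history; run_addlogserver appends the password
        # only at execution time.
        if [ -z "${MDS_USER:-}" ] || [ -z "${MDS_PASSWORD:-}" ]; then
            echo "-m requires MDS_USER and MDS_PASSWORD to be set" >&2; return 1
        fi
        valid_value "$MDS_USER" || { echo "unsafe MDS_USER" >&2; return 1; }
        cmd="$cmd -m $remote -u $MDS_USER"
    fi
    printf '%s\n' "$cmd"
}

# Validates, then runs the command. The password is still passed to mdscmd
# as its syntax requires, but it never appears in the echoed command line.
run_addlogserver() {
    line=$(addlogserver_cmd "$@") || return 1
    echo "running: $line" >&2
    case "$line" in
        *" -u "*) eval "$line -p \"\$MDS_PASSWORD\"" ;;   # all values validated above
        *)        eval "$line" ;;
    esac
}
```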
Starting or Stopping a Domain Log Server
To start or stop a Domain Log Server from the SmartDomain Manager General View:
- Select the Domain Log Server.
- Do one of the following:
- Choose Manage > Start Domain Management/Start Domain Log Server or Stop Domain Management/Stop Domain Log Server as appropriate, or
- Select Start or Stop from the toolbar.
The run status of the Domain Log Server will change accordingly, and the change will be reflected in the Status column.
An alternative way to start or stop a Domain Log Server is from the Multi-Domain Server command line, by using the mdsstart_customer and mdsstop_customer commands.
Deleting a Domain Log Server
To delete a Domain Log Server using the SmartDomain Manager:
- Right-click the Domain Log Server and select .
- Select .
Description
Use this command to delete an existing Domain Log Server.
Syntax
mdscmd deletelogserver <DomainName> <-n Name | -i IPv4 | -a IPv6 > -m <ServerName> -u user name -p password
| Argument | Description |
|---|---|
| DomainName | Name of the Domain to which the Domain Management Server is assigned. The name cannot include spaces or special characters (except for the underscore character). |
| -n Name | Domain Management Server name. |
| -i IPv4 | Domain Management Server IPv4 address. If you do not use the -i argument, the system automatically assigns an address from a predefined pool of available addresses. |
| -a IPv6 | Domain Management Server IPv6 address. If you do not use the -a argument, the system automatically assigns an address from a predefined pool of available addresses. |
| -m ServerName | Remote Multi-Domain Server host name or IPv4 address. You must use this argument when you work with a Domain Management Server on a remote Multi-Domain Server. The remote Multi-Domain Server must be defined as a GUI client. |
| -u user and -p password | Credentials of the Superuser for the remote Multi-Domain Server. These arguments are necessary to log in to the remote Multi-Domain Server. Make sure that you do not show the password during remote login. |
You must use at least one of these arguments to identify the Domain Management Server:
-n DomainName
-i IPv4
-a IPv6
When you create a new object, you can use one or more of these arguments to manually define the name or IP address.
You must configure ranges of IPv4 and IPv6 addresses on your Multi-Domain Server for automatic address assignment to work. If no ranges are defined or no IP addresses are available, the command will fail.
The -t, -m and -u arguments are necessary only when you assign a Domain Management Server to a different, remote Multi-Domain Server (not the one on which you run the mdscmd command).
Note - The old version of this command (mdscmd deleteclm) is still supported.
Setting up Domain Security Gateway to Send Logs to the Domain Log Server
Logs are not automatically forwarded to a new Domain Log Server. You must manually set up each relevant Security Gateway to send its logs to the new Domain Log Server.
To set up Domain gateways to send logs to the Domain Log Server:
- Launch SmartDashboard for the Domain Management Server and double-click the Security Gateway object to display its Check Point Gateway window.
- Display the Additional Logging page (under Logs and Masters) and check Forward log files to Security Management Server. The Security Management Servers drop-down list is enabled.
- Select the new Domain Log Server from the Security Management Server drop-down list and click OK.
Synchronizing Domain Log Server and Domain Management Server
To process logs properly, the Domain Log Server database should be synchronized with the Domain Management Server database.
To synchronize the Domain Log Server database with the Domain Management Server database:
- In SmartDashboard, select Policy > Install Database. The Install Database window is displayed.
- Under Install Database on, check the Domain Log Server you have created and click OK. The Install Users Database status window is displayed. From this window you can follow the progress of the installation.
Configuring a Multi-Domain Server to Enable Log Export
To configure a Multi-Domain Server to Enable Log Export:
- Stop the Multi-Domain Server processes.
- Install and configure the Oracle Client.
- Define the environment variable ORACLE_HOME according to the installation.
- Add $ORACLE_HOME/lib to the $LD_LIBRARY_PATH.
- Add $ORACLE_HOME/bin to the $PATH.
- Restart the Multi-Domain Server processes.
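As an added example (not from the guide), this POSIX shell check verifies the Oracle Client environment the procedure above requires before the Multi-Domain Server processes are restarted; a missing piece otherwise surfaces later as the "Failed to load dll" entry in the log export troubleshooting table. It assumes only the ORACLE_HOME, LD_LIBRARY_PATH and PATH variables named in the procedure.

```shell
#!/bin/sh
# Added example (not from the Check Point guide): check that the Oracle Client
# environment required for log export is in place. Each problem is reported
# on stderr and the function returns the number of problems found (0 = all of
# the procedure's environment steps are satisfied).

# True when directory $1 is an element of the colon-separated list $2.
path_contains() {
    case ":$2:" in
        *":$1:"*) return 0 ;;
        *)        return 1 ;;
    esac
}

check_oracle_env() {
    problems=0
    # ORACLE_HOME must point at the installed client; without it the other
    # checks are meaningless, so stop here.
    if [ -z "${ORACLE_HOME:-}" ] || [ ! -d "${ORACLE_HOME:-}" ]; then
        echo "ORACLE_HOME is unset or not a directory: '${ORACLE_HOME:-}'" >&2
        return 1
    fi
    for sub in lib bin; do
        if [ ! -d "$ORACLE_HOME/$sub" ]; then
            echo "missing directory $ORACLE_HOME/$sub" >&2
            problems=$((problems + 1))
        fi
    done
    # $ORACLE_HOME/lib must be on $LD_LIBRARY_PATH so the export process can
    # load the Oracle client library.
    if ! path_contains "$ORACLE_HOME/lib" "${LD_LIBRARY_PATH:-}"; then
        echo "$ORACLE_HOME/lib is not in LD_LIBRARY_PATH" >&2
        problems=$((problems + 1))
    fi
    # $ORACLE_HOME/bin must be on $PATH.
    if ! path_contains "$ORACLE_HOME/bin" "$PATH"; then
        echo "$ORACLE_HOME/bin is not in PATH" >&2
        problems=$((problems + 1))
    fi
    return "$problems"
}
```

Run it in the shell that will restart the Multi-Domain Server processes, since the variables must be set in that environment.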
Configuring Log Export Profiles
The first time you perform a Log Export, a log field table is created in the external database. The table is structured according to the log fields settings defined in the Log Export Profile. The table's naming convention is <Domain Management Server Name>_<Domain Name>_CPLogs . For example, for DMS1 of Domain1, the table will be named DMS1_Domain1_CPLogs .
To configure Log Export profiles:
- Select Manage > Log Export > Profiles... from the menu.
- To view the Domain Management Servers and Log Servers assigned a selected profile, click Show Assigned. To remove a specific Domain Management Server or Domain Log Server, click Remove.
- In the General tab, specify basic export parameters, such as the Oracle server receiving the logs, the name and password of the administrator managing that Oracle server, the schedule etc.
- In the Log Fields tab, select the fields to be exported. Some fields are checked by default. Change these settings as needed.
If you modify this list after data has been exported (for example, by changing a field's length), the field definitions will no longer match the target table and future Log Exports will fail. To avoid this, rename the current table.
The next time you perform a Log Export, the process will create a new table using the original table's name.
- In the Assign tab, specify which Domain Management Servers and Log Servers are assigned this profile.
- To find the profile assigned to a specific Domain Management Server or Domain Log Server, click Find in the Log Export Profiles window. The window will either display the Log Export Profile's name, or indicate that no profile has been assigned.
Choosing Log Export Fields
Use the Log Export Fields window to determine which log fields are exported. You can add, edit and delete fields as needed. Default fields can be selected in this window, to be automatically included in each new Log Export Profile.
Be aware that changing or removing log export fields affects all profiles using these fields.
To choose Log Export fields:
- Select Manage > Log Export > Fields... from the menu.
- Use the Add, Edit and Delete buttons to create a list of fields according to the logging data you want to export.
The Name of the field is as it appears in the Log File. The Exported Name is the name you give to the field you want to appear in the exported Oracle table. The Exported Name should follow Oracle naming restrictions.
Enter a Type, and Length. Check Export by default to have a field selected by default for all new Log Export Profiles.
- To select fields to automatically include in each new Log Export Profile, check Export by default in the Add Log Export Field window (or double-click an existing field). You can later modify this selection as needed.
Log Export Troubleshooting
Log Export troubleshooting suggestions are shown below:
Error Message: No connection with Domain Management Server.
What to do: Verify the following:
- The Domain Management Server is running properly.
- The Domain Management Server has a valid license.

Error Message: Configuration file not found.
What to do: Update the Log Export Profile using the SmartDomain Manager.

Error Message: No data to export.
What to do: Run two commands:
- mdsenv <domain_management_server_name>
- fw lslogs -e

Error Message: Failed to load dll.
What to do: The external database's client is not configured properly. Proceed as follows:
- Stop the Multi-Domain Server.
- Prepare the system for Log Export.
- Start the Multi-Domain Server.

Error Message: Failed to connect to the external database.
What to do: Verify the following:
- The external database is accessible and running properly.
- The external database's client is configured correctly.
- The administrator name and password specified in the Log Export Profile can be used to log in to the database.
- The Oracle Client and the SmartDomain Manager use the same Oracle server name.

Error Message: Failed to create table in database.
What to do: Verify the following:
- The administrator has been assigned the appropriate permissions.
- The exported log field names conform to the external database's naming conventions.

Error Message: Failed to read Check Point logs.
What to do: Verify the following:
- The Domain Management Server is running properly.
- The Domain Management Server has a valid license.

Error Message: Failed to write to external database.
What to do: Verify that the external database's table structure (e.g. the log field names and the columns' width) conforms to its definition in the Log Fields tab of the Log Export Profile window. If the two are incompatible, rename the table.
Using SmartReporter
SmartReporter can now produce both Log Based reports and Express reports for Security Gateways managed by Domain Management Servers. Use SmartReporter to create selected reports for specified Domains and Security Gateways. Reports can be scheduled at any time, and can be sent by email or uploaded to an FTP site. SmartReporter must be properly configured to work with Multi-Domain Security Management. See the "Getting Started" chapter of the R77 SmartReporter Administration Guide.