Logging

In This Section:

Log Analysis

SmartConsole lets you transform log data into security intelligence. Search results are fast and immediately show the log records you need. The Security Gateways send logs to the Log Servers on the Security Management Server or on a dedicated server. Logs show on the SmartConsole Logs & Monitor Logs tab. You can:

Quickly search through logs with simple Google-like searches.
Select from many predefined search queries to find the applicable logs.
Create your own queries using a powerful query language.
Monitor logs from administrator activity and connections in real-time.

Sample Log Analysis

This is a sample procedure that shows how to do an analysis of a log of a dropped connection.

To show a log of a dropped connection:

Log into SmartConsole.
Connect to the IP address of the Security Management Server, not to a Log Server.
In the Security Policies > Access Control > Policy view, select a rule with the Drop action.
In the bottom pane, click Logs.
This shows the logs for connections that were dropped by the Rule Base.
Double-click a log.
The Log Details window opens.

Using the Log View

This is an example of the Log view.

SmartConsole_logs_GUI

Item	Description
1	Queries - Predefined and favorite search queries.
2	Time Period - Search with predefined custom time periods.
3	Query search bar - Define custom queries in this field. You can use the GUI tools or manually enter query criteria. Shows the query definition for the most recent query.
4	Log statistics pane - Shows top results of the most recent query.
5	Results pane - Shows log entries for the most recent query.

Working with Logs

In This Section:

Choosing Rules to Track

Configuring Tracking in a policy Rule

Query Language Overview

Choosing Rules to Track

Logs are useful if they show the traffic patterns you are interested in. Make sure your Security Policy tracks all necessary rules. When you track multiple rules, the log file is large and requires more disk space and management operations.

To balance these requirements, track rules that can help you improve your cyber security, help you understand of user behavior, and are useful in reports.

Configuring Tracking in a policy Rule

To configure tracking in a rule:

Right-click in the Track column.
Select a tracking option.
Install the policy.

Tracking Options

Select these options in the Track column of a rule:

None - Do not generate a log.
Log - This is the default Track option. It shows all the information that the Security Gateway used to match the connection. At a minimum, this is the Source, Destination, Source Port, and Destination Port. If there is a match on a rule that specifies an application, a session log shows the application name (for example, Dropbox). If there is a match on a rule that specifies a Data Type, the session log shows information about the files, and the contents of the files.
Accounting - Select this to update the log at 10 minutes intervals, to show how much data has passed in the connection: Upload bytes, Download bytes, and browse time.

Note - When upgrading from R77.xx or from R80 versions to R80.10, there are changes to the names of the options in the Track column. To learn more see sk116580.

Advanced Track options

Detailed Log and Extended Log are only available if one or more of these Blades are enabled on the Layer: Applications & URL Filtering, Content Awareness, or Mobile Access.

Detailed Log - Equivalent to the Log option, but also shows the application that matched the connections, even if the rule does not specify an application. Best Practice - Use for a cleanup rule (Any/Internet/Accept) of an Applications and URL Filtering Policy Layer that was upgraded from an R77 Application Control Rule Base.
Extended Log - Equivalent to the Detailed option, but also shows a full list of URLs and files in the connection or the session. The URLs and files show in the lower pane of the Logs view.

Log Generation

per Connection - Select this to show a different log for each connection in the session. This is the default for rules in a Layer with only Firewall enabled. These are basic firewall logs.
per Session - Select this to generate one log for all the connections in the same session. This is the default for rules in a Layer with Applications and URL Filtering or Content Awareness enabled. These are basic Application Control logs.

Alert:

For each alert option, you can define a script in Menu > Global Properties > Log and Alert > Alerts.

None - Do not generate an alert.
Alert - Generate a log and run a command, such as: Show a popup window, send an email alert or an SNMP trap alert, or run a user-defined script as defined in the Global Properties.
SNMP - Send an SNMP alert to the SNMP GUI, or run the script defined in the Global Properties.
Mail - Send an email to the administrator, or run the mail alert script defined in the Global Properties.
User Defined Alert - Send one of three possible customized alerts. The alerts are defined by the scripts specified in the Global Properties.

Log Sessions

A session is a user's activity at a specified site or with a specified application. The session starts when a user connects to an application or to a site. The Security Gateway includes all the activity that the user does in the session in one session log.

To search for log sessions:

In the Logs tab of the Logs & Monitor view, search for type:Session

To see details of the log session:

In the Logs tab of the Logs & Monitor view, select a session log.

In the bottom pane of the Logs tab, click the tabs to see details of the session log:

Connections - Shows all the connections in the session. These show if Per connection is selected in the Track option of the rule.
URLs - Shows all the URLs in the session. These show if Extended Log is selected in the Track option of the rule.
Files - Shows all the files uploaded or downloaded in the session. These show if Extended Log is selected in the Track option of the rule, or if a Data Type was matched on the connection.

To see the session log for a connection that is part of a session:

In the Logs tab of the Logs & Monitor view, double-click on the log record of a connection that is part of a session.
In the Log Details, click the session icon (in the top-right corner) to see the session log.

To configure the session timeout:

By default, after a session continues for three hours, the Security Gateway starts a new session log. You can change this in SmartConsole from the Manage & Settings view, in Blades > Application & URL Filtering > Advanced Settings > General > Connection unification.

For sessions that are blocked by the Access Control Policy, the Security Gateway starts a new session log after 30 seconds. A blocked session log include all the connections that are blocked in this period.

Viewing Rule Logs

You can search for the logs that are generated by a specific rule, from the Security Policy or from the Logs & Monitor > Logs tab.

To see logs generated by a rule (from the Security Policy):

In SmartConsole, go to the Security Policies view.
In the Access Control Policy or Threat Prevention Policy, select a rule.
In the bottom pane, click one of these tabs to see:
- Summary - Rule name, rule action, rule creation information, and the hit count. Add custom information about the rule.
- Details (Access Control Policy only) - Details for each column. Select columns as necessary.
- Logs - By default, shows the logs for the Current Rule. You can filter them by Source, Destination, Blade, Action, Service, Port, Source Port, Rule (Current rule is the default), Origin, User, or Other Fields.
- History (Access Control Policy only) - List of rule operations in chronological order, with the information about the rule type and the administrator that made the change.

To see logs generated by a rule (by Searching the Logs):

In SmartConsole, go to the Security Policies view.
In the Access Control Policy or Threat Prevention Policy, select a rule.
Right-click the rule number and select Copy Rule UID.
In the Logs & Monitor > Logs tab, search for the logs in one of these ways:
- Paste the Rule UID into the query search bar and press Enter.
- For faster results, use this syntax in the query search bar:
  layer_uuid_rule_uuid:*_<UID>
  
  For example, paste this into the query search bar and press Enter:
  
  layer_uuid_rule_uuid:*_46f0ee3b-026d-45b0-b7f0-5d71f6d8eb10

Packet Capture

You can capture network traffic. The content of the packet capture provides a greater insight into the traffic which generated the log. With this feature activated, the Security Gateway sends a packet capture file with the log to the log server. You can open the file, or save it to a file location to retrieve the information a later time.

The packet capture option is activated by default.

To deactivate packet capture:

In SmartConsole, in the Security Policies view
In the Track column of the rule, right-click and clear Packet Capture.

To see a packet capture:

In SmartConsole, go to the Logs & Monitor view.
Open the log.
Click the link in the Packet Capture field.
The Packet Capture Viewer Output window opens.
Optional: Click Save to save the packet capture data as a text file.

Searching the Logs

SmartConsole lets you quickly and easily search the logs with many predefined log queries, and an easy to use language for custom queries.

Running Queries

To create and run a query:

In the query search bar, click Enter Search Query (Ctrl+F).
Enter or select query criteria.

To manually refresh your query:

Click Refresh (F5).

To continuously refresh your query (Auto-Refresh):

Click Auto-Refresh (F6). The icon is highlighted when Auto-Refresh is enabled.

The query continues to update every five seconds while Auto-Refresh is enabled. If the number of logs exceeds 100 in a five-second period, the logs are aggregated, and the summary view shows. To see all logs aggregated in a specific time interval, click View.

Showing Query Results

Query results can include tens of thousands of log records. To prevent performance degradation, SmartConsole only shows the first set of results in the Results pane. Typically, this is a set of 50 results.

Scroll down to show more results. As you scroll down, SmartConsole extracts more records from the log index on the Security Management Server or Log Server, and adds them to the results set. See the number of results above the Results pane.

For example, on the first run of a query, you can see the first 50 results out of over 150,000 results. When you scroll down, you can see the first 100 results out of over 150,000.

Customizing the Results Pane

By default, SmartConsole shows a predefined set of columns and information based on the selected blade in your query. This is known as the Column Profile. For example:

The DLP column profile includes columns for: Blade, Type, DLP Incident UID, and severity.
The Threat Prevention column profile includes columns for: Origin, Action, Severity, and Source User.

A column profile is assigned based on the blade that occurs most frequently in the query results. This is called Automatic Profile Selection, and is enabled by default.

The Column Profile defines which columns show in the Results Pane and in which sequence. You can change the Column Profile as necessary for your environment.

To use the default Column Profile assignments:

Right-click a column heading and select Columns Profile > Automatic Profile Selection.

To manually assign Column Profile assignments by default:

Right-click a column heading and select Columns Profile > Manual Profile Selection.

To manually assign a different Column Profile:

Right-click a column heading and select Columns Profile.
Select a Column Profile from the options menu.

To change a Column Profile:

Right-click a column heading and select Columns Profile > Edit Profile.
In the Show Fields window, select a Column Profile to change.
Select fields to add from the Available Fields column.
Click Add.
Select fields to remove from the Selected Fields column.
Click Remove.
Select a field in the Selected Fields.
Click Move Up or Move Down to change its position in the Results Pane.
Double-click the Width column to change the default column width for the selected field.
To change the column width, drag the right column border in the Results Pane.
To save the column width, right-click and select Save Profile.
The column is applicable to future sessions.

Creating Custom Queries

Queries can include one or more criteria. To create custom queries, use one or a combination of these basic procedures:

Right-click columns in the grid view and select Add Filter.
Click in the Query search bar and select the fields and filter criteria for those fields.
Manually enter filter criteria in the Query search bar.

To create a new custom query, run an existing query, and use one of these procedures to change it. You can save the new query in the Favorites list.

When you create complex queries, the log search tool suggests, or automatically enters, an appropriate Boolean operator. This can be an implied AND operator, which does not explicitly show.

Selecting Query Fields

You can enter query criteria directly from the Query search bar.

To select field criteria:

If you start a new query, click Clear to remove query definitions.
Put the cursor in the Query search bar.
Select a criterion from the drop-down list or enter the criteria in the Query search bar.

Selecting Criteria from Grid Columns

You can use the column headings in the Grid view to select query criteria. This option is not available in the Table view.

To select query criteria from grid columns:

In the Results pane, right-click on a column heading.
Select Add Filter.
Select or enter the filter criteria.
The criteria show in the Query search bar and the query runs automatically.

To enter more criteria, use this procedure or other procedures.

Manually Entering Query Criteria

You can enter query criteria directly in the Query search bar. You can manually create a new query or make changes to an existing query that shows in the Query search bar.

As you enter text, the Search shows recently used query criteria or full queries. To use these search suggestions, select them from the drop-down list. If you make a syntax error in a query, the Search shows an error message that identifies the error and suggests a solution.

Query Language Overview

A powerful query language lets you show only selected records from the log files, according to your criteria. To create complex queries, use Boolean operators, wildcards, fields, and ranges. This section refers in detail to the query language.

When you use SmartConsole to create a query, the applicable criteria show in the Query search bar.

The basic query syntax is [<Field>:] <Filter Criterion>.

To put together many criteria in one query, use Boolean operators:

[<Field>:] <Filter Criterion> AND|OR|NOT [<Field>:] <Filter Criterion> ...

Most query keywords and filter criteria are not case sensitive, but there are some exceptions. For example, source:<X> is case sensitive (Source:<X> does not match). If your query results do not show the expected results, change the case of your query criteria, or try upper and lower case.

When you use queries with more than one criteria value, an AND is implied automatically, so there is no need to add it. Enter OR or other boolean operators if needed.

Criteria Values

Criteria values are written as one or more text strings. You can enter one text string, such as a word, IP address, or URL, without delimiters. Phrases or text strings that contain more than one word must be surrounded by quotation marks.

One word string examples:

John
inbound
192.168.2.1
mahler.ts.example.com
dns_udp

Phrase examples

"John Doe"
"Log Out"
"VPN-1 Embedded Connector"

IP Addresses

IPv4 and IPv6 addresses used in log queries are counted as one word. Enter IPv4 address with dotted decimal notation and IPv6 addresses with colons. You can also use the '*' wildcard character with IP addresses.

Example:

192.0.2.1
2001:db8::f00:d

NOT Values

You can use NOT <field> values with field keywords in log queries to find logs for which the value of the field is not the value in the query.

Syntax

NOT <field>:<value>

Example

NOT src:10.0.4.10

Wildcards

You can use the standard wildcard characters (* and ?) in queries to match variable characters or strings in log records. You can use more than the wildcard character.

Wildcard syntax

The ? (question mark) matches one character.
The * (asterisk) matches a character string.

Examples:

Jo? shows Joe and Jon, but not Joseph.
Jo* shows Jon, Joseph, and John Paul.

If your criteria value contains more than one word, you can use the wildcard in each word. For example, 'Jo* N*' shows Joe North, John Natt, Joshua Named, and so on.

Using Wildcards with IP Addresses

The wildcard character is useful when used with IPv4 addresses. It is a best practice to put the wildcard character after an IP address delimiter.

Examples:

192.168.2.* shows all records for 192.168.2.0 to 192.168.2.255 inclusive
192.168.* shows all records for 192.168.0.0 to 192.168.255.255 inclusive

Field Keywords

You can use predefined field names as keywords in filter criteria. The query result only shows log records that match the criteria in the specified field. If you do not use field names, the query result shows records that match the criteria in all fields.

This table shows the predefined field keywords. Some fields also support keyword aliases that you can type as alternatives to the primary keyword.

Keyword	Keyword Alias	Description
`severity`		Severity of the event
`app_risk`		Potential risk from the application, of the event
`protection`		Name of the protection
`protection_type`		Type of protection
`confidence_level`		Level of confidence that an event is malicious
`action`		Action taken by a security rule
`blade`	`product`	Software Blade
`destination`	`dst`	Traffic destination IP address, DNS name or Check Point network object name
`origin`	`orig`	Name of originating Security Gateway
`service`		Service that generated the log entry
`source`	`src`	Traffic source IP address, DNS name or Check Point network object name
`user`		User name

Syntax for a field name query:

<field name>:<values>

<field name> - One of the predefined field names
<values> - One or more filters

To search for rule number, use the Rule field name. For example:

rule:7.1

If you use the rule number as a filter, rules in all the Layers with that number are matched.

To search for a rule name, you must not use the Rule field. Use free text. For example:

"Block Credit Cards"

Best practice: Do a free text search for the rule name. Make sure rule names are unique and not reused in different Layers.

Examples:

source:192.168.2.1
action:(Reject OR Block)
You can use the OR Boolean operator in parentheses to include multiple criteria values.

Important - When you use fields with multiple values, you must:

Write the Boolean operator, for example AND.
Use parentheses.

Boolean Operators

You can use the Boolean operators AND, OR, and NOT to create filters with many different criteria. You can put multiple Boolean expressions in parentheses.

If you enter more than one criteria without a Boolean operator, the AND operator is implied. When you use multiple criteria without parentheses, the OR operator is applied before the AND operator.

Examples:

blade:"application control" AND action:block
Shows log records from the Application & URL Filtering Software Blade where traffic was blocked.
192.168.2.133 10.19.136.101
Shows log entries that match the two IP addresses. The AND operator is presumed.
192.168.2.133 OR 10.19.136.101
Shows log entries that match one of the IP addresses.
(blade:Firewall OR blade:IPS OR blade:VPN) AND NOT action:drop
Shows all log entries from the Firewall, IPS or VPN blades that are not dropped. The criteria in the parentheses are applied before the AND NOT criterion.
source:(192.168.2.1 OR 192.168.2.2) AND destination:17.168.8.2
Shows log entries from the two source IP addresses if the destination IP address is 17.168.8.2. This example also shows how you can use Boolean operators with field criteria.