Views and Reports

In This Section: Enabling Views and Reports Catalog of Views and Reports Views Making a Custom View Video Reports Making a Custom Report Automatic View and Report Updates Opening a View or Report Exporting Views and Reports Exporting and Importing Templates Scheduling a View or Report Customizing a View or Report Widgets

You can create rich and customizable views and reports for log and event monitoring. These inform key stakeholders about security activities.

Use these GUIs:

• SmartConsole > Logs & Monitor
• SmartView Web Application - for generating and editing views in a browser:
  https://<Server IP>/smartview/

  <Server IP> is IP address of the Security Management Server or SmartEvent server.

Enabling Views and Reports

To enable SmartEvent views and reports, you must install and configure a SmartEvent Server.

Catalog of Views and Reports

In the Logs & Monitor view, click the (+) tab to open a catalog of all views and reports, predefined and customized. Click a view or report to open it.

Item	Description
1	Open Log View - See and search through the logs from all Log Servers. You can also search the logs from a Log Server that you choose. Open Audit Logs View - See and search records of actions done by SmartConsole administrators. These views come from the Log Servers. Other views come from the SmartEvent Server.
2	Compliance View - Optimize your security settings and ensure compliance with regulatory requirements.
3	Views - The list of predefined and customized views. A view is an interactive dashboard made up of widgets. The view tells administrators and other stakeholders about security and network events. Each widget is the output of a query. Widgets can show the information as a chart, table, or some other format. To find out more about the events, double-click a widget to drill down to a more specific view or raw log files.
4	Reports - The list of predefined and customized reports. A report has multiple pages, and applies to the time that the report is generated. There are several predefined reports, and you can create new reports. A reports gives more details than a view. Reports can be customized, filtered, generated and scheduled. You cannot drill down into a report.
5	Favorites - Use this view to collect the views and reports you use the most.
6	Switch to Table View or Thumbnails View - The Table view is the default for views and reports. The Thumbnails view is the default for the Favorites and Recent views and reports
7	Scheduled Tasks - See and edit scheduled tasks. Archive - Completed and in-progress tasks for generating and exporting reports.
8	External Apps SmartEvent Settings & Policy - The SmartEvent GUI client. Use it for initial setup and to define the SmartEvent Correlation Unit policy. The views in SmartConsole are a replacement for those in the R77.x SmartEvent GUI client. Open Tunnel and User Monitoring - The SmartView Monitor GUI Client. The monitoring views in SmartConsole are a replacement for those in the R77.x SmartView Monitor GUI client, except for Tunnel and User Monitoring. SmartView Web Application - A SmartEvent Web application that you can use to analyze events that occur in your environment. Use it to see an overview of the security information for your environment. It has the same real-time event monitoring and analysis views as SmartConsole, with the convenience of not having to install a client.

Views

Views tells administrators and other stakeholders about security and network events. A view is an interactive dashboard made up of widgets. Each widget is the output of a query. A Widget can show information in different formats, for example, a chart or a table.

SmartConsole comes with several predefined views. You can create new views that match your needs, or you can customize an existing view.

In the Logs & Monitor view, clicking the (+) tab opens a catalog of all views and reports, predefined and customized. Double-click a view to open it.

Item	Description
1	Widget- The output of a query. A Widget can show information in different formats, for example, a chart or a table.
2	Drill Down - To find out more about the events, double-click a widget to drill down to a more specific view or raw log files.
3	Options - Customize the view, restore defaults, Hide Identities, export.
4	Queries - Predefined and favorite search queries
5	Time Period - Specify the time periods for the view.
6	Query search bar - Define custom queries using the GUI tools, or manually entering query criteria. Shows the query definition for the most recent query.

Making a Custom View Video

Reports

A report has multiple pages, and applies to the time that the report is generated.

A page is an interactive dashboard made up of widgets. Each widget displays the output of a query.

There are several predefined reports, and you can create new reports. A report gives more details than a view. Reports can be customized, filtered, generated and scheduled. You cannot drill down into a report.

In the Logs & Monitor view, clicking the (+) tab opens a catalog of all views and reports, predefined and customized. Double-click a report to open it.

Item	Description
1	Preview bar - A report is divided onto pages, usually, one view on one page. Editing a report is done per page, in the same way as you edit a view.
2	Options - Customize, and generate a report.
3	Time Period - Specify the time periods for the report.
4	Query Search bar - Define custom queries using the GUI tools, or manually entering query criteria. Shows the query definition for the most recent query.

Making a Custom Report

Automatic View and Report Updates

SmartEvent automatically downloads new predefined views and reports, and downloads updates to existing predefined ones. To allow this, make sure the management server has Internet connectivity to the Check Point Support Center.

Opening a View or Report

Use the predefined graphical views and reports for the most frequently seen security issues. You can also customize the views and reports.

To open a view or report:

1. In SmartConsole, open the Logs & Monitor view.
2. Click the + tab to open a new tab.
3. Click Views or Reports.
4. Select a view or a report, and click Open.
5. Define the required timeframe, and filter in the search bar.
6. Click Enter.

Exporting Views and Reports

The Export to PDF and Export to Excel options save the current view or report as a PDF or Excel file, based on the defined filters and time frame.

To export a view or report to PDF or Excel:

1. In SmartConsole, open the Logs & Monitor view.
2. Click the + tab to open a new tab.
3. Click Views or Reports.
4. Select a view or report.
5. Click Export to PDF. Optionally:
   • Configure the Period and filter.
   • To automatically send by email to specified recipients each time the view or report runs, configure the Send by email settings

   Alternatively, click Open and from inside the view or report click Options > Export to PDF or Export to Excel.

   

To see your exported views and reports:

1. Add a new tab. Click +.
2. Go to Tasks > Archive.

Generating a Network Activity Report

The Network Activity report shows important firewall connections. For example, top sources, destinations, and services. To create this report, SmartEvent must first index the firewall logs.

To enable the Network Activity Report for R80.10 and higher Gateways:

In SmartConsole, in the Access Control Policy rule, add per Session to the Track settings.

To enable the Network Activity Report for Pre-R80.10 Gateways:

1. In SmartConsole, open the Logs & Monitor view.
2. Click the (+) to open a Catalog (new tab).
3. Click the SmartEvent Settings & Policy link.
4. In the SmartEvent GUI client > Policy tab, select and expand Consolidated Sessions.
5. Select Firewall Session.

   Note - this configuration increases the number of events per day by about five times. To avoid a performance impact, make sure the hardware can handle the load.

To run the Network Activity Report:

1. Open the Logs & Monitor view.
2. Click the (+) to open a Catalog (new tab).
3. Click Reports.
4. Export the Network Activity report.

Exporting and Importing Templates

You can export the view or report layout and widget definitions to a file. This is called a template. You can import the template from another server, or from another administrator.

To export the view or report layout and widget definitions to a file, use the Export Template option

To import the file from another server, or from another administrator, use the Import Template option in the Catalog (new tab).

Scheduling a View or Report

To schedule a view or report, you need to define and edit it in SmartConsole.

To schedule a report:

1. In SmartConsole, open the Logs & Monitor view.
2. Click the + tab to open a new tab.
3. Click Views or Reports.
4. Select a view or a report.
5. Select Actions > Schedule PDF or Schedule Excel.

   The Schedule page of the Export settings window opens.

6. Define the recurrence pattern.
7. Define the Period and Filter.
8. Optional: Configure email settings to get the scheduled view or report automatically. Click Send by Email.

To see your scheduled views and reports:

1. In SmartConsole, open the Logs & Monitor view.
2. Click the + tab to open a new tab.
3. Select Tasks > Scheduled.

Customizing a View or Report

1. In SmartConsole, open the Logs & Monitor view.
2. Click the + tab to open a new tab.
3. Click Views or Reports.
4. Select a view or a report, and click Open.
5. Click Options > Edit.

   

6. For a report: Select the page to edit.

   You can also add or remove pages by clicking one of these:

   

7. Customize the widgets.
8. Add a widget, or arrange widgets in the view: Drag & Drop or expand.
9. Define filters.

Note -

• Use the timeframe to set how the view or report will look.
• The timeframe and search bar are not saved with the view or report definition. Define them as needed when generating the view or report.

View Settings

Views can be configured according to these options:

1. Enter a title.
2. To show more results, this option allows a table to spread across multiple pages when saved to PDF.

   The No page limit option shows all the results for the selected table query, spread across as many pages as required.

Report Settings

Reports can be configured according to these options:

Configuring Email Settings for Views and Reports

You can automatically send views and reports by email to specified recipients each time the view or report runs.

Configuring Email Server Settings

Mail server settings are shared for all email interactions. For each SmartConsole administrator, configure them one time.

To configure email server settings:

1. In SmartConsole, open the Logs & Monitor view.
2. Click the + tab to open a new tab.
3. Click Views or Reports.
4. Select a view or a report.
5. Click Export to PDF, or Actions > Schedule PDF or Actions > Schedule Excel.
6. Click Send by email.
7. In the Email Server section, click Edit
8. Configure the email server options:
   • Sender email address. This shows on all report emails.
   • Outgoing mail server (SMTP).
   • Port
   • Use authentication - if required by the email server, configure a Username and Password.
   • Connection encryption - if required by the email server, choose SSL or TLS.
9. Click OK.

Configuring Email Recipients

Define the email recipients every time you run the view or report, or one time for scheduled reports.

To configure email recipients:

1. In SmartConsole, open the Logs & Monitor view.
2. Click the + tab to open a new tab.
3. Click Views or Reports.
4. Select a view or a report,
5. Click Export to PDF, or Actions > Schedule PDF or Actions > Schedule Excel.
6. Click Send by email.
7. In the Email recipients section, click + to enter an email address. You can add multiple addresses.
8. Click OK.

Adding a Logo to Reports

You can configure reports to show your company logo on report cover pages. The Check Point logo shows on report cover pages.

To add a logo to your reports:

1. Save your logo image as a PNG file with the name cover-company-logo.png.
2. Copy the image to the $RTDIR/smartview/conf directory on the SmartEvent server.

Note: The best image dimensions are 152 pixels wide by 94 pixels high.

Widgets

You can customize the widgets to optimize the visual display. To customize widgets, switch to edit mode. Click Options > Edit.

• To save changes, click Done.
• To cancel changes, click on Discard.
• To restore the predefined view to the default values, click Options > Restore Defaults.

Adding and Customizing Widgets

To add a Widget:

1. Add a widget

   

2. Select a widget type:

   Chart

   

   1. Enter a title.
   2. Select a chart type: vertical bar, horizontal bar, pie, area or line.
   3. Select a data category for the X axis.
   4. Define how the Top Values are calculated (by number of logs, or by traffic).
   5. Set a limit for how many top values to show.
   6. Optional: click Series - split the results into colored groups with different values for the series.

      

   7. Optional: click Customize and define axis titles and legend position.

      

   Timeline

   

   1. Enter a title.
   2. Select a timeline graphical presentation: vertical bar, doughnut, area or line.
   3. Select the data to count.
   4. Advanced - split the results into colored groups, with different values for the Series.
   5. Define the time-granularity. Enter the number of bars or doughnuts to show.

   Table

   

   1. Enter a title.
   2. Manage columns: add, edit, remove, and change the order.
   3. Select a column on the left and define its settings:
      • Enter the number of top values to show.
      • Select how values are sorted.
   4. Select this option to group results with the same value in one row.

   Map

   

   1. Enter a title.
   2. Enter the number of Top Countries to mark.
   3. Select to mark Top Source Countries, Top Destination Countries, or both.
   4. Define how to find the Top Countries (for example, by number of logs or by traffic).

   Infographic

   The infographic widget shows large meaningful values. For example:

   

   Configure an infographic using these settings:

   

   1. Enter a title
   2. Select a field to count. Selecting None means all the logs that match the filter criteria are counted.
   3. Define filter criteria.

      This critieria is in addition to the inherited filters for the report and view layers.

      For more, see Filters.

   4. Optional: Enter an icon name in the field.

      Select a name from the list below. Pay attention to upper and lower case letters and the use of hyphens.

      Icon	Used for
      apps
      attacks
      hosts
      Gateway
      traffic
      usercheck
      users
      new	Audit Logs
      add	Audit Logs
      remove	Audit logs
      modify	Audit logs
      install-policy
      publish
      ips
      anti-bot
      anti-virus
      threat-emulation

   5. Enter primary text that describes the value counted.
   6. Optional: For secondary text, enter a more detailed description.

   Container

   Use a container to unify multiple widgets into one frame. Add a container, then add, edit, or remove the widgets inside it.

   Note - The container widget cannot be added to a container.

   

   1. Enter a title.
   2. Optional: filter at the container level. The filter applies to all internal widgets.
   3. Select the widget order inside the container: Horizontal, Vertical, Grid or Tabs.

   After the container is added to the view, you can configure it further.

   

   1. Remove the widget from the container.
   2. Add a new widget.
   3. Edit the settings for the container, or edit one of the widgets in the list.

   Rich Text

   

   Use this window to add textual explanations to the View text box.

To customize a widget:

1. Drag and drop the widget within the view.
2. Select the graphic presentation that best fits the information you want to see.
3. Select filters for the widget in addition to the inherited filters from the report and view layers. (See: Filters).
4. Configure settings for the widget.
5. Delete a widget.
6. Resize widget.

Filters

The search bar is used to apply on-demand filters, but you can also save filters with the view / report definition.

There are different layers of filters:

1. Filters to apply to the full report.
2. Filters to apply to a view, or a specified page in a report and all widgets that this page includes.
3. Filters to apply to the selected widget.

To edit the view filter:

1. Click the + (plus) button to add a filter.
   To delete a filter, click the X button.
2. Select a field.
   To enable free text search, select Custom Filter.
3. Select a comparison method.
4. Select or enter the value.
   You can define multiple values, separated by a comma.

Filtering for Active Directory User Groups

You can filter reports, views and widgets for one or more Active Directory groups.

1. In your Access Control Policy, create an Access Role that includes all the Active Directory groups you want to have in the query.
2. Install the Access Control Policy on the Security Gateways.
3. Look at the Identity Awareness login logs, and copy the names of the relevant groups. They usually have the prefix "ad_".
4. Add a filter for the field User Group and type or paste the name of the group that you want to include in the filter. For multiple groups, use a comma-separated list.