Logs

What can I do here?

Use this window to see logs from all Security Gateways. The logs are stored on the Security Management Server and Log Servers.

Getting Here

Logs & Monitor > Open Log View

Log Analysis

SmartConsole lets you transform log data into security intelligence. Search results are fast and immediately show the log records you need. The Security Gateways send logs to the Log Servers on the Security Management Server or on a dedicated server. Logs appear in SmartConsole on the Logs & Monitor > Logs tab. You can:

Enabling Log Indexing

Log indexing on the Security Management Server or Log Server reduces the time it takes to run a query on the logs. Log indexing is enabled by default.

In a standalone deployment, log indexing is disabled by default. Enable log indexing only if the CPU of the standalone computer has 4 or more cores.

To manually enable Log Indexing:

  1. Open SmartConsole.
  2. From the Gateways & Servers view, double-click the Security Management Server or Log Server object.

    The General Properties window opens.

  3. In the Management tab, select Logging & Status.
  4. From the navigation tree, click Logs.
  5. Select Enable Log Indexing.
  6. Click OK.
  7. Click Publish.
  8. From Menu, select Install Database.

Customizing the Results Pane

By default, SmartConsole shows a predefined set of columns and information based on the selected blade in your query. This is known as the Column Profile. For example:

A column profile is assigned based on the blade that occurs most frequently in the query results. This is called Automatic Profile Selection, and is enabled by default.

The Column Profile defines which columns show in the Results Pane and in which sequence. You can change the Column Profile as necessary for your environment.

To use the default Column Profile assignments:

To manually assign Column Profile assignments by default:

To manually assign a different Column Profile:

  1. Right-click a column heading and select Columns Profile.
  2. Select a Column Profile from the options menu.

To change a Column Profile:

  1. Right-click a column heading and select Columns Profile > Edit Profile.
  2. In the Show Fields window, select a Column Profile to change.
  3. Select fields to add from the Available Fields column.
  4. Click Add.
  5. Select fields to remove from the Selected Fields column.
  6. Click Remove.
  7. Select a field in the Selected Fields.
  8. Click Move Up or Move Down to change its position in the Results Pane.
  9. Double-click the Width column to change the default column width for the selected field.
  10. To change the column width, drag the right column border in the Results Pane.
  11. To save the column width, right-click and select Save Profile.

    The saved column width applies to future sessions.

Viewing Rule Logs

You can search for the logs that are generated by a specific rule, from the Security Policy or from the Logs & Monitor > Logs tab.

To see logs generated by a rule (from the Security Policy):

  1. In SmartConsole, go to the Security Policies view.
  2. In the Access Control Policy or Threat Prevention Policy, select a rule.
  3. In the bottom pane, click one of these tabs to see:
    • Summary - Rule name, rule action, rule creation information, and the hit count. Add custom information about the rule.
    • Details (Access Control Policy only) - Details for each column. Select columns as necessary.
    • Logs - By default, shows the logs for the Current Rule. You can filter them by Source, Destination, Blade, Action, Service, Port, Source Port, Rule (Current rule is the default), Origin, User, or Other Fields.
    • History (Access Control Policy only) - List of rule operations in chronological order, with the information about the rule type and the administrator that made the change.

To see logs generated by a rule (by searching the logs):

  1. In SmartConsole, go to the Security Policies view.
  2. In the Access Control Policy or Threat Prevention Policy, select a rule.
  3. Right-click the rule number and select Copy Rule UID.
  4. In the Logs & Monitor > Logs tab, search for the logs in one of these ways:
    • Paste the Rule UID into the query search bar and press Enter.
    • For faster results, use this syntax in the query search bar:

      layer_uuid_rule_uuid:*_<UID>

      For example, paste this into the query search bar and press Enter:

      layer_uuid_rule_uuid:*_46f0ee3b-026d-45b0-b7f0-5d71f6d8eb10