Logging and Monitoring Clients

Monitor logs and events using customizable views and reports. Use these GUI clients:

SmartConsole > Logs & Monitor

Analyze events that occur in your environment with customizable views and reports.

The Logs view replaces the SmartView Tracker and SmartLog GUI clients.

SmartView Web Application

A SmartEvent Web application. It has the same real-time event monitoring and analysis views as SmartConsole, with the convenience of not having to install a client.

Browse to: https://<Server IP>/smartview/, where <Server IP> is the IP address of the Security Management Server or SmartEvent server.

These GUI clients are still supported:

SmartEvent

  • For initial settings - configure the SmartEvent Correlation Units, Log Servers, Domains and Internal Network.
  • For the correlation policy (event definitions)
  • For Automatic Reactions

SmartView Monitor

  • To monitor tunnels
  • To monitor users
  • For suspicious activity rules
  • To monitor alerts - Thresholds configuration

For more about monitoring, see Monitoring Traffic and Connections.

To open the SmartEvent GUI client:

  1. Open SmartConsole > Logs & Monitor.
  2. Click (+) for a Catalog (new tab).
  3. In the External Apps section, click SmartEvent Settings & Policy.

To open the SmartView Monitor GUI client:

  1. Open SmartConsole > Logs & Monitor.
  2. Click (+) for a Catalog (new tab).
  3. In the External Apps section, click Tunnel & User Monitoring.

Understanding Logging

Security Gateways generate logs, and the Security Management Server generates audit logs. The Security Policy that is installed on each Security Gateway determines which rules generate logs.

Logs can be stored on a:

To find out how much storage is necessary for logging, see sk87263 or the new appliance datasheet.

In a Multi-Domain Security Management environment, the Security Gateways send logs to the Domain Management Server. The Multi-Domain Server generates logs, and they can be stored on the Multi-Domain Server. To learn how to deploy logging in a Multi-Domain Security Management environment, see the R80.20 Multi-Domain Security Management Administration Guide.

To learn how to monitor the Log Receive Rate on the Security Management Server / Log Server in R80 and higher, see sk120341.

To decrease the load on the Security Management Server, you can install a dedicated Log Server and configure the gateways to send their logs to this Log Server. To see the logs from all the Log Servers, connect to the Security Management Server with SmartConsole, and go to the Logs & Monitor view > Logs tab.

A Log Server handles log management activities: