Logging

In This Section: Log Analysis Sample Log Analysis Using the Log View SmartView Log Viewer Working with Logs Working with Syslog Servers

Log Analysis

SmartConsole lets you transform log data into security intelligence. Search results are fast and immediately show the log records you need. The Security Gateways send logs to the Log Servers on the Security Management Server or on a dedicated server. Logs show on the SmartConsole Logs & Monitor Logs tab. You can:

• Quickly search through logs with simple Google-like searches.
• Select from many predefined search queries to find the applicable logs.
• Create your own queries using a powerful query language.
• Monitor logs from administrator activity and connections in real-time.

Sample Log Analysis

This is a sample procedure that shows how to do an analysis of a log of a dropped connection.

To show a log of a dropped connection:

1. Log into SmartConsole.
2. Connect to the IP address of the Security Management Server, not to a Log Server.
3. In the Security Policies > Access Control > Policy view, select a rule with the Drop action.
4. In the bottom pane, click Logs.

   This shows the logs for connections that were dropped by the Rule Base.

5. Double-click a log.

   The Log Details window opens.

Using the Log View

This is an example of the Log view.

Item	Description
1	Queries - Predefined and favorite search queries.
2	Time Period - Search with predefined custom time periods.
3	Query search bar - Define custom queries in this field. You can use the GUI tools or manually enter query criteria. Shows the query definition for the most recent query.
4	Log statistics pane - Shows top results of the most recent query.
5	Results pane - Shows log entries for the most recent query.

SmartView Log Viewer

You can view logs through the integrated log viewer in SmartConsole, or use SmartView from the web browser.

SmartView advantages:

• Available for non-admin users
• Export up to 1M logs
• Integrated top statistics and docked card
• Support for High Contrast theme

To access SmartView:

From the browser:

Go to: https://<management IP address>/SmartView/

From SmartConsole:

Click Logs & Monitoring.

SmartView opens by default in the General Overview tab. This shows the statistics, Software Blades, timelines, and more. Any open tabs from the previous session are retained. Note - SmartView log viewer is available even without SmartEvent, but the default page is different.

To open a new tab, click +.

The Audit Logs tab shows audit logs which are changes done in the management. The Logs > Logs View tab shows blade activities.

To select which columns are shown:

1. Right click on a column heading and select Profile editor.

   The Profile editor window opens.

2. Select fields to add to or remove from the selected profile.
3. Click OK.

To set user display preferences:

1. Click the arrow next to your user name and select User Preferences.
2. For Locale, select the display language.
3. For First day of the week, select the day of the week for the weekly logs to start.
4. For Theme, select Default or High Contrast. In High Contrast, the view display is white text on a black background.
5. For Email server settings, select Edit to enter the email server details.
6. Click OK.

Exporting Logs

Apply a filter to select the logs you want to export. You can only export logs to Excel. (Exporting a template or PDF is disabled until creating custom log views is supported).

To export logs:

1. In the Logs tab, click Options and select Export > Export to Excel.

   The Excel Export window opens.

2. Select the Logs Amount.
3. Select the Exported Columns - All columns or Visible columns.
4. Click OK.
5. A popup shows when the export process starts. When you see a message that the exported completed successfully, click Download. All exported logs also appear in the archive tab.

Use Case for SmartView

Use Case – You are the system administrator at a small company and are concerned that some employees spend too much time looking at Facebook. You want a way to monitor the employee application use.

You can use the integrated Log Viewer in SmartConsole or the SmartView Log Web Viewer to look at the traffic logs.

In SmartConsole:

1. Go to Logs and Monitoring > View.
2. Click New, and select New View.
3. In the New View window, enter:
   • Name
   • Category – Select Access Control
   • Description (optional)
4. In the new window that opens, create a query. Click Options > View Filter and select blade and app control.
5. Click Add Widget to customize how you see the data that comes back from the query.

   Start with a Timeline of all events.

   In Table, you can create a table that contains multiple fields such as user, application name, and the amount of traffic. There are more widgets you can use: map, infographic, rich text, chart, and container (for multiple widgets).

   After you save the dashboard (done), you can schedule and get an automatic email at multiple intervals.

In SmartView (web browser):

In SmartView, you first filter for the application and then by user.

1. Click the + icon to open a new tab and select Views > Access Control
2. Right click the User column and drill down to see the user activity or create a filter for this user in your current view.

You can schedule for all activities for a user, but cannot set the system to trigger an alert at a certain threshold.

Working with Logs

In This Section: Choosing Rules to Track Configuring Tracking in a policy Rule Tracking Options Log Sessions Viewing Rule Logs Packet Capture Searching the Logs Query Language Overview

Choosing Rules to Track

Logs are useful if they show the traffic patterns you are interested in. Make sure your Security Policy tracks all necessary rules. When you track multiple rules, the log file is large and requires more disk space and management operations.

To balance these requirements, track rules that can help you improve your cyber security, help you understand of user behavior, and are useful in reports.

Configuring Tracking in a policy Rule

To configure tracking in a rule:

1. Right-click in the Track column.
2. Select a tracking option.
3. Install the policy.

Tracking Options

Select these options in the Track column of a rule:

• None - Do not generate a log.
• Log - This is the default Track option. It shows all the information that the Security Gateway used to match the connection. At a minimum, this is the Source, Destination, Source Port, and Destination Port. If there is a match on a rule that specifies an application, a session log shows the application name (for example, Dropbox). If there is a match on a rule that specifies a Data Type, the session log shows information about the files, and the contents of the files.
• Accounting - Select this to update the log at 10 minutes intervals, to show how much data has passed in the connection: Upload bytes, Download bytes, and browse time.

Note - When upgrading from R77.xx or from R80 to R80.20.M1, there are changes to the names of the options in the Track column. To learn more see sk116580.

Advanced Track options

Detailed Log and Extended Log are only available if one or more of these Blades are enabled on the Layer: Applications & URL Filtering, Content Awareness, or Mobile Access.

• Detailed Log - Equivalent to the Log option, but also shows the application that matched the connections, even if the rule does not specify an application. Best Practice - Use for a cleanup rule (Any/Internet/Accept) of an Applications and URL Filtering Policy Layer that was upgraded from an R77 Application Control Rule Base.
• Extended Log - Equivalent to the Detailed option, but also shows a full list of URLs and files in the connection or the session. The URLs and files show in the lower pane of the Logs view.

Log Generation

• per Connection - Select this to show a different log for each connection in the session. This is the default for rules in a Layer with only Firewall enabled. These are basic firewall logs.
• per Session - Select this to generate one log for all the connections in the same session. This is the default for rules in a Layer with Applications and URL Filtering or Content Awareness enabled. These are basic Application Control logs.

Alert:

For each alert option, you can define a script in Menu > Global Properties > Log and Alert > Alerts.

• None - Do not generate an alert.
• Alert - Generate a log and run a command, such as: Show a popup window, send an email alert or an SNMP trap alert, or run a user-defined script as defined in the Global Properties.
• SNMP - Send an SNMP alert to the SNMP GUI, or run the script defined in the Global Properties.
• Mail - Send an email to the administrator, or run the mail alert script defined in the Global Properties.
• User Defined Alert - Send one of three possible customized alerts. The alerts are defined by the scripts specified in the Global Properties.

Log Sessions

A session is a user's activity at a specified site or with a specified application. The session starts when a user connects to an application or to a site. The Security Gateway includes all the activity that the user does in the session in one session log.

To search for log sessions:

In the Logs tab of the Logs & Monitor view, search for type:Session

To see details of the log session:

In the Logs tab of the Logs & Monitor view, select a session log.

In the bottom pane of the Logs tab, click the tabs to see details of the session log:

• Connections - Shows all the connections in the session. These show if Per connection is selected in the Track option of the rule.
• URLs - Shows all the URLs in the session. These show if Extended Log is selected in the Track option of the rule.
• Files - Shows all the files uploaded or downloaded in the session. These show if Extended Log is selected in the Track option of the rule, or if a Data Type was matched on the connection.

To see the session log for a connection that is part of a session:

1. In the Logs tab of the Logs & Monitor view, double-click on the log record of a connection that is part of a session.
2. In the Log Details, click the session icon (in the top-right corner) to see the session log.

To configure the session timeout:

By default, after a session continues for three hours, the Security Gateway starts a new session log. You can change this in SmartConsole from the Manage & Settings view, in Blades > Application & URL Filtering > Advanced Settings > General > Connection unification.

For sessions that are blocked by the Access Control Policy, the Security Gateway starts a new session log after 30 seconds. A blocked session log include all the connections that are blocked in this period.

Viewing Rule Logs

You can search for the logs that are generated by a specific rule, from the Security Policy or from the Logs & Monitor > Logs tab.

To see logs generated by a rule (from the Security Policy):

1. In SmartConsole, go to the Security Policies view.
2. In the Access Control Policy or Threat Prevention Policy, select a rule.
3. In the bottom pane, click one of these tabs to see:
   • Summary - Rule name, rule action, rule creation information, and the hit count. Add custom information about the rule.
   • Details (Access Control Policy only) - Details for each column. Select columns as necessary.
   • Logs - By default, shows the logs for the Current Rule. You can filter them by Source, Destination, Blade, Action, Service, Port, Source Port, Rule (Current rule is the default), Origin, User, or Other Fields.
   • History (Access Control Policy only) - List of rule operations in chronological order, with the information about the rule type and the administrator that made the change.

To see logs generated by a rule (by Searching the Logs):

1. In SmartConsole, go to the Security Policies view.
2. In the Access Control Policy or Threat Prevention Policy, select a rule.
3. Right-click the rule number and select Copy Rule UID.
4. In the Logs & Monitor > Logs tab, search for the logs in one of these ways:
   • Paste the Rule UID into the query search bar and press Enter.
   • For faster results, use this syntax in the query search bar:

     layer_uuid_rule_uuid:*_<UID>

     For example, paste this into the query search bar and press Enter:

     layer_uuid_rule_uuid:*_46f0ee3b-026d-45b0-b7f0-5d71f6d8eb10

Packet Capture

You can capture network traffic. The content of the packet capture provides a greater insight into the traffic which generated the log. With this feature activated, the Security Gateway sends a packet capture file with the log to the log server. You can open the file, or save it to a file location to retrieve the information a later time.

The packet capture option is activated by default.

To deactivate packet capture:

1. In SmartConsole, in the Security Policies view
2. In the Track column of the rule, right-click and clear Packet Capture.

To see a packet capture:

1. In SmartConsole, go to the Logs & Monitor view.
2. Open the log.
3. Click the link in the Packet Capture field.

   The Packet Capture Viewer Output window opens.

4. Optional: Click Save to save the packet capture data as a text file.

Searching the Logs

SmartConsole lets you quickly and easily search the logs with many predefined log queries, and an easy to use language for custom queries.

Running Queries

To create and run a query:

1. In the query search bar, click Enter Search Query (Ctrl+F).
2. Enter or select query criteria.

To manually refresh your query:

Click Refresh (F5).

To continuously refresh your query (Auto-Refresh):

Click Auto-Refresh (F6). The icon is highlighted when Auto-Refresh is enabled.

The query continues to update every five seconds while Auto-Refresh is enabled. If the number of logs exceeds 100 in a five-second period, the logs are aggregated, and the summary view shows. To see all logs aggregated in a specific time interval, click View.

Showing Query Results

Query results can include tens of thousands of log records. To prevent performance degradation, SmartConsole only shows the first set of results in the Results pane. Typically, this is a set of 50 results.

Scroll down to show more results. As you scroll down, SmartConsole extracts more records from the log index on the Security Management Server or Log Server, and adds them to the results set. See the number of results above the Results pane.

For example, on the first run of a query, you can see the first 50 results out of over 150,000 results. When you scroll down, you can see the first 100 results out of over 150,000.

Customizing the Results Pane

By default, SmartConsole shows a predefined set of columns and information based on the selected blade in your query. This is known as the Column Profile. For example:

• The DLP column profile includes columns for: Blade, Type, DLP Incident UID, and severity.
• The Threat Prevention column profile includes columns for: Origin, Action, Severity, and Source User.

A column profile is assigned based on the blade that occurs most frequently in the query results. This is called Automatic Profile Selection, and is enabled by default.

The Column Profile defines which columns show in the Results Pane and in which sequence. You can change the Column Profile as necessary for your environment.

To use the default Column Profile assignments:

• Right-click a column heading and select Columns Profile > Automatic Profile Selection.

To manually assign Column Profile assignments by default:

• Right-click a column heading and select Columns Profile > Manual Profile Selection.

To manually assign a different Column Profile:

1. Right-click a column heading and select Columns Profile.
2. Select a Column Profile from the options menu.

To change a Column Profile:

1. Right-click a column heading and select Columns Profile > Edit Profile.
2. In the Show Fields window, select a Column Profile to change.
3. Select fields to add from the Available Fields column.
4. Click Add.
5. Select fields to remove from the Selected Fields column.
6. Click Remove.
7. Select a field in the Selected Fields.
8. Click Move Up or Move Down to change its position in the Results Pane.
9. Double-click the Width column to change the default column width for the selected field.
10. To change the column width, drag the right column border in the Results Pane.
11. To save the column width, right-click and select Save Profile.

    The column is applicable to future sessions.

Creating Custom Queries

Queries can include one or more criteria. To create custom queries, use one or a combination of these basic procedures:

• Right-click columns in the grid view and select Add Filter.
• Click in the Query search bar and select the fields and filter criteria for those fields.
• Manually enter filter criteria in the Query search bar.

To create a new custom query, run an existing query, and use one of these procedures to change it. You can save the new query in the Favorites list.

When you create complex queries, the log search tool suggests, or automatically enters, an appropriate Boolean operator. This can be an implied AND operator, which does not explicitly show.

Selecting Query Fields

You can enter query criteria directly from the Query search bar.

To select field criteria:

1. If you start a new query, click Clear to remove query definitions.
2. Put the cursor in the Query search bar.
3. Select a criterion from the drop-down list or enter the criteria in the Query search bar.

Selecting Criteria from Grid Columns

You can use the column headings in the Grid view to select query criteria. This option is not available in the Table view.

To select query criteria from grid columns:

1. In the Results pane, right-click on a column heading.
2. Select Add Filter.
3. Select or enter the filter criteria.
   The criteria show in the Query search bar and the query runs automatically.

To enter more criteria, use this procedure or other procedures.

Manually Entering Query Criteria

You can enter query criteria directly in the Query search bar. You can manually create a new query or make changes to an existing query that shows in the Query search bar.

As you enter text, the Search shows recently used query criteria or full queries. To use these search suggestions, select them from the drop-down list. If you make a syntax error in a query, the Search shows an error message that identifies the error and suggests a solution.

Query Language Overview

A powerful query language lets you show only selected records from the log files, according to your criteria. To create complex queries, use Boolean operators, wildcards, fields, and ranges. This section refers in detail to the query language.

When you use SmartConsole to create a query, the applicable criteria show in the Query search bar.

The basic query syntax is [<Field>:] <Filter Criterion>.

To put together many criteria in one query, use Boolean operators:

[<Field>:] <Filter Criterion> AND|OR|NOT [<Field>:] <Filter Criterion> ...

Most query keywords and filter criteria are not case sensitive, but there are some exceptions. For example, source:<X> is case sensitive (Source:<X> does not match). If your query results do not show the expected results, change the case of your query criteria, or try upper and lower case.

When you use queries with more than one criteria value, an AND is implied automatically, so there is no need to add it. Enter OR or other boolean operators if needed.

Criteria Values

Criteria values are written as one or more text strings. You can enter one text string, such as a word, IP address, or URL, without delimiters. Phrases or text strings that contain more than one word must be surrounded by quotation marks.

One word string examples:

• John
• inbound
• 192.168.2.1
• mahler.ts.example.com
• dns_udp

Phrase examples

• "John Doe"
• "Log Out"
• "VPN-1 Embedded Connector"

IP Addresses

IPv4 and IPv6 addresses used in log queries are counted as one word. Enter IPv4 address with dotted decimal notation and IPv6 addresses with colons. You can also use the '*' wildcard character with IP addresses.

Example:

• 192.0.2.1
• 2001:db8::f00:d

NOT Values

You can use NOT <field> values with field keywords in log queries to find logs for which the value of the field is not the value in the query.

Syntax

NOT <field>:<value>

Example

NOT src:10.0.4.10

Wildcards

You can use the standard wildcard characters (* and ?) in queries to match variable characters or strings in log records. You can use more than the wildcard character.

Wildcard syntax

• The ? (question mark) matches one character.
• The * (asterisk) matches a character string.

Examples:

• Jo? shows Joe and Jon, but not Joseph.
• Jo* shows Jon, Joseph, and John Paul.

If your criteria value contains more than one word, you can use the wildcard in each word. For example, 'Jo* N*' shows Joe North, John Natt, Joshua Named, and so on.

Using Wildcards with IP Addresses

The wildcard character is useful when used with IPv4 addresses. It is a best practice to put the wildcard character after an IP address delimiter.

Examples:

• 192.168.2.* shows all records for 192.168.2.0 to 192.168.2.255 inclusive
• 192.168.* shows all records for 192.168.0.0 to 192.168.255.255 inclusive

Field Keywords

You can use predefined field names as keywords in filter criteria. The query result only shows log records that match the criteria in the specified field. If you do not use field names, the query result shows records that match the criteria in all fields.

This table shows the predefined field keywords. Some fields also support keyword aliases that you can type as alternatives to the primary keyword.

Keyword	Keyword Alias	Description
severity		Severity of the event
app_risk		Potential risk from the application, of the event
protection		Name of the protection
protection_type		Type of protection
confidence_level		Level of confidence that an event is malicious
action		Action taken by a security rule
blade	product	Software Blade
destination	dst	Traffic destination IP address, DNS name or Check Point network object name
origin	orig	Name of originating Security Gateway
service		Service that generated the log entry
source	src	Traffic source IP address, DNS name or Check Point network object name
user		User name

Syntax for a field name query:

<field name>:<values>

• <field name> - One of the predefined field names
• <values> - One or more filters

To search for rule number, use the Rule field name. For example:

rule:7.1

If you use the rule number as a filter, rules in all the Layers with that number are matched.

To search for a rule name, you must not use the Rule field. Use free text. For example:

"Block Credit Cards"

Best practice: Do a free text search for the rule name. Make sure rule names are unique and not reused in different Layers.

Examples:

• source:192.168.2.1
• action:(Reject OR Block)

  You can use the OR Boolean operator in parentheses to include multiple criteria values.

Important - When you use fields with multiple values, you must:

• Write the Boolean operator, for example AND.
• Use parentheses.

Boolean Operators

You can use the Boolean operators AND, OR, and NOT to create filters with many different criteria. You can put multiple Boolean expressions in parentheses.

If you enter more than one criteria without a Boolean operator, the AND operator is implied. When you use multiple criteria without parentheses, the OR operator is applied before the AND operator.

Examples:

• blade:"application control" AND action:block
  Shows log records from the Application & URL Filtering Software Blade where traffic was blocked.
• 192.168.2.133 10.19.136.101
  Shows log entries that match the two IP addresses. The AND operator is presumed.
• 192.168.2.133 OR 10.19.136.101
  Shows log entries that match one of the IP addresses.
• (blade:Firewall OR blade:IPS OR blade:VPN) AND NOT action:drop
  Shows all log entries from the Firewall, IPS or VPN blades that are not dropped. The criteria in the parentheses are applied before the AND NOT criterion.
• source:(192.168.2.1 OR 192.168.2.2) AND destination:17.168.8.2
  Shows log entries from the two source IP addresses if the destination IP address is 17.168.8.2. This example also shows how you can use Boolean operators with field criteria.

Working with Syslog Servers

Syslog (System Logging Protocol) is a standard protocol used to send system log or event messages to a specific server, the syslog server. The syslog protocol is enabled on most network devices such as routers and switches.

Use Case

Syslog is used by many log analysis tools included in the cloud. If you want to use these tools, make sure Check Point logs are sent to from the gateway to the syslog server in syslog format.

By default, gateway logs are sent to the Security Management Server. But you can configure gateways to send logs directly to syslog servers.

1. Define syslog servers.
2. Update the logging properties of the gateways.

These syslog protocols are supported: RFC 3164 (old) and RFC 5424 (new)

These features are not supported: IPv6 logs and Software Blade logs.

To create a syslog server:

1. Open Object Explorer > New > Server > More > Syslog.
2. Configure these fields:
   • Name - Enter a name for this server, to be a unique network object.
   • Host - Select an existing host or click New to define a new computer or appliance.
   • Port - Enter the port number for syslog traffic. (Default = 514)
   • Version - Select BSD Protocol or Syslog Protocol.
3. Click OK.

   Note - Syslog is not an encrypted protocol. Make sure the Security Gateway and the Log Proxy are located close to each other and that they communicate over a secure network.

   You can configure a gateway to send logs to multiple syslog servers. The syslog servers must be the same type: BSD Protocol or Syslog Protocol.

To send the logs of a gateway to syslog servers:

1. In SmartConsole on the gateway Properties > General Properties page > Management tab make sure Logging & Status is selected.
2. On the Logs page, in the Send logs and alerts to these log servers table, click the green (+) button to add syslog servers.

   Note - You cannot configure a Syslog server as a backup server.

3. Click OK.
4. Install policy.

The fwsyslog_enable kernel parameter enables or disables the Syslog in Kernel feature:

0 = Disabled (default)

1 = Enabled

You can enable or disable Syslog in Kernel temporarily (until the system reboots) or permanently (until manually disabled).

To temporarily enable Syslog in Kernel on a Security Gateway:

1. Run: # fw ctl set int fwsyslog_enable 1
2. Install Policy.

To permanently enable Syslog in Kernel on a Security Gateway:

1. Run:

   echo fwsyslog_enable=1 >> $FWDIR/modules/fwkern.conf

2. Reboot the Security Gateway or cluster members.

To disable Syslog in Kernel temporarily:

Run: # fw ctl set int fwsyslog_enable 0

To disable Syslog in Kernel permanently:

1. Open $FWDIR/modules/fwkern.conf in a text editor and do one of these actions:
   • Set fwsyslog_enable=0

     or

   • Delete the fwsyslog_enable line.
2. Reboot the Security Gateway.

To see the Syslog in Kernel status:

[Expert@host:0]# fw ctl get int fwsyslog_enable

You can see the count of logs sent to syslog from the kernel. Log counters start when you install the policy.

To see log count for an instance:

[Expert@host:0]# fw -i <instance_number> ctl get size fwsyslog_nlogs_counter

Sample output:

fwsyslog_nlogs_counter = 21

To see log count for all instances:

1. Open two command line connections to the Security Gateway.
2. On the first CLI connection, run: # fw ctl zdebug
3. On the second CLI connection, run: # fw ctl set size fwsyslog_print_counter 1
4. On the first shell, see the counter for each instance and the sum of all instances.

Sample output:

;[cpu_2];[fw4_0];Number of logs sent from instance 0 is 43;

;[cpu_2];[fw4_0];Number of logs sent from instance 1 is 39;

;[cpu_2];[fw4_0];Number of logs sent from instance 2 is 50;

;[cpu_2];[fw4_0];Total fwsyslog_nlogs_counter = 132;

To see the Syslog in Kernel status:

[Expert@host:0]# fw ctl get int fwsyslog_enable

You can see the count of logs sent to syslog from the kernel. Log counters start when you install the policy.

To see log count for an instance:

[Expert@host:0]# fw -i <instance_number> ctl get size fwsyslog_nlogs_counter

Sample output:

fwsyslog_nlogs_counter = 21

To see log count for all instances:

1. Open two command line connections to the Security Gateway.
2. On the first CLI connection, run: # fw ctl zdebug
3. On the second CLI connection, run: # fw ctl set size fwsyslog_print_counter 1
4. On the first shell, see the counter for each instance and the sum of all instances.

Sample output:

;[cpu_2];[fw4_0];Number of logs sent from instance 0 is 43;

;[cpu_2];[fw4_0];Number of logs sent from instance 1 is 39;

;[cpu_2];[fw4_0];Number of logs sent from instance 2 is 50;

;[cpu_2];[fw4_0];Total fwsyslog_nlogs_counter = 132;

For more on syslog, see: Manual Syslog Parsing