Logging and Monitoring

In This Section:

Working with Log Servers

Configuring Logging

Log Server Deployment Scenarios

Using the Log View

Monitoring Multi-Domain Management

This chapter includes information that is directly related to Multi-Domain Management, with some general background information and basic procedures. See the R80.30 Logging & Monitoring Administration Guide for the full set of conceptual information and procedures.

With R80, logging, event management, reporting, and monitoring are more tightly integrated than ever before. Security data and trends are easy to understand at a glance, with Widgets and chart templates that optimize the visual display. Logs are now tightly integrated with the Policy rules, so that you can access all logs associated with a specific rule simply by clicking on that rule. Free-text search also lets you enter specific search terms to retrieve results from millions of logs in seconds.

One-click exploration makes it easy to move from high-level overview to specific event details such as type of attack, timeline, application type and source. After you investigate an event, it is easy to act on it. Depending on the severity of the event, you can choose to ignore it, act on it later, or block it immediately. You can also easily toggle over to the rules associated with the event to refine your Policy. Send reports to your manager or auditors that show only the content that is relevant to each stakeholder.

In R80.x, SmartReporter and SmartEvent functionality is integrated into SmartConsole.

Using rich and customizable views and reports, R80 introduces a new experience for log and event monitoring.

The new views are available from two locations:

Working with Log Servers

A Domain Log Server is a dedicated host for Domain log files. A Multi-Domain Log Server is a dedicated container for Domain Log Servers. Domain Log Servers also handle these log management activities:

It is a best practice to use Multi-Domain Log Servers and Domain Log Servers to handle logs for a Multi-Domain Management environment because of the large volume of logs.

To see the logs for a Domain and its Security Gateways, click Logs & Monitor in SmartConsole for that Domain. To see logs for all Domains in one view, click Logs & Monitor in the Multi-Domain Server SmartConsole. You can filter the logs for specified Security Gateways, Domain Management Servers, or Domain Log Servers.

Configuring Logging

Creating a Multi-Domain Log Server with Domain Log Servers

This section shows you how to create a new Multi-Domain Log Server and its related Domain Log Servers.

Important: Before you start this procedure, make sure that you define the physical servers as the correct server type (Secondary Multi-Domain Server or Multi-Domain Log Server) during installation. An incorrect definition can cause deployment failure.

To create a new Multi-Domain Log Server:

  1. If you have not already done so, install a new R80.30 Multi-Domain Log Server.

    Follow the procedures in the R80.30 Installation and Upgrade Guide.

    Make sure to define this server as a Multi-Domain Log Server in the First Time Configuration Wizard.

  2. Connect with SmartConsole to the primary Multi-Domain Server - the MDS context.
  3. From the left navigation panel, click Multi Domain > Domains.
  4. From the top toolbar, click New > Multi-Domain Log Server.
  5. Enter a unique name for this Multi-Domain Log Server.
  6. Enter the IPv4 address or click Resolve IP to get the IP address from the DHCP Server.
  7. Click Connect to establish SIC trust.

    Enter the same Activation Key you entered during the First Time Configuration Wizard of the Multi-Domain Log Server.

  8. In the Platform section:
    • In the OS field, select Gaia
    • In the Version field, select the correct version
    • In the Hardware field, select the applicable option
  9. Click OK.

To create Domain Log Servers:

  1. Connect with SmartConsole to the primary Multi-Domain Server - the MDS context.
  2. From the left navigation panel, click Multi Domain > Domains.
  3. In the Multi-Domain Log Server column, right-click the Domain Log Server cell for each Domain and click New Domain Server.
  4. Accept the default name or enter a different, unique name.
  5. Enter the IPv4 address or click Resolve IP to automatically assign the IPv4 address.
  6. Click OK.

    Wait for the cell to show the new Domain Log Server.

  7. Configure the Security Gateways in each Domain to send their logs to the new Domain Log Server on the Multi-Domain Log Server.

    The Domain Log Servers synchronize automatically.

The new Multi-Domain Log Server automatically synchronizes with all existing Multi-Domain Servers. The synchronization operation can take many minutes to complete, during which a notification indicator shows in the task information area.

Configuring Security Gateways to Send Logs to a Log Server

Logs are not automatically forwarded to a Log Server. You must manually configure each relevant Security Gateway to send its logs to the new Domain Log Server.

To configure Domain Security Gateways to send logs to a Log Server:

  1. Connect to the applicable Domain Management Server with SmartConsole, and then double-click the applicable Security Gateway.
  2. In the Logs section, select the new Log Server from the list.

    You can delete or ignore other Log Servers in the list as necessary.

  3. Click OK.
  4. Configure other log settings as applicable.
  5. Install Policy on the applicable Security Gateways.
  6. Install the database on the Log Servers.

Deleting a Domain Log Server

To delete a Domain Log Server in SmartConsole:

  1. Connect with SmartConsole to the primary Multi-Domain Server - the MDS context.
  2. From the left navigation panel, click Multi Domain > Domains.
  3. In the Multi-Domain Log Server column, right-click the Domain Log Server and then select Delete.

Configuring Log Settings

Disk cleanup deletes the oldest log files when the available disk space is less than a specified value. Disk cleanup settings are controlled at the Multi-Domain Server level and apply to all Domains and Domain Management Servers. Disk cleanup settings configured at the Domain Management Server level are ignored.

These other log management activities, when configured on a Multi-Domain Server, apply only to that Multi-Domain Server:

Configure these activities individually for each Domain Management Server and Log Server.

To configure log settings for a Multi-Domain Server:

  1. In SmartConsole, go to Multi-Domain > Domains.
  2. Double-click the applicable Multi-Domain Server.
  3. Click Log Settings.
  4. In the General view, configure these settings:
    • Cleanup when free disk space is below - Start the disk cleanup procedure when available disk space is less than the specified quantity. Select to enable (default) or clear to disable. Enter the minimum disk space and unit of measure (Default = 5 GB).

      This parameter applies to the Multi-Domain Server and its Domain Management Servers.

    • Run the following script before cleanup - Enter a predefined script to run before the cleanup starts.
    • Send Alert when free disk space is below - Send an alert when available disk space is less than the specified quantity. Select to enable (default). Clear to disable.

      Enter the minimum disk space and unit of measure (Default = 3 GB).

  5. In the Advanced view, configure these settings:
    • Accept Syslog messages - Include syslog messages in the log files.
    • Stop Logging - Stop all logging activity when the available disk space is less than the specified quantity.

      Enter the minimum disk space and unit of measure (Default = 100 MB).

    • Create a new log file - Close and save the active log file when the active log file is larger than the specified size. The log file has an extension that is a sequential number. You can move these saved log files to external storage or export them to an external database.

      Enter the maximum log file size (Default = 1 GB).
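The four thresholds above interact: rotation is driven by the active file's size, while cleanup, alert and stop-logging are all driven by free disk space, and cleanup removes the oldest saved files (lowest sequential-number extension) first. The following Python model is an added illustration, not Check Point code; it assumes the guide's default values, that cleanup runs before the alert and stop-logging checks, and constructed file sizes.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

GB = 1024 ** 3
MB = 1024 ** 2


@dataclass
class LogDiskPolicy:
    """Defaults from the Log Settings view of the guide (values are assumptions in bytes)."""
    cleanup_below: int = 5 * GB        # Cleanup when free disk space is below
    alert_below: int = 3 * GB          # Send Alert when free disk space is below
    stop_logging_below: int = 100 * MB # Stop Logging
    rotate_above: int = 1 * GB         # Create a new log file


@dataclass
class LogServerState:
    free_bytes: int
    active_log_bytes: int
    # saved log files keyed by their sequential-number extension -> size in bytes
    saved_logs: Dict[int, int] = field(default_factory=dict)


def evaluate(policy: LogDiskPolicy, state: LogServerState) -> List[str]:
    """Apply the policy once and return the actions it triggered (order is an assumption)."""
    actions: List[str] = []
    if state.active_log_bytes > policy.rotate_above:
        seq = max(state.saved_logs, default=0) + 1   # next sequential extension
        state.saved_logs[seq] = state.active_log_bytes
        state.active_log_bytes = 0
        actions.append(f"rotate:{seq}")
    # Disk cleanup: delete the oldest saved files until free space recovers.
    while state.free_bytes < policy.cleanup_below and state.saved_logs:
        oldest = min(state.saved_logs)
        state.free_bytes += state.saved_logs.pop(oldest)
        actions.append(f"cleanup:{oldest}")
    if state.free_bytes < policy.alert_below:
        actions.append("alert")
    if state.free_bytes < policy.stop_logging_below:
        actions.append("stop_logging")
    return actions


def simulate(free_bytes: int, active_log_bytes: int,
             saved_logs: Dict[int, int]) -> Tuple[List[str], LogServerState]:
    """Convenience wrapper: run the default policy over a constructed state."""
    state = LogServerState(free_bytes, active_log_bytes, dict(saved_logs))
    return evaluate(LogDiskPolicy(), state), state
```

Note that when no saved files remain to delete, cleanup cannot recover space and the alert, and eventually stop-logging, are the only actions left, which is why the alert threshold sits below the cleanup threshold.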

Log Server Deployment Scenarios

Security Gateways generate logs. The Security Policy on each Security Gateway controls which rules generate log entries. In a Multi-Domain Management environment, the Security Gateways send logs to a Domain Management Server or to Domain Log Servers.

Domain Management Servers and Multi-Domain Servers also generate audit logs. The system typically saves audit logs on a Multi-Domain Server, which automatically synchronizes to other Multi-Domain Servers in a High Availability deployment.

You can use one of these strategies to deploy Domain Log Servers in a Multi-Domain Management environment:

  1. Each Domain has one Domain Log Server on a Multi-Domain Server (default).
  2. Each Domain keeps its Domain Log Servers on one or more Multi-Domain Log Servers. If a Domain has more than one Domain Log Server, you must install each one on a different Multi-Domain Log Server.

    Best Practice - Use this strategy in large, geographically distributed environments.

  3. Each Domain Security Gateway works as the Log Server for its own logs. This is known as local logging.

Using the Log View

This is an example of the Log view.

Item | Description
1 | Queries - Predefined and favorite search queries.
2 | Time Period - Search with predefined or custom time periods.
3 | Query search bar - Define custom queries in this field. You can use the GUI tools or manually enter query criteria. Shows the query definition for the most recent query.
4 | Log statistics pane (tab hidden) - Top results of the most recent log query.
5 | Log Servers - All Multi-Domain Log Servers, Domain Log Servers, and other Log Server objects in the Multi-Domain Management deployment. Select one or more Log Servers from this list to include in a query.
6 | Results pane - All log entries for the most recent query.

Monitoring Multi-Domain Management

R80.x includes many powerful, integrated features that let you monitor your Multi-Domain Management environment directly in SmartConsole. Additionally, you can use the SmartView Monitor client application to work with advanced monitoring features, such as:

Monitoring Multi-Domain Server Status

To see status and general information for Multi-Domain Servers or Multi-Domain Log Servers, select Multi-Domain in the SmartConsole Multi-Domain Management window. This information shows in the System Information area:

You can use SmartView Monitor to see other, detailed status information, such as:

Monitoring Domain Management Server Status

Use the SmartConsole Logs & Monitor view to see Domain and Domain Management Server status. You can also show the combined statistics, in real time, for all Security Gateways in the Domain:

You can apply filters and show different types of graphical displays. You can also save the results to your local computer in these formats:

Monitoring Security Gateway Status

You can use the SmartConsole Logs & Monitor view to see Security Gateway status and show operational statistics in real time:

You can apply filters and show different types of graphical presentation. You can also save the results to your local computer in these formats:

To see Security Gateway status and monitoring information:

  1. Open the Domain SmartConsole.
  2. Select a Security Gateway.
  3. Click Monitor on the Actions toolbar.

    The Monitor Information window opens.

  4. Use the toolbar to filter data and change the graph type.