Print Download PDF Send Feedback

Previous

Next

Getting Started

In This Section:

Logging and Monitoring Clients

Understanding Logging

Deploying Logging

Deploying SmartEvent

Administrator Permission Profiles

Importing Offline Log Files

This section introduces the logging and monitoring clients, and explains how to install and configure logging and monitoring products.

Logging and Monitoring Clients

Monitor logs and events using customizable views and reports. Use these GUI clients:

SmartConsole >
Logs & Monitor

Analyze events that occur in your environment with customizable views and reports.

The Logs view replaces the SmartView Tracker and SmartLog SmartConsole GUI clients.

SmartView Web Application

A SmartEvent Web application. It has the same real-time event monitoring and analysis views as SmartConsole, with the convenience of not having to install a client.

Browse to: https://<Server IP>/smartview/ where Server IP is IP address of the Security Management Server or SmartEvent server.

These GUI clients are still supported:

SmartEvent
  • For initial settings - configure the Correlation Unit, Log Servers, Domains and Internal Network.
  • To configure the SmartEvent Correlation Unit
  • For the correlation policy (event definitions)
  • For Automatic Reactions

SmartView Monitor
  • To monitor tunnels
  • To monitor users
  • For suspicious activity rules
  • To monitor alerts - Thresholds configuration

For more about monitoring, see Monitoring Traffic and Connections.

To open the SmartEvent GUI client:

  1. Open SmartConsole > Logs & Monitor.
  2. Click (+) for a Catalog (new tab).
  3. Click SmartEvent Settings & Policy.

To open the SmartView Monitor GUI client:

  1. Open SmartConsole > Logs & Monitor.
  2. Click (+) for a Catalog (new tab).
  3. Click Tunnel & User Monitoring.

Understanding Logging

Security Gateways generate logs, and the Security Management Server generates audit logs. The Security Policy that is installed on each Security Gateway determines which rules generate logs.

Logs can be stored on a:

To find out how much storage is necessary for logging, see sk87263.

In a Multi-Domain Security Management environment, the Security Gateways send logs to the Domain Server or to dedicated Domain Log Servers. The Multi-Domain Server generates logs, and they can be stored on the Multi-Domain Server or on a dedicated Multi-Domain Log Server. To learn how to deploy logging in a Multi-Domain Security Management environment, see the R80 Multi-Domain Security Management Administration Guide.

To decrease the load on the Security Management Server, you can install a dedicated Log Server and configure the gateways to send their logs to this Log Server. To see the logs from all the Log Servers, connect to the Security Management Server with SmartConsole, and go to the Logs & Monitor view Logs tab.

A Log Server handles log management activities:

Deploying Logging

You can enable logging on the Security Management Server, or deploy a dedicated Log Server. After you deploy the Log Server, you must configure the Security Gateways for logging

In This Section

Enabling Logging on the Security Management Server

Deploying a Dedicated Log Server

Configuring the Security Gateways for Logging

Enabling Log Indexing

Disabling Log Indexing

Enabling Logging on the Security Management Server

  1. Open SmartConsole.
  2. Edit the network object of the Security Management Server.
  3. In the General Properties page, enable Logging & Status.
  4. In the SmartConsole main toolbar, click Publish.

Deploying a Dedicated Log Server

To deploy a dedicated Log Server, you must install it, and then connect it to the Security Management Server.

Installing a Dedicated Log Server

  1. Download the R80 installation ISO file.
  2. Install the ISO on the appliance or open server.
  3. Reboot when prompted.
  4. Connect to the WebUI of the Log Server:
    https://<ServerIP>
  5. Run the First Time Configuration Wizard.
  6. On the Installation Type page, select Security Management.
  7. On the Products page:
    • On a Smart-1 appliance, select Dedicated Server and SmartEvent.
    • On an open server, select Log Server/SmartEvent only.

Connecting the Dedicated Log Server to the Security Management Server

You can connect the R80 Log Server to an R80 Security Management Server.

To connect the R80 Log Server to an R80 Security Management Server:

  1. In SmartConsole, create a new Check Point host object for the Log Server.
  2. Create SIC trust with the Log Server.
  3. Select Version R80.
  4. In the General Properties page Management tab, enable Logging & Status.
  5. Click Publish.
  6. In the Menu, click Install Database.

Configuring the Security Gateways for Logging

Security Gateways can store their logs on:

To configure a Security Gateway for logging:

  1. Open SmartConsole.
  2. In the Gateways & Servers view, double-click the gateway object.

    The Check Point Gateway window opens.

  3. From the navigation tree, click Logs.
  4. Configure where to send logs:
    • To save logs to the Security Management Server -
      Select Send gateway logs to server.
    • To save logs to a dedicated Log Server -
      Select the Log Server from the list.
    • To save logs locally -
      Select Save logs locally, on this machine.
  5. Click OK.
  6. Click Publish.
  7. Install a policy on the Security Gateway.

Enabling Log Indexing

Log indexing on the Security Management Server or Log Server reduces the time it takes to run a query on the logs. Log indexing is enabled by default.

To manually enable Log Indexing:

  1. Open SmartConsole.
  2. From the Gateways & Servers view, double-click the Security Management Server or Domain Log Server object.

    The General Properties window opens.

  3. In the Management tab, select Logging & Status.
  4. From the navigation tree, click Logs.
  5. Select Enable Log Indexing.
  6. Click OK.
  7. Click Publish.
  8. From Menu, select Install Database.

Disabling Log Indexing

To save disk storage space, a Log Server can be configured to work in non-index mode. If you disable log indexing, queries will take longer. You must disable it on all management and Log Server objects in the environment. You are not allowed to have some Log Servers in index mode and other Log Servers in non-index mode.

When log indexing is disabled, you must connect with SmartConsole to each Log Server separately to query its logs. When you connect to the management server you do not get a unified view of all logs, as in index mode. On each Log Server, the search is done in one log file at a time.

Note - You cannot enable SmartEvent or a SmartEvent Correlation Unit on a Log Server on which indexing is disabled, or on other server in the environment. SmartEvent and Correlation Units require indexing.

To disable Log Indexing:

  1. Open SmartConsole.
  2. From the Gateways & Servers view, double-click the Security Management Server or Domain Log Server object.

    The General Properties window opens.

  3. From the navigation tree, click Logs.
  4. Clear the Enable Log Indexing option.
  5. Click OK.
  6. Click Publish.
  7. From Menu, select Install Database.

To select a log file to search:

  1. Connect SmartConsole to the Log Server.
  2. Open Logs & Monitor > Logs view.
  3. Click the Options menu button to the right of the search bar.
  4. Select File > Open Log File.

Deploying SmartEvent

SmartEvent Server is integrated with the Security Management Server architecture. It communicates with Security Management Log Servers to read and analyze logs. You can enable SmartEvent on the Security Management Server or deploy it as a dedicated server.

You can deploy R80 SmartEvent on a dedicated server and connect it to Security Management Servers or Multi Domain servers of version R77.xx (or earlier). This lets you extend an R77.xx environment with the new capabilities of R80 SmartEvent.

Only a Security Management Server can also work as a SmartEvent Server. In a Multi-domain environment, you must install SmartEvent on a dedicated server.

Note - For R80, SmartReporter functionality (to generate reports on firewall and VPN activity) is integrated into SmartConsole. To enable this functionality, activate the firewall session event on the SmartEvent Policy tab. Select and enable Consolidated Sessions > Firewall Session. For more, see Connecting SmartEvent Server to a Security Management Server.

in This Section:

SmartEvent Licensing

System Requirements

Enabling SmartEvent on the Security Management Server

Installing a Dedicated SmartEvent Server

Configuring the SmartEvent components in the First Time Configuration Wizard

Connecting R80 SmartEvent to R80 Security Management Server

Connecting R80 SmartEvent to R77.xx Security Management Server

Connecting R80 SmartEvent to R80 Multi-Domain Server

Connecting R80 SmartEvent to R77.xx Multi-Domain Server

Configuring SmartEvent to use a Non-Standard LEA Port

Configuring SmartEvent to read External Logs

SmartEvent Licensing

To deploy SmartEvent, you need a special license or contract. To get an evaluation license, contact your sales representative. SmartEvent Server installed on an open server comes with a 45 day trial period.

Check Point software is activated with a License Key. To generate a License Key, you need a Certificate Key.

System Requirements

To use SmartEvent, see the requirements in the R80 Release Notes.

Enabling SmartEvent on the Security Management Server

  1. Open SmartConsole
  2. Open the Security Management Server network object.
  3. On the Management tab, enable these Software Blades:
    • Logging & Status
    • SmartEvent Server
    • SmartEvent Correlation Unit
  4. In the SmartConsole main toolbar, click Publish.
  5. Optional: activate the firewall session for the network activity report.

    The Network Activity report gives information about Firewall connections. For example, top sources, destinations, and services. To create this report, the SmartEvent must make an index of the Firewall logs.

    To enable this report, on the SmartEvent GUI Policy tab, select and enable
    Consolidated Sessions > Firewall Session.

    Note: This configuration increases the number of events a day by five. This can have a performance effect.

Installing a Dedicated SmartEvent Server

  1. Download the installation ISO file.
  2. Install the ISO on the open server or appliance.

    Allocate partition size:

    • Root partition: at least 20 GB
    • Logs partition: more than allocated for Root and backup (set maximum possible) to let the server keep a long history.
  3. When prompted, reboot.

Configuring the SmartEvent components in the First Time Configuration Wizard

Configure the components of the dedicated server for SmartEvent on a Smart-1 appliance, or on an open server.

To configure the SmartEvent components:

  1. Connect to the SmartEvent Server WebUI:
    https://<ServerIP>
  2. Run the First Time Configuration Wizard.

    To learn how to run the First Time Configuration Wizard, see the R80 Installation and Upgrade Guide.

  3. On the Installation Type page, select Security Management.
  4. On the Products page:
    • On a Smart-1 , select Dedicated Server and SmartEvent.
    • On an open server select Log Server / SmartEvent only
  5. Install the R80 SmartConsole GUI client.

    R80 SmartConsole has the Logs & Monitor catalog of views, which includes the views in the SmartEvent GUI.

Connecting R80 SmartEvent to R80 Security Management Server

This procedure explains how to configure a dedicated server for these components:

To connect R80 SmartEvent Server and Correlation Unit to R80 Security Management Server:

  1. In SmartConsole, create a new Check Point host object for the SmartEvent Server.
  2. Create an SIC trust with the SmartEvent Server.
  3. Select Version R80.
  4. On the Management tab, enable these Software Blades:
    • Logging & Status
    • SmartEvent Server (if applicable)
    • SmartEvent Correlation Unit
  5. On a dedicated SmartEvent Server that is not a Log Server: In the Logs page, make sure that Enable Log Indexing is not selected. This ensures that Firewall connections (which are not relevant for views and reports) are not indexed.
  6. Click OK.
  7. Click Publish.
  8. Click Install Database.
  9. Advanced Configuration for a dedicated SmartEvent Server that is also a Correlation Unit:
    1. Open the SmartEvent GUI:
      1. In SmartConsole > Logs & Monitor, click + to open a catalog (new tab).
      2. Click SmartEvent Settings & Policy.
    2. In Policy tab > Correlation Units, define a Correlation Unit object.
    3. Select the production Log Servers and local log server on the SmartEvent Server to read logs from.
    4. In Policy tab > Internal Network, define the internal Network.
    5. For R77.xx and lower Gateways: Optional - Enable the Network Activity report.

      The Network Activity report gives information about Firewall connections. For example, top sources, destinations, and services. To create this report, SmartEvent must make an index of the Firewall logs.

      To enable this report, on the SmartEvent GUI Policy tab, select and enable
      Consolidated Sessions > Firewall Session.

    6. Click Save.
    7. Install the Event Policy on the Correlation Unit: SmartEvent menu > Actions > Install Event Policy.

Connecting R80 SmartEvent to R77.xx Security Management Server

This procedure explains how to configure a dedicated server for these components:

To connect R80 SmartEvent Server and Correlation Unit to an R77.xx Security Management Server:

  1. Open an SSH connection to the SmartEvent Server.
  2. Run this script:
    $RTDIR/scripts/SmartEvent_R80_change_dbsync_mode.sh
  3. Wait until the script has finished running. This is when cpstart has finished and you have a prompt.
  4. Run: cpconfig
  5. Select (2) Administrator to configure the SmartEvent Server administrators.

    Note – Administrators that are configured in R77.xx SmartDashboard cannot manage the R80 SmartEvent Server.

  6. In SmartConsole, create a Check Point Host object for the SmartEvent Server R80.
  7. Open the R77.xx SmartDashboard.
  8. Create an SIC trust between the Security Management Server and the new server for SmartEvent R80.
  9. Define it with the highest version available and ignore the Warning message.
  10. For a dedicated SmartEvent Correlation Unit that is not a SmartEvent Server: In the Logs page, click Enable Log Indexing.
  11. In the Check Point Host > Management tab, enable these Software Blades:
    • Logging & Status
    • SmartEvent Server (if applicable)
    • SmartEvent Correlation Unit
  12. Click OK.
  13. Click File > Policies > Install Database.
  14. Wait until the server synchronizes and loads SmartEvent
  15. Advanced Configuration for a dedicated SmartEvent Server that is also a Correlation Unit:
    1. Open the R80 SmartConsole to the IP address of the SmartEvent Server:
      1. In SmartConsole > Logs & Monitor, click + to open a catalog (new tab).
      2. Click SmartEvent Settings & Policy.
    2. In Policy tab > Correlation Units, define a SmartEvent Correlation Unit object.
    3. Select the production Log Servers and local Log Server on the SmartEvent Server that will send logs to the SmartEvent Correlation Unit.
    4. In Policy tab > Internal Network, define the internal Network.
    5. Optional: For R77.30 Gateways and lower - Enable the Network Activity report.

      The Network Activity report gives information about Firewall connections. For example, top sources, destinations, and services. To create this report, SmartEvent must make an index of the Firewall logs.

      To enable this report, on the SmartEvent GUI Policy tab, select and enable
      Consolidated Sessions > Firewall Session.

      Note: This configuration increases the number of events a day by five. This can have a performance effect.

    6. Click Save.
    7. Install the Event Policy on the SmartEvent Correlation Unit: SmartEvent menu > Actions > Install Event Policy.

Connecting R80 SmartEvent to R80 Multi-Domain Server

You can configure a dedicated R80 server for SmartEvent components, and connect them to one or more Domains in an R80 Multi-Domain Security Management environment.

This procedure explains how to configure a dedicated server for these SmartEvent components:

Notes:

To connect R80 SmartEvent Server and Correlation Unit to an R80 Multi-Domain Server:

  1. Open SmartConsole.
  2. Log in to the global Domain:
    • In the SmartConsole login window, enter the Multi-Domain Server IP address or host name.
    • Select the global Domain from the list (\Global).
  3. Create a Check Point Host object for SmartEvent R80.
  4. In the Check Point Host > Management, select these Management Blades:
    • Logging & Status
    • SmartEvent Server (if applicable)
    • SmartEvent Correlation Unit
  5. Initialize SIC with the new SmartEvent R80 Server.
  6. Click OK.
  7. Click Publish.
  8. Reassign the global Policy for the Domains that use SmartEvent. For new Domains, create a new global assignment.
  9. In each Domain Server, open SmartConsole.
  10. Click Menu > Install Database , on each Domain Server and Domain Log Servers.
  11. Wait until the server synchronizes and loads SmartEvent process.
  12. Advanced Configuration for a dedicated SmartEvent Server that is also a Correlation Unit:
    1. Open SmartConsole and connect to the SmartEvent Server.
    2. Launch the SmartEvent GUI client:
      1. In the Logs & Monitor view, click on + to open a catalog (new tab).
      2. Click the SmartEvent Settings & Policy link.

      Note - The primary GUI application is the R80 SmartConsole. With R80, some configurations can be done only in the SmartEvent GUI client.

    3. If SmartEvent is connected to a Multi-Domain Server, in Policy tab > Domains, define the required domains to connect to.
    4. In Policy tab > Correlation Units, define a SmartEvent Correlation Unit object.
    5. Select the production Log Servers and local Log Server on the SmartEvent Server to read logs from.
    6. In Policy tab > Internal Network, define the internal Network.
    7. Optional: Enable the Network Activity report.

      The Network Activity report gives information about Firewall connections. For example, top sources, destinations, and services. To create this report, SmartEvent must make an index of the Firewall logs.

      To enable this report, on the SmartEvent GUI Policy tab, select and enable
      Consolidated Sessions > Firewall Session.

      Note: This configuration increases the number of events a day by five. This can have a performance effect.

    8. Click Save.
    9. Install the Event Policy on the Correlation Unit: SmartEvent menu > Actions > Install Event Policy.

Connecting R80 SmartEvent to R77.xx Multi-Domain Server

You can connect R80 SmartEvent components to one or more Domains in an R77.xx Multi-Domain Security Management environment.

This procedure explains how to configure a dedicated server for these components:

Configure SmartEvent to read logs from one domain or a number of domains.

To connect R80 SmartEvent Server and Correlation Unit to an R77.xx Multi-Domain Server:

  1. Open an SSH connection to the Correlation Unit server.
  2. Run this script: $RTDIR/scripts/SmartEvent_R80_change_dbsync_mode.sh
  3. Wait until the script has finished running. This is when cpstart has finished and you have a prompt.
  4. Open R77.xx SmartConsole for Multi-Domain Security.
  5. Log in to the global Domain:
  6. Create a Check Point Host object for the dedicated server for SmartEvent Server R80. Define it with the highest version possible, and ignore the Warning message.
  7. In the Check Point Host > Management, select these Management Blades:
    • Logging & Status
    • SmartEvent Server (if applicable)
    • SmartEvent Correlation Unit
  8. Initialize SIC between the Multi-Domain Server and the new server for SmartEvent R80.
  9. For a dedicated SmartEvent Correlation Unit that is not a SmartEvent Server: In the Logs page, click Enable Log Indexing.
  10. Click OK.
  11. Click Save.
  12. Reassign the global Policy for the Domains that use SmartEvent. For new Domains, create a new global assignment.
  13. In each Domain Server, open SmartConsole.
  14. Click Menu > Install Database, on each <tp_cms> and Domain Log Server.
  15. Wait until the server synchronizes and loads SmartEvent.
  16. Advanced Configuration for a dedicated SmartEvent Server that is also a Correlation Unit:
    1. Open R80 SmartConsole.
    2. Launch the SmartEvent GUI client.
      1. In the Logs & Monitor view, click on + to open a catalog (new tab).
      2. Click the SmartEvent Settings & Policy link.

      Note - The primary GUI application is the R80 SmartConsole. With R80, some configurations can be done only in the SmartEvent GUI client.

    3. If SmartEvent is connected to a Multi-Domain Server, in Policy tab > Domains, define the required domains to connect to.
    4. In Policy tab > Correlation Units, define a Correlation Unit object.
    5. Select the production Log Servers and local log server on the SmartEvent Server to read logs from.
    6. In Policy tab > Internal Network, define the internal Network.
    7. For R77.xx and lower Gateways: Optional - Enable the Network Activity report.

      The Network Activity report gives information about Firewall connections. For example, top sources, destinations, and services. To create this report, SmartEvent must make an index of the Firewall logs.

      To enable this report, on the SmartEvent GUI Policy tab, select and enable
      Consolidated Sessions > Firewall Session.

      Note: This configuration increases the number of events a day by five. This can have a performance effect.

    8. Click Save.
    9. Install the Event Policy on the Correlation Unit: SmartEvent menu > Actions > Install Event Policy.

Configuring SmartEvent to use a Non-Standard LEA Port

You can get logs from and send logs to a third-party Log Server. The Check Point Log Server and the third party Log Server use the LEA (Log Export API) protocol to read logs. By default, the Check Point Log Server uses port 18184 for this connection. If you configure the Log Server to use a different LEA port, you must manually configure the new port on the SmartEvent Server and on the SmartEvent Correlation Unit.

To change the default LEA port:

  1. Open $INDEXERDIR/log_indexer_custom_settings.conf in a text editor.
  2. Add this line to the file:

    :lea_port (<new_port_number>)

  3. In the SmartEvent client, configure the new port on the Correlation Unit.
  4. In Policy tab > Correlation Units, configure the Correlation Unit to read logs from the local Log Server (on the SmartEvent Server).
  5. Configure the new port on the SmartEvent Server:
    1. In Policy tab > Network Objects, double-click the SmartEvent Server object.
    2. Change the LEA port No. parameter to <new_port_number>.
  6. Install the Event Policy on the Correlation Unit: Actions > Install Event Policy
  7. On the SmartEvent Server:
    1. Run: cpstop
    2. Open $FWDIR/conf/fwopsec.conf in a text editor.
    3. Change these parameters:

      lea_server auth_port <new_port_number>
      lea_server port 0

    4. Run: cpstart

Configuring SmartEvent to read External Logs

To configure SmartEvent to read logs from an externally-managed Log Server or an external Security Management Server, see sk35288.

An externally managed Log Server is managed by a different Security Management Server than the one that manages the SmartEvent Server. An external Security Management Server is not the one that manages the SmartEvent Server.

Administrator Permission Profiles

You can give an administrator permissions for:

To define an administrator with these permissions:

  1. Define an administrator or an administrator group.
  2. Define a Permission Profile with the required permissions in SmartConsole (Manage & Settings > Permission Profiles).
  3. Assign that profile to the administrator or to the administrator group.

Creating an Administrator

To Create an Administrator

  1. In SmartConsole, open Manage & Settings.
  2. Click Administrators.
  3. Click New Administrator.

    The New Administrator window opens.

  4. Enter a name for the administrator.
  5. Select an Authentication method.
  6. In the Permission Profiles area, select a permission profile, or click New and create a permission profile.
  7. In a new profile, in the Overview tab, configure Permissions. If you select Customized, you can select these options for the features:
    • Not selected - The administrator cannot see the feature.

      Note - If you cannot clear a resource selection, the administrator access to it is mandatory, and you cannot make it invisible

    • Selected - The administrator can see the feature.
    • Read - The administrator can see the feature but cannot change it.
    • Write - The administrator can see and change the feature.

    Some resources do not have the Read or Write option. You can only select (for full permissions) or clear (for no permissions) these resources.

  8. Optional: In the Expiration area, define an expiration date for the administrator account.
  9. Optional: In the left of the window:
    1. Click Additional.
    2. Enter the personal information (email, phone number) for the administrator.
  10. Click OK.

Permissions for Monitoring, Logging, Events, and Reports

In the Profile object, select the features and the Read or Write administrator permissions for them.

Monitoring and Logging Features

These are some of the available features:

Events and Reports Features

These are the permissions for the SmartEvent GUI:

Multi-Domain Security Management

In Multi-Domain Security Management, each Event and Report is related to a Domain. Administrators can see events for Domains according to their permissions.

A Multi-Domain Security Management Policy administrator can be:

Locally Managing the Administrator

If you do not want to centrally manage administrators, and you use the local administrator defined for the SmartEvent Server, run this CLI command on the SmartEvent Server:

cpprod_util CPPROD_SetValue FW1 REMOTE_LOGIN 4 1 1

SmartEvent Reports-Only Permission Profile

You can define a special permission profile for administrators that only see and generate SmartEvent reports. With this permission profile, Administrators can open the SmartEvent client, but only see the Reports tab. They cannot access other security information in SmartEvent. You can configure this permissions profile to apply to the Application & URL Filtering blade only, or apply to all blades.

To create a SmartEvent report-only permissions profile:

  1. In SmartConsole, click Manage & Settings > Permissions Profiles.
  2. In the Permission Profiles page, select a permission profile, or click the New button and create a permission profile.
  3. Select Customized.
  4. On the Events and Reports page, select SmartEvent Reports.
  5. Clear all other options.
  6. For SmartEvent Reports option, select All Blades.
  7. On the Access Control, Threat Prevention, and Others pages, clear all options.
  8. On the Monitoring and Logging page, select all features, with Write permissions.
  9. Click OK.

    The profile shows in the Permission Profiles page.

  10. Assign the SmartEvent Reports Only permissions profile to administrators.
  11. Publish the changes.
  12. Install the policy.

Importing Offline Log Files

The administrator can examine logs from a previously generated log file. This makes it possible to review security threats and pattern anomalies that occurred in the past, before SmartEvent was installed. You can investigate threats such as unauthorized scans targeting vulnerable hosts, unauthorized legions, denial of service attacks, network anomalies, and other host-based activity.

The administrator can review logs from a specific time period in the past and focus on deploying resources on threats that have been active for a period of time but may have been missed (for example, new events which may have been dynamically updated can now be processed over the previous period).

Offline Work For Correlated Events

To detect suspicious logging activity (that is, suspicious according to the Event Policy on the SmartEvent GUI > Policy tab), run the offline log file through the Correlation Unit.

The settings to generate of Offline logs are in: SmartEvent GUI client > Policy tab > General Settings > Initial Settings > Offline Jobs, connected to the Security Management Server or Multi-Domain Server.

The settings are:

Importing Log Files from SmartEvent Servers

To import offline log files, add events to the SmartEvent Server. By default, you can import the 14 most recent days of offline logs. To import more days of logs, change the log indexing settings.

To change log indexing settings:

Note - Do this to make it possible to import logs that are older than the last 14 days before the SmartEvent Server was installed.

  1. Run: # evstop
  2. Edit the log settings file log_indexer_custom_settings.conf
    1. Make a backup. Run this command:

      cp $INDEXERDIR/log_indexer_custom_settings.conf $INDEXERDIR/log_indexer_custom_settings.conf_orig

    2. Edit $INDEXERDIR/log_indexer_custom_settings.conf in a text editor.
    3. Delete these lines:

      :time_restriction_for_fetch_all (<existing_data>)
      :time_restriction_for_fetch_all_disp (<existing_data>)

    4. Add this line:

      :num_days_restriction_for_fetch_all_integrated (<days>)

      <days> is the last number of days of logs to be indexed by the SmartEvent Server. For example, to import and index logs from the last 30 days of logs, give a value of 30.

    Note - To decrease the performance effect while you index the offline logs, import only the necessary number of days of logs.

  3. Run: # evstart
  4. In the SmartEvent Server object properties, in the Logs > Storage page, configure Disk Space Management.

To allow the SmartEvent Server to index offline log files:

  1. Copy the log files and related pointer files <log file name>.log* to $FWDIR/log. Copy the files to the Log Server that sends logs to the SmartEvent Server.
  2. Optional: Do an Offline Work for Correlated Events procedure for each log file. This procedure is done to run the log files through the Correlation Unit for correlation analysis according to the Event Policy (defined in SmartEvent GUI client).

    To run SmartEvent offline jobs for multiple log files, see: sk98894.

17 October 2017 © 2017 Check Point Software Technologies Ltd. All rights reserved.