Logging

In This Section: Log Analysis Sample Log Analysis Using the Log View Working with Logs

Log Analysis

SmartConsole lets you transform log data into security intelligence. Search results are fast and immediately show the log records you need. The Security Gateways send logs to the Log Servers on the Security Management Server or on a dedicated server. Logs show on the SmartConsole Logs & Monitor Logs tab. You can:

• Quickly search through logs with simple Google-like searches.
• Select from many predefined search queries to find the applicable logs.
• Create your own queries using a powerful query language.
• Monitor logs from administrator activity and connections in real-time.

Sample Log Analysis

This is a sample procedure that shows how to do an analysis of a log of a dropped connection.

To show a log of a dropped connection:

1. Log into SmartConsole.
2. Connect to the IP address of the Security Management Server, not to a Log Server.
3. In the Access Control view, select a rule with the Drop action.
4. In the bottom pane, click Logs.

   This shows the logs for connections that were dropped by the Rule Base.

5. Double-click a log.

   The Log Details window opens.

Using the Log View

This is an example of the Log view.

Item	Description
1	Queries - Predefined and favorite search queries.
2	Time Period - Search with predefined custom time periods.
3	Query search bar - Define custom queries in this field. You can use the GUI tools or manually enter query criteria. Shows the query definition for the most recent query.
4	Log statistics pane - Shows top results of the most recent query.
5	Results pane - Shows log entries for the most recent query.

Working with Logs

In This Section: Choosing Rules to Track Viewing Rule Logs Searching the Logs Query Language Overview

Choosing Rules to Track

Logs are useful if they show the traffic patterns you are interested in. Make sure your Security Policy tracks all necessary rules. But when you track multiple rules, the log file will be large, and will require more disk space and management operations.

To balance these requirements, track rules that can help you improve your network security, help you understand of user behavior, and are useful in reports.

Configuring Tracking in a policy Rule

To configure tracking in a rule:

1. Right-click in the Track column.
2. Select a tracking option.
3. Install the policy.

Tracking Options

• Network Log - Generates a log with only basic Firewall information: Source, Destination, Source Port, Destination Port, and Protocol.
• Log - Equivalent to the Network Log option, but also includes the application name (for example, Dropbox), and application information (for example, the URL of the Website). This is the default Tracking option.
• Full Log - Equivalent to the log option, but also records data for each URL request made.
  • If suppression is not selected, it generates a complete log (as defined in pre-R80 management).
  • If suppression is selected, it generates an extended log (as defined in pre-R80 management).
• None - Do not generate a log.

You can add these options to a Log, Full Log, or Network Log:

• Accounting - If selected, update the log every 10 minutes, to show how much data has passed in the connection: Upload bytes, Download bytes, and browse time.
• Suppression - If selected, one log is generated every three hours for all the connections.

Alert:

If an Alert is selected, Log is selected automatically.

• None - Do not generate an alert.
• Alert - Generate a log and run a command, such as: Show a popup window, send an email alert or an SNMP trap alert, or run a user-defined script as defined in the Menu > Global Properties > Log and Alert > Alerts.
• SNMP - Send an SNMP alert to the SNMP GUI, or run the script defined in: Menu > Global Properties > Log and Alert > Alerts.
• Mail - Send an email to the administrator, or run the mail alert script defined in: Menu > Global Properties > Log and Alert > Alerts.
• User Defined Alert - Send one of three possible customized alerts. The alerts are defined by the scripts specified in the Menu > Global Properties > Log and Alert > Alerts.

Viewing Rule Logs

You can search for the logs that are generated by a specified rule, from the Security Policy or from the Logs & Monitor > Logs tab

To see logs generated by a rule (from the Security Policy):

1. In SmartConsole, go to the Security Policies view.
2. In the Access Control Policy or Threat Prevention Policy, select a rule.
3. In the bottom pane, click one of these tabs to see:
   • Summary - Rule name, rule action, rule creation information, and the hit count. Add custom information about the rule.
   • Details (Access Control Policy only) - Details for each column. Select columns as necessary.
   • Logs - Log entries according to filter criteria - Source, Destination, Blade, Action, Service, Port, Source Port, Rule (Current rule is the default), Origin, User, or Other Fields.
   • History (Access Control Policy only) - List of rule operations in chronological order, with the information about the rule type and the administrator that made the change.

To see logs generated by a rule (by Searching the Logs):

1. In SmartConsole, go to the Security Policies view.
2. In the Access Control Policy or Threat Prevention Policy, select a rule.
3. Right-click the rule number and select Copy Rule UID.
4. In the Logs & Monitor > Logs tab, search for the logs in one of these ways:
   • Paste the Rule UID into the query search bar and press Enter.
   • For faster results, use this syntax in the query search bar:

     layer_uuid_rule_uuid:*_<UID>

     For example, paste this into the query search bar and press Enter:

     layer_uuid_rule_uuid:*_46f0ee3b-026d-45b0-b7f0-5d71f6d8eb10

Searching the Logs

SmartConsole lets you quickly and easily search the logs with many predefined log queries, and an easy to use language for custom queries.

Running Queries

To create and run a query:

1. In the query search bar, click Enter Search Query (Ctrl+F).
2. Enter or select query criteria.

   The query runs automatically. When you add more criteria, results are updated dynamically.

To manually refresh your query:

Click Refresh (F5).

To continuously refresh your query (Auto-Refresh):

Click Auto-Refresh (F6). The icon is highlighted when Auto-Refresh is enabled.

The query continues to update every five seconds while Auto-Refresh is enabled. If the number of logs exceeds 100 in a five-second period, the logs are aggregated, and the summary view shows. To see all logs that have been aggregated in a specific time interval, click View.

Showing Query Results

Query results can include tens of thousands of log records. To prevent performance degradation, SmartConsole only shows the first set of results in the Results pane. Typically, this is a set of 50 results.

Scroll down to show more results. As you scroll down, SmartConsole extracts more records from the log index on the Security Management Server or Log Server, and adds them to the results set. See the number of results above the Results pane.

For example, on the first run of a query, you can see the first 50 results out of over 150,000 results. When you scroll down, you can see the first 100 results out of over 150,000.

Customizing the Results Pane

By default, SmartConsole shows a predefined set of columns and information based on the selected blade in your query. This is known as the Column Profile. For example:

• The DLP column profile includes columns for: Blade, Type, DLP Incident UID, and severity.
• The Threat Prevention column profile includes columns for: Origin, Action, Severity, and Source User.

If no blade is specified, a column profile is assigned based on the blade that occurs most frequently in the query results. This is called Automatic Profile Selection, and is enabled by default.

The Column Profile defines which columns show in the Results Pane and in which sequence. You can change the Column Profile as necessary for your environment.

To use the default Column Profile assignments:

• Right-click a column heading and select Columns Profile > Automatic Profile Selection.

To manually assign Column Profile assignments by default:

• Right-click a column heading and select Columns Profile > Manual Profile Selection.

To manually assign a different Column Profile:

1. Right-click a column heading and select Columns Profile.
2. Select a Column Profile from the options menu.

To change a Column Profile:

1. Right-click a column heading and select Columns Profile > Edit Profile.
2. In the Show Fields window, select a Column Profile to change.
3. Select fields to add from the Available Fields column.
4. Click Add.
5. Select fields to remove from the Selected Fields column.
6. Click Remove.
7. Select a field in the Selected Fields.
8. Click Move Up or Move Down to change its position in the Results Pane.
9. Double-click the Width column to change the default column width for the selected field.
10. To change the column width, drag the right column border in the Results Pane.
11. To save the column width, right-click and select Save Profile.

    The column is applicable to future sessions.

Creating Custom Queries

Queries can include one or more criteria. To create custom queries, use one or a combination of these basic procedures:

• Right-click columns in the grid view and select Add Filter.
• Click in the Query search bar and select the fields and filter criteria for those fields.
• Manually enter filter criteria in the Query search bar.

To create a new custom query, run an existing query, and use one of these procedures to change it. You can save the new query in the Favorites list.

When you create complex queries, the log search tool suggests, or automatically enters, an appropriate Boolean operator. This can be an implied AND operator, which does not explicitly show.

Selecting Query Fields

You can enter query criteria directly from the Query search bar.

To select field criteria:

1. If you start a new query, click Clear to remove query definitions.
2. Put the cursor in the Query search bar.
3. Select a criterion from the drop-down list or enter the criteria in the Query search bar.

   The query runs automatically.

Selecting Criteria from Grid Columns

You can use the column headings in the Grid view to select query criteria. This option is not available in the Table view.

To select query criteria from grid columns:

1. In the Results pane, right-click on a column heading.
2. Select Add Filter.
3. Select or enter the filter criteria.
   The criteria show in the Query search bar and the query runs automatically.

To enter more criteria, use this procedure or other procedures.

Manually Entering Query Criteria

You can type query criteria directly in the Query search bar. You can manually create a new query or make changes to an existing query that shows in the Query search bar.

As you type, the Search shows recently used query criteria or full queries. This helps you to search. To use these suggestions, select them from the drop-down list. If you make a syntax error in a query, the Search shows a helpful error message that identifies the error and suggests a solution.

Query Language Overview

A powerful query language lets you show only selected records from the log files, according to your criteria. To create complex queries, use Boolean operators, wildcards, fields, and ranges. This section refers in detail to the query language.

When you use the GUI to create a query, the applicable criteria show in the Query search bar.

The basic query syntax is [<Field>:] <Filter Criterion>.

To put together many criteria in one query, use Boolean operators:

[<Field>:] <Filter Criterion> AND|OR|NOT [<Field>:] <Filter Criterion> ...

Most query keywords and filter criteria are not case sensitive, but there are some exceptions. For example, Risk:High is case sensitive (Risk:high does not match). If your query results do not show the expected results, change the case of your query criteria, or try upper and lower case.

When you use queries with more than one criteria value, enter a Boolean operator.

Criteria Values

Criteria values are written as one or more text strings. You can enter one text string, such as a word, IP address, or URL, without delimiters. Phrases or text strings that contain more than one word must be surrounded by quotation marks.

One word string examples:

• John
• inbound
• 192.168.2.1
• mahler.ts.example.com
• dns_udp

Phrase examples

• "John Doe"
• "Log Out"
• "VPN-1 Embedded Connector"

IP Addresses

IPv4 and IPv6 addresses used in log queries are counted as one word. Enter IPv4 address with dotted decimal notation and IPv6 addresses with colons. You can also use the '*' wildcard character with IP addresses.

Example:

• 192.0.2.1
• 2001:db8::f00:d

NOT Values

You can use NOT <field> values with field keywords in log queries to find logs for which the value of the field is not the value in the query.

Syntax

NOT <field>:<value>

Example

NOT src:10.0.4.10

Wildcards

You can use the standard wildcard characters (* and ?) in queries to match variable characters or strings in log records. The wildcard character cannot be the first character in a query criterion. You can use more than the wildcard character.

Wildcard syntax

• The ? (question mark) matches one character.
• The * (asterisk) matches a character string.

Examples:

• Jo? shows Joe and Jon, but not Joseph.
• Jo* shows Jon, Joseph, and John Paul.

If your criteria value contains more than one word, you can use the wildcard in each word. For example, 'Jo* N*' shows Joe North, John Natt, Joshua Named, and so on.

Using Wildcards with IP Addresses

The wildcard character is useful when used with IPv4 addresses. It is a best practice to put the wildcard character after an IP address delimiter.

Examples:

• 192.168.2.* shows all records for 192.168.2.0 to 192.168.2.255 inclusive
• 192.168.* shows all records for 192.168.0.0 to 192.168.255.255 inclusive

Field Keywords

You can use predefined field names as keywords in filter criteria. The query result only shows log records that match the criteria in the specified field. If you do not use field names, the query result shows records that match the criteria in all fields.

This table shows the predefined field keywords. Some fields also support keyword aliases that you can type as alternatives to the primary keyword.

Keyword	Keyword Alias	Description
severity		Severity of the event
risk		Potential risk from the event
protection		Name of the protection
protection_type		Type of protection
confidence level		Level of confidence that an event is malicious
action		Action taken by a security rule
blade	product	Software Blade
destination	dst	Traffic destination IP address, DNS name or Check Point network object name
origin	orig	Name of originating Security Gateway
service		Service that generated the log entry
source	src	Traffic source IP address, DNS name or Check Point network object name
user		User name

Syntax for a field name query:

<field name>:<values>|(<value><operator><value>)

Examples:

• source:192.168.2.1
• action:(Reject OR Block)

  You can use the OR Boolean operator in parentheses to include multiple criteria values.

Important - When you use fields with multiple values, you must:

• Write the Boolean operator, for example AND.
• Use parentheses.

Boolean Operators

You can use the Boolean operators AND, OR, and NOT to create filters with many different criteria. You can put multiple Boolean expressions in parentheses.

If you enter more than one criteria without a Boolean operator, the AND operator is implied. When you use multiple criteria without parentheses, the OR operator is applied before the AND operator.

Examples:

• blade:"application control" AND action:block
  Shows log records from the Application & URL Filtering Software Blade where traffic was blocked.
• 192.168.2.133 10.19.136.101
  Shows log entries that match the two IP addresses. The AND operator is presumed.
• 192.168.2.133 OR 10.19.136.101
  Shows log entries that match one of the IP addresses.
• (blade:Firewall OR blade:IPS OR blade:VPN) AND NOT action:drop
  Shows all log entries from the Firewall, IPS or VPN blades that are not dropped. The criteria in the parentheses are applied before the AND NOT criterion.
• source:(192.168.2.1 OR 192.168.2.2) AND destination:17.168.8.2
  Shows log entries from the two source IP addresses if the destination IP address is 17.168.8.2. This example also shows how you can use Boolean operators with field criteria.