SmartEvent Administration Guide R77 Versions | 73
Offline Log Files
SmartEvent enables an administrator to view existing logs from a previously generated log file.
This feature is designed to enable an administrator to review security threats and pattern
anomalies that appeared in the past. As a result, an administrator can investigate threats (for
example, unauthorized scans targeting vulnerable hosts, unauthorized logins, denial of service
attacks, network anomalies, and other host-based activity) before SmartEvent was installed.
In the same respect, an administrator can review logs from a specific time period in the past and
focus on deploying resources on threats that have been active for a period of time but may have
been missed (for example, new events which may have been dynamically updated can now be
processed over the previous period).
Offline Jobs are configured in SmartEvent > Policy tab > General Settings > Initial
Settings > Offline Jobs, while connected to the Security Management Server or Multi-Domain Server,
with the following options:
• Add enables you to configure an Offline Log File process.
• Name acts as a label that enables you to recognize the specific Offline Log file for
future processing. For example, you can create a query according to the Offline Job name.
This name is used in Event tab queries to search events that have been generated by this
• Comment contains a description of the Offline Job for reference.
• Offline Job Parameters:
  SmartEvent Correlation Unit: the machine that reads and processes the Offline Logs.
  Log Server: the machine that contains the Offline Log files. SmartEvent queries this Log
  Server to see which log files are available.
  Log File: the list of log files found on the selected Log Server that can be processed by the
  SmartEvent Correlation Unit. In this window you select the log file from which you want to
  retrieve historical information.
• Edit enables you to modify the parameters of an Offline Log File process.
• Remove enables you to delete an Offline Log File process.
Once you Start an Offline Log File process, you cannot remove it.
• Start runs the Offline Log File process.
The results of this process appear in the Events tab and are accessible by the By Job Name
query or filter.
• Stop ends the Offline Log File process.
Stop does not delete the entire process; it only stops the process at the point at which
it is selected. The information collected up until the process is stopped will appear in the
In the SmartEvent Events tab, you can add offline jobs to a query to see the events those jobs generated.
To add the offline jobs:
1. Select the Events Tab.
2. Go to Predefined > By Job Name.
3. Double-click By Job Name.
Every job that appears in this window is an offline job except for All online jobs.
4. Select the job you want the By Job Name to query.
5. Click OK.
Configuring Custom Commands
To add (or edit) custom commands:
1. In the SmartEvent GUI, select Actions > Configure Custom Commands.
2. To add a command, select Add…. (To edit an existing command, highlight the command and
3. Enter the text to appear in the right-click context menu.
4. Enter the command to run, and any arguments.
5. Configure the command to run in a SmartEvent window or in a separate Windows command
6. Select whether the command should appear in the context menu only when right-clicking in
cells with IP address data.
7. Select OK.
Creating Automatic Reactions
Creating an External Script Automatic Reaction (on page
Managing the Event Database
SmartEvent uses an optimization algorithm to manage disk space and other system resources.
When the Events database becomes too large, the oldest events are automatically deleted to save
space. In addition, events that are more than one year old are also automatically deleted.
For instructions on changing the maximum retention period and the maximum database size for past
events in the Events database, see sk69706 (http://supportcontent.checkpoint.com/solutions?id=sk69706).
Backup and Restore of the Events Database
The evs_backup utility backs up the SmartEvent configuration files and places them in a
compressed tar file. In addition, it backs up data files according to the options selected. The files
can be restored using the evs_backup_extractor script. Two versions of the script are provided: one
for Windows with a .bat suffix, and one for Solaris, Linux and SecurePlatform that has no suffix
but must have the executable permission set.
evs_backup [-filename file.tgz] [-EvaDb] [-EvrDb] [-Results] [-Logs]
Additional options are:
• -EvaDb: copy the SmartEvent events database
• -EvrDb: copy the SmartReporter consolidation database
• -Results: copy the SmartReporter results
• -Logs: copy the SmartEvent error logs
• Copy the logo file and the distribution script
• Run evr_addon_export; to use a different file name, use -filename
• Select all options
SmartEvent High Availability Environment
The SmartEvent database keeps a synchronized copy of management objects locally on the
SmartEvent Server. This process, dbsync, allows SmartEvent to work independently of different
management versions and different management servers in a High Availability environment.
Management High Availability capability exists for Security Management Servers, and in a
Multi-Domain Security Management environment, dbsync supports High Availability for the
Multi-Domain Servers and the Domain Management Servers.
How it works
Dbsync initially connects to the management server with which SIC is established. It retrieves all
the objects and after the initial synchronization it gets updates whenever an object is saved. At this
point, dbsync registers all the High Availability management machines and periodically tests the
connectivity with the current management server. If connectivity is lost, it attempts to connect to
the other High Availability management servers until it finds an active one and connects to it.
If two management servers are active concurrently, dbsync will remain connected to one
management server and will not receive any changes made on the other management server until
a synchronization operation is performed.
Log Server High Availability
In SmartDashboard, it is possible to configure a Security Gateway such that when it fails to send
its logs to one Log Server, it will send its logs to a secondary Log Server. In order to support this
configuration, it is possible to add both Log Servers to a single SmartEvent Correlation Unit. In
this way, the SmartEvent Correlation Unit will get an uninterrupted stream of logs from both
servers and will continue to correlate all Firewall logs.
SmartEvent Correlation Unit High Availability
Multiple correlation units can read logs from the same Log Servers and in this way provide
redundancy in case one of them fails. The events that the correlation units detect will be
duplicated in the SmartEvent database; however, these events can be disambiguated by filtering
on the Detected By field in the Event Query definition. The Detected By field specifies which
SmartEvent Correlation Unit detected the event.
If the SmartEvent Server becomes unavailable, the correlation units retain the events until they
can reconnect to the SmartEvent Server, and then forward the events.
Third-Party Device Support
New Device Support
Adding support for a log-generating device (e.g., router, Firewall, IDS, Anti-Virus, OS) to
SmartEvent involves one or both of the following:
• Adding the data necessary to translate the device logs to a format that a Check Point Domain
Log Server can read. This translation is called parsing, and it involves extracting the relevant
log fields from the log data to create a normalized Check Point log available for further
• Adding the device logs to Event Definitions.
SmartEvent currently supports the following log formats:
• Check Point / OPSEC ELA
• Microsoft Windows Events
• Syslog messages
• SNMP traps
Devices using Check Point, ELA, or Windows Events do not require special parsing configuration. If
you are adding a device using one of these formats, skip to the section Adding New Devices to
Event Definitions (on page 79). For details on support for Windows logs, see the section Windows
Events (on page 18).
Devices using the syslog or SNMP format require parsing configuration. Continue to Planning and
Considerations (on page 76) and the parsing section relevant for your device.
Parsing Log Files
Planning and Considerations
1. Learn the exact structure of the logs the device generates with the following
a) The vendor logging guide (if it exists), or any other documentation that specifies the
different logs the device can generate and their exact structure. Documentation is
important to verify that you have found all possible logs and is usually enough to start
writing the parsing file.
b) Log samples, as many as possible. It is recommended to use real logs generated from the
actual devices to be used with SmartEvent. Samples are important for testing the parsing
file and tuning it accordingly.
2. Consult the
guide to become familiar with the Free Text Parsing Language. The
document also specifies the relevant parsing files and their location on the Log Server.
3. Decide which fields to extract from the log. While the fields you want to extract differ from one
device to another, devices of the same category would usually have similar log fields. For
Typical Log Fields
Firewall, router and other devices that send connection based logs: source IP address,
destination IP address, source port, destination port, protocol, accept/reject
IDS / IPS, application Firewall and other devices that send attack logs:
4. It may also be useful to compare with the existing parsing files of a similar product.
To parse a syslog file:
1. Create a new parsing file called <device product name>.C as specified in the parsing guide,
and place it in the directory $FWDIR/conf/syslog/UserDefined on the Domain Log Server.
2. On the Log Server, edit the file
$FWDIR/conf/syslog/UserDefined/UserDefinedSyslogDevices.C to add a line that includes
the new parsing file. For example:
3. If needed, create a new dictionary file called <device product name>_dict.ini (see "Dictionary"
on page 91), and place it in the directory $FWDIR/conf/syslog/UserDefined on the Log Server.
A dictionary translates values with the same meaning from logs from different devices into a
common value. This common value is then used in the Event Definitions.
4. If you have added a new dictionary file, edit the file
$FWDIR/conf/syslog/UserDefined/UserDefinedSyslogDictionaries.C on the Log Server and
add a line to include the dictionary file. For example:
To test the parsing, send syslog samples to a Check Point Log Server:
1. Configure the Log Server to accept syslogs by doing one of the following:
• Using SmartDashboard, connect to the Security Management Server and edit the
SmartEvent Server network object: Go to Logs and Masters > Additional Logging
Configuration and enable the property Accept Syslog messages.
• On the Log Server, run syslog -r to register the syslog daemon.
2. After making any change in the parsing file, restart the fwd process on the Log Server (either
run the commands cpstop & cpstart, or fw kill fwd & fwd -n).
3. Send syslogs from the device itself, or from a syslog generator, such as Kiwi Syslog Message
Generator, available at http://www.kiwisyslog.com/software_downloads.htm#sysloggen, or
Adiscon logger, available at http://www.monitorware.com/logger/.
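As an added example (not from the guide and not a Check Point tool), the following Python script can stand in for the syslog generator in step 3: it builds RFC 3164 lines with a computed <PRI> prefix from constructed sample messages for a hypothetical device and sends them over UDP to the Log Server. The device message format, the hostname/tag and the Log Server address are assumptions.

```python
import socket
from datetime import datetime

# RFC 3164 facility and severity codes; PRI = facility * 8 + severity.
FACILITY = {"kern": 0, "user": 1, "auth": 4, "local0": 16, "local4": 20}
SEVERITY = {"emerg": 0, "alert": 1, "crit": 2, "err": 3,
            "warning": 4, "notice": 5, "info": 6, "debug": 7}

# Constructed sample messages for a hypothetical device (not a real vendor format):
# the content part that the new <device product name>.C parsing file has to match.
SAMPLE_CONTENT = [
    "DENY TCP 10.0.0.5:51234 -> 192.0.2.10:22",
    "PERMIT UDP 10.0.0.7:5353 -> 224.0.0.251:5353",
    "DENY ICMP 10.0.0.9 -> 192.0.2.10",
]


def pri(facility, severity):
    """Numeric <PRI> value for a facility/severity pair."""
    return FACILITY[facility] * 8 + SEVERITY[severity]


def build_message(facility, severity, hostname, tag, content, when=None):
    """One BSD-syslog line: <PRI>Mmm dd hh:mm:ss HOSTNAME TAG: CONTENT.
    The day of month is space-padded, as RFC 3164 requires (not zero-padded)."""
    when = when or datetime(2013, 3, 3, 12, 0, 1)  # fixed constructed timestamp
    stamp = f"{when:%b} {when.day:2d} {when:%H:%M:%S}"
    return f"<{pri(facility, severity)}>{stamp} {hostname} {tag}: {content}"


def build_samples(hostname="acmefw-1", tag="acmefw"):
    """All sample lines for the device, ready to send or to keep as test input."""
    return [build_message("local4", "info", hostname, tag, c) for c in SAMPLE_CONTENT]


def send_samples(messages, log_server, port=514):
    """Send each line as one UDP datagram to the Log Server; returns the number sent.
    The Log Server must already accept syslog (SmartDashboard setting or 'syslog -r')."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sent = 0
    try:
        for line in messages:
            sock.sendto(line.encode("ascii"), (log_server, port))
            sent += 1
    finally:
        sock.close()
    return sent


if __name__ == "__main__":
    LOG_SERVER = "192.0.2.1"  # placeholder; use the Check Point Log Server address
    print(send_samples(build_samples(), LOG_SERVER), "lines sent")
```

After sending, check in SmartView Tracker that the Product field shows the new product name rather than 'syslog'.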
If SmartView Tracker does not display the logs as expected, there may be specific problems with
the parsing files:
• If there is a syntax error in the parsing files, an error message will report a failure to read the
parsing files. To read a specific error message, set the environment variable
TDERROR_ALL_FTPARSER value to
before running the process fwd -n.
• If the syslogs are displayed in SmartView Tracker with 'Product syslog', this means the log
was not parsed properly, and was parsed as a general syslog.
• If the Product field contains another product (not the one you have just added) this means
there is a problem with the other product parsing file. Report this to the Check Point
• If the product is reporting correctly in the log, look for all the fields you have extracted. Some
of them will be in the Information section. Some fields may only be visible when selecting
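To make the parsing and dictionary steps concrete, here is an added Python model; it is not the Free Text Parsing Language and not a Check Point file format. Per-product regular expressions play the role of the parsing file, an INI mapping plays the role of <device product name>_dict.ini, and lines that no pattern matches fall through as a generic 'syslog' product, which corresponds to the 'Product syslog' symptom described above. The two device formats, the dictionary and the log lines are constructed.

```python
import re
from configparser import ConfigParser

# Constructed syslog lines from two hypothetical devices (not real vendor formats).
SAMPLE_LOGS = [
    "<134>Mar 10 12:00:01 fw1 acmefw: DENY TCP 10.0.0.5:51234 -> 192.0.2.10:22",
    "<134>Mar 10 12:00:02 fw1 acmefw: PERMIT UDP 10.0.0.7:5353 -> 224.0.0.251:5353",
    "<132>Mar 10 12:00:03 rtr9 exrouter: list 101 denied tcp 10.0.0.9(40000) -> 198.51.100.4(443)",
]

# Per-product extraction patterns: the role the parsing file plays on the Log Server.
# The named groups are the typical connection-log fields listed in the planning table.
PARSERS = {
    "acmefw": re.compile(r"acmefw: (?P<action>\w+) (?P<proto>\w+) "
                         r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)"),
    "exrouter": re.compile(r"exrouter: list \d+ (?P<action>\w+) (?P<proto>\w+) "
                           r"(?P<src>[\d.]+)\((?P<sport>\d+)\) -> (?P<dst>[\d.]+)\((?P<dport>\d+)\)"),
}

# Constructed dictionary: maps each device's own action words to one common value,
# the role <device product name>_dict.ini plays for the Event Definitions.
DICT_INI = """
[action]
deny = reject
denied = reject
permit = accept
"""


def load_dictionary(text):
    """Parse the INI text into {section: {device_value: common_value}}; keys are lowercased."""
    cp = ConfigParser()
    cp.read_string(text)
    return {sec: dict(cp.items(sec)) for sec in cp.sections()}


def parse_line(line, dictionary):
    """Try each product pattern; normalize the action through the dictionary on a match."""
    for product, pattern in PARSERS.items():
        m = pattern.search(line)
        if m:
            rec = m.groupdict()
            rec["product"] = product
            raw = rec["action"].lower()
            rec["action"] = dictionary["action"].get(raw, raw)  # unmapped values pass through
            return rec
    # No pattern matched: the line stays a generic syslog record (Product 'syslog').
    return {"product": "syslog", "raw": line}


def parse_all(lines, dictionary):
    """Normalized records for every sample line."""
    return [parse_line(line, dictionary) for line in lines]
```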
1. Create a new parsing file called <device product name>.C as specified in the
guide, and place it in the directory $FWDIR/conf/snmpTrap/UserDefined on the Log Server. In
the file, use a switch command for the snmp_trap_to_cp_log_param_id field, so that each
case contains OID for a specific log field (OID information may be extracted from the device
MIB files, if available).
To view an example, see the file $FWDIR/conf/snmpTrap/CPdefined/realSecure.C.
2. Edit the file $FWDIR/conf/snmpTrap/UserDefined/UserDefinedSnmpDevices.C to add lines
to include the new parsing file. The value of the attribute case should be the appropriate OID
for the product. Note that the product OID should contain exactly seven numeric values,
separated by decimal points. For example:
3. To test the parsing, send SNMP trap samples to a Check Point Log Server:
a) Configure the Log Server to accept SNMP traps, as follows:
(i) On the Log Server, run the command snmpTrapToCPLog -r to register the SNMP trap
(ii) On the Log Server, run the command snmpTrapToCPLog -a [ip_addr] to add the SNMP
b) Restart the snmpTrapToCPLog process on the Log Server after any change in the parsing
file (using cpstop & cpstart or by terminating the snmpTrapToCPLog process and running
snmpTrapToCPLog again from the command line)
c) Send SNMP traps from the device itself, or from an SNMP trap generator like NuDesign
Trap Sender, available at http://www.nudesignteam.com.
4. If SmartView Tracker does not display the logs as expected, there may be specific problems
with your parsing files:
a) If there is a syntax error in the parsing files, an error message will report a failure to read
the parsing files. To read a specific error message, set the environment variable
TDERROR_ALL_SNMP value to
before running the process snmpTrapToCPLog.
b) If the SNMP traps are displayed in SmartView Tracker with 'Product snmp Trap', this
means the log was not parsed properly, and was parsed as a general SNMP trap.
c) If the Product field contains another product (not the one you have just added) this means
there is a problem with the other product parsing file. Report this to the Check Point
d) If the product is reporting correctly in the log, look for all the fields you have extracted.
Some of them will be in the Information section. Some fields may only be visible when
selecting More Columns.
Adding New Devices to Event Definitions
After creating the appropriate parsing file for the new product, the next step is to include the
product in the SmartEvent Event Policy by adding it to the Product filters of new and existing
events. This involves making changes to the SmartEvent Server database. Some of the changes
are accomplished using SmartEvent client, while others require using a CPMI client (such as
GuiDBedit or dbedit, or a specific client you can write for your own use).
Note - Manually editing the files in $FWDIR/conf is not recommended and should be
done with extreme care.
Step 1: Create an object to represent the new device in one of the following ways:
1. Using the SmartEvent client:
a) Right click any of the Event Definitions on the Policy tab and select Properties > Filter tab.
b) From the Product list section, select Add > Add Product.
c) Enter the product name as it appears in the Product field of the log.
d) Select OK.
e) Select OK again.
f) Select Cancel to exit the dialog.
2. Using another CPMI client:
a) Enter the class name: eventia_product_object and the table: eventia_products
b) Set the name and the product_displayed_name & product_name fields, for example:
:product_displayed_name ("Snort IDS")
:product_name ("Snort IDS")
The resulting object is added to the file $FWDIR/conf/sem_products.C.
Step 2: Add the device to the relevant Event Definitions:
For example, if this is an IDS / IPS reporting a 'Ping of Death' attack, use the Event Definition
Wizard to add a filter for the new product in the 'Ping of Death' Event Definition. You may also
add existing or new fields to the product filter by selecting the property Show more fields.
1. Note that Event Definitions cannot be modified, so adding a new filter requires doing one of the
• Saving the relevant Event Definitions as User Defined Events.
• Overriding this restriction by making a change to the file
$FWDIR/conf/sem_detection_policies.C. Use an editor to open the file, search for the line
abacus_detection_policy_object, and set the value :user_defined to
2. Create new Event Definitions where needed if the requested event is not covered by existing
Event Definitions. As in step 2, this is accomplished via the Event Definition Wizard. New Event
Definitions appear in the User Defined Events section of the Event Policy tree.
To move the Event Definition to another section of the tree, do the following:
a) Use a CPMI client to edit the abacus_detection_policy_object in the table
b) Edit the category field.
c) To verify that the change has been made, view the object abacus_detection_policy_object
in the file $FWDIR/conf/sem_detection_policies.C.
3. Consider adding a generic event for the new product (as in the Third Party Devices - User
Configured Events section of the Event Policy tree).
a) Create a new Event Definition based on the new product using the Event Definition Wizard.
b) Use a CPMI client to edit the abacus_detection_policy_object in the table
c) Set the property :create_exception_only for this event to
d) Modify the values of the following fields as desired:
To test the changes in the Event Definition:
1. Copy the modified files to the directory $FWDIR/conf on the SmartEvent Server.
2. Run cpstop & cpstart on the SmartEvent Server.
3. Close and reopen the SmartEvent client.
4. Assuming the Event Definitions are configured as expected, install Event Policy.
5. Send logs as described in the testing for parsing above, and see the generated events.