How to enable SmartEvent to read logs from external Security Management Server / externally managed Log Server using LEA
Solution

This procedure shows how to configure SmartEvent to read logs from an externally managed Log Server or an external Security Management Server.

An externally managed Log Server is managed by a different Security Management Server than the one that manages the SmartEvent Server. An external Security Management Server is not the one that manages the SmartEvent Server.

Important Notes

  • This procedure is not supported with a CLM or CMA as the Log Server.

  • This procedure must be performed during a maintenance window.

  • Before making any changes, take a complete backup / snapshot of each involved machine.

  • For any assistance, contact Check Point Support.

Example Environment

  • Main Security Management Server ('SMS') with IP address 10.0.0.1

  • SmartEvent and Correlation Unit Server with IP address 10.0.0.2

  • External Security Management Server ('Ext_SMS') with IP address 10.0.0.3

  • SmartEvent Server object is defined on Main Security Management Server ('SMS') and SIC is established between them.

Goal - enable SmartEvent (Correlation Unit) to read logs from the external Security Management Server or Log Server.

Procedure

Instructions for R80.x and higher

For R80 and R80.10, install Jumbo Hotfix Accumulator for R80.10 Take 283 or higher before performing the procedure below.

For R80.20 and above, continue with the procedure.

Step 1 - Allow SmartEvent to read logs from the external Log Server

  1. Connect with SmartConsole to the Security Management Server that manages the external Log Server.

  2. Create a new OPSEC Application:

    1. Next to 'Host', click 'New...' to create the SmartLog/SmartEvent Server object (if the object already exists, select it). This object represents the SmartEvent Server that will read logs from the external Log Server.

    2. Under 'Client Entities', select the 'LEA' checkbox.

    3. Click the 'Communication' button, enter the 'Activation Key' you will use for this server in the popup dialog, and press 'Initialize'. The trust state may show "established but not initialized"; this is expected at this stage.

    4. Click OK.

  3. In the menu (top left), click 'Install Database...' and select the objects of all involved machines.

On SmartEvent Server

  1. Change to the $INDEXERDIR directory and run 'opsec_pull_cert' with the following parameters. <IP_address_of_Host> is the IP address of the Security Management Server that manages the external Log Server (the server you connected to in step 1 of "Allow SmartEvent to read logs from the external Log Server"). When the external Log Server is not itself a Management Server, the certificate is still pulled from its Management Server, not from the Log Server.

    [Expert@HostName]# ./opsec_pull_cert -h <IP_address_of_Host> -n <OPSEC-Application-Name> -p <Activation-Key> -o <Name-of-Certificate-File>

    Note: <OPSEC-Application-Name> is the name you gave the OPSEC Application object in step 2 above.

    Example (assuming the IP address of the external Log Server is 192.168.1.1). Quote the Activation Key so the shell does not expand characters such as '$' inside it:

    [Expert@HostName]# ./opsec_pull_cert -h 192.168.1.1 -n SmartEvent_server -p 'dks$elFd' -o SmartEvent_cert.p12

    Note: this certificate is used for all Log Servers managed by the Security Management Server you pull it from, including that Management Server itself.

  2. Edit the $INDEXERDIR/log_indexer_custom_settings.conf file:

    Find the 'log_servers' parameter, which looks similar to this:

    :log_servers (
    	: (
    		:name (127.0.0.1)
    		:uuid ()
    		:log_files (all)
    		:folder ("/opt/CPsuite-R80/fw1/log")
    		:is_local (true)
    		:read_mode (FILES)
    	)
    )

    Add an entry for the external Log Server inside the 'log_servers' block, so that after the change it looks like this (the closing parenthesis of 'log_servers' must stay after the new entry):

    :log_servers (
    	: (
    		:name (127.0.0.1)
    		:uuid ()
    		:log_files (all)
    		:folder ("/opt/CPsuite-R80/fw1/log")
    		:is_local (true)
    		:read_mode (FILES)
    	)
    	: (
    		:name (192.168.1.1)
    		:log_files (all)
    		:is_local (false)
    		:certificate_file (SmartEvent_cert.p12)
    		:sic_name_client ("CN=SmartEvent_server,O=flow_mgmt..tp7tbr")
    		:sic_name_server ("CN=cp_mgmt,O=flow_mgmt..tp7tbr")
    		:read_mode (LEA)
    	)
    )


    where:

    • name - the IP address of the external Log Server

    • log_files - all

    • is_local - false

    • certificate_file - the name of the certificate file you pulled in step 1

    • sic_name_client - the DN shown in the OPSEC Application object you created; its CN= value is the name you gave that OPSEC Application ('SmartEvent_server' in this example). If the DN field is empty, run the following command on the Security Management Server that manages the external Log Server and find the object in the list:

      [Expert@HostName]# cpca_client lscert -kind SIC -stat Valid

    • sic_name_server - the same form as 'sic_name_client', but CN= is the SIC name of the Log Server; in our example the Log Server's name is 'cp_mgmt', so the string is "CN=cp_mgmt,O=flow_mgmt..tp7tbr".

    IMPORTANT: If the Log Server is also a Management Server or Secondary Management Server, the SIC name that should be used is:

    • for Primary Management Server:

      "CN=cp_mgmt,O=<Name_of_Object_of_Primary_Management>..tp7tbr"

    • for Secondary Management Server:

      "CN=cp_mgmt_<Name_of_Object_of_Secondary_Management>,O=<Name_of_Object_of_Primary_Management>..tp7tbr"

  3. Run:

    [Expert@HostName]# stopIndexer ; startIndexer

  4. If you do not need events to be generated from the logs of the added Log Server, you can stop here. At this point you should be able to search for 'origin:<IP_of_Logserver>' in SmartConsole and see logs from the external Log Server. It may take some time for the logs to be indexed before they appear.

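The configuration edit above, as an added shell example that is not part of the original Check Point article: 'add_lea_server' emits a LEA entry with the field names used on this page and splices it into the ':log_servers' block just before its closing parenthesis, and 'paren_balance' checks that the resulting set-format file still has balanced parentheses, which is the usual slip when this file is edited by hand. The sample configuration is constructed from the listing above; the IP address, certificate file name and SIC DNs are the article's example values and must be replaced with your own. Run it against a scratch copy, review the output, then copy it over $INDEXERDIR/log_indexer_custom_settings.conf before running 'stopIndexer ; startIndexer'.

```shell
#!/bin/sh
# Added example (not from the Check Point article): generate the LEA entry for
# $INDEXERDIR/log_indexer_custom_settings.conf on a scratch copy and verify the
# result. Assumes the file uses the ':key (value)' set format shown in the
# article and that the ':log_servers (' block is closed by a ')' at column 0.

# Emit one external (LEA) Log Server entry.
# $1 = Log Server IP, $2 = certificate file (in $INDEXERDIR),
# $3 = sic_name_client DN, $4 = sic_name_server DN
lea_entry() {
    printf '\t: (\n'
    printf '\t\t:name (%s)\n' "$1"
    printf '\t\t:log_files (all)\n'
    printf '\t\t:is_local (false)\n'
    printf '\t\t:certificate_file (%s)\n' "$2"
    printf '\t\t:sic_name_client ("%s")\n' "$3"
    printf '\t\t:sic_name_server ("%s")\n' "$4"
    printf '\t\t:read_mode (LEA)\n'
    printf '\t)\n'
}

# Print $1 with the entry inserted just before the ')' that closes
# ':log_servers ('. Existing entries are left untouched.
add_lea_server() {
    conf="$1"; shift
    entry=$(lea_entry "$@")
    awk -v entry="$entry" '
        /^:log_servers[ \t]*\(/ { in_ls = 1 }
        in_ls && /^\)/          { print entry; in_ls = 0 }
        { print }
    ' "$conf"
}

# Difference between '(' and ')' counts in $1; 0 means balanced.
paren_balance() {
    opens=$(tr -cd '(' < "$1" | wc -c)
    closes=$(tr -cd ')' < "$1" | wc -c)
    echo $((opens - closes))
}

# Number of entries in $1 that read via LEA.
lea_entry_count() {
    grep -c ':read_mode (LEA)' "$1" || true
}

# Constructed sample: the article's original single-entry file, written to $1.
sample_conf() {
    printf ':log_servers (\n\t: (\n\t\t:name (127.0.0.1)\n\t\t:uuid ()\n\t\t:log_files (all)\n\t\t:folder ("/opt/CPsuite-R80/fw1/log")\n\t\t:is_local (true)\n\t\t:read_mode (FILES)\n\t)\n)\n' > "$1"
}

# Demo on a scratch copy (never the live file).
demo=$(mktemp)
sample_conf "$demo"
add_lea_server "$demo" 192.168.1.1 SmartEvent_cert.p12 \
    "CN=SmartEvent_server,O=flow_mgmt..tp7tbr" \
    "CN=cp_mgmt,O=flow_mgmt..tp7tbr" > "$demo.new"
echo "paren balance: $(paren_balance "$demo.new") (0 = ok), LEA entries: $(lea_entry_count "$demo.new")"
rm -f "$demo" "$demo.new"
```

The awk insertion keys on the first line that begins with ')' after ':log_servers (', so the new entry always lands inside the block; 'paren_balance' is a coarse check (it counts every parenthesis in the file), but a non-zero result is enough reason not to restart the indexer with that file.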
Step 2 - Allow the Correlation Unit to read logs and create events

  1. On the Main Security Management Server ('SMS') that manages the SmartEvent Server

    1. Connect with SmartDashboard to the Main Security Management Server ('SMS') that manages the SmartEvent server.

    2. Go to the 'Manage' menu - click 'Network Objects...'.

    3. Click the 'New...' button - select 'Check Point' - click 'Host...'.

    4. This object will represent the External Security Management Server / externally managed Log Server:

      1. Assign a name for the object. We will use 'Ext_SMS'

      2. Assign the IPv4 address of the external Log Server (10.0.0.3 in our example).

      3. Go to the 'Management' tab - check the 'Logging & Status' box.

      4. Do NOT establish SIC for this object.

      5. Click on 'OK' to create the object.

    5. Click on 'Close' to close the 'Network Objects...' window.

    6. Save the changes: go to 'File' menu - click on 'Save'.

  2. On SmartEvent Server

    1. Connect with the SmartEvent GUI to the SmartEvent Server.

    2. Go to 'Policy' tab - expand 'General Settings' - expand 'Initial Settings' - click 'Correlation Units'.

    3. Click on 'Add...' button - select the object that represents the External Security Management Server / externally managed Log Server - 'Ext_SMS'.

      Note: Correlation Unit will read logs from this External Security Management Server / externally managed Log Server.

    4. Click 'Save' button.

    5. Go to the 'Actions' menu - click 'Install Event Policy' and install policy on the Correlation Unit.

  3. On Correlation Unit Server

    Note: Correlation Unit Server might be deployed on the same machine with SmartEvent Server (this is the case in our example), or on a dedicated machine.

    1. Connect to command line and log in to the Expert mode.

    2. Install a Check Point authentication password:

      [Expert@HostName]# fw putkey -p <Shared_Secret> <IP_Address_of_Ext_SMS>

      (Run 'cat $CPDIR/conf/fwauth.keys' to confirm the new key appears with the right IP address.)

      Notes:

      • <Shared_Secret> - is a shared password to be defined on both machines (Correlation Unit Server and External Security Management Server / externally managed Log Server)

      • <IP_Address_of_Ext_SMS> - in our example, is 10.0.0.3

    3. Stop Check Point services:

      [Expert@HostName]# cpstop

    4. Backup the current $CPDIR/conf/sic_policy.conf file:

      [Expert@HostName]# cp -v $CPDIR/conf/sic_policy.conf $CPDIR/conf/sic_policy.conf_ORIGINAL

    5. Edit the current $CPDIR/conf/sic_policy.conf file:

      [Expert@HostName]# vi $CPDIR/conf/sic_policy.conf

      In the [Outbound rules] section:

      [Outbound rules]
      # apply_to  peer(s)    port(s) service(s)   auth-method(s)
      # -------------------------------------------------------- 
      

      Modify the following SIC rules:

      1. Modify this SIC rule:

        From

        # for LC: should implement 'Loggers' hook
        ANY    ; Loggers    ;ANY; lea       ; sslca
        

        To

        # for LC: should implement 'Loggers' hook
        ANY    ; Loggers    ;ANY; lea    ; ssl, sslca
        
      2. Modify this SIC rule:

        From

        # for log_export tool and Abacus analyzer
        ANY    ; ANY        ;ANY; lea    ; sslca
        

        To

        # for log_export tool and Abacus analyzer
        ANY    ; ANY        ;ANY; lea    ; ssl, sslca
        

    Note: changes made to $CPDIR/conf/sic_policy.conf must be re-applied after an upgrade to a newer version.

  4. On External Security Management Server / externally managed Log Server

    1. Connect to command line and log in to the Expert mode.

    2. Install a Check Point authentication password:

      [Expert@HostName]# fw putkey -p <Shared_Secret> <IP_Address_of_Correlation_Unit>

      (Run 'cat $CPDIR/conf/fwauth.keys' to confirm the new key appears with the right IP address.)

      Notes:

      • <Shared_Secret> - is a shared password to be defined on both machines (External Security Management Server / externally managed Log Server and Correlation Unit Server)

      • <IP_Address_of_Correlation_Unit> - in our example, is 10.0.0.2

    3. Stop Check Point services:

      [Expert@HostName]# cpstop

    4. Backup the current $CPDIR/conf/sic_policy.conf file:

      [Expert@HostName]# cp -v $CPDIR/conf/sic_policy.conf $CPDIR/conf/sic_policy.conf_ORIGINAL

    5. Edit the current $CPDIR/conf/sic_policy.conf file:

      [Expert@HostName]# vi $CPDIR/conf/sic_policy.conf

      In the [Inbound rules] section:

      [Inbound rules]
      # apply_to  peer(s)    port(s) service(s)   auth-method(s)
      # -------------------------------------------------------- 
      

      Modify the 5th SIC rule in the 'Abacus' section:

      From
      # Abacus
      ANY    ; SEAM_analyzers, Reporting_Tool; ANY; SEAM_event   ; sslca
      ANY    ; SEAM_mgmt, Reporting_Tool     ; ANY; InstallPolicy;  sslca
      DN_mgmt, Management ; SEAM_mgmt, Reporting_Tool     ; ANY; sam  ; sslca
      DN_mgmt, MGMT_OR_MDS, Log_Server ; SEAM_mgmt, Reporting_Tool     ; ANY; cpmi ; sslca
      ANY  ; SEAM_analyzers, Reporting_Tool; ANY; lea  ; sslca
      SEAM_analyzers, Reporting_Tool	; SEAM_mgmt, Reporting_Tool	; ANY; amon ; sslca_comp, sslca
      DN_mgmt, Management; SEAM_analyzers; ANY; cpmi; sslca
      
      To
      # Abacus
      ANY    ; SEAM_analyzers, Reporting_Tool; ANY; SEAM_event   ; sslca
      ANY    ; SEAM_mgmt, Reporting_Tool     ; ANY; InstallPolicy;  sslca
      DN_mgmt, Management ; SEAM_mgmt, Reporting_Tool     ; ANY; sam  ; sslca
      DN_mgmt, MGMT_OR_MDS, Log_Server ; SEAM_mgmt, Reporting_Tool     ; ANY; cpmi ; sslca
      ANY  ; ANY ; ANY; lea  ; ssl, sslca
      SEAM_analyzers, Reporting_Tool	; SEAM_mgmt, Reporting_Tool	; ANY; amon ; sslca_comp, sslca
      DN_mgmt, Management; SEAM_analyzers; ANY; cpmi; sslca
      

      Important Note: with this "new" SIC rule, LEA clients that authenticate with 'sslca' (SSL with certificate validation) will fail to connect, so apply this change carefully. All LEA connections will now use 'ssl' (SSL using the shared secret installed with 'fw putkey', without certificate validation), while other LEA clients/products may require 'sslca'. If SmartEvent is the only LEA client, this "new" SIC rule is a valid solution. If there are other LEA clients (for example, other Log Servers), restrict the 'ssl' rule to the SmartEvent Server's SIC name and keep the 'sslca' rule for everyone else, as follows:

      From

      # Abacus
      ANY ; SEAM_analyzers, Reporting_Tool; ANY; SEAM_event ; sslca
      ANY ; SEAM_mgmt, Reporting_Tool ; ANY; InstallPolicy; sslca
      DN_mgmt, Management ; SEAM_mgmt, Reporting_Tool ; ANY; sam ; sslca
      DN_mgmt, MGMT_OR_MDS, Log_Server ; SEAM_mgmt, Reporting_Tool ; ANY; cpmi ; sslca
      ANY ; SEAM_analyzers, Reporting_Tool; ANY; lea ; sslca
      SEAM_analyzers, Reporting_Tool ; SEAM_mgmt, Reporting_Tool ; ANY; amon ; sslca_comp, sslca
      DN_mgmt, Management; SEAM_analyzers; ANY; cpmi; sslca   
          

      To

      # Abacus
      ANY ; SEAM_analyzers, Reporting_Tool; ANY; SEAM_event ; sslca
      ANY ; SEAM_mgmt, Reporting_Tool ; ANY; InstallPolicy; sslca
      DN_mgmt, Management ; SEAM_mgmt, Reporting_Tool ; ANY; sam ; sslca
      DN_mgmt, MGMT_OR_MDS, Log_Server ; SEAM_mgmt, Reporting_Tool ; ANY; cpmi ; sslca
      ANY ; <SIC name of SmartEvent Server> ; ANY; lea ; ssl
      ANY ; ANY ; ANY; lea ; sslca
      SEAM_analyzers, Reporting_Tool ; SEAM_mgmt, Reporting_Tool ; ANY; amon ; sslca_comp, sslca
      DN_mgmt, Management; SEAM_analyzers; ANY; cpmi; sslca
          
    6. Start Check Point services:

      [Expert@HostName]# cpstart

  5. On Correlation Unit Server

    Note: Correlation Unit Server might be deployed on the same machine with SmartEvent Server (this is the case in our example), or on a dedicated machine.

    1. Connect to command line and log in to the Expert mode.

    2. Start Check Point services:

      [Expert@HostName]# cpstart

    3. Check that the Correlation Unit is reading logs from External Security Management Server / externally managed Log Server:

      [Expert@HostName]# cpstat cpsead
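The sic_policy.conf change on the external server, as an added shell example that is not part of the original Check Point article. It implements the narrower variant from the Important Note above: 'restrict_lea_ssl' replaces the Abacus 'lea' rule with one 'ssl' rule for the SmartEvent Server's SIC name followed by the 'sslca' rule for every other LEA client, and 'lea_ssl_peers' audits any sic_policy.conf (the Correlation Unit's outbound copy included) for every peer that is allowed plain 'ssl' for the 'lea' service, so an 'ANY' in its output means every LEA client may authenticate without a certificate. The sample file is constructed from the Abacus and Loggers rules quoted on this page; the SIC name is the article's example and must be replaced with your own. Run it on a backup copy, check the output, and only then copy it over $CPDIR/conf/sic_policy.conf between 'cpstop' and 'cpstart'.

```shell
#!/bin/sh
# Added example (not from the Check Point article): apply the narrow LEA rule
# from the Important Note to a copy of sic_policy.conf and audit the result.
# Assumes the rule format 'apply_to ; peer(s) ; port(s) ; service(s) ; auth-method(s)'
# and the section header '[Inbound rules]' exactly as quoted in the article.

# Rewrite the inbound Abacus LEA rule in $1: 'ssl' only for the SIC name in $2,
# 'sslca' for every other LEA client. Result on stdout; the input is untouched.
restrict_lea_ssl() {
    awk -v sic="$2" '
        /^\[/ { section = $0 }
        section == "[Inbound rules]" &&
        $0 ~ /^ANY[ \t]*;[ \t]*SEAM_analyzers, Reporting_Tool[ \t]*;[ \t]*ANY[ \t]*;[ \t]*lea[ \t]*;[ \t]*sslca[ \t]*$/ {
            print "ANY ; " sic " ; ANY; lea ; ssl"
            print "ANY ; ANY ; ANY; lea ; sslca"
            next
        }
        { print }
    ' "$1"
}

# Audit $1: print the peer field of every rule whose service is 'lea' and whose
# auth-methods include plain 'ssl'. An 'ANY' here means every LEA client may
# authenticate without a certificate.
lea_ssl_peers() {
    awk -F';' '
        /^[ \t]*#/ || /^[ \t]*$/ || /^\[/ { next }
        NF >= 5 {
            svc = $4; auth = $5; peer = $2
            gsub(/[ \t]/, "", svc); gsub(/[ \t]/, "", auth)
            gsub(/^[ \t]+/, "", peer); gsub(/[ \t]+$/, "", peer)
            if (svc == "lea" && index("," auth ",", ",ssl,") > 0) print peer
        }
    ' "$1"
}

# Constructed sample: the Abacus rules quoted in the article, plus the
# outbound Loggers rule, written to $1.
sample_sic_policy() {
    cat > "$1" <<'EOF'
[Outbound rules]
# apply_to  peer(s)    port(s) service(s)   auth-method(s)
ANY    ; Loggers    ;ANY; lea       ; sslca

[Inbound rules]
# apply_to  peer(s)    port(s) service(s)   auth-method(s)
# Abacus
ANY    ; SEAM_analyzers, Reporting_Tool; ANY; SEAM_event   ; sslca
ANY    ; SEAM_mgmt, Reporting_Tool     ; ANY; InstallPolicy;  sslca
DN_mgmt, Management ; SEAM_mgmt, Reporting_Tool     ; ANY; sam  ; sslca
DN_mgmt, MGMT_OR_MDS, Log_Server ; SEAM_mgmt, Reporting_Tool     ; ANY; cpmi ; sslca
ANY  ; SEAM_analyzers, Reporting_Tool; ANY; lea  ; sslca
SEAM_analyzers, Reporting_Tool ; SEAM_mgmt, Reporting_Tool ; ANY; amon ; sslca_comp, sslca
DN_mgmt, Management; SEAM_analyzers; ANY; cpmi; sslca
EOF
}

# Demo on a scratch copy (never the live $CPDIR/conf/sic_policy.conf).
demo=$(mktemp)
sample_sic_policy "$demo"
restrict_lea_ssl "$demo" "CN=SmartEvent_server,O=flow_mgmt..tp7tbr" > "$demo.new"
echo "peers allowed plain ssl for lea:"
lea_ssl_peers "$demo.new"
rm -f "$demo" "$demo.new"
```

Rule order matters: the SIC-name 'ssl' rule is printed before the 'ANY ... sslca' rule, matching the order shown in the Important Note. The audit is a cheap regression check worth re-running after any upgrade, since upgrades restore the shipped sic_policy.conf and drop these edits.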

 

Applies To:
  • This article replaces sk72980
