This procedure shows how to configure SmartEvent to read logs from an externally-managed Log Server or an external Security Management Server.
An externally managed Log Server is managed by a different Security Management Server than the one that manages the SmartEvent Server. An external Security Management Server is not the one that manages the SmartEvent Server.
This procedure is not supported when a CLM/CMA is used as the Log Server.
This procedure must be performed during a maintenance window.
Before making any changes, take a complete backup / snapshot of each involved machine.
For R80.20 and above, continue with the procedure.
Step 1 - Allow the SmartEvent Server to read logs from the external Log Server
Connect with SmartConsole to the Security Management Server that manages the external Log Server.
Create a new OPSEC Application:
Next to 'Host', create the SmartLog/SmartEvent Server object by using the 'New...' button (if this object already exists, select it). This object represents the SmartEvent Server that will read logs from this external Log Server.
Under 'Client Entities' select the 'LEA' box:
Click on the 'Communication' button and, in the popup dialog, enter the 'Activation Key' you will use for this server and press 'Initialize'. The trust state may still show as initialized but not yet established; this is expected at this stage, because trust is completed when the SmartEvent Server pulls its certificate with opsec_pull_cert in the next steps.
In the menu (top left), click on 'Install Database...' and select the objects of all involved machines.
On SmartEvent Server
Change the directory to $INDEXERDIR
From the command line, run the 'opsec_pull_cert' command. The host argument (<IP_address_of_Host>) is the IP address of the Security Management Server that manages the external Log Server, the server you connected to in Step 1, even when the Log Server itself is a separate machine that is not a Management Server. The object name is the name of the OPSEC application created in Step 1, and the activation key is the one you entered in its 'Communication' dialog. The external Log Server definition then uses the following parameters:
name - should contain the IP address of the external Log Server
log_files = all
is_local = false
certificate_file - should contain the name of the certificate file that opsec_pull_cert wrote in the previous step
sic_name_client - the DN shown in the DN text box of the OPSEC application object you created. Its CN= value is the name you gave the OPSEC application; in this example we used 'SmartEvent_server'. If the DN field is empty, run the command below and find the object in the list:
[Expert@HostName]# cpca_client lscert -kind SIC -stat Valid
sic_name_server - has the same form as 'sic_name_client', but CN= is the object name of the Log Server and O= stays the same (both certificates are issued by the same Internal CA). In our example the Log Server's name is 'cp_mgmt', so the string should be "CN=cp_mgmt,O=flow_mgmt..tp7tbr".
IMPORTANT: If the Log Server is also a Management Server or a Secondary Management Server, the SIC name that should be used is:
If you do not need events to be generated from the logs of the added Log Server, you can stop here. At this point you should be able to search for origin:<IP_of_Logserver> in SmartConsole and see logs from the external Log Server. Note that indexing may take some time before the logs appear.
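The two SIC names above are the part of this procedure that most often goes wrong: the client DN is copied from the OPSEC object, and the server DN must keep the same O= (the Internal CA that issued both certificates) with only the CN= swapped for the Log Server's object name. The following helper derives sic_name_server from sic_name_client and checks that a pair is consistent before you commit it to the configuration. It is an added example, not Check Point code or a Check Point tool; the DN values are the ones used in this article, the function names are assumptions, and it does not cover the Management Server / Secondary Management Server case mentioned in the IMPORTANT note above.

```python
"""Derive and sanity-check SIC DNs for an external Log Server entry.

Added example (not part of the Check Point procedure).  Input DNs follow
the form shown on this page, e.g. 'CN=cp_mgmt,O=flow_mgmt..tp7tbr'.
"""
import re

# One RDN: attribute type, '=', value.  Values on this page never contain
# commas, so splitting on ',' is sufficient here.
RDN_RE = re.compile(r"^([A-Za-z]+)=(.+)$")


def parse_dn(dn):
    """Split a SIC DN into an ordered list of (attribute, value) pairs."""
    parts = []
    for rdn in dn.split(","):
        m = RDN_RE.match(rdn.strip())
        if not m:
            raise ValueError(f"malformed RDN in SIC name: {rdn!r}")
        parts.append((m.group(1).upper(), m.group(2)))
    return parts


def format_dn(parts):
    """Re-join (attribute, value) pairs into the DN string form."""
    return ",".join(f"{k}={v}" for k, v in parts)


def sic_name_server(sic_name_client, log_server_object_name):
    """Build sic_name_server from sic_name_client.

    The O= component identifies the Internal CA of the managing Security
    Management Server and must be identical for both names; only the CN=
    changes, to the Log Server's object name.
    """
    parts = parse_dn(sic_name_client)
    attrs = dict(parts)
    if "CN" not in attrs or "O" not in attrs:
        raise ValueError("a SIC DN must carry both CN= and O=")
    return format_dn(
        [("CN", log_server_object_name) if k == "CN" else (k, v) for k, v in parts]
    )


def check_pair(sic_name_client, sic_name_server_dn):
    """Return a list of problems with a client/server SIC name pair.

    An empty list means the pair is consistent: same issuing CA (O=) and
    two distinct identities (CN=).  A mismatched O= means the certificate
    pulled with opsec_pull_cert and the Log Server's certificate were not
    issued by the same Management Server, and the LEA session will not
    authenticate.
    """
    client = dict(parse_dn(sic_name_client))
    server = dict(parse_dn(sic_name_server_dn))
    problems = []
    if client.get("O") != server.get("O"):
        problems.append("O= differs: names come from different Internal CAs")
    if client.get("CN") == server.get("CN"):
        problems.append("CN= identical: client and server must be distinct objects")
    return problems


if __name__ == "__main__":
    # Values from this article's example (constructed for illustration).
    client_dn = "CN=SmartEvent_server,O=flow_mgmt..tp7tbr"
    server_dn = sic_name_server(client_dn, "cp_mgmt")
    print("sic_name_client =", client_dn)
    print("sic_name_server =", server_dn)
    print("problems:", check_pair(client_dn, server_dn) or "none")
```

Run it with the DN copied from the OPSEC object and the Log Server's object name; if check_pair reports a differing O=, you pulled the certificate from the wrong Security Management Server in the opsec_pull_cert step.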
Step 2 - Allow the correlation unit to read logs and create events
On Main Security Management Server ('SMS') that manages SmartEvent Server
Connect with SmartDashboard to the Main Security Management Server ('SMS') that manages the SmartEvent Server.
Go to 'Manage' menu - click on 'Network Objects...'.
Click on the 'New...' button - select 'Check Point' - click on 'Host...'.
This object will represent the External Security Management Server / externally managed Log Server:
Assign a name to the object. We will use 'Ext_SMS'.
Assign the IPv4 address of the external Log Server.
Go to the 'Management' tab - check the box 'Logging & Status'.
Do NOT establish SIC for this object.
Click on 'OK' to create the object.
Click on 'Close' to close the 'Network Objects...' window.
Save the changes: go to 'File' menu - click on 'Save'.
On SmartEvent Server
Connect with the SmartEvent GUI to the SmartEvent Server.
Go to 'Policy' tab - expand 'General Settings' - expand 'Initial Settings' - click 'Correlation Units'.
Click on 'Add...' button - select the object that represents the External Security Management Server / externally managed Log Server - 'Ext_SMS'.
Note: The Correlation Unit will read logs from this External Security Management Server / externally managed Log Server.
Click 'Save' button.
Go to the 'Actions' menu - click 'Install Event Policy' and install policy on the Correlation Unit.
On Correlation Unit Server
Note: The Correlation Unit Server might be deployed on the same machine as the SmartEvent Server (this is the case in our example), or on a dedicated machine.
Connect to the command line and log in to Expert mode.
Important Note: With this "new" SIC rule, clients that use 'sslca' (SSL with certificate validation) will fail to connect, so this change must be made carefully. All LEA connections will then be made with 'ssl', while other LEA clients/products may still require 'sslca' (with certificate validation). If SmartEvent is the only LEA client, this "new" SIC rule is a valid solution. If there are other LEA clients (for example, other products that read logs from this Log Server over LEA), the "new" SIC rule must be modified in the following way: