LogLogic
Check Point Management Station
Log Configuration Guide
Document Release: September 2011 Part Number: LL600013-00ELS090000
© 2011 LogLogic, Inc.
Proprietary Information
This document contains proprietary and confidential information of LogLogic, Inc. and its licensors. In accordance with the license, this document may not be copied, disclosed, modified, transmitted, or translated except as permitted in writing by LogLogic, Inc.
Trademarks
LogLogic and the LogLogic logo are trademarks or registered trademarks of LogLogic, Inc. in the United States and/or foreign countries. All other company or product names are trademarks or registered trademarks of their respective owners.
Notice
The information contained in this document is subject to change at any time without notice. All warranties with respect to the software and accompanying documentation are set out exclusively in the Software License Agreement or in the Product Purchase Agreement that covers the documentation.
LogLogic, Inc.
Check Point Management Station Log Configuration Guide 3
Contents
Preface
About This Guide . . . . 5
Technical Support . . . . 5
Documentation Support . . . 5
Conventions . . . 6
Chapter 1 – Configuring Check Point Management Station and the LogLogic Appliance
Introduction to Check Point Management Station . . . 7
Prerequisites . . . 7
Configuring Check Point Management Station . . . 8
Enabling the LogLogic Appliance to Capture Log Data . . . 12
Adding a Check Point LEA Device . . . 13
Chapter 2 – How LogLogic Supports CheckPoint
How LogLogic Captures CheckPoint Data . . . 16
LogLogic Real-Time Reports . . . 16
Chapter 3 – Troubleshooting and FAQ
Troubleshooting . . . 19
Frequently Asked Questions (FAQ) . . . 19
Preface
About This Guide
The LogLogic® Appliance-based solution lets you capture and manage log data from all types of log sources in your enterprise. The LogLogic support for Check Point Management Station (and Check Point SecurePlatform™) enables LogLogic Appliances to capture audit logs from machines running Check Point Management Station.
Once the logs are captured and parsed, you can generate reports and create alerts on Check Point Management Station’s operations. For more information on creating reports and alerts, see the LogLogic User Guide and LogLogic Online Help.
Technical Support
LogLogic is committed to the success of our customers and to ensuring our products improve customers' ability to maintain secure, reliable networks. Although LogLogic products are easy to use and maintain, occasional assistance might be necessary. LogLogic provides timely and comprehensive customer support and technical assistance from highly knowledgeable, experienced engineers who can help you maximize the performance of your LogLogic Appliances. To reach LogLogic Customer Support:
Telephone: Toll Free 1-800-957-LOGS; Local 1-408-834-7480
EMEA or APAC: +44 (0) 207 1170075 or +44 (0) 8000 669970
Email: support@loglogic.com
You can also visit the LogLogic Support website at: http://www.loglogic.com/services/support. When contacting Customer Support, be prepared to provide:
Your name, email address, phone number, and fax number
Your company name and company address
Your machine type and release version
A description of the problem and the content of pertinent error messages (if any)
Documentation Support
Your feedback on LogLogic documentation is important to us. Send e-mail to DocComments@loglogic.com if you have questions or comments. Your comments will be reviewed and addressed by the LogLogic technical writing team.
Conventions
LogLogic documentation uses the following conventions to highlight code and command-line elements:
A monospace font is used for programming elements (such as code fragments, objects, methods, parameters, and HTML tags) and system elements (such as filenames, directories, paths, and URLs).
A monospace bold font is used to distinguish system prompts or screen output from user responses, as in this example:
username: system
home directory: home\app
A monospace italic font is used for placeholders, which are general names that you replace with names specific to your site, as in this example:
LogLogic_home_directory\upgrade\
Straight brackets signal options in command-line syntax. For example:
Chapter 1 – Configuring Check Point Management Station and the LogLogic Appliance
This chapter describes LogLogic’s support for Check Point Management Station. LogLogic enables you to track log data from the Check Point Management Station device in real-time or on a scheduled basis.
Introduction to Check Point Management Station . . . 7
Prerequisites . . . 7
Configuring Check Point Management Station . . . 8
Enabling the LogLogic Appliance to Capture Log Data . . . 12
Introduction to Check Point Management Station
The Check Point SecurePlatform is designed to run Check Point’s VPN-1® gateways and SmartCenter™ management servers. Check Point devices enable you to protect your entire network and maintain security for your information resources.
Note: Log Export API (LEA) is used to retrieve and export VPN-1/ FireWall-1 log data. Check Point Management Interface (CPMI) is used to provide a secure interface to the Check Point management server's databases. For more information, see the LogLogic Administration Guide.
The LogLogic Appliance enables you to capture log data and report on critical points of your Check Point solutions deployed on SecurePlatform. LogLogic provides an additional level of support by enabling you to generate reports and run searches on data to improve your ability to manage your Check Point activity.
Check Point devices are supported by LogLogic Appliances. All Check Point log data captured by the LogLogic Appliance is parsed and made available to the LogLogic Agile Reporting engine. The Agile Reporting engine provides report templates that can be run as-is or modified to create customized reports targeting specific information.
Prerequisites
Prior to configuring the Check Point Management Station and LogLogic Appliance, ensure that you meet the following prerequisites:
Configuring Check Point Management Station
This section describes how to configure a Check Point Management Station to communicate with your LogLogic Appliance.
To configure Check Point Management Station:
1. Log in to Check Point Management Station.
2. In SmartDashboard, create a host node object for the LogLogic Appliance.
Figure 1 SmartDashboard - Host Node Window
3. Create a new OPSEC Application object that uses the host object from Step 2. Select LEA as a client entity, and CPMI as well if the Appliance is to pull rule and policy information through CPMI.
Figure 2 SmartDashboard - OPSEC Application Properties > General Tab
Figure 3 SmartDashboard - OPSEC Application Properties > CPMI Permissions Tab
5. On the General tab, click Communication to initialize SIC and enter a one-time activation key. Record the OPSEC object name and this activation key: they are entered on the Appliance as the OPSEC Application Name and Activation Key when you add the LEA server, and the key is consumed once trust is established.
Figure 4 SmartDashboard - OPSEC Application Properties > Communication Window
6. Create an administrator account and connect it to the same permissions profile created in Step 4. The Appliance uses this account as the Check Point User Name and Password for its CPMI connection.
Figure 5 Administrator Properties > General Tab
Figure 6 Administrator Properties > Admin Auth Tab
Enabling the LogLogic Appliance to Capture Log Data
The following sections describe how to enable the LogLogic Appliance to capture Check Point log data.
Adding a Check Point LEA Device
To configure the LogLogic Appliance to recognize a new Check Point LEA server, add the server’s configuration information to the Appliance.
To configure the LogLogic Appliance for Check Point LEA servers:
1. Log in to the LogLogic Appliance.
2. From the navigation menu, select Management > Check Point Configuration.
3. Click Add New. The Add LEA Server tab appears.
4. Type the Name for the LEA server.
Note: LogLogic recommends using a naming convention similar to Check Point’s naming conventions.
5. Select an Agent Mode to define how the LEA server starts. The default is Automatic, which ensures that the Check Point connection is established during system boot.
6. (Optional) Type a Description for the LEA server.
7. Make sure that Enable Data Collection is set to Yes.
8. Establish Secure Internal Communication (SIC):
a. Check the Establish Secure Internal Communication checkbox.
b. Enter the Check Point server SIC IP address.
c. Enter the Activation Key for the OPSEC Application on the Check Point log source.
d. Enter the OPSEC Application Name for the application on the Check Point log source.
The OPSEC Application Name is the OPSEC object name and the Activation Key is the one-time SIC activation key. Both were defined during the Check Point configuration procedure (see To configure Check Point Management Station: on page 8). The key is used only to establish trust and is replaced by the SIC certificate; if SIC is reset on the Check Point side, a new key must be set there and entered here again.
9. Set up the SSL connection to the LEA server:
a. Check the SSL Connection to LEA Server checkbox to enable it.
b. Type the LEA IP address for the LEA server.
c. Type the LEA Port number for the LEA server. The default port number is 18184.
d. Type the LEA Server DN. This is the SIC distinguished name of the Check Point log server’s object, a name of the form cn=...,o=...; it is not a DNS domain name.
10. If the firewall and interface are on the same Check Point log source as the LEA server, configure them here. If they are on separate Check Point log sources, add this LEA server first and then use the Firewall and Interface tabs instead. For more information, see the LogLogic Administration Guide.
a. Select the appropriate Add Firewalls & Interfaces radio button:
CPMI Auto Discovery - Automatically detects any Check Point Management Interface (CPMI) log sources connected to your system.
Manual Input - Lets you manually input each CPMI log source.
c. Type the CPMI Port number. The default port number is 18190.
d. Type the Check Point User Name. This is the administrator account you created in your Check Point application; the account must exist before you can use it here.
e. Type the Check Point User Password for that administrator account.
For more information on how to create the administrator user name and password within Check Point, see To configure Check Point Management Station: on page 8.
f. Select SSL Connection to CPMI Server to enable the SSL connection to your CPMI server.
g. Type the CPMI Server DN, the SIC distinguished name of the management server (again of the form cn=...,o=..., not a DNS domain name).
Figure 7 Adding a New LEA Server
Upon completion of the initialization, the LEA Servers tab shows a successful connection for both the LEA and the CPMI devices.
Figure 8 LEA Server Information with Connection Status
Note: You can start and stop the connection by clicking the button that appears to the right of the
Chapter 2 – How LogLogic Supports CheckPoint
This chapter describes LogLogic’s support for CheckPoint. LogLogic enables you to capture CheckPoint Firewall events in syslog format.
How LogLogic Captures CheckPoint Data . . . 16
LogLogic Real-Time Reports . . . 16
How LogLogic Captures CheckPoint Data
After the Check Point device is configured, the LogLogic Appliance starts receiving the log records from every Check Point interface that generates logs. The records are processed, stored, and made available for reporting, alerting, and searching.
CheckPoint’s Open Platform for Security (OPSEC) provides a single framework for third-party products to integrate into all aspects of the secure virtual network through a combination of published application programming interfaces (APIs), industry-standard protocols and a high-level scripting language. One of the OPSEC APIs is the Log Export API (LEA), which lets applications read the VPN-1/FireWall-1 log database. The LogLogic Appliance is OPSEC certified; certification is granted only after testing for compliance with the defined OPSEC standards, so the Appliance integrates with the Check Point FireWall-1/VPN-1 software for firewall log collection without custom work. The Appliance pulls firewall rule information through the Check Point Management Interface (CPMI) and collects firewall log data through the OPSEC Log Export API (LEA) interface.
Figure 9 Check Point and LogLogic Appliance Components
Once the data is captured and parsed, it can be used for generating reports.
LogLogic Real-Time Reports
LogLogic provides preconfigured Real-Time Reports for Check Point log data. The following Real-Time Reports are available:
Check Point Policies – Displays the Check Point Policies established
User Authentication – Reports the successful and failed user login and logout events
User Last Activity – Reports the last activity users performed within the Check Point environment
VPN Access – Displays VPN connections that VPN devices either accepted or denied
VPN Sessions – Displays data about VPN sessions created on VPN devices during a specified time interval
Accepted Connections – Displays data about IP connections that were accepted by a device
Active VPN Connections – Displays data about current active sessions on various VPN devices
Application Distribution – Displays information about messages, grouped by application ports, that were accepted by a device
Denied Connections – Displays data about IP connections that were denied by a device
FTP Connections – Displays data about FTP traffic through the selected firewall device
VPN Top Lists – Displays data about top users and IP addresses and statistics
All Unparsed Events – Displays data for all events retrieved from the Check Point Firewall/VPN log for a specified time interval
Security Events – Displays data for firewall security-related events classified as security messages for a specified time interval
System Events – Displays data for system-related events retrieved from the Check Point Firewall/VPN log for a specific time interval
VPN Events – Displays all Check Point Firewall/VPN events
Web Surfing Activity – Displays web information served during a specified time interval
You can create custom reports from the existing Real-Time Report templates.
To access LMI 5.x Real-Time Reports:
1. In the top navigation pane, click Reports.
2. Click Access Control. (For Check Point Policies, click Reports > Policy Reports > Check Point Policies.)
The following Access Control Real-Time Reports are available:
User Access
User Authentication
User Last Activity
3. Click Network Activity.
The following Network Activity Real-Time Reports are available:
VPN Sessions
Web Surfing Activity
4. Click Operational.
The following Operational Real-Time Reports are available:
Chapter 3 – Troubleshooting and FAQ
This chapter contains troubleshooting regarding the configuration and/or use of log collection for CheckPoint. It also contains an FAQ, providing quick answers to common questions.
Troubleshooting . . . 19
Frequently Asked Questions (FAQ) . . . 19
Troubleshooting
Check Point events are not appearing on the LogLogic Appliance after capturing the logs via the syslog listener.
The usual cause is an incomplete Check Point configuration. In LMI 4.x go to Administration > Check Point Devices; in the LMI 5.x GUI, go to Management > Check Point Configuration. On the LEA Servers tab, both LEA Status and CPMI Status should be CONNECTED. Then check the Interfaces tab and find the interface that has the Trusted and Origin columns set to YES and Device Status set to ENABLED; that interface should appear in the Log Source Status page as the Check Point source of log collection. Also check that the Syslog Server (i.e., the LogLogic Appliance) has been defined. For more information see Configuring Check Point Management Station on page 8.
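If the LEA or CPMI status never reaches CONNECTED, the first thing to rule out is the network path between the Appliance and the Check Point server on the two OPSEC ports. The script below is an added example, not a LogLogic or Check Point tool: it probes the LEA (default 18184) and CPMI (default 18190) ports with a connect timeout and tells a refused connection (host up, nothing listening or a reset from a firewall) from a silently filtered one (timeout). Run it from a host on the same network path as the Appliance. An open port only proves reachability; the SIC activation key, OPSEC application name and server DN still have to be correct.

```python
"""Pre-flight reachability check for the OPSEC ports the Appliance connects to:
LEA (default TCP 18184) and CPMI (default TCP 18190).  Added example, not a
LogLogic or Check Point tool.  Reachability is necessary, not sufficient:
SIC still has to be established with the right activation key and DN."""
import socket

OPSEC_PORTS = {"LEA": 18184, "CPMI": 18190}   # default ports given in this guide


def probe_tcp(host, port, timeout=3.0):
    """Return (reachable, reason).  reason is 'open', 'refused' (host up but no
    listener, or a RST from a firewall), 'timeout' (silently filtered or host
    down) or the OS error text for anything else (e.g. no route)."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True, "open"
    except socket.timeout:
        return False, "timeout"
    except ConnectionRefusedError:
        return False, "refused"
    except OSError as exc:
        return False, exc.strerror or str(exc)


def check_opsec_ports(host, ports=OPSEC_PORTS, timeout=3.0):
    """Probe every named port on host; returns {name: (reachable, reason)}."""
    return {name: probe_tcp(host, port, timeout) for name, port in ports.items()}


def self_test():
    """Offline check of the probe itself: a throwaway listener on 127.0.0.1
    must read as open, and the same port must read as refused once closed."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))          # port 0 = let the OS pick a free port
    srv.listen(1)
    port = srv.getsockname()[1]
    while_open = probe_tcp("127.0.0.1", port, timeout=1.0)
    srv.close()
    after_close = probe_tcp("127.0.0.1", port, timeout=1.0)
    return while_open, after_close


if __name__ == "__main__":
    import sys
    for name, (ok, why) in check_opsec_ports(sys.argv[1]).items():
        print(f"{name:5s} {'OK' if ok else 'FAIL'} ({why})")
```

Usage: `python probe.py <SIC IP address of the Check Point server>`. If LEA reports `timeout` while CPMI is `open` (or the other way round), the gap is almost always a rule on the Check Point side or an intermediate firewall that allows one OPSEC service but not the other.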
Frequently Asked Questions (FAQ)
How does the LogLogic Appliance collect logs from Check Point?
The LogLogic Appliance pulls Check Point log records through the OPSEC Log Export API (LEA); the firewall does not push them. On the Check Point server you create an OPSEC application object that supports LEA and establish SIC with it; on the Appliance you add the matching LEA server (Management > Check Point Configuration), and the Appliance’s LEA agent then connects to the LEA port (default 18184) and reads the log database. The retrieved records are handed to the Appliance’s Syslog Listener in the syslog-style %CP: and %CP_AUDIT: format shown in Appendix A. For more information, see How LogLogic Captures CheckPoint Data on page 16.
How do I configure Syslog on Check Point?
Appendix A – Event Reference
This appendix lists the LogLogic-supported Check Point events. The LogLogic Check Point event table identifies events which can be analyzed through the LogLogic Agile Reports, together with a sample log message for each. All sample log messages were captured by LogLogic’s file pull utility.
LogLogic Support for Check Point Events
The following list describes the contents of each of the columns in the table below.
Event Type – The field values that identify the event: for firewall and VPN records the action taken in enforcing the Check Point security policy (action:), refined where needed by product:, resource:, scheme:: or sys_msgs:; for management audit records the Operation: value.
Agile/Search Reports – Defines whether the Check Point event is available through the LogLogic Agile Reporting engine or only through the search capabilities. If the event is available through the Agile Reporting engine, you can use LogLogic’s Real-Time Reports and Summary Reports to analyze and display the captured log data. All other supported events captured by the LogLogic Appliance can be viewed by performing a search for the log data.
Event Category – Audit for firewall/VPN log records (the %CP: samples) and CP Audit for management audit records (the %CP_AUDIT: samples).
Reports Appears In – LogLogic-provided reports that the event appears in.
Sample Log Message – Sample Check Point log messages converted into text (.txt) format.
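The sample messages in Table 1 all share one shape: a syslog priority and header, a %CP: or %CP_AUDIT: tag, then semicolon-separated key:value pairs, with Check Point’s double-colon form (scheme::IKE, reason::...) and values that themselves contain semicolons (__policy_id_tag, the IKE informational exchange). The following parser and triage code is an added example covering both the LEA capture described in Chapter 2 and the event types in this appendix; it is not LogLogic or Check Point code. The field conventions are inferred from the samples on this page, the event labels and the WATCH list are this example’s own, and SAMPLE_LINES are constructed input copied from the Appendix A samples with the wrapped tokens rejoined.

```python
"""Parse the syslog-wrapped Check Point records (%CP: / %CP_AUDIT:) listed in
Appendix A and run a few detections over them.  Added example, not LogLogic
or Check Point code: the field conventions (';'-separated key:value pairs,
the double-colon form scheme::IKE, values that contain ';') are inferred from
this guide's sample messages; the event labels and WATCH list are my own."""
import re
from dataclasses import dataclass

SYSLOG_RE = re.compile(  # <PRI>Mon dd hh:mm:ss host %CP: body   (or %CP_AUDIT:)
    r"^<(?P<pri>\d{1,3})>(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) %(?P<tag>CP_AUDIT|CP): (?P<body>.*)$")


@dataclass
class CPEvent:
    facility: int
    severity: int
    timestamp: str
    host: str
    tag: str      # "CP" = firewall/VPN log record, "CP_AUDIT" = management audit record
    fields: dict


def parse_body(body):
    """'key:value;key:value;' -> dict.  A piece without ':' or starting with
    whitespace continues the previous value (the ';' inside __policy_id_tag, or
    'IKE::... Peer: 409d5da2; SPI: accd87fa'); a value's leading ':' is the
    Check Point double-colon marker (scheme::IKE) and is dropped."""
    fields, last = {}, None
    for piece in body.split(";"):
        if not piece.strip():
            continue
        key, sep, value = piece.partition(":")
        if not sep or piece[0].isspace():
            if last is not None:
                fields[last] += ";" + piece
            continue
        last = key.strip()
        fields[last] = (value[1:] if value.startswith(":") else value).strip()
    return fields


def parse_cp_line(line):
    """Return a CPEvent, or None if the line is not a %CP/%CP_AUDIT record."""
    m = SYSLOG_RE.match(line.strip())
    if m is None:
        return None
    pri = int(m.group("pri"))  # syslog PRI = facility*8 + severity
    return CPEvent(pri // 8, pri % 8, m.group("ts"), m.group("host"),
                   m.group("tag"), parse_body(m.group("body")))


def classify(ev):
    """Coarse event type following the distinctions Table 1 draws."""
    f = ev.fields
    if ev.tag == "CP_AUDIT":
        op = f.get("Operation", "")
        if op == "Log In":
            return "admin_login_failure" if f.get("Audit Status") == "Failure" else "admin_login"
        if op == "Log Out":
            return "admin_logout"
        if op.endswith("SIC Certificate"):
            return "sic_certificate"
        if op in ("Install Policy", "Uninstall Policy"):
            return "policy_installation"
        return "object_manipulation" if op.endswith(" Object") else "audit_other"
    action = f.get("action", "")
    if action == "ctl":
        return "security_policy_ctl" if "security policy" in f.get("sys_msgs", "") else "system_event"
    if action in ("keyinst", "encrypt", "decrypt", "authcrypt"):
        return "vpn_" + action
    if action in ("accept", "drop", "reject"):
        if f.get("product") == "SmartDefense":
            return "smartdefense_" + action
        if action == "reject" and f.get("scheme") == "IKE":
            return "vpn_auth_reject"
        for scheme in ("http", "ftp"):
            if f.get("resource", "").startswith(scheme + "://"):
                return action + "_" + scheme
        return action
    return "unknown"


# Event types worth an alert, mapped to the field that names the actor.
WATCH = {"admin_login_failure": "Administrator", "sic_certificate": "Administrator",
         "security_policy_ctl": "orig", "smartdefense_drop": "src",
         "smartdefense_reject": "src", "vpn_auth_reject": "user"}


def triage(lines):
    """Return (event_type, host, actor, detail) for every watched record."""
    alerts = []
    for line in lines:
        ev = parse_cp_line(line)
        kind = classify(ev) if ev else None
        if kind not in WATCH:
            continue
        f = ev.fields
        detail = (f.get("Additional Info") or f.get("attack") or f.get("sys_msgs")
                  or f.get("reason") or f.get("Operation", ""))
        alerts.append((kind, ev.host, f.get(WATCH[kind], "?"), detail))
    return alerts


# Constructed sample input: lines copied from the Appendix A sample messages.
SAMPLE_LINES = [
    "<38>Dec 17 17:36:32 10.2.1.1 %CP: time:14Mar2003 14:44:30;action:accept;orig:10.2.1.1;i/f_dir:0;i/f_name:1;src:209.46.4.193;s_port:67;dst:255.255.255.255;service:68;proto:17;rule:6;packets:1;bytes:337;",
    "<38>Dec 17 17:36:32 10.2.1.1 %CP: time:20Mar2003 14:50:57;action:reject;orig:10.2.1.1;i/f_dir:0;i/f_name:1;src:24.163.248.194;s_port:50878;dst:209.46.4.250;service:6003;proto:6;rule:6;product:SmartDefense;attack:URL worm;packets:0;bytes:0;",
    "<38>Aug 10 21:07:28 209.142.21.72 %CP: time:10Aug2005 21:09:08;action:reject;orig:209.142.21.72;i/f_dir:inbound;i/f_name:daemon;alert:alert;src:209.142.21.76;dst:209.142.21.72;user:logtes;reason::Client Encryption: Unknown user;scheme::IKE;reject_category:SecureClient authentication failure;srcOutBytes:0;dstOutBytes:0;",
    "<38>Dec 17 17:36:32 10.2.1.1 %CP: time:18Mar2003 17:42:17;action:ctl;orig:10.2.1.1;i/f_dir:0;i/f_name:4;has_accounting:0;uuid:<00000000,00000000,00000000,00000000>;sys_msgs:security policy uninstalled;",
    "<38>Aug 4 13:48:12 209.142.21.72 %CP: time: 4Aug2005 12:50:22;action:keyinst;orig:209.142.21.72;i/f_dir:inbound;i/f_name:daemon;src:209.142.21.72;dst:64.157.93.162;peer gateway:Corporate;scheme::IKE;IKE::Informational Exchange Send Delete IPSEC-SA to Peer: 409d5da2; SPI: accd87fa;CookieI:efaf2bde660ff67b;CookieR:b02f0f3df5f4e745;msgid:d333691b;community:loglogic;",
    "<109>Aug 19 07:18:55 10.116.28.209 %CP_AUDIT: time:20Aug2006 2:51:49;action:accept;orig:10.116.28.209;i/f_dir:outbound;i/f_name:;has_accounting:0;product:SmartView Tracker;Operation:Log In;Administrator:Admin;Machine:LL210;Subject:Administrator Login;Audit Status:Failure;Additional Info:Administrator failed to log in: Wrong Password;Operation Number:11;lea_ip:10.116.28.209;",
    "<109>Aug 20 04:10:05 10.116.28.209 %CP_AUDIT: time:20Aug2006 23:43:00;action:accept;orig:10.116.28.209;i/f_dir:outbound;i/f_name:;has_accounting:0;product:SmartDashboard;ObjectName:cpshared_application_Sec215;ObjectType:cpshared_application;ObjectTable:applications;Operation:Initialize SIC Certificate;Administrator:Admin;Machine:LL210;Subject:SIC Certificate;Operation Number:13;lea_ip:10.116.28.209;",
]
```

Running `triage(SAMPLE_LINES)` yields five alerts: the SmartDefense reject, the IKE authentication failure for user logtes, the security policy uninstall, the failed SmartView Tracker login by Admin, and the SIC certificate initialization. The two things a naive `split(";")` / `split(":")` parser gets wrong, and which this one handles, are the double-colon keys (without the leading-colon rule, `scheme` would parse as `:IKE` and the IKE detection would miss) and values that carry their own semicolons (the IKE exchange text would otherwise be split into a bogus `SPI` key and the `__policy_id_tag` value would be chopped). Note that audit records carry `action:accept` regardless of outcome; the failed login is visible only through `Audit Status:Failure`, so detections on %CP_AUDIT: records must key on Operation and Audit Status, never on action.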
Table 1 Check Point Management Station Events Event Type Agile/
Search Reports Event Category Reports Appears In
Sample Log Message
1 “action: accept” Agile Audit Accepted
Connections, Rules/Policies, Application distribution <38>Dec 17 17:36:32 10.2.1.1 %CP: time:14Mar2003 14:44:30;action:accept;orig:10.2.1.1;i/f_dir:0;i/ f_name:1;src:209.46.4.193;s_port:67;dst:255.255.255.255;service:68;proto:17;rule: 6;packets:1;bytes:337; 2 “action: accept” and “resource: http://”
Agile Audit Accepted Connections, Rules/Policies, Application distribution, Web Surfing Activity <38>Jul 20 10:54:12 10.2.1.10 %CP: time:20Jul2004 11:39:20;action:accept;orig:10.2.1.10;i/f_dir:outbound;i/ f_name:daemon;service:21;proto:6;s_port:1187;src:209.46.4.251;rule:6;dst:10.0.0. 143;resource:ftp://10.0.0.143/qorusag ftp://10.0.0.143/ qorusagakfgfg;product:VPN-1 & FireWall-1;xlatesrc:209.46.4.251;xlatesport:1187;xlatedport:0;srcOutBytes:0;dstOut Bytes:0; 3 “action: accept “ and “resource: ftp://”
Agile Audit Accepted Connections, Rules/Policies, Application distribution, FTP Connections <38>Jul 20 10:54:12 10.2.1.10 %CP: time:20Jul2004 11:39:20;action:accept;orig:10.2.1.10;i/f_dir:outbound;i/ f_name:daemon;service:21;proto:6;s_port:1187;src:209.46.4.251;rule:6;dst:10.0.0. 143;resource:ftp://10.0.0.143/qorusag ftp://10.0.0.143/ qorusagakfgfg;product:VPN-1 & FireWall-1;xlatesrc:209.46.4.251;xlatesport:1187;xlatedport:0;srcOutBytes:0;dstOut Bytes:0;
4 “action: drop” Agile Audit Denied Connections, Rules/Policies <38>Dec 17 17:36:32 10.2.1.1 %CP: time:14Mar2003 17:37:59;action:drop;orig:10.2.1.1;i/f_dir:0;i/ f_name:1;src:202.187.12.130;s_port:61153;dst:209.46.4.250;service:137;proto:17;r ule:4; 5 “action: drop” and “product: SmartDefense”
Agile Audit Security Events <38>Jun 30 10:34:05 172.16.1.1 %CP: time:30Jun2005 10:31:45;action:drop;orig:172.16.1.1;i/f_dir:inbound;direction:2;i/
f_name:eth-s3p1c2;product:SmartDefense;__policy_id_tag:product=VPN-1 & FireWall-1[db_tag={F914CCAD-7D6F-4DE4-B409-9476CA9DEA9E};mgmt=check point-mgmt;date=1119995290;policy_name=Main];TCP flags:FIN;Attack Info:TCP flags do not make sense;attack:Bad
packet;src:172.16.0.85;s_port:49434;dst:65.29.55.56;service:2203;proto:6;srcOutB ytes:0;dstOutBytes:0;infoex:__policy_id_tag-product=VPN-1 &
FireWall-1[db_tag={F914CCAD-7D6F-4DE4-B409-9476CA9DEA9E},mgmt=check point-mgmt,date=1119995290,policy_name=Main], TCP flags-FIN, Attack Info-TCP flags do not make sense;
6 “action: drop”
and “resource: ftp://”
Agile Audit Denied Connections, Rules/ Policies,FTP Connections <38>Jul 20 10:54:12 10.2.1.1 %CP: time:20Jul2004 11:39:20;action:drop;orig:10.2.1.1;i/f_dir:0;i/ f_name:1;src:209.46.4.251;s_port:1187;dst:10.0.0.143;service:21;proto:6;rule:6;res ource:ftp://10.0.0.143/qorusag ftp://10.0.0.143/qorusagakfgfg; 7 “action: drop” and “resource: http://”
Agile Audit Denied Connections, Rules/Policies, Web Surfing Activity <38>Jul 20 10:54:06 10.2.1.10 %CP: time:20Jul2004 11:39:29;action:accept;orig:10.2.1.10;i/f_dir:outbound;direction:2;i/ f_name:eth0;product:VPN-1 & FireWall-1;src:209.46.4.253;s_port:16182;dst:10.2.1.25;service:80;proto:6;ll_rule:7; rule:4;resource:http://10.2.1.25:80/;
8 “action: reject” Agile Audit Denied
Connections, Rules/Policies
<38>Dec 17 17:36:32 10.2.1.1 %CP: time:20Mar2003 14:50:57;action:reject;orig:10.2.1.1;i/f_dir:0;i/
f_name:1;src:24.163.248.194;s_port:50878;dst:209.46.4.250;service:6003;proto:6; rule:6;message_info:X11 is not allowed through service '* any'. To enable, create an earlier rule that explicitly allows X11.;packets:0;bytes:0;
9 “action: reject”
and “product: VPN-1& FireWall-1”
Agile Audit Security Events <38>Dec 17 17:36:32 10.2.1.1 %CP: time:20Mar2003 14:50:57;action:reject;orig:10.2.1.1;i/f_dir:0;i/
Check Point Management Station Log Configuration Guide 23
10 “action: reject”
and “product: SmartDefense”
Agile Audit Security Events <38>Dec 17 17:36:32 10.2.1.1 %CP: time:20Mar2003 14:50:57;action:reject;orig:10.2.1.1;i/f_dir:0;i/ f_name:1;src:24.163.248.194;s_port:50878;dst:209.46.4.250;service:6003;proto:6; rule:6;product:SmartDefense;attack:URL worm;packets:0;bytes:0; 11 “action: reject” and “resource: ftp://”
Agile Audit Denied Connections, Rules/Policies, FTP Connections <38>Dec 17 17:36:32 10.2.1.1 %CP: time:20Mar2003 14:50:57;action:reject;orig:10.2.1.1;i/f_dir:0;i/ f_name:1;src:24.163.248.194;s_port:50878;dst:209.46.4.250;service:6003;proto:6; rule:8;resource:ftp://10.0.0.200/qorusag ftp://10.0.0.200/qorusagakfgfg; 12 “action: reject” and “resource: http://”
Agile Audit Denied Connections, Rules/Policies, Web Surfing Activity <38>Dec 17 17:36:32 10.2.1.1 %CP: time:20Mar2003 14:50:57;action:reject;orig:10.2.1.1;i/f_dir:0;i/ f_name:1;src:24.163.248.194;s_port:50878;dst:209.46.4.250;service:6003;proto:6; rule:8;resource:resource:http://10.2.1.25:80/; 13 “action: reject” and “scheme::IKE”
Agile Audit User Access, User Authentication, User Last Activity, VPN Access, VPN Events <38>Aug 10 21:07:28 209.142.21.72 %CP: time:10Aug2005 21:09:08;action:reject;orig:209.142.21.72;i/f_dir:inbound;i/ f_name:daemon;alert:alert;src:209.142.21.76;dst:209.142.21.72;user:logtes;reason ::Client Encryption: Unknown user;scheme::IKE;reject_category:SecureClient authentication failure;srcOutBytes:0;dstOutBytes:0;infoex:alert-alert, user-logtes, reason:-Client Encryption: Unknown user, scheme::IKE,
reject_category-SecureClient authentication failure;
14 “action:ctl” and
“sys_msgs:secur ity policy installed/ uninstalled”
Agile Audit Security Events <38>Dec 17 17:36:32 10.2.1.1 %CP: time:18Mar2003 17:42:17;action:ctl;orig:10.2.1.1;i/f_dir:0;i/
f_name:4;has_accounting:0;uuid:<00000000,00000000,00000000,00000000>;sys _msgs:security policy uninstalled;
15 “action:ctl” and
“sys_msgs:xxx”
Agile Audit System Events <38>Dec 17 17:36:32 209.46.4.251 %CP: time:20Mar2003 14:23:58;action:ctl;orig:209.46.4.251;i/f_dir:0;i/
f_name:4;has_accounting:0;uuid:<00000000,00000000,00000000,00000000>;sys _msgs:started sending log to localhost;
16 “action: keyinst” Agile Audit User Access,
User Authentication, User Last Activity, Active VPN Connections, VPN Events
<38>Aug 4 13:48:12 209.142.21.72 %CP: time: 4Aug2005 12:50:22;action:keyinst;orig:209.142.21.72;i/f_dir:inbound;i/ f_name:daemon;src:209.142.21.72;dst:64.157.93.162;peer
gateway:Corporate;scheme::IKE;IKE::Informational Exchange Send Delete IPSEC-SA to Peer: 409d5da2; SPI:
accd87fa;CookieI:efaf2bde660ff67b;CookieR:b02f0f3df5f4e745;msgid:d333691b;c ommunity:loglogic;srcOutBytes:0;dstOutBytes:0;infoex:peer gateway-Corporate, scheme:-IKE, IKE:-Informational Exchange Send Delete IPSEC-SA to Peer: 409d5da2, SPI: accd87fa, CookieI-efaf2bde660ff67b, CookieR-b02f0f3df5f4e745, msgid-d333691b, community-loglogic;
17 “action: keyinst”
and “IKE:: Main Mode completion”
Agile Audit User Access, User Authentication, User Last Activity, Active VPN Connections, VPN Access, VPN Sessions, VPN Top Lists, VPN Events
<38>Aug 4 13:48:12 209.142.21.72 %CP: time: 4Aug2005 12:50:22;action:keyinst;orig:209.142.21.72;i/f_dir:inbound;i/ f_name:daemon;src:209.142.21.72;dst:64.157.93.162;peer gateway:Corporate;scheme::IKE;IKE::Main Mode
completion.;CookieI:efaf2bde660ff67b;CookieR:b02f0f3df5f4e745;methods::AES-2 56 + SHA1, Pre shared
secrets;community:loglogic;srcOutBytes:0;dstOutBytes:0;infoex:peer gateway-Corporate, scheme:-IKE, IKE:-Main Mode completion.,
CookieI-efaf2bde660ff67b, CookieR-b02f0f3df5f4e745, methods:-AES-256 + SHA1, Pre shared secrets, community-loglogic;
Event Type Agile/ Search Reports Event Category Reports Appears In
18 “action: encrypt” Agile Audit Accepted Connections, User Access, User Authentication, User Last Activity, Active VPN Connections, VPN Events
<38>Aug 4 13:48:09 209.142.21.72 %CP: time: 4Aug2005 12:50:19;action:encrypt;orig:209.142.21.72;i/f_dir:inbound;i/
f_name:eth-s2p1c0;product:VPN-1 & FireWall-1;__policy_id_tag:product=VPN-1 & FireWall-1[db_tag={490048AE-050C-11DA-9207-D18E1548C2C2};mgmt=Elohim;d ate=1123176128;policy_name=Standard];ICMP:Echo Request;src:192.168.9.5;dst:172.16.0.16;proto:1;ICMP Type:8;ICMP Code:0;rule:internal;scheme::IKE;dstkeyid:0x202d75b0;methods::ESP: AES-256 + SHA1;peer gateway:Corporate;community:loglogic;srcOutBytes:0;dstOutBytes:0;infoex:__polic y_id_tag-product=VPN-1 & FireWall-1[db_tag={490048AE-050C-11DA-9207-D18E1548C2C2},mgmt=Elohim,d ate=1123176128,policy_name=Standard], ICMP-Echo Request, ICMP Type-8, ICMP Code-0, scheme:-IKE, dstkeyid-0x202d75b0, methods:-ESP: AES-256 + SHA1, peer gateway-Corporate, community-loglogic;
19 “action: decrypt” Agile Audit Accepted Connections, User Access, User Authentication, User Last Activity, Active VPN Connections, VPN Events <38>Aug 10 21:07:05 209.142.21.72 %CP: time:10Aug2005 21:08:45;action:decrypt;orig:209.142.21.72;i/f_dir:inbound;direction:2;i/
f_name:eth-s3p1c0;product:VPN-1 & FireWall-1;__policy_id_tag:product=VPN-1 & FireWall-1[db_tag={41F13884-0A1B-11DA-8613-D18E15485C5C};mgmt=Elohim;d ate=1123732314;policy_name=Standard];src:172.16.2.1;s_port:1589;dst:209.142.2 1.72;service:18234;proto:17;xlatedst:192.168.8.1;xlatesport:0;xlatedport:0;NAT_rul enum:internal;NAT_addtnl_rulenum:internal;rule:internal;message_info:Implied rule;scheme::IKE;srckeyid:0xb137e7b7;methods::ESP: 3DES + SHA1;peer gateway:209.142.21.76;vpn_user:logtest;srcOutBytes:0;dstOutBytes:0;infoex:__po licy_id_tag-product=VPN-1 &
FireWall-1[db_tag={41F13884-0A1B-11DA-8613-D18E15485C5C},mgmt=Elohim,d ate=1123732314,policy_name=Standard], NAT_rulenum-internal,
NAT_addtnl_rulenum-internal, scheme:-IKE, srckeyid-0xb137e7b7, methods:-ESP: 3DE
20 “action:
authcrypt”
Agile Audit User Access, User Authentication, User Last Activity, VPN Access, Active VPN Connections, VPN Sessions, VPN Top Lists, VPN Events <38>Aug 10 21:06:40 209.142.21.72 %CP: time:10Aug2005 21:08:20;action:authcrypt;orig:209.142.21.72;i/f_dir:inbound;i/ f_name:daemon;src:209.142.21.76;dst:209.142.21.72;user:logtest;reason::Client Encryption: Authenticated by Internal
Password;scheme::IKE;methods::AES-256,IKE,SHA1;srcOutBytes:0;dstOutBytes: 0;infoex:user-logtest, reason:-Client Encryption: Authenticated by Internal Password, scheme:-IKE, methods:-AES-256,IKE,SHA1;
21 Create Object Agile CP Audit User Access,
User Last Activity
<109>Aug 19 08:24:07 10.116.28.209 %CP_AUDIT: time:20Aug2006 3:57:02;action:accept;orig:10.116.28.209;i/f_dir:outbound;i/ f_name:;has_accounting:0;product:SmartUpdate;ObjectName:the_contracts_flags; ObjectType:contracts_flags;ObjectTable:contracts;Operation:Create Object;Uid:{240F911C-B71F-47B7-B78B-3C16533BB29F};Administrator:SmartUpd ate;Machine:localhost;Subject:Object Manipulation;Operation Number:0;lea_ip:10.116.28.209;
22 Modify Object Agile CP Audit User Access,
User Last Activity
<109>Aug 19 08:35:22 10.116.28.209 %CP_AUDIT: time:20Aug2006 4:08:16;action:accept;orig:10.116.28.209;i/f_dir:outbound;i/
f_name:;has_accounting:0;product:SmartDashboard;ObjectName:Standard;Object Type:firewall_policy;ObjectTable:fw_policies;Operation:Modify
Object;Uid:{1F52940A-B7E9-403B-8032-96C4131AEE9A};Administrator:Admin;Ma chine:LL210;FieldsChanges:Rule 2: added 'security_rule' - ;Source: Any ;Destination: Any ;VPN: Any ;Service: Any ;Action: accept;Install On: Any ; ;;Subject:Object Manipulation;Operation Number:1;lea_ip:10.116.28.209; Event Type Agile/
Search Reports Event Category Reports Appears In
Check Point Management Station Log Configuration Guide 25
23 Rename Object Agile CP Audit User Access,
User Last Activity
<109>Aug 19 08:55:16 10.116.28.209 %CP_AUDIT: time:20Aug2006 4:28:10;action:accept;orig:10.116.28.209;i/f_dir:outbound;i/
f_name:;has_accounting:0;product:SmartDashboard;ObjectName:testuser1;Object Type:user;ObjectTable:users;Operation:Rename
Object;Uid:{6FD10146-F789-4B25-B8DD-D2F15206CF29};Administrator:Admin;M achine:LL210;FieldsChanges:Object name was changed from 'testuser' to 'testuser1' ;;Subject:Object Manipulation;Operation
Number:2;lea_ip:10.116.28.209;
24 Delete Object Agile CP Auditt User Access, User Last Activity
<109>Aug 20 06:20:33 10.116.28.209 %CP_AUDIT: time:21Aug2006 1:53:24;action:accept;orig:10.116.28.209;i/f_dir:outbound;i/ f_name:;has_accounting:0;product:SmartDashboard;ObjectName:Sec215;ObjectT ype:host_ckp;ObjectTable:network_objects;Operation:Delete Object;Uid:{F4E9274E-CD71-4901-B17B-5E98D1F0DE0E};Administrator:Admin;M achine:LL210;Subject:Object Manipulation;Operation Number:3;lea_ip:10.116.28.209;
25 Install Policy Agile CP Audit User Access,
User Last Activity
<109>Aug 19 07:18:55 10.116.28.209 %CP_AUDIT: time:20Aug2006 2:51:49;action:accept;orig:10.116.28.209;i/f_dir:outbound;i/
f_name:;has_accounting:0;product:Internal;ObjectName:California_GW;ObjectTyp e:firewall_application;ObjectTable:applications;Operation:Install
Policy;Uid:{6FD10146-F789-4B25-B8DD-D2F15206CF29};Administrator:fwadmin; Machine:Client2;Subject:Policy Installation;Audit Status:Success;Additional Info:Security Policy : Standard;Operation Number:7;lea_ip:10.116.28.209;
26 Uninstall Policy Agile CP Audit User Access, User Last Activity
<109>Aug 19 07:18:55 10.116.28.209 %CP_AUDIT: time:20Aug2006 2:51:49;action:accept;orig:10.116.28.209;i/f_dir:outbound;i/
f_name:;has_accounting:0;product:Internal;ObjectName:California_GW;ObjectTyp e:firewall_application;ObjectTable:applications;Operation:Uninstall
Policy;Uid:{6FD10146-F789-4B25-B8DD-D2F15206CF29};Administrator:fwadmin; Machine:Client2;Subject:Policy Installation;Audit Status:Success;Operation Number:8;lea_ip:10.116.28.209;
27 Log In Agile CP Audit User
Authentication, User Access, User Last Activity
<109>Aug 19 06:59:37 10.116.28.209 %CP_AUDIT: time:20Aug2006 2:32:32;action:accept;orig:10.116.28.209;i/f_dir:outbound;i/
f_name:;has_accounting:0;product:CPMI Client;Operation:Log
In;Administrator:Admin;Machine:localhost;Subject:Administrator Login;Additional Info:Authentication method: Internal Password;Operation
Number:10;lea_ip:10.116.28.209;
28 Log In Agile CP Audit User
Authentication, User Access, User Last Activity
<109>Aug 19 07:18:55 10.116.28.209 %CP_AUDIT: time:20Aug2006 2:51:49;action:accept;orig:10.116.28.209;i/f_dir:outbound;i/
f_name:;has_accounting:0;product:SmartView Tracker;Operation:Log In;Administrator:Admin;Machine:LL210;Subject:Administrator Login;Audit Status:Failure;Additional Info:Administrator failed to log in: Wrong Password;Operation Number:11;lea_ip:10.116.28.209;
29  Log Out | Agile | CP Audit | User Access
    <109>Aug 19 07:18:36 10.116.28.209 %CP_AUDIT: time:20Aug2006 2:51:31;action:accept;orig:10.116.28.209;i/f_dir:outbound;i/f_name:;has_accounting:0;product:SmartView Tracker;Operation:Log Out;Administrator:Admin;Machine:LL210;Subject:Administrator Login;Operation Number:12;lea_ip:10.116.28.209;

30  Initialize SIC Certificate | Agile | CP Audit | User Access, User Last Activity
    <109>Aug 20 04:10:05 10.116.28.209 %CP_AUDIT: time:20Aug2006 23:43:00;action:accept;orig:10.116.28.209;i/f_dir:outbound;i/f_name:;has_accounting:0;product:SmartDashboard;ObjectName:cpshared_application_Sec215;ObjectType:cpshared_application;ObjectTable:applications;Operation:Initialize SIC Certificate;Administrator:Admin;Machine:LL210;Subject:SIC Certificate;Operation Number:13;lea_ip:10.116.28.209;
Event Type | Agile/Search Reports | Event Category | Reports Appears In
31  Push SIC Certificate | Agile | CP Audit | User Access, User Last Activity
    <109>Aug 20 04:10:05 10.116.28.209 %CP_AUDIT: time:20Aug2006 23:43:00;action:accept;orig:10.116.28.209;i/f_dir:outbound;i/f_name:;has_accounting:0;product:SmartDashboard;ObjectName:cpshared_application_Sec215;ObjectType:cpshared_application;ObjectTable:applications;Operation:Push SIC Certificate;Administrator:Admin;Machine:LL210;Subject:SIC Certificate;Operation Number:14;lea_ip:10.116.28.209;

32  Revoke SIC Certificate | Agile | CP Audit | User Access, User Last Activity
    <109>Aug 20 04:32:02 10.116.28.209 %CP_AUDIT: time:21Aug2006 0:04:57;action:accept;orig:10.116.28.209;i/f_dir:outbound;i/f_name:;has_accounting:0;product:SmartDashboard;ObjectName:cpshared_application_Sec215;ObjectType:cpshared_application;ObjectTable:applications;Operation:Revoke SIC Certificate;Administrator:Admin;Machine:LL210;Subject:SIC Certificate;Operation Number:15;lea_ip:10.116.28.209;
33  Initialize User Registration Key | Agile | CP Audit | User Access, User Last Activity
    <109>Aug 19 08:30:30 10.116.28.209 %CP_AUDIT: time:20Aug2006 4:03:25;action:accept;orig:10.116.28.209;i/f_dir:outbound;i/f_name:;has_accounting:0;product:SmartDashboard;ObjectName:testuser;ObjectType:user;ObjectTable:users;Operation:Initialize User Registration Key;Administrator:Admin;Machine:LL210;Subject:User Certificate;Operation Number:16;lea_ip:10.116.28.209;

34  Disable User Registration Key | Agile | CP Audit | User Access, User Last Activity
    <109>Aug 19 08:30:37 10.116.28.209 %CP_AUDIT: time:20Aug2006 4:03:32;action:accept;orig:10.116.28.209;i/f_dir:outbound;i/f_name:;has_accounting:0;product:SmartDashboard;ObjectName:testuser;ObjectType:user;ObjectTable:users;Operation:Disable User Registration Key;Administrator:Admin;Machine:LL210;Subject:User Certificate;Operation Number:17;lea_ip:10.116.28.209;
35  Generate User Certificate | Agile | CP Audit | User Access, User Last Activity
    <109>Aug 19 08:28:19 10.116.28.209 %CP_AUDIT: time:20Aug2006 4:01:14;action:accept;orig:10.116.28.209;i/f_dir:outbound;i/f_name:;has_accounting:0;product:SmartDashboard;ObjectName:testuser;ObjectType:user;ObjectTable:users;Operation:Generate User Certificate;Administrator:Admin;Machine:LL210;Subject:User Certificate;Operation Number:18;lea_ip:10.116.28.209;

36  Revoke User Certificate | Agile | CP Audit | User Access, User Last Activity
    <109>Aug 19 08:30:24 10.116.28.209 %CP_AUDIT: time:20Aug2006 4:03:19;action:accept;orig:10.116.28.209;i/f_dir:outbound;i/f_name:;has_accounting:0;product:SmartDashboard;ObjectName:testuser;ObjectType:user;ObjectTable:users;Operation:Revoke User Certificate;Administrator:Admin;Machine:LL210;Subject:User Certificate;Operation Number:19;lea_ip:10.116.28.209;
37  Force Log Out | Agile | CP Audit | User Access
    <109>Aug 20 09:38:19 10.116.28.209 %CP_AUDIT: time:21Aug2006 5:11:14;action:accept;orig:10.116.28.209;i/f_dir:outbound;i/f_name:;has_accounting:0;product:SmartView Monitor;Operation:Force Log Out;Administrator:Admin;Machine:LL210;Subject:Administrator Login;Additional Info:Disconnect administrator 'Admin' using cpmi_client;Operation Number:21;lea_ip:10.116.28.209;

38  Revert to Version | Agile | CP Audit | User Access, User Last Activity
    <109>Aug 19 08:57:47 10.116.28.209 %CP_AUDIT: time:20Aug2006 4:30:29;action:accept;orig:10.116.28.209;i/f_dir:outbound;i/f_name:;has_accounting:0;product:SmartDashboard;ObjectName:Version 1;Operation:Revert to Version;Administrator:Admin;Machine:LL210;Subject:Revision Control;Additional Info:Version Name: test;Operation Number:22;lea_ip:10.116.28.209;
39  Create Version | Agile | CP Audit | User Access, User Last Activity
    <109>Aug 19 08:55:45 10.116.28.209 %CP_AUDIT: time:20Aug2006 4:28:39;action:accept;orig:10.116.28.209;i/f_dir:outbound;i/f_name:;has_accounting:0;product:SmartDashboard;ObjectName:Version 1;Operation:Create Version;Administrator:Admin;Machine:LL210;Subject:Revision Control;Additional Info:Version Name: test;Operation Number:23;lea_ip:10.116.28.209;
40  Delete Version | Agile | CP Audit | User Access, User Last Activity
    <109>Aug 19 09:01:42 10.116.28.209 %CP_AUDIT: time:20Aug2006 4:34:37;action:accept;orig:10.116.28.209;i/f_dir:outbound;i/f_name:;has_accounting:0;product:SmartDashboard;ObjectName:Version 1;Operation:Delete Version;Administrator:Admin;Machine:LL210;Subject:Revision Control;Additional Info:Version Name: test;Operation Number:24;lea_ip:10.116.28.209;
41  Synchronize Peer | Agile | CP Audit | User Access, User Last Activity
    <109>Aug 20 04:31:46 10.116.28.209 %CP_AUDIT: time:21Aug2006 0:04:41;action:accept;orig:10.116.28.209;i/f_dir:outbound;i/f_name:;has_accounting:0;product:SmartCenter Server;ObjectName:SERVER B;Operation:Synchronize Peer;Administrator:fwadmin;Machine:Client2;Subject:Management HA;Audit Status:Success;Additional Info:Type: automatic, event: MgmtSync;Operation Number:24;lea_ip:10.116.28.209;

42  Synchronize Peer | Agile | CP Audit | User Access, User Last Activity
    <109>Aug 20 04:31:46 10.116.28.209 %CP_AUDIT: time:21Aug2006 0:04:41;action:accept;orig:10.116.28.209;i/f_dir:outbound;i/f_name:;has_accounting:0;product:SmartCenter Server;ObjectName:SERVER B;Operation:Synchronize Peer;Administrator:fwadmin;Machine:Client2;Subject:Management HA;Audit Status:Failure;Additional Info:Type: automatic, event: SCS-SYNCH. Error: Synchronization is not allowed: No license. Peer's mode: standby, status: Lagging.;Operation Number:24;lea_ip:10.116.28.209;

43  Synchronize Peer | Agile | CP Audit | User Access, User Last Activity
    <109>Aug 20 04:31:46 10.116.28.209 %CP_AUDIT: time:21Aug2006 0:04:41;action:accept;orig:10.116.28.209;i/f_dir:outbound;i/f_name:;has_accounting:0;product:SmartCenter Server;ObjectName:SERVER B;Operation:Synchronize Peer;Administrator:fwadmin;Machine:Client2;Subject:Management HA;Audit Status:Incomplete;Additional Info:Type: automatic, xxx.;Operation Number:24;lea_ip:10.116.28.209;
44  Synchronize Peer | Agile | CP Audit | User Access, User Last Activity
    <109>Aug 20 04:31:46 10.116.28.209 %CP_AUDIT: time:21Aug2006 0:04:41;action:accept;orig:10.116.28.209;i/f_dir:outbound;i/f_name:;has_accounting:0;product:SmartDashboard;ObjectName:Secondary_Management;Operation:Synchronize Peer;Administrator:fwadmin;Machine:Client2;Subject:Management HA;Audit Status:Success;Additional Info:Type: manual. ICA DB initialization.;Operation Number:24;lea_ip:10.116.28.209;

45  Synchronize Peer | Agile | CP Audit | User Access, User Last Activity
    <109>Aug 19 07:18:55 10.116.28.209 %CP_AUDIT: time:20Aug2006 2:51:49;action:accept;orig:10.116.28.209;i/f_dir:outbound;i/f_name:;has_accounting:0;product:Internal;ObjectName:Primary_Management;Operation:Synchronized By Peer;Administrator:SmartCenter Server;Machine:localhost;Subject:Management HA;Audit Status:Success;Operation Number:25;lea_ip:10.116.28.209;

46  Synchronized by Peer | Agile | CP Audit | User Access, User Last Activity
    <109>Aug 19 07:18:55 10.116.28.209 %CP_AUDIT: time:20Aug2006 2:51:49;action:accept;orig:10.116.28.209;i/f_dir:outbound;i/f_name:;has_accounting:0;product:Internal;ObjectName:Primary_Management;Operation:Synchronized By Peer;Administrator:SmartCenter Server;Machine:localhost;Subject:Management HA;Audit Status:Success;Operation Number:25;lea_ip:10.116.28.209;
47  Change to Active | Agile | CP Audit | User Access, User Last Activity
    <109>Aug 19 07:18:55 10.116.28.209 %CP_AUDIT: time:20Aug2006 2:51:49;action:accept;orig:10.116.28.209;i/f_dir:outbound;i/f_name:;has_accounting:0;product:SmartDashboard;ObjectName:Primary_Management;Operation:Change to Active;Administrator:fwadmin;Machine:Client2;Subject:Management HA;Audit Status:Success;Operation Number:26;lea_ip:10.116.28.209;
48  Change to Standby | Agile | CP Audit | User Access, User Last Activity
    <109>Aug 19 07:18:55 10.116.28.209 %CP_AUDIT: time:20Aug2006 2:51:49;action:accept;orig:10.116.28.209;i/f_dir:outbound;i/f_name:;has_accounting:0;product:SmartDashboard;ObjectName:Primary_Management;Operation:Change to Standby;Administrator:fwadmin;Machine:Client2;Subject:Management HA;Audit Status:Success;Operation Number:27;lea_ip:10.116.28.209;

49  Detect Active Server | Agile | CP Audit | User Access, User Last Activity
    <109>Aug 19 07:18:55 10.116.28.209 %CP_AUDIT: time:20Aug2006 2:51:49;action:accept;orig:10.116.28.209;i/f_dir:outbound;i/f_name:;has_accounting:0;product:Internal;Operation:Detect Active Server;Administrator:SmartCenter Server;Machine:localhost;Subject:Management HA;Audit Status:Success;Additional Info:xxx;Operation Number:28;lea_ip:10.116.28.209;

50  Detect Active Server | Agile | CP Audit | User Access, User Last Activity
    <109>Aug 19 07:18:55 10.116.28.209 %CP_AUDIT: time:20Aug2006 2:51:49;action:accept;orig:10.116.28.209;i/f_dir:outbound;i/f_name:;has_accounting:0;product:Internal;Operation:Detect Active Server;Administrator:SmartCenter Server;Machine:localhost;Subject:Management HA;Audit Status:Failure;Additional Info:Multiple active management servers detected: Secondary_Management Primary_Management;Operation Number:28;lea_ip:10.116.28.209;
51  File Stored | Agile | CP Audit | User Access, User Last Activity
    <109>Aug 19 07:18:55 10.116.28.209 %CP_AUDIT: time:20Aug2006 2:51:49;action:accept;orig:10.116.28.209;i/f_dir:outbound;i/f_name:;has_accounting:0;product:SmartView Tracker;Operation:File Stored;Administrator:Admin;Machine:LL210;session_id:Eventia Analyzer Server;Subject:File Operation;Additional Info:sd_updates;Operation Number:32;lea_ip:10.116.28.209;

52  File Retrieved | Agile | CP Audit | User Access, User Last Activity
    <109>Aug 19 07:18:55 10.116.28.209 %CP_AUDIT: time:20Aug2006 2:51:49;action:accept;orig:10.116.28.209;i/f_dir:outbound;i/f_name:;has_accounting:0;product:SmartView Tracker;Operation:File Retrieved;Administrator:Admin;Machine:LL210;Subject:File Operation;Additional Info:sd_updates;Operation Number:33;lea_ip:10.116.28.209;
53  Install Module | Agile | CP Audit | User Access, User Last Activity
    <109>Jul 13 13:54:45 10.1.100.22 %CP_AUDIT: time:13Jul2007 13:54:43;action:accept;orig:10.1.100.22;i/f_dir:outbound;i/f_name:;has_accounting:0;product:SmartUpdate;ObjectName:logexpo;Operation:Install Module;Administartor:Admin;Machine:LL215;Subject:SmartUpdate Operation;Audit Status:Success;Operation Number:34;lea_ip:10.116.28.215;

54  Install Module | Agile | CP Audit | User Access, User Last Activity
    <109>Jul 13 13:54:45 10.1.100.22 %CP_AUDIT: time:13Jul2007 13:54:43;action:accept;orig:10.1.100.22;i/f_dir:outbound;i/f_name:;has_accounting:0;product:SmartUpdate;ObjectName:logexpo;Operation:Install Module;Administartor:Admin;Machine:LL215;Subject:SmartUpdate Operation;Audit Status:Failure;Operation Number:34;lea_ip:10.116.28.215;

55  Uninstall Module | Agile | CP Audit | User Access, User Last Activity
    <109>Jul 13 13:54:45 10.1.100.22 %CP_AUDIT: time:13Jul2007 13:54:43;action:accept;orig:10.1.100.22;i/f_dir:outbound;i/f_name:;has_accounting:0;product:SmartUpdate;ObjectName:logexpo;Operation:Uninstall Module;Administartor:Admin;Machine:LL215;Subject:SmartUpdate Operation;Audit Status:Success;Operation Number:35;lea_ip:10.116.28.215;
56  Uninstall Module | Agile | CP Audit | User Access, User Last Activity
    <109>Jul 13 13:54:45 10.1.100.22 %CP_AUDIT: time:13Jul2007 13:54:43;action:accept;orig:10.1.100.22;i/f_dir:outbound;i/f_name:;has_accounting:0;product:SmartUpdate;ObjectName:logexpo;Operation:Uninstall Module;Administartor:Admin;Machine:LL215;Subject:SmartUpdate Operation;Audit Status:Failure;Operation Number:35;lea_ip:10.116.28.215;
57  Set Session Description | Agile | CP Audit | User Access, User Last Activity
    <109>Jul 13 13:54:45 10.1.100.22 %CP_AUDIT: time:13Jul2007 13:54:43;action:accept;orig:10.1.100.22;i/f_dir:outbound;i/f_name:;has_accounting:0;product:Eventia Analyzer Server;Operation:Set Session Description;Administrator:localhost;Machine:share-cpmodule1;session_id:Eventia Analyzer Server;Subject:Administrator Login;Additional Info:Eventia Analyzer Server;Operation Number:48;lea_ip:10.1.100.22;

58  Log Export | Agile | CP Audit | User Access, User Last Activity
    <109>Aug 20 06:37:32 10.116.28.209 %CP_AUDIT: time:21Aug2006 2:10:27;action:accept;orig:10.116.28.209;i/f_dir:outbound;i/f_name:;has_accounting:0;product:SmartView Tracker;Operation:Log Export;Administrator:Admin;Machine:LL210;Subject:Logging;Additional Info:Audit file 'fw.adtlog' was exported to "C:\log.txt";Operation Number:49;lea_ip:10.116.28.209;

59  Log Switch | Agile | CP Audit | User Access, User Last Activity
    <109>Aug 20 06:37:32 10.116.28.209 %CP_AUDIT: time:21Aug2006 2:10:27;action:accept;orig:10.116.28.209;i/f_dir:outbound;i/f_name:;has_accounting:0;product:SmartView Tracker;Operation:Log Switch;Administrator:Admin;Machine:LL210;Subject:Logging;Additional Info:Active log file was switched to 'xxx.log';Operation Number:50;lea_ip:10.116.28.209;
60  Log Purge | Agile | CP Audit | User Access, User Last Activity
    <109>Aug 20 06:37:32 10.116.28.209 %CP_AUDIT: time:21Aug2006 2:10:27;action:accept;orig:10.116.28.209;i/f_dir:outbound;i/f_name:;has_accounting:0;product:SmartView Tracker;Operation:Log Purge;Administrator:Admin;Machine:LL210;Subject:Logging;Additional Info:Active log file was purged;Operation Number:51;lea_ip:10.116.28.209;

61  License Violation Detected | Agile | CP Audit | User Access, User Last Activity
    <109>Aug 19 08:35:22 10.116.28.209 %CP_AUDIT: time:20Aug2006 4:08:16;action:accept;orig:10.116.28.209;i/f_dir:outbound;i/f_name:;has_accounting:0;product:SmartDashboard;ObjectName:xxx;ObjectType:xxx;ObjectTable:xxx;Operation:License Violation Detected;Uid:xxx;Administrator:Admin;Machine:LL210;sesson_id:xxx;Subject:MDS Information;Audit Status:Success;Additional Info:xxx;Operation Number:x;lea_ip:10.116.28.209;
62  Schedule Log Export | Agile | CP Audit | User Access, User Last Activity
    <109>Aug 19 08:35:22 10.116.28.209 %CP_AUDIT: time:20Aug2006 4:08:16;action:accept;orig:10.116.28.209;i/f_dir:outbound;i/f_name:;has_accounting:0;product:SmartDashboard;ObjectName:xxx;ObjectType:xxx;ObjectTable:xxx;Operation:Schedule Log Export;Uid:xxx;Administrator:Admin;Machine:LL210;sesson_id:xxx;Subject:Logging;Audit Status:Success;Additional Info:xxx;Operation Number:x;lea_ip:10.116.28.209;

63  Schedule Log Export | Agile | CP Audit | User Access, User Last Activity
    <109>Aug 19 08:35:22 10.116.28.209 %CP_AUDIT: time:20Aug2006 4:08:16;action:accept;orig:10.116.28.209;i/f_dir:outbound;i/f_name:;has_accounting:0;product:SmartDashboard;ObjectName:xxx;ObjectType:xxx;ObjectTable:xxx;Operation:Schedule Log Export;Uid:xxx;Administrator:Admin;Machine:LL210;sesson_id:xxx;Subject:Logging;Audit Status:Failure;Additional Info:xxx;Operation Number:x;lea_ip:10.116.28.209;