How to filter and export Next Generation Firewall logs
in Security Management Center (SMC).
In this video we will take a look at the following topics:
The Logs view in the Management Client
Adding a filter by dragging and dropping
Creating a filter by selecting an existing element
Creating a filter based on a log field
Using the predefined New filter options
Adding several filters and combining them
Exporting log events
Log filtering and exporting are done in the SMC Logs view.
To access the Logs view, click the Logs button
in the Management Client.
This opens the Logs view, which shows
the logs from all the NGFW engines.
If you want to see the logs from a specific NGFW,
you can right-click the NGFW engine in question
and select Monitoring, Logs by Sender.
This opens the Logs view with that engine preselected
on the Senders tab of the Query panel.
At the top of the Query panel,
you'll see a drop-down menu,
which by default is set to Security Engine.
This shows all the NGFW engine logs.
The drop-down menu allows you to select other
types of logs, like VPN, File Filtering and Audit.
Note how the default log fields shown
differ per log type selection.
For example, audit logs show administrator actions,
so their field selection differs from traffic logs.
Audit logs are also generated mostly
by the Management Server, which is why
no entries were shown while a specific engine
was selected as the sender.
The easiest way to create a log filter is
to drag and drop a value from a log entry
to the Filter tab on the Query panel and apply the filter.
You can change the value of the filter
by right-clicking the filter and selecting Properties.
Then change the value to the one you want to filter on
and click the Apply buttons to update the filter.
The second option is to right-click the filter section
on the Filter tab of the Query panel and click Select.
This opens a new window listing all the elements
that can be added as filters.
To see, for example, all HTTPS connections,
select Services, TCP and HTTPS.
And remember to apply the filter.
To remove or disable a filter,
right-click the filter entry
and select Remove or Disable
from the contextual menu.
You can also negate a filter
by enabling the Negate row checkbox.
The Select Filter window can also
be used to select a log field to filter on.
Right-click again on the Filter tab,
choose Select and click Fields
on the Select Filter window.
You will see the log fields categorized
by log type and feature,
and can then find the exact field
you want to filter on.
As an example, let's filter logs based on the URL field.
To find the URL field, I'll click All Fields
and type url so that the type-ahead search
shows all the matching fields.
Then select the URL field and click the Select button.
To define the filter,
right-click it and select Properties.
In the Comparison options, in means an exact match,
while the two like options allow wildcard searches.
Let's find, for example, log entries
where the URL field includes the string google
by changing Comparison to like (case insensitive)
and using the search string *google*.
Then click Apply twice to get the new filter applied.
If the URL column isn't shown,
right-click one of the column titles
and choose Column Selection
from the contextual menu.
Then find the URL field under All Fields
and add it by dragging and dropping it
into the Columns to display box at the desired position.
One more way to create a filter is to choose
one of the predefined New filter selections
by right-clicking the filter box
and selecting New and then one of these options:
Situation filter is matched against
deep inspection situations.
IP address is matched against the IP address
in all log fields that hold an IP address value.
Src Addr is matched against the source IP address field.
Dst Addr against the destination IP address field.
String can be used for matching log fields
that contain character strings, like
the Information Message field.
The SMC Logs view allows adding several filters.
As an example, I will add a filter
to match all HTTPS connections
and another filter to match the two IPv4 addresses
that help.forcepoint.com resolves to.
You can also combine filters.
If I want to see all entries
where a specific IP address is in
either the source or the destination field,
I can add Src Addr and Dst Addr
filters for the address.
However, no results will be found
when I apply this filter,
because separate filter rows are joined with AND.
In other words, both the source and the destination IP
would need to be the same address
in a single log entry.
What I can do is select both filters,
right-click and select Combine Filters.
Then open the combined filter,
right-click the AND operator
and select Change to OR.
When I now apply the filter,
it matches if either the source
or the destination address is the one defined.
This is useful, for example, when troubleshooting
the reason for Not a (valid) SYN packet
log entries as those can be
generated for packets sent in either direction.
You can create very complex filters in SMC
to match exactly what you wish to see.
In this example, I have created a filter
that matches a specific IP address
in either the source or the destination address field,
where Action is either Discard or Allow
and Service is either HTTP or HTTPS.
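The AND-versus-OR behaviour of combined filters and the difference between the in and like comparisons described above are easy to misjudge when building a filter by hand. The following small Python evaluator is an added example for this transcript, not SMC code and not part of the video: it mimics those filter semantics over a handful of constructed log entries. The Field, And and Or classes, the comparison names in, like and ilike, and the sample entries are assumptions made for illustration only.

```python
"""Toy evaluator for SMC-style log filter semantics (added example).

Assumptions: a filter is a small tree of comparisons joined by AND/OR
(hypothetical Field/And/Or classes), the like comparisons use shell-style
* and ? wildcards, and a log entry is a plain dict of field -> value.
"""
from dataclasses import dataclass
from fnmatch import fnmatchcase


@dataclass(frozen=True)
class Field:
    """One filter row: compare a log field against one or more values.

    comparison: "in"    exact match against any listed value
                "like"  case-sensitive wildcard match
                "ilike" case-insensitive wildcard match
                        (the page's "like (case insensitive)")
    negate:     the Negate row checkbox; flips the result
    """
    name: str
    values: tuple
    comparison: str = "in"
    negate: bool = False

    def matches(self, entry):
        value = entry.get(self.name)
        if value is None:
            # Assumption: a field absent from the entry never matches
            # (so a negated row matches entries lacking the field).
            hit = False
        elif self.comparison == "in":
            hit = value in self.values
        elif self.comparison == "like":
            hit = any(fnmatchcase(str(value), v) for v in self.values)
        elif self.comparison == "ilike":
            hit = any(fnmatchcase(str(value).lower(), v.lower())
                      for v in self.values)
        else:
            raise ValueError(f"unknown comparison {self.comparison!r}")
        return hit != self.negate


@dataclass(frozen=True)
class And:
    children: tuple

    def matches(self, entry):
        return all(c.matches(entry) for c in self.children)


@dataclass(frozen=True)
class Or:
    children: tuple

    def matches(self, entry):
        return any(c.matches(entry) for c in self.children)


def select(filter_node, entries):
    """Return the indexes of the entries accepted by the filter tree."""
    return [i for i, e in enumerate(entries) if filter_node.matches(e)]


# Constructed sample log entries (not real SMC output).
LOGS = [
    {"Src Addr": "10.0.0.5", "Dst Addr": "203.0.113.10", "Service": "HTTPS",
     "Action": "Allow", "URL": "https://www.google.com/"},
    {"Src Addr": "203.0.113.10", "Dst Addr": "10.0.0.5", "Service": "HTTPS",
     "Action": "Discard", "Information Message": "Not a (valid) SYN packet"},
    {"Src Addr": "10.0.0.7", "Dst Addr": "203.0.113.20", "Service": "HTTP",
     "Action": "Allow", "URL": "http://example.com/Google-Ads"},
    {"Src Addr": "10.0.0.5", "Dst Addr": "203.0.113.30", "Service": "SSH",
     "Action": "Allow"},
    {"Src Addr": "10.0.0.9", "Dst Addr": "10.0.0.5", "Service": "HTTP",
     "Action": "Refuse"},
]


def src_and_dst(ip, entries=LOGS):
    """Two separate rows (Src Addr, Dst Addr) are joined with AND, so the
    same address would have to be in both fields of one entry."""
    rows = (Field("Src Addr", (ip,)), Field("Dst Addr", (ip,)))
    return select(And(rows), entries)


def src_or_dst(ip, entries=LOGS):
    """The same two rows after Combine Filters and Change to OR."""
    rows = (Field("Src Addr", (ip,)), Field("Dst Addr", (ip,)))
    return select(Or(rows), entries)


def url_like(pattern, case_insensitive=True, entries=LOGS):
    """URL field with a wildcard comparison, e.g. '*google*'."""
    cmp = "ilike" if case_insensitive else "like"
    return select(Field("URL", (pattern,), comparison=cmp), entries)


def complex_filter(ip, entries=LOGS):
    """IP in src or dst, Action Discard or Allow, Service HTTP or HTTPS."""
    tree = And((
        Or((Field("Src Addr", (ip,)), Field("Dst Addr", (ip,)))),
        Field("Action", ("Discard", "Allow")),
        Field("Service", ("HTTP", "HTTPS")),
    ))
    return select(tree, entries)


if __name__ == "__main__":
    print("src AND dst 10.0.0.5:", src_and_dst("10.0.0.5"))      # []
    print("src OR dst 10.0.0.5: ", src_or_dst("10.0.0.5"))       # [0, 1, 3, 4]
    print("URL ilike *google*:  ", url_like("*google*"))         # [0, 2]
    print("URL like *google*:   ", url_like("*google*", False))  # [0]
    print("complex filter:      ", complex_filter("10.0.0.5"))   # [0, 1]
```

Note that the case-sensitive like misses the Google-Ads entry that like (case insensitive) catches, which is exactly why the transcript picks the case-insensitive variant for the URL search; and that the two-row AND form returns nothing until the rows are combined with OR. How SMC treats a negated row on an entry that lacks the field is not stated on the page, so the behaviour above is an assumption.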
When you have filtered the log view to show
the relevant log entries and want to export them,
right-click one of the entries
and select Export, Export Log Events.
The file export format selection
includes several options you can choose from
to meet your requirements.
If you are exporting logs to provide them
to Forcepoint technical support,
select the Export Archive ZIP option.
This exports the logs to a ZIP file
in SMC's native format,
which can be viewed
with any Management Client.
In the Export selection you have the option
to include the selected logs or the filtered logs.
Then also define where the file will be saved.
The Server ('export' Directory) option
saves the log export to the Log Server's disk,
while the Local Workstation option
saves the log export to the computer
where you use the Management Client.
Once ready, click OK to start the export,
and in a few seconds
the logs should be exported to a file.
You will also see the progress
in the Task Status pane.
This concludes the video.
Thank you for watching.