Communication issues with certain log servers-checkpoint-gaia,secureplatform


Vendor: checkpoint

OS: gaia,secureplatform

Description:
indeni will alert if any of the log servers a device is set to send logs to is not communicating.

Remediation Steps:
Review the possible cause for this.
Read https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk40090

How does this work?
By checking which connections the device currently has on port 257 (the Check Point log port) and comparing them with the configured log servers, it is possible to see whether the device has a connection to each log server.

Why is this important?
It is useful for logs to be sent from devices to a central log storage. If the device has lost communication with the log server, it could begin logging locally instead. Some logs may be lost and the device’s own storage may fill up.

Without Indeni how would you find this?
An administrator could log in and manually run the command (cpstat fw -f log_connection, as used by the script below) and read the per-server status.

log-server-connected

#! META
name: log-server-connected
description: Check if there is a connection to each configured log server
type: monitoring
monitoring_interval: 5 minutes
requires:
    vendor: "checkpoint"
    role-firewall: "true"
    or:
        -
            os.name: "gaia"
        -
            os.name: "secureplatform"

#! COMMENTS
log-server-communicating:
    why: |
        It is useful for logs to be sent from devices to a central log storage. If the device has lost communication with the log server, it could begin logging locally instead. Some logs may be lost and the device's own storage may fill up.
    how: |
        By checking which connections the device currently has on port 257 and comparing them with the configured log servers, it is possible to see whether the device has a connection to each log server.
    without-indeni: |
        An administrator could log in and manually run the cpstat fw -f log_connection command.
    can-with-snmp: false
    can-with-syslog: false
    vendor-provided-management: |
        There is no alert when a device has lost connection with the log server. In most cases it is only noticed when someone tries to view logs and discovers that logs from one or more devices are missing.

#! REMOTE::SSH
${nice-path} -n 15 cpstat fw -f log_connection

#! PARSER::AWK

BEGIN {
	logserverList = 0
	FS = "|"
}


#|IP            |Status|Status Description          |
/^\|IP/ {
	logserverList = 1
	next
}

#|192.168.197.30|     0|Log-Server Connected        |
#|192.168.197.31|     2|Backup Log-Server Not Active|
#|192.168.197.30|     1|Log-Server Disconnected    |
#|192.168.197.31|     0|Backup Log-Server Connected|
logserverList == 1 {
	# Do not run for lines with "---------------------"
	if (NF > 2) {
		ip = trim($2)
		status = trim($3)

		# Convert state
		if (status == 0 || status == 2) {
			state = 1
		} else {
			state = 0
		}

		logserverConnArr[ip] = state
	}
}



END {
	for (ip in logserverConnArr) {
		tags["ip"] = ip
		writeDoubleMetric("log-server-communicating", tags, "gauge", 300, logserverConnArr[ip])
	}
}

cross_vendor_log_servers_not_communicating

package com.indeni.server.rules.library.templatebased.crossvendor

import com.indeni.server.rules.RuleContext
import com.indeni.server.rules.library.{ConditionalRemediationSteps, StateDownTemplateRule}

/**
  * Cross-vendor rule built on StateDownTemplateRule. It evaluates the
  * log-server-communicating metric, which the log-server-connected script
  * writes once per configured log server (1 = communicating, 0 = not),
  * and raises "Communication issues with certain log servers" when a
  * server is reported as not communicating; historyLength = 2 means the
  * last two samples are taken into account before alerting.
  */
case class cross_vendor_log_servers_not_communicating(context: RuleContext) extends StateDownTemplateRule(context,
  ruleName = "cross_vendor_log_servers_not_communicating",
  historyLength = 2,
  ruleFriendlyName = "All Devices: Communication issues with certain log servers",
  ruleDescription = "indeni will alert if any of the log servers a device is set to send logs to is not communicating.",
  metricName = "log-server-communicating",
  applicableMetricTag = "name",
  alertItemsHeader = "Log Servers Affected",
  alertDescription = "One or more logging servers are not communicating.\n\nThis alert was added per the request of <a target=\"_blank\" href=\"http://www.linkedin.com/pub/roop-sukhavasi/3/96/b8b\">Roop Sukhavasi</a> (NYSE).",
  baseRemediationText = "Review the possible cause for this.")(
  ConditionalRemediationSteps.VENDOR_CP -> "Read https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk40090"
)
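As an added worked example (not indeni's code), the following Python mirrors the AWK parser and the Scala rule above: it parses constructed cpstat fw -f log_connection output into the same per-server state and then applies a two-sample history check in the spirit of historyLength = 2. The IPv4 filter on the first column and the exact history semantics are assumptions, not taken from the page.

```python
import re

# Constructed sample output, modelled on the cpstat fw -f log_connection table
# the AWK parser above reads (not captured from a real device).
SAMPLE_ALL_OK = """\
|IP            |Status|Status Description          |
|--------------|------|----------------------------|
|192.168.197.30|     0|Log-Server Connected        |
|192.168.197.31|     2|Backup Log-Server Not Active|
"""
SAMPLE_PRIMARY_DOWN = """\
|IP            |Status|Status Description          |
|--------------|------|----------------------------|
|192.168.197.30|     1|Log-Server Disconnected     |
|192.168.197.31|     0|Backup Log-Server Connected |
"""

# Same mapping as the parser: status 0 (connected) and 2 (backup idle) are
# healthy; anything else means the device is not talking to that server.
OK_STATUSES = {"0", "2"}
IPV4 = re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")


def parse_log_connection(output: str) -> dict:
    """Return {ip: state}, state 1 = communicating, 0 = not."""
    states, in_table = {}, False
    for line in output.splitlines():
        if line.startswith("|IP"):
            in_table = True          # header row: the table starts here
            continue
        fields = [f.strip() for f in line.split("|")]
        # Only rows whose first column is an address are servers; this also
        # skips the dashed separator row, which has as many fields as a server row.
        if in_table and len(fields) > 3 and IPV4.match(fields[1]):
            states[fields[1]] = 1 if fields[2] in OK_STATUSES else 0
    return states


def servers_down(samples: list, history_length: int = 2) -> list:
    """Servers to alert on, modelling the rule's historyLength = 2.
    Assumption (not from the page): alert only when every one of the last
    `history_length` samples shows state 0, so one missed poll stays quiet."""
    recent = samples[-history_length:]
    if len(recent) < history_length:
        return []
    return sorted(ip for ip in recent[-1]
                  if all(s.get(ip) == 0 for s in recent))
```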