topic LogExporter Regex based filtering in Firewall and Security Management https://community.checkpoint.com/t5/Firewall-and-Security-Management/LogExporter-Regex-based-filtering/m-p/146694#M72244 <P>Hi,</P><P>&nbsp;</P><P>I checked various sources of information regarding LogExporter, like&nbsp;sk122323.</P><P>Customer is running R80.40, and send logs to a SIEM.</P><P>We want to limit the amount of logs send to SIEM by use of LogExporter filtering</P><P>&nbsp;</P><P>I want to exclude all logs from internal 10.x.x.x host and networks to internal servers also with 10.x.x.x regarding dhcp and dns via filters.</P><P>Can regex be used?</P><P>&nbsp;</P><P>For DNS I think of a filter like:</P><P>&lt;filterGroup operator="and"&gt;<BR />&lt;field name="src" operator="and"&gt;<BR />&lt;value operation="neq"&gt;10."\d{3}\.\d{3}\.\d{3}"&lt;/value&gt;<BR />&lt;/field&gt;<BR />&lt;field name="dst" operator="and"&gt;<BR />&lt;value operation="neq"&gt;10."\d{3}\.\d{3}\.\d{3}"&lt;/value&gt;<BR />&lt;/field&gt;<BR />&lt;field name="port" operator="and"&gt;<BR />&lt;value operation="neq"&gt;53&lt;/value&gt;<BR />&lt;/field&gt;<BR />&lt;/filterGroup&gt;</P><P>&nbsp;</P><P>For DHCP</P><P>&lt;filterGroup operator="or"&gt;<BR />&lt;field name="port" operator="or"&gt;<BR />&lt;value operation="neq"&gt;67&lt;/value&gt;<BR />&lt;field name="port" operator="or"&gt;<BR />&lt;value operation="neq"&gt;68&lt;/value&gt;<BR />&lt;/field&gt;<BR />&lt;/filterGroup&gt;</P><P>&nbsp;</P><P>Any help is welcome.</P><P>&nbsp;</P><P>Thanks,</P><P>&nbsp;</P><P>Frans</P> Thu, 21 Apr 2022 11:17:13 GMT fransmoonen 2022-04-21T11:17:13Z LogExporter Regex based filtering https://community.checkpoint.com/t5/Firewall-and-Security-Management/LogExporter-Regex-based-filtering/m-p/146694#M72244 <P>Hi,</P><P>&nbsp;</P><P>I checked various sources of information regarding LogExporter, like&nbsp;sk122323.</P><P>Customer is running R80.40, and send logs to a SIEM.</P><P>We want to limit the amount of logs send to SIEM by use of LogExporter filtering</P><P>&nbsp;</P><P>I want to exclude all logs from internal 10.x.x.x host and networks to internal servers also with 10.x.x.x regarding dhcp and dns via filters.</P><P>Can regex be used?</P><P>&nbsp;</P><P>For DNS I think of a filter like:</P><P>&lt;filterGroup operator="and"&gt;<BR />&lt;field name="src" operator="and"&gt;<BR />&lt;value operation="neq"&gt;10."\d{3}\.\d{3}\.\d{3}"&lt;/value&gt;<BR />&lt;/field&gt;<BR />&lt;field name="dst" operator="and"&gt;<BR />&lt;value operation="neq"&gt;10."\d{3}\.\d{3}\.\d{3}"&lt;/value&gt;<BR />&lt;/field&gt;<BR />&lt;field name="port" operator="and"&gt;<BR />&lt;value operation="neq"&gt;53&lt;/value&gt;<BR />&lt;/field&gt;<BR />&lt;/filterGroup&gt;</P><P>&nbsp;</P><P>For DHCP</P><P>&lt;filterGroup operator="or"&gt;<BR />&lt;field name="port" operator="or"&gt;<BR />&lt;value operation="neq"&gt;67&lt;/value&gt;<BR />&lt;field name="port" operator="or"&gt;<BR />&lt;value operation="neq"&gt;68&lt;/value&gt;<BR />&lt;/field&gt;<BR />&lt;/filterGroup&gt;</P><P>&nbsp;</P><P>Any help is welcome.</P><P>&nbsp;</P><P>Thanks,</P><P>&nbsp;</P><P>Frans</P> Thu, 21 Apr 2022 11:17:13 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/LogExporter-Regex-based-filtering/m-p/146694#M72244 fransmoonen 2022-04-21T11:17:13Z Re: LogExporter Regex based filtering https://community.checkpoint.com/t5/Firewall-and-Security-Management/LogExporter-Regex-based-filtering/m-p/146912#M72245 <P>Pretty sure regex cannot be used and this is an RFE.<BR />Recommend reaching out to your local office with this requirement.</P> Sun, 24 Apr 2022 04:04:21 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/LogExporter-Regex-based-filtering/m-p/146912#M72245 PhoneBoy 2022-04-24T04:04:21Z