Log Exporter filter for VPN logins

azientak — Mon, 22 Feb 2021 23:17:52 GMT

Hi Experts,

I have a customer that would like to create a filter using log exporter to export all Mobile access Logins to a syslog server on a SIEM platform.

Currently we have tried this filter, however it does not catch logins:

<filters>
<filterGroup operator="and">
<field name="action" operator="or”>
</field>
<field name="origin" operator="and">
</field>
<field name="product" operator="or">
<value operation="eq">Mobile Access</value>
</field>
<field name="user" operator="and">
</field>
<field name="source" operator="and">
</field>
</filterGroup>
</filters>

Can anyone assist with a filter that can catch mobile access connections/logins?

Re: Log Exporter filter for VPN logins

RS_Daniel — Mon, 27 Sep 2021 18:40:20 GMT

Hello,

In case you did not find a way to catch these logs, i put here how we did it.

Created a mappingConfiguration file defining a couple fields that appear only on our vpn login logs and defined both fields as requiered, in this way only logs that contain these two fields are exported. You do not need to change "exportAllFields" setting, leave it as true, in this way all the information inside these logs will be sent. Do not forget to reference this mapping file on "<mappingConfiguration>" setting. We used fields "os_name" and "session_uid", xml file looked like this, you can use as many as you want if need to be more specific.

<?xml version="1.0" encoding="utf-8"?>
<fields>
<field>
<origName>os_name</origName>
<exported>true</exported>
<required>true</required>
</field>
<field>
<origName>session_uid</origName>
<exported>true</exported>
<required>true</required>
</field>
</fields>‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍

topic Re: Log Exporter filter for VPN logins in General Topics

Log Exporter filter for VPN logins

Re: Log Exporter filter for VPN logins