https://community.checkpoint.com/t5/General-Topics/Action-Field-in-IPS-Logs-via-Log-Exporter/m-p/139090#M24766 <P>Thanks for the reply.. where can i find this table which you referred to ?&nbsp;</P> Fri, 21 Jan 2022 13:24:48 GMT LostBoY 2022-01-21T13:24:48Z https://community.checkpoint.com/t5/General-Topics/Action-Field-in-IPS-Logs-via-Log-Exporter/m-p/138332#M24648 <P>I have integrated my R80.40 Mgmt Server with Datadog SIEM.. in the IPS logs few key fields are missing such as Destination and Action.. i understand Destination field is not present by design as described in sk<SPAN>sk136672.</SPAN></P><P>However.. i am not sure if this is the case for "Action" field as well..&nbsp; i am exporting raw logs via log exporter..</P><P>is there any specific setting to be enabled to get Action field or is this also a product limitation.</P><P>&nbsp;</P><P>Thanks</P> Thu, 13 Jan 2022 09:58:11 GMT https://community.checkpoint.com/t5/General-Topics/Action-Field-in-IPS-Logs-via-Log-Exporter/m-p/138332#M24648 LostBoY 2022-01-13T09:58:11Z https://community.checkpoint.com/t5/General-Topics/Action-Field-in-IPS-Logs-via-Log-Exporter/m-p/138336#M24649 <P><SPAN>The&nbsp;<A class="cp_link sc_ellipsis" href="https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&amp;solutionid=sk122323&amp;partition=Basic&amp;product=SmartEvent" target="_blank">sk122323: <STRONG>Log</STRONG> <STRONG>Exporter</STRONG> - Check Point <STRONG>Log</STRONG> Export</A>&nbsp;suggests: For information on Check Point's Log Fields Mapping, refer to </SPAN><A href="https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&amp;solutionid=sk144192" target="_blank" rel="noopener">sk144192</A><SPAN>. Here we can find the action field listed for <STRONG>Common Fields</STRONG> exported:</SPAN></P> <TABLE id="Unique_IDTable" class="footnote" border="1" cellspacing="2" cellpadding="4"> <TBODY> <TR> <TD>rule_action</TD> <TD>Action</TD> <TD>string&nbsp;</TD> <TD>Action of the matched rule in the access policy</TD> </TR> </TBODY> </TABLE> <P>&nbsp;</P> <P>Also for the blades&nbsp;<STRONG>Threat&nbsp;Extraction - Security Gateway &amp; SandBlast Agent&nbsp;</STRONG>and&nbsp;<STRONG>Unified Policy (VPN-1 &amp; FireWall-1) -&nbsp;Security Gateway:</STRONG></P> <TABLE id="Unique_IDTable" class="footnote" border="1" cellspacing="2" cellpadding="4"> <TBODY> <TR> <TD>action</TD> <TD>Action</TD> <TD>int</TD> <TD> <P>Action of matched rule<BR />Possible values:<BR />0 - Drop<BR />1 - Reject<BR />2 - Accept<BR />3 - Encrypt<BR />4 - Decrypt<BR />17 - Authorize<BR />18 - Deauthorize<BR />30 - Bypass<BR />33 - Block<BR />34 - Detect<BR />39 - Do not send<BR />43 - Allow<BR />46 - Ask User<BR />61 - Extract<BR /><BR />Note: This field is not mandatory to every log&nbsp;</P> </TD> <TD>&nbsp;</TD> </TR> </TBODY> </TABLE> <P>&nbsp;</P> <P>But there is no action field listed for Blade&nbsp;<STRONG>IPS&nbsp;</STRONG><STRONG><SPAN>&nbsp;</SPAN>(SmartDefense) -&nbsp;Security Gateway !</STRONG></P> Thu, 13 Jan 2022 10:45:17 GMT https://community.checkpoint.com/t5/General-Topics/Action-Field-in-IPS-Logs-via-Log-Exporter/m-p/138336#M24649 G_W_Albrecht 2022-01-13T10:45:17Z https://community.checkpoint.com/t5/General-Topics/Action-Field-in-IPS-Logs-via-Log-Exporter/m-p/139090#M24766 <P>Thanks for the reply.. where can i find this table which you referred to ?&nbsp;</P> Fri, 21 Jan 2022 13:24:48 GMT https://community.checkpoint.com/t5/General-Topics/Action-Field-in-IPS-Logs-via-Log-Exporter/m-p/139090#M24766 LostBoY 2022-01-21T13:24:48Z