https://community.checkpoint.com/t5/Chinese-%E4%B8%AD%E6%96%87/Logs-Exporter%E6%AD%A3%E5%BC%8F%E6%8E%A8%E5%87%BA-%E5%88%A5%E5%86%8D%E7%85%A9%E6%83%B1log%E5%8C%AF%E5%87%BA%E5%95%8F%E9%A1%8C/m-p/36737#M361 <HTML><HEAD></HEAD><BODY><DIV class="" style="color: #212121; background-color: #ffffff; font-size: 0px; padding-top: 20px;"><PRE class="" data-fulltext="" data-placeholder="Translation" dir="ltr" style="color: #212121 !important; background-color: transparent; border: none; font-weight: normal !important; font-size: 16px !important; padding: 0px 0.14em 0px 0px;"><PRE class="" data-fulltext="" data-placeholder="Translation" dir="ltr" style="border: none; font-size: 25px !important; padding: 0px 0.14em 0px 0px;"><SPAN lang="zh-TW">大家好<BR /></SPAN>請原諒我可憐的中國人 - 我把一切都歸咎於谷歌翻譯 :smileyhappy:<BR />在一些elg文件中，每隔一行顯示為空的原因是elg文件報告兩個日誌文件。一行用於常規日誌，另一行用於審計日誌。<BR />每次重新啟動過程時，這些數字都會重置。<BR />因此，如果您最近剛剛啟動該流程並且未進行任何更改或安裝策略，則第二行將顯示零計數。<BR /><SPAN lang="zh-TW">P.P.S 我發現使用帶有-A -s0的tcpdump可以獲得更好的可讀性。它在ASCI而不是Hex中顯示它，它為您提供完整的日誌（-s0）。</SPAN></PRE><SPAN lang="zh-TW"><BR />Hello Everyone,<BR />Please forgive my poor Chinese - I blame everything on Google Translate :smileyhappy:<BR />The reason why every other line appears empty in some elg files is that the elg file reports on two log files. One line is for the regular logs, and the other is for the audit logs.<BR />These numbers reset every time you restart the process.<BR />So if you just started the process recently and haven't done any changes or installed policy, the second line will show a count of zero.<BR /><BR />P.S.<BR />Please let me know if my Chinese made any sense at all, or if it was gibberish. This is an interesting experiment :smileyhappy:<BR /><BR />P.P.S<BR />I find that using tcpdump with -A -s0 gives a better more readable result. It shows it in ASCI instead of Hex and it gives you the full log (-s0).<BR /><BR /></SPAN><BLOCKQUOTE class="jive_macro_quote jive-quote jive_text_macro"><SPAN lang="zh-TW">[Expert@MDS-72:0]# tcpdump -A -s0 -ni eth0 port 5149<BR />tcpdump: verbose output suppressed, use -v or -vv for full protocol decode<BR />listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes<BR />17:48:36.836712 IP 192.168.32.72.36282 &gt; 1.1.1.1.5149: UDP, length 861<BR />E..y..@.@.T... H.........e'ZCEF:0|Check Point|VPN-1 &amp; FireWall-1|Check Point|Log|Accept|Unknown|start=1534344619 cef_src=10.32.91.190 cef_dst=111.221.29.254 layer_name=Network layer_name=Application match_id=2 match_id=16777219 parent_rule=0 parent_rule=0 rule_action=Accept rule_action=Accept rule_name=Network_Rule_One rule_name=Appi_Cleanup rule rule_uid=51419c04-5fc4-4263-8cca-e5d14f2dcf56 rule_uid=5440fb90-dd92-4e6a-8191-8957c279f3a9 action=Accept flags=840704 ifdir=outbound logid=0 loguid={0x5b743d92,0x0,0x5b20a8c0,0xc0000001} origin=192.168.32.91 originsicname=CN\=GW91,O\=Domain2_Server..cuggd3 sequencenum=7 version=5 __policy_id_tag=product\=VPN-1 &amp; FireWall-1[db_tag\={956DEC09-D89D-6C44-B44D-E8288E72D0EE};mgmt\=Domain2_Server;date\=1534058337;policy_name\=Standard] hll_key=1394967949574862819 product=VPN-1 &amp; FireWall-1 proto=6 s_port=64673 service=443 service_id=https <BR /></SPAN></BLOCKQUOTE><SPAN lang="zh-TW"><BR />(I'm not sure why the forum is adding the sideways scroll bar)<BR /><BR />HTH<BR /> Yonatan </SPAN></PRE><P><SPAN lang="zh-TW"></SPAN></P><P><SPAN lang="zh-TW">So if you just started the process recently and haven't done any changes or installed policy, the second line will show a count of zero.</SPAN></P><P><SPAN lang="zh-TW"></SPAN></P><P><SPAN lang="zh-TW"></SPAN></P><PRE class="" lang="zh-TW" style="color: #212121 !important; background-color: transparent; border: none; font-weight: normal !important; font-size: 16px !important; padding: 0px 0.14em 0px 0px;"></PRE></DIV><DIV class="" style="color: #545454 !important; background-color: #ffffff; font-size: 0px; margin-top: 5px;"> </DIV></BODY></HTML> Wed, 15 Aug 2018 14:44:25 GMT Yonatan_Philip 2018-08-15T14:44:25Z https://community.checkpoint.com/t5/Chinese-%E4%B8%AD%E6%96%87/Logs-Exporter%E6%AD%A3%E5%BC%8F%E6%8E%A8%E5%87%BA-%E5%88%A5%E5%86%8D%E7%85%A9%E6%83%B1log%E5%8C%AF%E5%87%BA%E5%95%8F%E9%A1%8C/m-p/36716#M340 <HTML><HEAD></HEAD><BODY><P><SPAN style="font-size: 15px; font-family: arial, helvetica, sans-serif; color: #000000;">在R80.10/R77.30版本已經開始支援Logs Exporter功能，可以更加方便安全地將CP log匯出與第三方的SIEM/Log management進行整合。</SPAN></P><P></P><P><SPAN style="font-size: 15px; font-family: arial, helvetica, sans-serif; color: #000000;">Logs Exporter需基於R80.10 JFA take56/R77.30 JFA take292以上版本才能安裝，並支援幾種目前客戶端常見的SIEM產品包括ArcSight, Splunk,&nbsp;<SPAN style="background-color: #ffffff;">QRadar, RSA等。</SPAN></SPAN></P><P></P><P><SPAN style="background-color: #ffffff; color: #000000; font-size: 15px; font-family: arial, helvetica, sans-serif;">相關內容請參考<A href="https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&amp;solutionid=sk122323" style="color: #000000;">sk122323&nbsp;Logs Exporter - Check Point Logs Export</A></SPAN></P></BODY></HTML> Tue, 20 Mar 2018 15:18:53 GMT https://community.checkpoint.com/t5/Chinese-%E4%B8%AD%E6%96%87/Logs-Exporter%E6%AD%A3%E5%BC%8F%E6%8E%A8%E5%87%BA-%E5%88%A5%E5%86%8D%E7%85%A9%E6%83%B1log%E5%8C%AF%E5%87%BA%E5%95%8F%E9%A1%8C/m-p/36716#M340 Danny_Yang 2018-03-20T15:18:53Z https://community.checkpoint.com/t5/Chinese-%E4%B8%AD%E6%96%87/Logs-Exporter%E6%AD%A3%E5%BC%8F%E6%8E%A8%E5%87%BA-%E5%88%A5%E5%86%8D%E7%85%A9%E6%83%B1log%E5%8C%AF%E5%87%BA%E5%95%8F%E9%A1%8C/m-p/36717#M341 <HTML><HEAD></HEAD><BODY><P>歡迎各位多加利用並分享此工具的實務使用經驗喔!</P></BODY></HTML> Tue, 20 Mar 2018 15:26:45 GMT https://community.checkpoint.com/t5/Chinese-%E4%B8%AD%E6%96%87/Logs-Exporter%E6%AD%A3%E5%BC%8F%E6%8E%A8%E5%87%BA-%E5%88%A5%E5%86%8D%E7%85%A9%E6%83%B1log%E5%8C%AF%E5%87%BA%E5%95%8F%E9%A1%8C/m-p/36717#M341 Danny_Yang 2018-03-20T15:26:45Z https://community.checkpoint.com/t5/Chinese-%E4%B8%AD%E6%96%87/Logs-Exporter%E6%AD%A3%E5%BC%8F%E6%8E%A8%E5%87%BA-%E5%88%A5%E5%86%8D%E7%85%A9%E6%83%B1log%E5%8C%AF%E5%87%BA%E5%95%8F%E9%A1%8C/m-p/36718#M342 <HTML><HEAD></HEAD><BODY><P>才在想說要來CheckMates 跟大家說這個消息</P><P>原來Danny已經發佈了</P><P>還是原廠的訊息來的快來的準確...</P></BODY></HTML> Wed, 21 Mar 2018 14:54:15 GMT https://community.checkpoint.com/t5/Chinese-%E4%B8%AD%E6%96%87/Logs-Exporter%E6%AD%A3%E5%BC%8F%E6%8E%A8%E5%87%BA-%E5%88%A5%E5%86%8D%E7%85%A9%E6%83%B1log%E5%8C%AF%E5%87%BA%E5%95%8F%E9%A1%8C/m-p/36718#M342 RickLin 2018-03-21T14:54:15Z https://community.checkpoint.com/t5/Chinese-%E4%B8%AD%E6%96%87/Logs-Exporter%E6%AD%A3%E5%BC%8F%E6%8E%A8%E5%87%BA-%E5%88%A5%E5%86%8D%E7%85%A9%E6%83%B1log%E5%8C%AF%E5%87%BA%E5%95%8F%E9%A1%8C/m-p/36719#M343 <HTML><HEAD></HEAD><BODY><P><IMG alt="cp_log_export_real_sample" class="image-1 jive-image j-img-original" src="https://community.checkpoint.com/legacyfs/online/checkpoint/63994_cp_log_export_example.jpg" style="width: 620px; height: 230px;" /></P></BODY></HTML> Wed, 21 Mar 2018 16:38:58 GMT https://community.checkpoint.com/t5/Chinese-%E4%B8%AD%E6%96%87/Logs-Exporter%E6%AD%A3%E5%BC%8F%E6%8E%A8%E5%87%BA-%E5%88%A5%E5%86%8D%E7%85%A9%E6%83%B1log%E5%8C%AF%E5%87%BA%E5%95%8F%E9%A1%8C/m-p/36719#M343 RickLin 2018-03-21T16:38:58Z https://community.checkpoint.com/t5/Chinese-%E4%B8%AD%E6%96%87/Logs-Exporter%E6%AD%A3%E5%BC%8F%E6%8E%A8%E5%87%BA-%E5%88%A5%E5%86%8D%E7%85%A9%E6%83%B1log%E5%8C%AF%E5%87%BA%E5%95%8F%E9%A1%8C/m-p/36720#M344 <HTML><HEAD></HEAD><BODY><P>不出所料，Rick還是走在我們最前端的民間大神，才剛出就已經實際上線了，實在威猛!</P><P>期待您分享進一步的應用經驗。</P></BODY></HTML> Thu, 22 Mar 2018 01:14:05 GMT https://community.checkpoint.com/t5/Chinese-%E4%B8%AD%E6%96%87/Logs-Exporter%E6%AD%A3%E5%BC%8F%E6%8E%A8%E5%87%BA-%E5%88%A5%E5%86%8D%E7%85%A9%E6%83%B1log%E5%8C%AF%E5%87%BA%E5%95%8F%E9%A1%8C/m-p/36720#M344 Danny_Yang 2018-03-22T01:14:05Z https://community.checkpoint.com/t5/Chinese-%E4%B8%AD%E6%96%87/Logs-Exporter%E6%AD%A3%E5%BC%8F%E6%8E%A8%E5%87%BA-%E5%88%A5%E5%86%8D%E7%85%A9%E6%83%B1log%E5%8C%AF%E5%87%BA%E5%95%8F%E9%A1%8C/m-p/36721#M345 <HTML><HEAD></HEAD><BODY><P>Rick:</P><P>雖然它是Multi thread process,但還是需要看一下吃多少負載,你是在客戶端還是自己的LAB環境執行?</P></BODY></HTML> Thu, 22 Mar 2018 03:11:08 GMT https://community.checkpoint.com/t5/Chinese-%E4%B8%AD%E6%96%87/Logs-Exporter%E6%AD%A3%E5%BC%8F%E6%8E%A8%E5%87%BA-%E5%88%A5%E5%86%8D%E7%85%A9%E6%83%B1log%E5%8C%AF%E5%87%BA%E5%95%8F%E9%A1%8C/m-p/36721#M345 Neville_Kuo 2018-03-22T03:11:08Z https://community.checkpoint.com/t5/Chinese-%E4%B8%AD%E6%96%87/Logs-Exporter%E6%AD%A3%E5%BC%8F%E6%8E%A8%E5%87%BA-%E5%88%A5%E5%86%8D%E7%85%A9%E6%83%B1log%E5%8C%AF%E5%87%BA%E5%95%8F%E9%A1%8C/m-p/36722#M346 <HTML><HEAD></HEAD><BODY><P><IMG alt="" class="image-1 jive-image j-img-original" src="https://community.checkpoint.com/legacyfs/online/checkpoint/64003_log_exporter_loading.jpg" style="width: 620px; height: 290px;" /></P><P></P><P>這是我Real Customer的現狀，不是在Lab環境</P><P>給大家參考...</P></BODY></HTML> Thu, 22 Mar 2018 10:44:47 GMT https://community.checkpoint.com/t5/Chinese-%E4%B8%AD%E6%96%87/Logs-Exporter%E6%AD%A3%E5%BC%8F%E6%8E%A8%E5%87%BA-%E5%88%A5%E5%86%8D%E7%85%A9%E6%83%B1log%E5%8C%AF%E5%87%BA%E5%95%8F%E9%A1%8C/m-p/36722#M346 RickLin 2018-03-22T10:44:47Z https://community.checkpoint.com/t5/Chinese-%E4%B8%AD%E6%96%87/Logs-Exporter%E6%AD%A3%E5%BC%8F%E6%8E%A8%E5%87%BA-%E5%88%A5%E5%86%8D%E7%85%A9%E6%83%B1log%E5%8C%AF%E5%87%BA%E5%95%8F%E9%A1%8C/m-p/36723#M347 <HTML><HEAD></HEAD><BODY><P>看到了,這是一個有錢的客戶,謝謝喔。</P></BODY></HTML> Thu, 22 Mar 2018 10:52:30 GMT https://community.checkpoint.com/t5/Chinese-%E4%B8%AD%E6%96%87/Logs-Exporter%E6%AD%A3%E5%BC%8F%E6%8E%A8%E5%87%BA-%E5%88%A5%E5%86%8D%E7%85%A9%E6%83%B1log%E5%8C%AF%E5%87%BA%E5%95%8F%E9%A1%8C/m-p/36723#M347 Neville_Kuo 2018-03-22T10:52:30Z https://community.checkpoint.com/t5/Chinese-%E4%B8%AD%E6%96%87/Logs-Exporter%E6%AD%A3%E5%BC%8F%E6%8E%A8%E5%87%BA-%E5%88%A5%E5%86%8D%E7%85%A9%E6%83%B1log%E5%8C%AF%E5%87%BA%E5%95%8F%E9%A1%8C/m-p/36724#M348 <HTML><HEAD></HEAD><BODY><P>Hi Rick：</P><P>如果只要送SmartEvent，而且Severity=Critical / High到syslog server有什麼方式可以做呢？？？</P></BODY></HTML> Thu, 12 Apr 2018 01:41:52 GMT https://community.checkpoint.com/t5/Chinese-%E4%B8%AD%E6%96%87/Logs-Exporter%E6%AD%A3%E5%BC%8F%E6%8E%A8%E5%87%BA-%E5%88%A5%E5%86%8D%E7%85%A9%E6%83%B1log%E5%8C%AF%E5%87%BA%E5%95%8F%E9%A1%8C/m-p/36724#M348 Webb_Huang 2018-04-12T01:41:52Z https://community.checkpoint.com/t5/Chinese-%E4%B8%AD%E6%96%87/Logs-Exporter%E6%AD%A3%E5%BC%8F%E6%8E%A8%E5%87%BA-%E5%88%A5%E5%86%8D%E7%85%A9%E6%83%B1log%E5%8C%AF%E5%87%BA%E5%95%8F%E9%A1%8C/m-p/36725#M349 <HTML><HEAD></HEAD><BODY><P>Hello Webb,</P><P></P><P>這個Log Exporter只能把Log匯出，但是沒辦法做Filter。</P><P></P><P>如果你要做Filter，我建議在Syslog Server上面做，或是參考另外一個Syslog的Solution&nbsp; CPLogToSyslog (<SPAN style="color: #000000; background-color: #ffffff; font-size: 14px;">sk115392)</SPAN></P></BODY></HTML> Thu, 12 Apr 2018 03:46:33 GMT https://community.checkpoint.com/t5/Chinese-%E4%B8%AD%E6%96%87/Logs-Exporter%E6%AD%A3%E5%BC%8F%E6%8E%A8%E5%87%BA-%E5%88%A5%E5%86%8D%E7%85%A9%E6%83%B1log%E5%8C%AF%E5%87%BA%E5%95%8F%E9%A1%8C/m-p/36725#M349 Sung-Lun_Yang1 2018-04-12T03:46:33Z https://community.checkpoint.com/t5/Chinese-%E4%B8%AD%E6%96%87/Logs-Exporter%E6%AD%A3%E5%BC%8F%E6%8E%A8%E5%87%BA-%E5%88%A5%E5%86%8D%E7%85%A9%E6%83%B1log%E5%8C%AF%E5%87%BA%E5%95%8F%E9%A1%8C/m-p/36726#M350 <HTML><HEAD></HEAD><BODY><P class="">哪類型的log ?! IPS ?!</P><P class="">有沒有試著查一下SmartEvent Policy那邊的設定？</P><P class="">我覺得可以在SmartEvent Policy那邊，真對特定Event 指定特定的action ，例如搭配script的作法來試試看</P></BODY></HTML> Thu, 12 Apr 2018 05:19:26 GMT https://community.checkpoint.com/t5/Chinese-%E4%B8%AD%E6%96%87/Logs-Exporter%E6%AD%A3%E5%BC%8F%E6%8E%A8%E5%87%BA-%E5%88%A5%E5%86%8D%E7%85%A9%E6%83%B1log%E5%8C%AF%E5%87%BA%E5%95%8F%E9%A1%8C/m-p/36726#M350 RickLin 2018-04-12T05:19:26Z https://community.checkpoint.com/t5/Chinese-%E4%B8%AD%E6%96%87/Logs-Exporter%E6%AD%A3%E5%BC%8F%E6%8E%A8%E5%87%BA-%E5%88%A5%E5%86%8D%E7%85%A9%E6%83%B1log%E5%8C%AF%E5%87%BA%E5%95%8F%E9%A1%8C/m-p/36727#M351 <HTML><HEAD></HEAD><BODY><P>Hi Sung-Lun：</P><P>SK115392方式我有做，但Filter有點費時間，目前我改用Log Exporter，然後只做Threat Policy Log(Severity=critical / high)。&nbsp;</P></BODY></HTML> Thu, 12 Apr 2018 06:53:07 GMT https://community.checkpoint.com/t5/Chinese-%E4%B8%AD%E6%96%87/Logs-Exporter%E6%AD%A3%E5%BC%8F%E6%8E%A8%E5%87%BA-%E5%88%A5%E5%86%8D%E7%85%A9%E6%83%B1log%E5%8C%AF%E5%87%BA%E5%95%8F%E9%A1%8C/m-p/36727#M351 Webb_Huang 2018-04-12T06:53:07Z https://community.checkpoint.com/t5/Chinese-%E4%B8%AD%E6%96%87/Logs-Exporter%E6%AD%A3%E5%BC%8F%E6%8E%A8%E5%87%BA-%E5%88%A5%E5%86%8D%E7%85%A9%E6%83%B1log%E5%8C%AF%E5%87%BA%E5%95%8F%E9%A1%8C/m-p/36728#M352 <HTML><HEAD></HEAD><BODY><P>Hi Rick：</P><P>收了，放口帶備用。Thanks</P></BODY></HTML> Thu, 12 Apr 2018 06:54:06 GMT https://community.checkpoint.com/t5/Chinese-%E4%B8%AD%E6%96%87/Logs-Exporter%E6%AD%A3%E5%BC%8F%E6%8E%A8%E5%87%BA-%E5%88%A5%E5%86%8D%E7%85%A9%E6%83%B1log%E5%8C%AF%E5%87%BA%E5%95%8F%E9%A1%8C/m-p/36728#M352 Webb_Huang 2018-04-12T06:54:06Z https://community.checkpoint.com/t5/Chinese-%E4%B8%AD%E6%96%87/Logs-Exporter%E6%AD%A3%E5%BC%8F%E6%8E%A8%E5%87%BA-%E5%88%A5%E5%86%8D%E7%85%A9%E6%83%B1log%E5%8C%AF%E5%87%BA%E5%95%8F%E9%A1%8C/m-p/36729#M353 <HTML><HEAD></HEAD><BODY><P>Hi Webb</P><P>您客氣了，這論壇的意義也在幫助我們在Check Point在這麼多面向的、不同的領域，提供資訊交流的平台</P><P>人難免有時會遇到瓶頸或卡關的時候，我也常腦筋不靈光，我總是請教我同事Tony and George</P><P>討論之後，才想到有其他層次或面向我本來或當下沒考慮到的，藉由快速討論找出可以走出死胡同的路出來</P><P>如果有我能幫忙的，我都會幫忙，因為改天我也需要大家的經驗分享與協助. <img id="smileyhappy" class="emoticon emoticon-smileyhappy" src="https://community.checkpoint.com/i/smilies/16x16_smiley-happy.png" alt="Smiley Happy" title="Smiley Happy" /></P></BODY></HTML> Thu, 12 Apr 2018 10:43:39 GMT https://community.checkpoint.com/t5/Chinese-%E4%B8%AD%E6%96%87/Logs-Exporter%E6%AD%A3%E5%BC%8F%E6%8E%A8%E5%87%BA-%E5%88%A5%E5%86%8D%E7%85%A9%E6%83%B1log%E5%8C%AF%E5%87%BA%E5%95%8F%E9%A1%8C/m-p/36729#M353 RickLin 2018-04-12T10:43:39Z https://community.checkpoint.com/t5/Chinese-%E4%B8%AD%E6%96%87/Logs-Exporter%E6%AD%A3%E5%BC%8F%E6%8E%A8%E5%87%BA-%E5%88%A5%E5%86%8D%E7%85%A9%E6%83%B1log%E5%8C%AF%E5%87%BA%E5%95%8F%E9%A1%8C/m-p/36730#M354 <HTML><HEAD></HEAD><BODY><P>謝謝Rick, 開臺灣自己CheckMates版就是希望能打破公司的藩籬，相互交流在CP產品支援的經驗!</P><P>我們很幸運，能擁有許多技術經驗都很棒的夥伴，也期望各位多多分享，勇於提問，讓這個版面成為臺灣自己的knowledge base!&nbsp;</P></BODY></HTML> Fri, 13 Apr 2018 02:12:22 GMT https://community.checkpoint.com/t5/Chinese-%E4%B8%AD%E6%96%87/Logs-Exporter%E6%AD%A3%E5%BC%8F%E6%8E%A8%E5%87%BA-%E5%88%A5%E5%86%8D%E7%85%A9%E6%83%B1log%E5%8C%AF%E5%87%BA%E5%95%8F%E9%A1%8C/m-p/36730#M354 Danny_Yang 2018-04-13T02:12:22Z https://community.checkpoint.com/t5/Chinese-%E4%B8%AD%E6%96%87/Logs-Exporter%E6%AD%A3%E5%BC%8F%E6%8E%A8%E5%87%BA-%E5%88%A5%E5%86%8D%E7%85%A9%E6%83%B1log%E5%8C%AF%E5%87%BA%E5%95%8F%E9%A1%8C/m-p/36731#M355 <HTML><HEAD></HEAD><BODY><P>請問, log exporter 啟動後, 我去查看 log_indexer.elg 有看到log訊息是 file read rate [log] : Current=29 Avg=336 MinAvg=11 Total=305861 buffers (0/0/0/0) , 下一行是&nbsp; Sent current : 0&nbsp; average : 0 total : 0 , 我的 log server 都沒有收到任何轉送過來的 log 。　請問，我要往那一方面去查看。我是r77.30有升級　Check_Point_R77_30_JUMBO_HF_1_Bundle_T302_FUL</P><P>name: tolog<BR /> status: Running (13179)<BR /> last log read at: 14 Aug 21:48:29<BR /> debug file: /opt/CPsuite-R77/fw1/log_exporter/targets/tolog/log/log_indexer.elg</P><P>[Expert@CAFA-4600:0]# cp_log_export show</P><P>name: tolog<BR /> enabled: true<BR /> target-server: 192.168.X.X (這ip我自己編的)<BR /> target-port: 514<BR /> protocol: udp<BR /> format: syslog</P></BODY></HTML> Tue, 14 Aug 2018 13:50:45 GMT https://community.checkpoint.com/t5/Chinese-%E4%B8%AD%E6%96%87/Logs-Exporter%E6%AD%A3%E5%BC%8F%E6%8E%A8%E5%87%BA-%E5%88%A5%E5%86%8D%E7%85%A9%E6%83%B1log%E5%8C%AF%E5%87%BA%E5%95%8F%E9%A1%8C/m-p/36731#M355 DACHENG_SU 2018-08-14T13:50:45Z https://community.checkpoint.com/t5/Chinese-%E4%B8%AD%E6%96%87/Logs-Exporter%E6%AD%A3%E5%BC%8F%E6%8E%A8%E5%87%BA-%E5%88%A5%E5%86%8D%E7%85%A9%E6%83%B1log%E5%8C%AF%E5%87%BA%E5%95%8F%E9%A1%8C/m-p/36732#M356 <HTML><HEAD></HEAD><BODY><P>我對你問的這個問題也沒什麼概念..</P><P>首先我會先想一下什麼是正常送log的時候 log_indexer.elg會顯示的紀錄</P><P>剛好我有一兩個現成的客戶有不斷的在傳送log的案例，我觀察了一下他們的 log_indexer.elg</P><P>我看到他們的log_indexer.elg都有你給的訊息<SPAN style="color: #333333; background-color: #ffffff;">Sent current : 0&nbsp; average : 0 total : 0<SPAN>&nbsp;</SPAN></SPAN></P><P><SPAN style="color: #333333; background-color: #ffffff;"><SPAN>所以看來這不能作為判斷事情的依據</SPAN></SPAN></P><P><SPAN style="color: #333333; background-color: #ffffff;"></SPAN></P><P><SPAN style="color: #333333; background-color: #ffffff;"><SPAN>後來我想一想，你要確認Management有沒有將log送出去</SPAN></SPAN></P><P><SPAN style="color: #333333; background-color: #ffffff;"><SPAN>事實上很簡單，最簡單的tcpdump command就能釐清是沒送出去，還是送出去後的問題</SPAN></SPAN></P><P><SPAN style="color: #333333; background-color: #ffffff;"><SPAN><IMG class="image-1 jive-image" src="https://community.checkpoint.com/legacyfs/online/checkpoint/68577_pastedImage_1.png" /></SPAN></SPAN></P></BODY></HTML> Tue, 14 Aug 2018 14:46:40 GMT https://community.checkpoint.com/t5/Chinese-%E4%B8%AD%E6%96%87/Logs-Exporter%E6%AD%A3%E5%BC%8F%E6%8E%A8%E5%87%BA-%E5%88%A5%E5%86%8D%E7%85%A9%E6%83%B1log%E5%8C%AF%E5%87%BA%E5%95%8F%E9%A1%8C/m-p/36732#M356 RickLin 2018-08-14T14:46:40Z https://community.checkpoint.com/t5/Chinese-%E4%B8%AD%E6%96%87/Logs-Exporter%E6%AD%A3%E5%BC%8F%E6%8E%A8%E5%87%BA-%E5%88%A5%E5%86%8D%E7%85%A9%E6%83%B1log%E5%8C%AF%E5%87%BA%E5%95%8F%E9%A1%8C/m-p/36733#M357 <HTML><HEAD></HEAD><BODY><P>確認一下syslog server 接收的格式, 印象在n-report中格式要設成cef, 若設成syslog 好像不會吃...</P><P></P><P>format: syslog (syslog|cef|leef|generic)</P><P></P><P>cp_log_export也調整一下format, 如 cef 試看看</P></BODY></HTML> Wed, 15 Aug 2018 02:46:41 GMT https://community.checkpoint.com/t5/Chinese-%E4%B8%AD%E6%96%87/Logs-Exporter%E6%AD%A3%E5%BC%8F%E6%8E%A8%E5%87%BA-%E5%88%A5%E5%86%8D%E7%85%A9%E6%83%B1log%E5%8C%AF%E5%87%BA%E5%95%8F%E9%A1%8C/m-p/36733#M357 Jarvis_Lin1 2018-08-15T02:46:41Z https://community.checkpoint.com/t5/Chinese-%E4%B8%AD%E6%96%87/Logs-Exporter%E6%AD%A3%E5%BC%8F%E6%8E%A8%E5%87%BA-%E5%88%A5%E5%86%8D%E7%85%A9%E6%83%B1log%E5%8C%AF%E5%87%BA%E5%95%8F%E9%A1%8C/m-p/36734#M358 <HTML><HEAD></HEAD><BODY><P>除了用tcpdump -i interface證明有送封包出去以外（通常不會有沒送出去的問題）</P><P>剩下的，如Jarvis所說的，接收方如果有收到資料後，如果格式不對，也會影響結果</P><P>format的value就那四種，不確定哪一種換一下測試一下就知道了..</P></BODY></HTML> Wed, 15 Aug 2018 03:16:24 GMT https://community.checkpoint.com/t5/Chinese-%E4%B8%AD%E6%96%87/Logs-Exporter%E6%AD%A3%E5%BC%8F%E6%8E%A8%E5%87%BA-%E5%88%A5%E5%86%8D%E7%85%A9%E6%83%B1log%E5%8C%AF%E5%87%BA%E5%95%8F%E9%A1%8C/m-p/36734#M358 RickLin 2018-08-15T03:16:24Z https://community.checkpoint.com/t5/Chinese-%E4%B8%AD%E6%96%87/Logs-Exporter%E6%AD%A3%E5%BC%8F%E6%8E%A8%E5%87%BA-%E5%88%A5%E5%86%8D%E7%85%A9%E6%83%B1log%E5%8C%AF%E5%87%BA%E5%95%8F%E9%A1%8C/m-p/36735#M359 <HTML><HEAD></HEAD><BODY><P>謝謝, 已經可以了, 我有用 rick 你提供的 tcpdump 去查看, 發現我有在送 syslog , 所以我再去查內網防火牆的 policy , 發現是policy 的問題, 因為我把 policy 砍掉用新增的方式去設定 policy 就好了, 先前我在內網policy 是用 clone 方式去修改policy的目的伺服器及port, 發現這樣 policy 沒有作用, 因為我一直在看內網防火牆沒有任何流量進來, 我以為是 checkpoint的cp_log_export 沒有作用. 感謝 rick 你提供的 tcpdump 方式。</P></BODY></HTML> Wed, 15 Aug 2018 07:18:56 GMT https://community.checkpoint.com/t5/Chinese-%E4%B8%AD%E6%96%87/Logs-Exporter%E6%AD%A3%E5%BC%8F%E6%8E%A8%E5%87%BA-%E5%88%A5%E5%86%8D%E7%85%A9%E6%83%B1log%E5%8C%AF%E5%87%BA%E5%95%8F%E9%A1%8C/m-p/36735#M359 DACHENG_SU 2018-08-15T07:18:56Z