This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
sanchez
Participant
‎2020-03-03 01:57 AM

Customized Cef mapping

How can the mappings in cef be customized according to my requirement? I tried changes in $EXPORTDIR/conf/CefFieldsMapping.xml.
Also I tried changing the target fieldmapping.But the changes do not reflect even after I restart cp_log_export. 
What can be the solution to the problem

0 Kudos
12 Replies
G_W_Albrecht
MVP Silver
MVP Silver
‎2020-03-03 04:42 AM

I would suggest asking TAC !

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
sanchez
Participant
‎2020-03-03 07:15 PM
In response to G_W_Albrecht

Is there no provision for customization of mapping than at user level?
Is it only possible to map the logs after arriving at third party application?

 

PhoneBoy
Admin
Admin
‎2020-03-03 07:12 PM

What were the precise changes you tried to make?
sanchez
Participant
‎2020-03-03 07:20 PM
In response to PhoneBoy

For eg: I was trying to rename the field rt as log_ts; and have need to customize some other fields too.
I tried changes in field mapping within targets' field mapping. Also I tried changes at conf cef field mappings but to no avail. 

0 Kudos
PhoneBoy
Admin
Admin
‎2020-03-03 07:45 PM
In response to sanchez

What I meant was: precisely what modifications did you try to make to the file?
Can you share a snippet?
0 Kudos
sanchez
Participant
‎2020-03-03 07:48 PM
In response to PhoneBoy

i tried adding a additional mapping which would convert rt into log_ts

Preview file
318 KB
sanchez
Participant
‎2020-03-03 08:10 PM
In response to PhoneBoy

Screen Shot 2020-03-04 at 9.32.23 AM.png

0 Kudos
PhoneBoy
Admin
Admin
‎2020-03-03 08:57 PM
In response to sanchez

@Dan_Zada any comment here?

0 Kudos
sanchez
Participant
‎2020-03-05 08:01 PM
In response to PhoneBoy

Any reply here ?? I am out on a limb here.

0 Kudos
PhoneBoy
Admin
Admin
‎2020-03-05 08:24 PM
In response to sanchez

If it's urgent I recommend opening a TAC case.
0 Kudos
sanchez
Participant
‎2020-03-06 12:47 AM
In response to PhoneBoy

It is not that urgent. Its just for educational purpose and interest in the Checkpoint. I can wait, but eager to know why it is not working is all. 😄

 

0 Kudos
Shay_Hibah
Employee Alumnus
Employee Alumnus
‎2020-03-10 09:37 AM
In response to sanchez

Hi @sanchez 

My name is Shay and I will try to help you with this case.

A bit information about Log Exporter files:

Under log_exporter main directory ($EXPORTERDIR) you will find conf dir where all configuration files exist.

This files are the default files and should not being changed at all.

The reason is because these files are copied to every new log exporter instance you create.

Once a new log exporter instance is created, a new dir for this exporter is created under $EXPORTERDIR/targets/<exporter_name>.

For each exporter instance, you can find conf directory where all configuration files are copied to (the default files).

Any change should be done on these files (the relevant files) in this specific scope.

 

Now to your issue 🙂

You want to change the mapping of your exporter in order to add 3 more fields.

Since you are using CEF format, go to your exporter's conf directory ($EXPORTERDIR/targets/<exporter_name>/conf) and look for file named CefFieldsMapping.xml.

Backup this file before any changes.

Modify this file by adding the new 3 fields (make sure to add them under <fields> tag):

<field><origName>src</origName><dstName>cef_src</dstName></field>
<field><origName>rt</origName><dstName>log_ts</dstName></field>
<field><origName>dst</origName><dstName>cef_dst</dstName></field>

 I'm not sure about rt since rt is already dstName of time field. in case you need to map it, you should do this using time field (an example can be seen on the file itself).

 

After these changes, you need to restart the exporter in order to reload this configuration by running cp_log_export restart name <exporter_name>

 

Please let me know if you need any additional help.

Regards,

Shay

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    In-Person

    Tue 02 Jun 2026 @ 09:00 AM (CEST)

    CheckMates Live Denmark - Aarhus
    In-Person

    Wed 03 Jun 2026 @ 09:00 AM (CEST)

    CheckMates Live Denmark - Copenhagen
    In-Person

    Fri 12 Jun 2026 @ 09:00 AM (CEST)

    Netzwerk- & Cloud-Workshop: Wien
    In-Person

    Tue 16 Jun 2026 @ 08:00 AM (EDT)

    Montreal: P’tits déj Cyber! | Cyber Breakfasts!
    CheckMates Events