Hello. I am wondering if anyone has experience in working with the filterconfiguration.xml file. We are trying to filter out so we get all logs for certain blades and then only logs with certain severity for other blades. We would like all Identity Awareness, Content, Application Control and URL filtering. Then severity 3 or 4 for Threat, AV, IPS, etc. Below is the config we are trying to use but as soon as we put in the severity we get almost no logs for any blades. I suspect that is because it is applying severity to the other blades which do not have that field. Do we need to put the severity field under each blade that we want only those severity levels?
<filters>
  <filterGroup operator="and">
    <field name="action" operator="and">
    </field>
    <field name="origin" operator="and">
    </field>
    <field name="product" operator="or">
      <value operation="eq">Identity Awareness</value>
      <value operation="eq">Content Awareness</value>
      <value operation="eq">Application Control</value>
      <value operation="eq">URL Filtering</value>
    </field>
    <field name="product" operator="or">
      <value operation="eq">Anti-Bot</value>
      <value operation="eq">Anti Malware</value>
      <value operation="eq">IPS</value>
      <value operation="eq">IPS-1</value>
      <value operation="eq">SmartDefense</value>
      <value operation="eq">Anti-Virus</value>
      <value operation="eq">New Anti Virus</value>
      <value operation="eq">Anti Virus</value>
      <value operation="eq">Threat Extraction</value>
    </field>
    <field name="severity" operator="and">
      <value operation="eq">3</value>
      <value operation="eq">4</value>
    </field>
  </filterGroup>
</filters>
Edited your original post for clarity.
I don't think this will match anything:
<field name="severity" operator="and">
  <value operation="eq">3</value>
  <value operation="eq">4</value>
</field>
It should be an operator="or" in this case, at least if I'm understanding sk122323 correctly.
Also, everything in the filterGroup must match (e.g. product = X AND severity = Y).
That basically means you'll need to create two different filterGroups (one with the blades you want to send based on priority and one with the blades you want to send irrespective of priority).
Whether you can put that in one filterConfiguration.xml or you'll need to configure a second export to the same server with the other filterConfiguration, I'm not sure.
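Editor's note: to make the two points in this reply concrete (a severity field with operator="and" can never match, and every field inside one filterGroup has to match), here is an added Python model of the filter semantics. It is not Check Point code and does not claim to be how Log Exporter evaluates filterConfiguration.xml; it only encodes what the reply says: inside a field, operator="or" matches when any value matches and operator="and" only when all of them do, a filterGroup with operator="and" needs every field to match, and a field with no values is treated as no constraint (an assumption). The reworked filter with two filterGroups additionally assumes that separate top-level filterGroups are OR'ed, which is exactly the part the reply says is unconfirmed, so treat that as something to verify against sk122323. The log records are constructed samples, and the original filter is the poster's, trimmed to a few products.

```python
"""Toy model of the filterConfiguration.xml semantics described in the reply.

Added illustration, not Check Point's implementation. Assumptions:
  * <field operator="or">  matches when ANY of its <value> elements matches
  * <field operator="and"> matches only when ALL of its <value> elements match
  * <filterGroup operator="and"> matches only when every <field> matches
  * a <field> with no <value> children constrains nothing (assumed)
  * a record is exported if ANY top-level <filterGroup> matches (assumed)
Only operation="eq" is modelled because that is all the thread uses.
"""
import xml.etree.ElementTree as ET

# The poster's original filter, trimmed to a few products for brevity.
ORIGINAL_XML = """
<filters>
  <filterGroup operator="and">
    <field name="product" operator="or">
      <value operation="eq">Identity Awareness</value>
      <value operation="eq">URL Filtering</value>
    </field>
    <field name="product" operator="or">
      <value operation="eq">IPS</value>
      <value operation="eq">Anti-Virus</value>
    </field>
    <field name="severity" operator="and">
      <value operation="eq">3</value>
      <value operation="eq">4</value>
    </field>
  </filterGroup>
</filters>
"""

# Reworked per the reply: one group per intent, severity combined with "or".
# Whether two top-level filterGroups are OR'ed is an assumption of this model.
REWORKED_XML = """
<filters>
  <filterGroup operator="and">
    <field name="product" operator="or">
      <value operation="eq">Identity Awareness</value>
      <value operation="eq">URL Filtering</value>
    </field>
  </filterGroup>
  <filterGroup operator="and">
    <field name="product" operator="or">
      <value operation="eq">IPS</value>
      <value operation="eq">Anti-Virus</value>
    </field>
    <field name="severity" operator="or">
      <value operation="eq">3</value>
      <value operation="eq">4</value>
    </field>
  </filterGroup>
</filters>
"""

# Constructed sample log records (only the two fields the filters look at).
SAMPLE_LOGS = [
    {"product": "Identity Awareness", "severity": "1"},
    {"product": "URL Filtering", "severity": "2"},
    {"product": "IPS", "severity": "1"},
    {"product": "IPS", "severity": "3"},
    {"product": "Anti-Virus", "severity": "4"},
    {"product": "VPN", "severity": "4"},
]


def _value_matches(value_el, actual):
    """Compare one <value> element against the record's field value."""
    op = value_el.get("operation", "eq")
    if op != "eq":
        raise ValueError(f"operation {op!r} is not modelled here")
    return actual == (value_el.text or "").strip()


def _field_matches(field_el, record):
    """Apply the field's own operator across its <value> children."""
    actual = record.get(field_el.get("name"))
    results = [_value_matches(v, actual) for v in field_el.findall("value")]
    if not results:  # empty field, e.g. the poster's action/origin: no constraint
        return True
    return all(results) if field_el.get("operator") == "and" else any(results)


def _group_matches(group_el, record):
    """A filterGroup with operator="and" needs every field to match."""
    results = [_field_matches(f, record) for f in group_el.findall("field")]
    return all(results) if group_el.get("operator") == "and" else any(results)


def record_exported(filter_xml, record):
    """True if any top-level filterGroup accepts the record (assumed OR)."""
    root = ET.fromstring(filter_xml)
    return any(_group_matches(g, record) for g in root.findall("filterGroup"))


def exported_records(filter_xml, records):
    """Return the subset of records the filter would let through."""
    return [r for r in records if record_exported(filter_xml, r)]


if __name__ == "__main__":
    for label, xml in (("original", ORIGINAL_XML), ("reworked", REWORKED_XML)):
        kept = exported_records(xml, SAMPLE_LOGS)
        print(f"{label}: {len(kept)} of {len(SAMPLE_LOGS)} records exported")
        for r in kept:
            print("   ", r)
```

Running it shows the original filter exporting nothing: a single record cannot have a product in the first list and in the second list at the same time, and severity can never equal 3 and 4 at once. The reworked filter lets the Identity Awareness and URL Filtering records through regardless of severity, and only the severity 3 and 4 IPS and Anti-Virus records, which is the behaviour the original poster described wanting.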
Hello @PhoneBoy,
Thank you for your sharing, I am facing an issue regarding the audit log from the smart console by using Log Exporter. Could you help to provide more statements to filter the audit log?
Best Regards,
Ravoth
Hey @Ravoth,
I am forwarding audit logs from our Management Server (shows SmartConsole logins, Web API logins, policy installations, etc) using the following config on the Mgmt:
cp_log_export add name auditlogs.mgmt target-server x.x.x.x target-port 12214 protocol tcp format cef
cp_log_export set name auditlogs.mgmt filter-origin-in "x.x.x.x"
Hey @Ravoth,
I'm pretty sure you would need to use the FieldsMapping.xml to specifically filter the logs you want.
SK122323 gives a detailed explanation of the filtering capabilities in Log Exporter. Also, SK144192 gives a list of fields in the Check Point logs (including Management Server).
Hello, how can I find out which product I should use? Do I need all of them, or is SmartDefense alone enough? I used Confidence Level as well, but I am not getting the "unknown" logs that I had before editing the xml file.
Depends on what products you have…and what products you want logs sent on.
IPS is somewhat unique in that some protections still show up as SmartDefense (legacy name for IPS-type functionality).
Best to look at the log entries you for sure want and make sure you account for them in the filter configuration.