Create a Post
cancel
Showing results for 
Search instead for 
Did you mean: 
LostBoY
Advisor

Action Field in IPS Logs via Log Exporter

I have integrated my R80.40 Mgmt Server with Datadog SIEM.. in the IPS logs few key fields are missing such as Destination and Action.. i understand Destination field is not present by design as described in sksk136672.

However.. i am not sure if this is the case for "Action" field as well..  i am exporting raw logs via log exporter..

is there any specific setting to be enabled to get Action field or is this also a product limitation.

 

Thanks

0 Kudos
2 Replies
G_W_Albrecht
Legend
Legend

The sk122323: Log Exporter - Check Point Log Export suggests: For information on Check Point's Log Fields Mapping, refer to sk144192. Here we can find the action field listed for Common Fields exported:

rule_action Action string  Action of the matched rule in the access policy

 

Also for the blades Threat Extraction - Security Gateway & SandBlast Agent and Unified Policy (VPN-1 & FireWall-1) - Security Gateway:

action Action int

Action of matched rule
Possible values:
0 - Drop
1 - Reject
2 - Accept
3 - Encrypt
4 - Decrypt
17 - Authorize
18 - Deauthorize
30 - Bypass
33 - Block
34 - Detect
39 - Do not send
43 - Allow
46 - Ask User
61 - Extract

Note: This field is not mandatory to every log 

 

 

But there is no action field listed for Blade IPS  (SmartDefense) - Security Gateway !

CCSE CCTE CCSM SMB Specialist
LostBoY
Advisor

Thanks for the reply.. where can i find this table which you referred to ? 

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

Upcoming Events

    CheckMates Events