This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject
ABOUT CHECKMATES & FAQ
Create a Post
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Help
LostBoY
Advisor
‎2022-01-13 01:58 AM

Action Field in IPS Logs via Log Exporter

I have integrated my R80.40 Mgmt Server with Datadog SIEM.. in the IPS logs few key fields are missing such as Destination and Action.. i understand Destination field is not present by design as described in sksk136672.

However.. i am not sure if this is the case for "Action" field as well..  i am exporting raw logs via log exporter..

is there any specific setting to be enabled to get Action field or is this also a product limitation.

 

Thanks

0 Kudos
2 Replies
G_W_Albrecht
Legend
Legend
‎2022-01-13 02:45 AM

The sk122323: Log Exporter - Check Point Log Export suggests: For information on Check Point's Log Fields Mapping, refer to sk144192. Here we can find the action field listed for Common Fields exported:

rule_action Action string  Action of the matched rule in the access policy

 

Also for the blades Threat Extraction - Security Gateway & SandBlast Agent and Unified Policy (VPN-1 & FireWall-1) - Security Gateway:

action Action int

Action of matched rule
Possible values:
0 - Drop
1 - Reject
2 - Accept
3 - Encrypt
4 - Decrypt
17 - Authorize
18 - Deauthorize
30 - Bypass
33 - Block
34 - Detect
39 - Do not send
43 - Allow
46 - Ask User
61 - Extract

Note: This field is not mandatory to every log 

  

 

But there is no action field listed for Blade IPS  (SmartDefense) - Security Gateway !

CCSE CCTE SMB Specialist
LostBoY
Advisor
‎2022-01-21 05:24 AM
In response to G_W_Albrecht

Thanks for the reply.. where can i find this table which you referred to ? 

0 Kudos
Labels