Log Exporter filter for VPN logins

azientak · ‎2021-02-22

Hi Experts,

I have a customer that would like to create a filter using log exporter to export all Mobile access Logins to a syslog server on a SIEM platform.

Currently we have tried this filter, however it does not catch logins:

<filters>
<filterGroup operator="and">
<field name="action" operator="or”>
</field>
<field name="origin" operator="and">
</field>
<field name="product" operator="or">
<value operation="eq">Mobile Access</value>
</field>
<field name="user" operator="and">
</field>
<field name="source" operator="and">
</field>
</filterGroup>
</filters>

Can anyone assist with a filter that can catch mobile access connections/logins?

RS_Daniel · ‎2021-09-27

Hello,

In case you did not find a way to catch these logs, i put here how we did it.

Created a mappingConfiguration file defining a couple fields that appear only on our vpn login logs and defined both fields as requiered, in this way only logs that contain these two fields are exported. You do not need to change "exportAllFields" setting, leave it as true, in this way all the information inside these logs will be sent. Do not forget to reference this mapping file on "<mappingConfiguration>" setting. We used fields "os_name" and "session_uid", xml file looked like this, you can use as many as you want if need to be more specific.

<?xml version="1.0" encoding="utf-8"?>
<fields>
<field>
<origName>os_name</origName>
<exported>true</exported>
<required>true</required>
</field>
<field>
<origName>session_uid</origName>
<exported>true</exported>
<required>true</required>
</field>
</fields>‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍

Are you a member of CheckMates?

Log Exporter filter for VPN logins