
CEF field values of Log exporter

I'm using Log Exporter to forward CEF-formatted logs to a third-party SIEM tool, and I want to know the default CEF field values for mapping to the SIEM.

5 Replies

Re: CEF field values of Log exporter

Not sure there are any default values as that will depend on the logs being sent.

Can you elaborate on your question a bit?

What SIEM are you trying to integrate with?


Re: CEF field values of Log exporter

If you don't mind reading XML, check out $EXPORTERDIR/conf/CefFieldsMapping.xml. Attaching it for your convenience; examples below. This is from R80.20 GA take 101.

......
<field>
    <origName>action</origName>
    <dstName>act</dstName>
</field>
......
<field>
    <origName>severity</origName>
    <dstName>cp_severity</dstName>
    <callback>
        <name>replace_value</name>
        <args>
            <arg key="default" value="Unknown"/>
            <arg key="0" value="Low"/>
            <arg key="1" value="Low"/>
            <arg key="2" value="Medium"/>
            <arg key="3" value="High"/>
            <arg key="4" value="Very-High"/>
        </args>
    </callback>
</field>
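To see what the two mapping entries above do to an actual log record before it reaches the SIEM, here is an added example (not Log Exporter's own code, and not part of the original post) that reads the quoted excerpt, renames origName to dstName, and applies the replace_value callback with its default. The root element name `<fields>`, the pass-through of fields that have no mapping entry, and the sample record are assumptions made for the example; the CEF extension escaping follows the CEF specification (backslash, equals sign and newlines are backslash-escaped).

```python
import xml.etree.ElementTree as ET
from typing import Callable, Dict, Optional, Tuple

# Constructed excerpt in the shape of the CefFieldsMapping.xml entries quoted
# in the post. Only the two <field> entries shown there are reproduced, and
# the <fields> root element is an assumption (the excerpt omits it).
MAPPING_XML = """<?xml version="1.0"?>
<fields>
  <field>
    <origName>action</origName>
    <dstName>act</dstName>
  </field>
  <field>
    <origName>severity</origName>
    <dstName>cp_severity</dstName>
    <callback>
      <name>replace_value</name>
      <args>
        <arg key="default" value="Unknown"/>
        <arg key="0" value="Low"/>
        <arg key="1" value="Low"/>
        <arg key="2" value="Medium"/>
        <arg key="3" value="High"/>
        <arg key="4" value="Very-High"/>
      </args>
    </callback>
  </field>
</fields>
"""

Mapping = Dict[str, Tuple[str, Optional[Callable[[str], str]]]]


def _replace_value(args: Dict[str, str]) -> Callable[[str], str]:
    """Build the replace_value callback: look the raw value up in the <arg>
    table and fall back to the 'default' arg when it is not listed. If no
    default is given, the raw value is passed through (assumption)."""
    default = args.get("default")

    def callback(value: str) -> str:
        return args.get(value, default if default is not None else value)

    return callback


# Callback names understood by this example; the shipped file may use others.
CALLBACKS = {"replace_value": _replace_value}


def load_mapping(xml_text: str) -> Mapping:
    """Parse <field> entries into {origName: (dstName, callback-or-None)}."""
    mapping: Mapping = {}
    for field in ET.fromstring(xml_text).iter("field"):
        orig = field.findtext("origName")
        if not orig:
            continue
        dst = field.findtext("dstName") or orig
        callback = None
        cb_node = field.find("callback")
        if cb_node is not None:
            name = cb_node.findtext("name")
            factory = CALLBACKS.get(name or "")
            if factory is None:
                raise ValueError(f"unsupported callback {name!r} for field {orig!r}")
            args = {a.get("key", ""): a.get("value", "") for a in cb_node.iter("arg")}
            callback = factory(args)
        mapping[orig] = (dst, callback)
    return mapping


def apply_mapping(record: Dict[str, str], mapping: Mapping) -> Dict[str, str]:
    """Rename and transform one Check Point log record. Fields without a
    mapping entry keep their original name and value (assumption)."""
    out: Dict[str, str] = {}
    for key, value in record.items():
        dst, callback = mapping.get(key, (key, None))
        out[dst] = callback(value) if callback else value
    return out


def cef_extension(fields: Dict[str, str]) -> str:
    """Serialise key=value pairs as a CEF extension string with the escaping
    the CEF spec requires for extension values."""
    def esc(value: str) -> str:
        return (str(value).replace("\\", "\\\\").replace("=", "\\=")
                .replace("\r", "\\r").replace("\n", "\\n"))

    return " ".join(f"{k}={esc(v)}" for k, v in fields.items())


if __name__ == "__main__":
    # Constructed sample record; severity "9" exercises the default branch.
    mapping = load_mapping(MAPPING_XML)
    for record in ({"action": "Drop", "severity": "3", "src": "10.0.0.1"},
                   {"action": "Accept", "severity": "9", "msg": "k=v"}):
        print(cef_extension(apply_mapping(record, mapping)))
```

When you build the SIEM parser, take the `dstName` values (here `act` and `cp_severity`) as the field names to expect, and note that `cp_severity` arrives already translated to a word, with "Unknown" for any numeric severity the table does not list.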

Re: CEF field values of Log exporter

Also see this discussion: Log Exporter CEF Field Mappings

Re: CEF field values of Log exporter

Thanks Bob, it helped. Do we have a similar field mapping for the Syslog format?

Re: CEF field values of Log exporter

Sorry for the delay in answering. The syslog format essentially doesn't map to another format, so, aside from the header, you'll get the Check Point field names unmapped.

# pwd
/opt/CPrt-R80.20/log_exporter/targets/MySyslog

# grep mapping *
.....
targetConfiguration.xml: <!-- Format section determines the form (headers and mappings) of the exported logs -->
targetConfiguration.xml: <mappingConfiguration></mappingConfiguration><!--if empty the fields are sent as is without renaming-->

On a related note, there is a project to better define the Check Point field names and to normalize them across products. It is a bit hidden right now, but you can see in R80.20 the 100+ Threat Prevention field definitions for ALL SandBlast products (mobile, endpoint, gateway) at the bottom of sk134634: SmartView Cyber Attack View, in the Field Documentation section. In the future I am sure we'll do a better job of documenting these so they're not buried in an SK like this. For now, check out Threat Prevention Log Field Documentation
