DH_ND
Participant

CP log Export issues

Hi CheckMates,

Can someone help? I have two managers with the same subnet and environment within Azure: the 1st managing Azure gateways on R80.30 and the 2nd managing on-prem gateways on R77.30. We use cp_log_export on both to send logs to a collector.

The 2nd has recently been added using the same configuration as the first (this config was the same when the manager was on premise on R77.30).

cp_log_export add name ****** target-server x.x.x.x target-port 514 protocol tcp format leef

All looks good except the collector isn't seeing the logs being sent; it only sees the two-way communication from manager to collector.

The difference between the two is that the 2nd has the following lines below. The working one has both these values set to true:

export-link: false
export-attachment-link: false

1st is working:

name: ******
enabled: true
target-server: x.x.x.x
target-port: 514
protocol: tcp
format: leef
read-mode: raw
export-link: Found
export-attachment-link: Found

2nd is NOT working:

name: ******
enabled: true
target-server: x.x.x.x
target-port: 514
protocol: tcp
format: leef
read-mode: raw
export-link: false
export-attachment-link: false

Does anyone have any idea what could be causing this? We have full comms from both to the collector.

Thanks
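As an added example (not from the thread and not Check Point's own tooling), a small Python checker that parses the `key: value` dumps above, compares the two exporters with `Found` treated as `true` (an assumption), and reports the things that can explain a collector that sees the TCP session but no events. The exporter names and collector address are placeholders.

```python
from typing import Dict, List
# Constructed samples mirroring the two dumps in the post; exporter names and
# the collector address are placeholders (the post masks them).
WORKING = """name: exp-azure
enabled: true
target-server: 10.0.0.5
target-port: 514
protocol: tcp
format: leef
read-mode: raw
export-link: Found
export-attachment-link: Found"""
NOT_WORKING = WORKING.replace("exp-azure", "exp-onprem").replace("Found", "false")
LINK_FLAGS = ("export-link", "export-attachment-link")  # only add SmartView URL fields

def parse_exporter(text: str) -> Dict[str, str]:
    """Turn 'key: value' lines into a dict with lower-cased keys."""
    cfg: Dict[str, str] = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            cfg[key.strip().lower()] = value.strip()
    return cfg

def as_bool(value: str) -> bool:
    """Assumption: the 'Found' shown by some builds behaves like 'true'."""
    return value.strip().lower() in ("true", "found")

def diff_exporters(a: Dict[str, str], b: Dict[str, str]) -> List[str]:
    """Keys other than name whose values differ; link flags compared as booleans."""
    out = []
    for key in sorted((set(a) | set(b)) - {"name"}):
        va, vb = a.get(key, ""), b.get(key, "")
        if key in LINK_FLAGS:
            va, vb = str(as_bool(va)), str(as_bool(vb))
        if va != vb:
            out.append(key)
    return out

def check_exporter(cfg: Dict[str, str], others: List[Dict[str, str]]) -> List[str]:
    """Findings that can explain 'TCP session seen, no events'; link flags are ignored."""
    findings = []
    if not as_bool(cfg.get("enabled", "false")):
        findings.append("exporter is disabled")
    if cfg.get("protocol") not in ("tcp", "udp"):
        findings.append(f"unexpected protocol {cfg.get('protocol')!r}")
    dest = (cfg.get("target-server"), cfg.get("target-port"))
    for other in others:
        if other is not cfg and (other.get("target-server"), other.get("target-port")) == dest:
            findings.append(f"shares {dest[0]}:{dest[1]} with {other.get('name')}; check routing and the listener")
    return findings
```

Running `diff_exporters` on the two samples reports only the two link flags, which is the same conclusion the thread reaches: they are cosmetic, so the delivery problem lies elsewhere.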
7 Replies
Dror_Aharony
Employee Alumnus

2 questions:

1. Are you trying to export logs from both to the same target SIEM using the same TCP/514 port?

2. Even though the 2nd is working, why do the link flags have the value 'Found' (why not true)?

DH_ND
Participant

Hi Dror,

Yes, we are sending to the same target SIEM using TCP/514. This was also the case when the on-prem manager (which is now the one that isn't working) was in use.
I'm not sure why the flags are set to Found; should they be true?

Cheers
Dror_Aharony
Employee Alumnus

I believe so, but if it's working, then it's okay.

You cannot use the same TCP port to the same SIEM simultaneously.

The port should be unique for each; simply change one of them to another port and let us know.
DH_ND
Participant

Hi Dror,

Previously we had two Azure managers and one on-prem manager using the same config, and it had been working without issue. It's only now that we have moved the on-prem manager to Azure that we are seeing an issue. I'll contact the third party and see if I can test your solution. I'll let you know the outcome.

Cheers
DH_ND
Participant

Hi Dror,
We found a routing issue with Azure yesterday which has now been resolved. Since that issue was resolved the export is working fine and the third party can see exactly what's expected; however, I still see false for the links.
name: ********
enabled: true
target-server: x.x.x.x
target-port: 514
protocol: tcp
format: leef
read-mode: raw
export-link: false
export-attachment-link: false
Any ideas?

Cheers
Amir_Senn
Employee

export-link should be false unless you change it.

It's used to add a field to the exported log that represents a link to SmartView that shows the log card.

If you want to know more about this feature, you can check the Log Exporter SK under the section "Advanced Configuration Post Deployment" and the sub-section "SmartView links parameters".

sk link:

https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut...

Kind regards, Amir Senn
DH_ND
Participant

Thanks, Amir.