DH_ND
Iron

CP log Export issues

Hi Checkmates

 

Can someone help? I have two managers with the same subnet and environment within Azure. 1st managing Azure gateways on R80.30 and 2nd managing on prem gateways on R77.30. We use cp_log_export on both to send logs to a collector.

2nd has been recently added using the same configuration as the first (this config was the same when the manager was on premise on R77.30).

 cp_log_export add name ****** target-server x.x.x.x target-port 514 protocol tcp format leef

All looks good except the collector isn't seeing the logs being sent; it only sees the two way communication from manager to collector.

The difference between the two is the 2nd has the following lines below. The worker has both these values set to true.

export-link: false
export-attachment-link: false

1st is working

name: ******
enabled: true
target-server: x.x.x.x
target-port: 514
protocol: tcp
format: leef
read-mode: raw
export-link: Found
export-attachment-link: Found

2nd is NOT working

name: ******
enabled: true
target-server: x.x.x.x
target-port: 514
protocol: tcp
format: leef
read-mode: raw
export-link: false
export-attachment-link: false

 

Does anyone have any idea what could be causing this? We have full comms from both to the collector.

 

Thanks

 

 

 

0 Kudos
7 Replies
Employee+
Employee+

Re: CP log Export issues

 2 Questions:

1. Are you trying to export logs from both to same target-SIEM using same TCP/514 port?

2. Even though 2nd is working, why are links flags with 'Found' value (why not true?)

0 Kudos
DH_ND
Iron

Re: CP log Export issues

Hi Dror,


Yes, we are sending to the same target SIEM using TCP/514. This was also the case when the on prem manager (which is now the one that isn't working) was in use.
I'm not sure why the flags are set to found, should they be true?

Cheers
0 Kudos
Employee+
Employee+

Re: CP log Export issues

I believe so, but if it's working, then it's okay.

You cannot use same TCP/port to same SIEM simultaneously.

Port should be unique for each, simply change one of them to another port & let us know.

0 Kudos
DH_ND
Iron

Re: CP log Export issues

Hi Dror,

Previously we had two Azure managers and one on prem manager using the same config, and it has been working without issue. It's only now we have moved the on prem manager to Azure that we are seeing an issue. I'll contact the third party and see if I can test your solution. I'll let you know the outcome.

Cheers
0 Kudos
DH_ND
Iron

Re: CP log Export issues

Hi Dror,
We found a routing issue with Azure yesterday which has now been resolved. Since that issue has been resolved the export is working fine and the third party can see exactly what's expected; however, I still see false for the links.
name: ********
enabled: true
target-server: x.x.x.x
target-port: 514
protocol: tcp
format: leef
read-mode: raw
export-link: false
export-attachment-link: false
Any ideas?

Cheers
0 Kudos
Employee+
Employee+

Re: CP log Export issues

export-link should be false unless you change it.

It's used to add a field to the exported log that represents a link to SmartView that shows the log card.

If you want to know more about this feature you can check the log exporter sk under the section of "Advanced Configuration Post Deployment" and the sub-section "SmartView links parameters".

sk link:

https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut...

0 Kudos
DH_ND
Iron

Re: CP log Export issues

Thanks Amirse.
0 Kudos
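
The comparison made in this thread, as an added example that is not part of any post and is not Check Point code: it parses the two exporter listings quoted in the first post and separates differences in settings that affect delivery from the SmartView link flags, which the reply above says only add a field to the exported log. The `DELIVERY_KEYS` split and the function names are assumptions of this example.

```python
# Added example: triage two exporter listings ("key: value" per line).
# DELIVERY_KEYS is an assumption of this example, not a Check Point list.
DELIVERY_KEYS = {"enabled", "target-server", "target-port",
                 "protocol", "format", "read-mode"}

# Listings as posted in the thread (name and address are masked there).
WORKING = """name: ******
enabled: true
target-server: x.x.x.x
target-port: 514
protocol: tcp
format: leef
read-mode: raw
export-link: Found
export-attachment-link: Found"""

FAILING = WORKING.replace("Found", "false")


def parse_exporter(text):
    """Return {key: value}; split on the first ':' so values may contain ':'."""
    conf = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep and key.strip():
            conf[key.strip()] = value.strip()
    return conf


def triage(working, failing):
    """Split config differences into delivery-relevant and other keys."""
    a, b = parse_exporter(working), parse_exporter(failing)
    diffs = {k: (a.get(k), b.get(k))
             for k in sorted(set(a) | set(b))
             if k != "name" and a.get(k) != b.get(k)}  # name is only a label
    delivery = {k: v for k, v in diffs.items() if k in DELIVERY_KEYS}
    other = {k: v for k, v in diffs.items() if k not in DELIVERY_KEYS}
    verdict = ("fix exporter settings first" if delivery
               else "delivery settings match: check the network path")
    return delivery, other, verdict


if __name__ == "__main__":
    delivery, other, verdict = triage(WORKING, FAILING)
    print("delivery differences:", delivery)
    print("other differences:", other)
    print("verdict:", verdict)
```

On the listings from this thread the delivery settings are identical, which points away from the exporter definition and toward the path between manager and collector, where the routing issue was eventually found.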