Dan_Zada
Employee Alumnus

Log Exporter Filtering

Hello all,

I'm happy to inform you that we added a new feature to the log exporter - the ability to filter logs.

Starting today, you will be able to configure which logs will be exported, based on fields and values, including complex statements.

More information, including basic and advanced filtering instructions, can be found in SK122323.

If you have any questions or comments, let me know.

Thanks!

Dan.

72 Replies
Shay_Hibah
Employee Alumnus

@Antonis_Hassiot 

What format are you using as part of Log Exporter configuration?

0 Kudos
Antonis_Hassiot
Contributor

target-port: 12010
protocol: tcp
format: splunk
read-mode: semi-unified
export-link: false
export-attachment-link: false
export-attachment-ids: Found

0 Kudos
Shay_Hibah
Employee Alumnus

Please send me your FilterConfiguration.xml file to my email and we will take it offline from there.

Shayhi@checkpoint.com

0 Kudos
MariuszT
Explorer

Hi,

I know this is an old topic, but has anything changed in that matter? Can you write a filter based on subnets?

Greetings,

Mariusz

0 Kudos
Amir_Senn
Employee

According to the SK it looks to be supported:

[screenshot attachment: Capture.PNG]

Kind regards, Amir Senn
0 Kudos
PhoneBoy
Admin

The issue, I believe, is that you would have to list each IP address in the subnet.
Or it is possible to reference an entire subnet or range of addresses, but the syntax for doing so is not documented.

0 Kudos
MariuszT
Explorer

Unfortunately you're right. I've opened an SR question with TAC and received the answer:

"It can not cover a range and it needs to be a value from log, not without putting a new line for every ip in that range we can do this"

The case is I'd like to filter out several /16 networks. If I put just one net like that, it makes 65k records, the CPU cores on the log server associated with the log exporter are at 100%, and very few logs are exported.

0 Kudos
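The TAC answer above says the exporter's filter matches on literal log values, so excluding a /16 means one entry per address (65,536 for a single /16). Where that is not workable, a common defender-side workaround is to let the exporter ship everything and drop the unwanted subnets at the receiving end (a syslog relay or SIEM ingest pipeline) with a CIDR match. The following is an added illustration of that approach, not Check Point's code or the FilterConfiguration.xml syntax; the key=value line layout and the field names src/dst are assumptions, and the log lines and networks are constructed for the example.

```python
import ipaddress
import re

# Constructed sample records in a generic key=value layout (an assumption;
# the real exporter output format depends on the configured "format").
SAMPLE_LOGS = [
    "time=1700000000 action=Accept src=10.20.1.5 dst=203.0.113.10 service=443",
    "time=1700000001 action=Drop src=10.21.200.77 dst=198.51.100.4 service=22",
    "time=1700000002 action=Accept src=172.16.3.3 dst=10.20.0.1 service=53",
    "time=1700000003 action=Accept src=192.168.1.9 dst=192.0.2.1 service=80",
]

# Networks to exclude, expressed as CIDR prefixes instead of one entry per host.
EXCLUDED_NETS = [
    ipaddress.ip_network("10.20.0.0/16"),
    ipaddress.ip_network("10.21.0.0/16"),
]

FIELD_RE = re.compile(r"(\w+)=(\S+)")


def parse_line(line):
    """Split a key=value record into a dict; unknown layout simply yields fewer keys."""
    return dict(FIELD_RE.findall(line))


def in_excluded(ip_str, nets=EXCLUDED_NETS):
    """True if ip_str falls inside any excluded network.

    A missing or malformed address is kept (returns False) so that odd records
    are not silently discarded; they are usually worth a look in the SIEM.
    """
    try:
        ip = ipaddress.ip_address(ip_str)
    except ValueError:
        return False
    return any(ip in net for net in nets)


def filter_logs(lines, nets=EXCLUDED_NETS, fields=("src", "dst")):
    """Drop records whose src or dst lies in an excluded network; keep the rest."""
    kept = []
    for line in lines:
        rec = parse_line(line)
        if any(in_excluded(rec.get(f, ""), nets) for f in fields):
            continue
        kept.append(line)
    return kept


def expanded_entry_count(nets):
    """How many per-host entries a literal-value filter would need for these prefixes."""
    return sum(net.num_addresses for net in nets)


if __name__ == "__main__":
    print("per-host entries a literal filter would need:", expanded_entry_count(EXCLUDED_NETS))
    for line in filter_logs(SAMPLE_LOGS):
        print("kept:", line)
```

The two /16 prefixes here would expand to 131,072 literal entries, which is the load problem described in the post; a prefix match costs two comparisons per record regardless of subnet size. Keep the exclusion list short and reviewed, since anything dropped at the relay never reaches the SIEM.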
PhoneBoy
Admin

I would work with your local Check Point office on an RFE for this.

0 Kudos
Ned_Stark
Contributor

Hello friends,

I have a 1450 appliance, version R77.20.85 (990172755).

How can I get the Log Exporter configuration for this appliance? I see that sk122323 is for R77.30 and above.

Thanks 

0 Kudos
PhoneBoy
Admin

Log Exporter is not supported on SMB appliances.
The 1500 series running R80.20 code can natively export security logs via Syslog.
Dorit_Dor
Employee

To be clear:

Log exporter is running on the log server/management and it is agnostic to which GW generated the data.

Ned_Stark
Contributor

Ok, thanks a lot.

Nice day.

0 Kudos
Ned_Stark
Contributor

Thanks a lot.

0 Kudos