Re: Log Exporter Filtering

in the next public R80.30-JumboHF (hopefully a few weeks).


Re: Log Exporter Filtering

Ok thanks.
Another question I got was: is Log Exporter following the RFC 5424 format?
Regards, Maarten

Re: Log Exporter Filtering

@Maarten_Sjouw a quick Google search shows RFC 5424 is simply the syslog protocol (I didn't know this off the top of my head).

https://tools.ietf.org/html/rfc5424

Answer: yes. Check the "Formats" section below.

reference:

Log Exporter - Check Point Log Export

Background:
Log Exporter is a multi-threaded daemon service, running on a log server. Each log that is written on the log server is read by the log exporter daemon, transformed into the desired format and mapping, and then sent to the end target.

Log Exporter supports:
  • SIEM applications: Splunk\Arcsight\RSA\LogRhythm\QRadar\McAfee\rsyslog\ng-syslog and any other SIEM application that can run a syslog agent.
  • Protocols: syslog over TCP or UDP.
  • Formats: Syslog, CEF, LEEF, Generic.
  • Security: Mutual authentication TLS.
  • The ability to export logs, audit, or both.
  • Filter out (don't export) firewall connections logs.
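The format question in the post above (RFC 5424 syslog, with CEF among the listed formats) is easiest to verify from the collector side. What follows is an added example, not code from this thread or from Check Point: a Python parser for RFC 5424 messages with structured data, a parser for a CEF payload carried in the syslog MSG, and a collector-side field filter as a fallback when exporter-side filtering is not available. The sample lines, the SD-ID `example@32473`, the field name `blade` and the vendor/product strings are constructed for the example and are not Log Exporter's actual field mapping.

```python
"""Collector-side parser for RFC 5424 syslog and CEF-in-syslog. Sample lines are
constructed for this example; field names such as "blade" are illustrative only."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample lines (not real Log Exporter output).
SAMPLE_RFC5424 = ('<134>1 2020-05-04T10:15:30.123Z fw-log-01 cp_log_export 2231 - '
                  '[example@32473 blade="Threat Prevention" action="Prevent"] '
                  'example threat prevention event')
SAMPLE_CEF = ('<134>1 2020-05-04T10:15:31Z fw-log-01 cp_log_export 2231 - - '
              'CEF:0|ExampleVendor|ExampleProduct|1.0|100|Example alert|5|'
              'src=10.0.0.5 dst=192.0.2.10 act=Prevent cs1Label=blade cs1=Threat Prevention')

_HEADER = re.compile(r'^<(?P<pri>\d{1,3})>(?P<ver>\d{1,2}) (?P<ts>\S+) (?P<host>\S+) '
                     r'(?P<app>\S+) (?P<procid>\S+) (?P<msgid>\S+) (?P<rest>.*)$', re.DOTALL)
_SD_ELEMENT = re.compile(r'\[(?P<id>[^ \]="]+)(?P<params>(?: [^ \]="]+="(?:[^"\\]|\\.)*")*)\]')
_SD_PARAM = re.compile(r' (?P<name>[^ \]="]+)="(?P<value>(?:[^"\\]|\\.)*)"')
_CEF_EXT = re.compile(r'(\w+)=(.*?)(?=\s+\w+=|$)', re.DOTALL)   # key=value pairs, values may contain spaces


@dataclass
class SyslogRecord:
    facility: int
    severity: int
    timestamp: str
    hostname: str
    app_name: str
    structured_data: Dict[str, Dict[str, str]] = field(default_factory=dict)
    message: str = ""
    cef: Optional[Dict[str, str]] = None   # filled when MSG starts with "CEF:"


def parse_rfc5424(line: str) -> SyslogRecord:
    m = _HEADER.match(line)
    if not m:
        raise ValueError("not an RFC 5424 message")
    pri = int(m['pri'])
    if pri > 191:                                   # facility 0-23, severity 0-7
        raise ValueError("PRI out of range")
    rest, pos, sd = m['rest'], 0, {}
    if rest.startswith('-'):                        # NILVALUE: no structured data
        pos = 1
    else:
        while pos < len(rest) and rest[pos] == '[':
            em = _SD_ELEMENT.match(rest, pos)
            if not em:
                raise ValueError("malformed STRUCTURED-DATA at offset %d" % pos)
            # RFC 5424 escapes the characters " \ and ] inside PARAM-VALUE with a backslash.
            sd[em['id']] = {p['name']: re.sub(r'\\(["\\\]])', r'\1', p['value'])
                            for p in _SD_PARAM.finditer(em['params'])}
            pos = em.end()
        if not sd:
            raise ValueError("expected '-' or STRUCTURED-DATA")
    msg = rest[pos + 1:] if rest[pos:pos + 1] == ' ' else rest[pos:]
    rec = SyslogRecord(pri // 8, pri % 8, m['ts'], m['host'], m['app'], sd, msg)
    if msg.startswith('CEF:'):
        rec.cef = parse_cef(msg)
    return rec


def parse_cef(text: str) -> Dict[str, str]:
    header, cur, i = [], [], 0
    while i < len(text) and len(header) < 7:        # seven pipe-delimited header fields
        c = text[i]
        if c == '\\' and i + 1 < len(text):         # "\|" and "\\" inside header fields
            cur.append(text[i + 1])
            i += 2
        elif c == '|':
            header.append(''.join(cur))
            cur, i = [], i + 1
        else:
            cur.append(c)
            i += 1
    if len(header) != 7 or not header[0].startswith('CEF:'):
        raise ValueError("malformed CEF header")
    keys = ['cef_version', 'device_vendor', 'device_product', 'device_version', 'signature_id', 'name', 'severity']
    out = dict(zip(keys, header))
    out['cef_version'] = header[0][4:]
    ext = {k: v.replace('\\=', '=').replace('\\\\', '\\') for k, v in _CEF_EXT.findall(text[i:])}
    for k in list(ext):                             # cs1Label=blade cs1=X  ->  blade=X
        if k.endswith('Label') and k[:-5] in ext:
            ext[ext[k]] = ext[k[:-5]]
    out.update(ext)
    return out


def select_by_field(lines: List[str], name: str, value: str) -> List[SyslogRecord]:
    # Collector-side fallback filter for when the exporter-side filter is unavailable.
    kept = []
    for rec in map(parse_rfc5424, lines):
        fields = dict(rec.cef or {})
        for params in rec.structured_data.values():
            fields.update(params)
        if fields.get(name) == value:
            kept.append(rec)
    return kept
```

`parse_rfc5424` rejects lines that do not carry the mandatory `-` or structured-data element, so a collector using it will surface a mis-configured exporter (for example one emitting BSD-style syslog) as a parse error rather than silently indexing a malformed header. The CEF custom-field resolution (`cs1Label`/`cs1`) is what lets a filter refer to a stable name instead of a slot number.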

Re: Log Exporter Filtering

I've now tried this, and also contacted TAC. Log Exporter cannot be used on a dedicated SmartEvent appliance. Log Exporter currently does not support indexed logs, however TAC told me that this is in the pipeline.


Re: Log Exporter Filtering

Interesting to hear this (and thanks for posting the update).

It's my understanding the Log Exporter is a service that works directly on the Log Server (wherever that may reside).

I do understand the requirement for SmartEvent users to push alerts into a third-party system (SIEM, SOC, etc.) and it does make sense that CP would leverage something like Log Exporter for this (and replace the current duct tape and baling wire methods).


Re: Log Exporter Filtering

I'm still working with TAC on this, but in my case the objective is to send log data for specific gateways and for TP only, which may be managed by different domain servers, to a central SIEM collector for the organisation.

My logic was, rather than burdening the Provider with multiple streams to the collector, send logs from the SmartEvent appliance for the specific gateways (single stream), and the logs are already consolidated for TP events. In this way the only filtering to do, now and in the future, would be to maintain the list of GWs in the filter.

Clearly not happening...well not yet.


Re: Log Exporter Filtering

Dear team,
There is an error as below when I configure it to only send "TP" logs to the syslog server. Why is this?
# cp_log_export set name TP_Test filter-blade-in "TP"
Error: Argument [filter-blade-in] is undefined for command: [set]

Re: Log Exporter Filtering

Which version is this? Did you try other filters?

I'd guess it's not supported on your version.

See Log Exporter sk122323 for supported versions:

https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut...


Re: Log Exporter Filtering

R80.30 log server (with SmartEvent) +

       HOTFIX_R80_30_JHF_T111_LOGRHYTHM_MAIN  Take: 4

I'm having problems filtering log_export, while the pipe between CP and Splunk is working.
I find it very easy to throw out a feature without customers being able to easily apply it, especially when the feature has been expected for months.
The documentation is confusing and we always have to spend a monster amount of time with expert support to get through it.
At this point basic questions remain:
- Following the advanced configuration given as an example, the FilterConfiguration.xml file is fed by the commands, but there are still no filters on the exported logs and I receive the access-type logs from the firewall.


Re: Log Exporter Filtering

Hi @pmiprojet_pmipr 

I am sorry to hear that it took a long time to configure Log Exporter and the filtering feature.

I would like to help you and guide you so you will be able to use this feature ASAP.

Could you please send me an email and we will take it from there? My email address is shayhi@checkpoint.com

Regards,

Shay
