Log Exporter - Log Field description

Hello All,

This is Tim.

I'm using a Check Point 4600 and Log Exporter to get syslog from the device into my log server.

Actually, it is working pretty well.

But when I explore the syslog that comes from Check Point, I can't understand what each field means.

https://community.checkpoint.com/t5/Logging-and-Reporting/Log-Exporter-CEF-Field-Mappings/td-p/41060

In the link above there are lots of syslog fields, but it doesn't tell us what each field means.

So, where can I get information on the syslog fields?

Accepted Solutions

A recently added knowledge base article (sk144192) lists the fields, potential values, and it provides a proper description for each field. This link might provide the information that you seek.

 



Some types seem to be wrong in sk144192. For example:

When receiving logs from log exporter, the "action" field is actually a "string", not an "int". The values are "Accept","Drop", etc.

The values Accept, etc. are dictionary values resolved from a numeric int.
hth,
bob
Ok, but the fields "severity" and "confidence_level" are sent as integers, not resolved from a dictionary. Why is "action" resolved?

The original type of the field doesn't matter; if the purpose of the table is to help us use it with a SIEM, I believe it should report the type that we will receive. Don't you agree?

 

 

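A small parser for the type distinction discussed in this thread, added here as an example and not code from Check Point or from the posters. It assumes Log Exporter's key="value" syslog layout, uses a constructed sample line, and takes the documented versus received types (action as a resolved string, severity and confidence_level as integers) from the posts above.

```python
import re
from typing import Dict, List

# Constructed sample line. The key="value" layout is an assumption about
# Log Exporter's syslog output; the field names come from the thread.
SAMPLE_LINE = (
    'time="1584029000" action="Drop" severity="2" confidence_level="3" '
    'src="10.0.0.5" dst="198.51.100.7" product="Firewall"'
)

# Types as the KB article discussed above lists them: "int" for all three.
SK_DOCUMENTED_TYPES = {"action": "int", "severity": "int", "confidence_level": "int"}

# Types a SIEM actually receives, per the thread: action is a resolved
# dictionary string, severity and confidence_level are plain integers.
SIEM_FIELD_TYPES = {"action": str, "severity": int, "confidence_level": int}

_KV = re.compile(r'(\w+)="((?:[^"\\]|\\.)*)"')

def parse_line(line: str) -> Dict[str, str]:
    """Split a key="value" line into raw string fields."""
    return {k: v for k, v in _KV.findall(line)}

def typed_record(raw: Dict[str, str]) -> Dict[str, object]:
    """Coerce fields to the type the SIEM will see; unknown fields stay str."""
    out: Dict[str, object] = {}
    for key, value in raw.items():
        caster = SIEM_FIELD_TYPES.get(key, str)
        try:
            out[key] = caster(value)
        except ValueError:
            out[key] = value  # keep the raw value rather than drop the event
    return out

def documented_type_mismatches(raw: Dict[str, str]) -> List[str]:
    """Fields whose value cannot be parsed as the type the KB documents."""
    bad = []
    for key, doc_type in SK_DOCUMENTED_TYPES.items():
        if key in raw and doc_type == "int" and not raw[key].lstrip("-").isdigit():
            bad.append(key)
    return bad

if __name__ == "__main__":
    raw = parse_line(SAMPLE_LINE)
    print(typed_record(raw))
    print(documented_type_mismatches(raw))  # ['action']
```

Running the mismatch check over a day of exported logs is a quick way to confirm which documented "int" fields your SIEM parser must actually treat as strings.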
Agree. Int is the underlying data structure, not necessarily how you will see it in the log exporter output. Will comment on the sk to this effect to get it to the right person. Just fyi, this is also an option for others that for me has worked pretty well.
Bob,

I always comment on SKs that I don't agree with. Sometimes I get answers, most times I don't.

Thank you for also sending your comments!

Thanks for the feedback!

I will look into it and will update.
