Create a Post
cancel
Showing results for 
Search instead for 
Did you mean: 
Highlighted
Iron

Log Exporter filter

Hi, I'm experiencing issues with filtering the logs to export to my external Syslog server from the R80.40.

It seems like any filtering command/option that I enter then all export stops. I am trying to not export traffic events(allowed or denied traffic).

Can someone please share sample config or syntax that I can use?

 

0 Kudos
7 Replies
Highlighted
Admin
Admin

I think there is a few examples (or a link to an SK with them) here: https://community.checkpoint.com/t5/Logging-and-Reporting/Log-Exporter-Filtering/m-p/10359
Highlighted
Employee+
Employee+

Can you please share the commend/filter configuration you used?

Thanks!

Highlighted
Employee+
Employee+

Hi,

 

From your question I can only guess that:

1. Maybe your filtering file is incorrect.

2. Maybe you use a wrong field names to filter on and therefore not traffic is seen on your syslog server.

 

Can you please share your filterConfiguration.xml and targetConfiguration.xml files?

 

Shay

Highlighted
Iron

Hi All,

 

here is my targetConfiguration.xmll file

The logs are indeed coming through however, i am also receiving connection logs. i.e accepted traffic connections.

 

<?xml version="1.0" encoding="utf-8"?>
<export id="targetObjectUID"><!--object uuid!-->
<version>5</version> <!-- Version of this file-->
<is_enabled>true</is_enabled><!--Is the process allowed to run, and start on cpstart-->
<!-- Destination section defines the properties of the export target -->
<destination type="syslog"> <!-- Target output type -->
<ip>x.x.x.x</ip><!--the ip of the syslog server-->
<port>1514</port><!--the port on which the syslog is listening to-->
<protocol>udp</protocol><!--udp/tcp-->
<!--the configuration of tls-->
<transport>
<security></security><!--clear/tls-->
<!-- the following section is relevant only if <security> is tls -->
<pem_ca_file></pem_ca_file>
<p12_certificate_file></p12_certificate_file>
<client_certificate_challenge_phrase></client_certificate_challenge_phrase>
</transport>
</destination>
<!-- Filter Configuration -->
<dynamicFilter>conf/FilterConfiguration.xml</dynamicFilter>
<!-- Source section defines the properties of the input stream that will be exported -->
<source>
<log_files>1</log_files><!-- on-line[default] | read logs from [number] days back (recommended) | specific file name -->
<log_types></log_types><!--all[default]|log|audit/-->
<folder></folder><!--$FWDIR/log[default]|specific path-->
<read_mode>raw</read_mode><!--raw[default]|semi-unified/-->
</source>
<export_log_link>true</export_log_link> <!-- True | False /-->
<export_attachment_link>false</export_attachment_link> <!-- True | False /-->
<export_link_ip></export_link_ip> <!-- empty [defaut] | external IP /-->
<!-- Format section determines the form (headers and mappings) of the exported logs -->
<format type="cef"> <!--syslog | cef | leef | generic | splunk | this parameter may differ from the type of destination, for example, destination type = files/format type = CEF -->
<resolver>
<mappingConfiguration></mappingConfiguration><!--if empty the fields are sent as is without renaming-->
<exportAllFields>true</exportAllFields> <!--in case exportAllFields=true - exported element in fieldsMapping.xml is ignored and fields not from fieldsMapping.xml are exported as notMappedField field-->
</resolver>
<!-- Format header configuration (actual to CEF see ./conf directory) -->
<formatHeaderFile></formatHeaderFile>
</format>

<!-- The following section is for future use of log filtering, please do not modify these values -
->
<filter filter_out_by_connection="true">
<field name="product">
<value>VPN-1 &amp; FireWall-1</value>
<value>HTTPS Inspection</value>
<value>VPN-1</value>
<value>Security Gateway/Management</value>
<value>Firewall</value>
<value>FG</value>
</field>
<field name="fw_subproduct">
<value>VPN-1 &amp; FireWall-1</value>
<value>HTTPS Inspection</value>
<value>VPN-1</value>
<value>Security Gateway/Management</value>
<value>Firewall</value>
<value>FG</value>
</field>
</filter>


</export>

Highlighted
Employee+
Employee+

Hi,

Your target configuration looks OK.
Can you please share your FilterConfiguration.xml file?
I also want to make sure you have configured it correctly.

Thanks,
Shay
0 Kudos
Highlighted
Iron

here is my FilterConfiguration.xml

 

<filters>
<filterGroup operator="and">
<field name="action" operator="and">
</field>
<field name="origin" operator="and">
</field>
<field name="product" operator="and">
</field>
</filterGroup>
</filters>
~

0 Kudos
Highlighted
Employee+
Employee+

Based on those 2 files it looks that you did not filter anything out and you should see all your logs in syslog server.

1. is that the case? if so, what do you want to filter?
2. If not, lets take it offline you and I (shayhi@checkpoint.com).

Shay