Create a Post
cancel
Showing results for 
Search instead for 
Did you mean: 
Highlighted
Employee+
Employee+

Log Exporter guide

Hello All,

We have recently released the Log Exporter solution.
A few posts have already gone up and the full documentation can be found at sk122323.

However, I've received a few questions both on and offline and decided to create a sort of log exporter guide.

But before I begin I’d like to point out that I’m not a Checkpoint spokesperson, nor is this an official checkpoint thread.

I was part of the Log Exporter team and am creating this post as a public service.

I’ll try to only focus on the current release, and please remember anything I might say regarding future releases is not binding or guaranteed.
Partly because I’m not the one who makes those decisions, and partly because priorities will shift based on customer feedback, resource limitations and a dozen other factors. The current plans and the current roadmap is likely to drastically change over time.

And just for the fun of it, I’ll mostly use the question-answer format in this post (simply because I like it and it’s convenient).

 

Log Exporter – what is it?

Performance

Filters

Filters: Example 1

Filters: Example 2

Gosh darn it, I forgot something! (I'll edit and fill this in later)

Feature request

Labels (3)
127 Replies
Highlighted
Employee+
Employee+

Thanks - That seems to have done the trick.

I hate going into the HTML source code. I  get flashbacks from trying to manually fix SKs. 

The horror!

Smiley Happy

Highlighted

Hi Yonatan,

Thank you for the detailed write-up, I found it very helpful!

Is there a way to rate limit the amount logs that are exported? We ran into an issue where our log exporter process was overloading our syslog server with requests.

Thanks!
Matt

0 Kudos
Highlighted
Employee+
Employee+

Hi Matthew,

At this time there is no way to limit the number of logs sent.

This will probably be possible in the future once we implement advanced filter capabilities.

Improving the filters is an item on our roadmap but I don't know when this will be implemented.

0 Kudos
Highlighted

Hi!

Nice writeup and nice tool!

I have small question

I need export only SmartEvent events width EN***** id in message body

Can i do it with LogExporter? Can u help me with configuration?

0 Kudos
Highlighted
Employee+
Employee+

Hi Alexandr, 

This can be done to a limited degree, probably not good enough for your use case. 

This will most likely be possible once we implement advanced filtering options - unfortunately, I don't know exactly when that will actually happen (it's on the roadmap but we are currently working on another feature ahead of filters).

0 Kudos
Highlighted

Maybe i can use log exporter tool in custom script for sending messages?

0 Kudos
Highlighted
Employee+
Employee+

Hi,

I'm not sure I understand the question. I suspect the answer is no. The Log Exporter uses the indexing infrastructure (that Checkpoint log servers use). It reads *.fw log files, but instead of 'indexing' them it sends the logs to the interface send queue.

I don't see how you can insert scripts into this chain, nor can this run on a server without the indexing infrastructure (e.g. log servers)

Highlighted

Jonathan,

Something that is not completely clear to me, when we want to use TLS and we have a official cert at the other end, do I still need to created local files to allow this to be used? Or can I just tell log exporter to use TLS?

Regards, Maarten
0 Kudos
Highlighted
Employee+
Employee+

The Log Exporter uses mutual authentication - both sides need to authenticate each other.

When we were looking at the TLS implementation of other vendors we noticed that some of them use single sided authentication, but after considering the issue we decided to err on the side of more security and implemented mutual authentication.

Hope that answers your question. it's always a bit difficult for me to address TLS related questions as that's not my area of expertise, and while I was involved in the TLS discussions during the implementations, I was mostly on the sidelines of those discussions and left it to the relevant experts to do the heavy lifting.

HTH 

 Yonatan 

0 Kudos
Highlighted
Copper

Log_export can export all software blade log to external syslog server ?

0 Kudos
Highlighted
Employee+
Employee+

Yes.

The Log Exporter can export everything in the fw.log file regardless of the content.

It basically treats everything in the log payload as an alphanumeric string.

All the adaptations, mappings, filters, etc. are all based on string/text manipulation regardless of the content ("blade").

HTH 

 Yonatan 

0 Kudos
Highlighted

Hi Yonatan, I just configured log exporter so send logs via syslog to SIEM server, however when log sent I don't see protocol field in the log, when sent vi LEA  saw for example - protocol=UDP etc. but now I get only proto=6, proto=17 etc. How do I convert it to protocol name? Is there any proto(number) to protocol(actual protocol name) mapping exist?

0 Kudos
Highlighted
Admin
Admin

0 Kudos
Highlighted

Also the /etc/protocols file on Gaia/Linux.

--
Second Edition of my "Max Power" Firewall Book
Now Available at http://www.maxpowerfirewalls.com

Book "Max Power 2020: Check Point Firewall Performance Optimization" Third Edition
Now Available at www.maxpowerfirewalls.com
0 Kudos
Highlighted

Thanks!

0 Kudos
Highlighted
Employee+
Employee+

For those who missed it, Dan has officially announced the new Log Exporter update with better Splunk integration.

*New* Splunk App for Check Point Logs 

Admin
Admin

Will it work on Standalone machine?

0 Kudos
Highlighted

I have it running on a standalone logserver.

Regards, Maarten
0 Kudos
Highlighted
Iron

Is it possible to run the LogExporter only on a Log Correlation Unit?

0 Kudos
Highlighted
Employee+
Employee+

You can run the Log Exporter on any server where you can enable the Logging blade (Management, Log server, SmartEvent, etc.).

The Log Exporter uses the Indexing infrastructure so that infrastructure has to be installed on the server. (it doesn't have to actually be active, just needs to be installed. So even if you aren't actively using the server as an Indexer, as long as you have the option to enable the blade that's good enough).

HTH

 Yonatan 

0 Kudos
Highlighted
Employee+
Employee+

Hi, I'd need to add a string at the beginning of the exported logs, is it possible?

Not working on RSA NetWitness / Security Analytics:

"CEF:0|Check Point|VPN-1 & FireWall-1|Check Point|Log|domain-udp|Unknown|act=Accept destinationTranslatedAddress=0.0.0.0 destinationTranslatedPort=0 deviceDirection=0 .....

Working fine on RSA NetWitness / Security Analytics:

"<1> CEF:0|Check Point|VPN-1 & FireWall-1|Check Point|Log|domain-udp|Unknown|act=Accept destinationTranslatedAddress=0.0.0.0 destinationTranslatedPort=0 deviceDirection=0 .....

the addition of the string "<1>" at the beginning of the exported log is needed in order to have the exported log correctly ingested and parsed in the RSA SIEM.

Many thanks

kind regards

Luca

0 Kudos
Highlighted
Employee+
Employee+

Solution provided as follows from the great Kobi 😉

Yes we have this option:

Go to CEFFormatDefinition.xml in $EXPORTERDIR/targets/<target name>/conf

 

Change the line:

<header_format>{}|{}|{}|{}|{}|{}|{}|</header_format>

To be:

<header_format>{} {}|{}|{}|{}|{}|{}|{}|</header_format>

 

In addition, under the line:

<headers>

Add this:

<header>  <default_value>&lt;1&gt;</default_value>  <assign_order>init</assign_order>     </header>

 

Save the file and restart the exporter.

0 Kudos
Highlighted

Hi all, 

Default behaviour appears to be that suppressed logs are not exported to 3rd party SIEM by LogExporter. Is there a way to modify this so that supressed logs ARE exported? 

FYI, the test bed we're working on is RSYSLOG.

Cheers,

Will

Highlighted

Hi,

 

Any help regarding this question? 

I am exporting logs to Splunk with semi-unified mode on, but we are getting all the logs not only the supressed ones.

For example for one loguid we are getting 4 different logs. As in the question mentioned here: https://community.checkpoint.com/t5/Logging-and-Reporting/Log-exporter-not-summary-logging-to-one-ev...

Would be very helpful if it is possible just to export the last summarized event...

Thanks

0 Kudos
Highlighted
Employee
Employee

Can we filter logs that are being sent out through log exporter, by rules ID or name? For example, I would like to have only outbound traffic to internet to be sent out through log exporter. I understand we can modify the targetConfiguration.xml file, and the only fields that can be filtered are as the following:

[log_indexer 23822 4107270976]@CP-SMS[1 Mar 8:09:34] Read Log Format field name:['product']

[log_indexer 23822 4107270976]@CP-SMS[1 Mar 8:09:34] Read Log Format field name:['__policy_id_tag']

[log_indexer 23822 4107270976]@CP-SMS[1 Mar 8:09:34] Read Log Format field name:['inzone']

[log_indexer 23822 4107270976]@CP-SMS[1 Mar 8:09:34] Read Log Format field name:['outzone']

[log_indexer 23822 4107270976]@CP-SMS[1 Mar 8:09:34] Read Log Format field name:['service_id']

[log_indexer 23822 4107270976]@CP-SMS[1 Mar 8:09:34] Read Log Format field name:['src']

[log_indexer 23822 4107270976]@CP-SMS[1 Mar 8:09:34] Read Log Format field name:['s_port']

[log_indexer 23822 4107270976]@CP-SMS[1 Mar 8:09:34] Read Log Format field name:['dst']

[log_indexer 23822 4107270976]@CP-SMS[1 Mar 8:09:34] Read Log Format field name:['service']

[log_indexer 23822 4107270976]@CP-SMS[1 Mar 8:09:34] Read Log Format field name:['proto']

[log_indexer 23822 4107270976]@CP-SMS[1 Mar 8:09:34] Read Log Format field name:['xlatesrc']

[log_indexer 23822 4107270976]@CP-SMS[1 Mar 8:09:34] Read Log Format field name:['xlatedst']

[log_indexer 23822 4107270976]@CP-SMS[1 Mar 8:09:34] Read Log Format field name:['xlatesport']

[log_indexer 23822 4107270976]@CP-SMS[1 Mar 8:09:34] Read Log Format field name:['xlatedport']

[log_indexer 23822 4107270976]@CP-SMS[1 Mar 8:09:34] Read Log Format field name:['nat_rulenum']

[log_indexer 23822 4107270976]@CP-SMS[1 Mar 8:09:34] Read Log Format field name:['nat_addtnl_rulenum']

[log_indexer 23822 4107270976]@CP-SMS[1 Mar 8:09:34] Read Log Format field name:['match_table']

Let me know if there is any other way. thanks.

Highlighted

Hello,

So nice to see your investment into this topic, Yonathan.

We're having some trouble configuring Log Exporter to work with qRadar.

we have updated our Management server to r80.10 JHF 154 just to install new log exporter following PS recommendation. 

We have followed the SK, but the TLS instructions aren't so clear - what certificate\keys goes where, some weird symbols and notes scattered etc.

I think the Qradar screenshot could use some values in it.

has anyone managed to configure this with qRadar and mutual TLS?

0 Kudos
Highlighted

Hi,

I'm trying to filter using the predefined TP "product" with the filter-blade-in option per the example given in sk122323.  Currently all logs are being exported.  I get the following output:

cp_log_export set name <name obfuscated> filter-blade-in "TP"
Error: Argument [filter-blade-in] is undefined for command: [set]

This is on an R80.20 GA w/JHFA 33 open management server with logging.

One other point of clarification - the description for TP in the sk does not include IPS.  I only see that in the EndPoint description.  Was this an omission in the description or is it really not included in the TP filter?

Thanks for the help!

0 Kudos
Highlighted
Employee+
Employee+

Hi Richard,

Sadly, the new log-exporter filtering feature isn't yet supported on R80.20 / R80.30.

from the official log-exporter sk122323 (Installation section):

"Note: Filtering ability is not integrated to R80.20 and R80.30 yet, this SK will be updated when it will be supported."

Coming soon...

 

*In-general, TP filter includes all Threat blades (including IPS blade).

0 Kudos
Highlighted
Employee
Employee

I have a case about integration with Aruba ClearPass , Aruba hope checkpoint SMS send syslog to ClearPass ,and give me a conf file like this。 which XML file should I edit? and which  Field?

CheckPoint_IngressEvent.xml:

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<TipsHeader exportTime="Mon May 27 16:36:00 CST 2019" version="6.7"/>
<IngressEvents>
<IngressEvent>
<Vendor>Check Point</Vendor>
<Description>Check Point log message</Description>
<FormatName>CheckPoint-Log</FormatName>
<Format>TIME LOG_TYPE ORIGIN SERVICE PID ACTION SRC_INTERFACE MESSAGE</Format>
<Prefix>CheckPoint-Log</Prefix>
<Enabled>false</Enabled>
<Sample>Mon Jul 20 15:56:36 Log host CPLogToSyslog: 49154 redirect &lt;eth1 web_client_type: Firefox; resource: http://sc1.checkpoint.com/za/images/threatwiki/pages/testantibotblade.html; src: 10.70.11.11; dst: 194.29.36.43; proto: 6; session_id: {0x55acf003,0x1,0xb4617ac,0xc0000002}; Protection name: Check Point - Testing Bot; malware_family: Check Point; Confidence Level: 5; severity: 2; malware_action: Communication with CandC; rule_uid: {6AA76C68-D45C-4E78-BAD1-34C42548BF41}; Protection Type: URL reputation; malware_rule_id: {645B69FE-85AC-F748-AA79-5652BF58BF6A}; protection_id: 00233CFEE; log_id: 2; proxy_src_ip: 10.70.11.11; scope: 10.70.11.11; aba_customer: Default; date: 20Jul2015; hour: 15:56:35; type: log; Interface: &gt; eth1; product: Anti Malware; service: 8080; s_port: 39490;</Sample>
<Filter>filter {
grok {
match =&gt; { 'message' =&gt; '%{SYSLOGTIMESTAMP:time}%{SPACE}%{WORD:log_type}%{SPACE}%{WORD:origin}%{SPACE}%{WORD:service}:%{SPACE}%{WORD:pid}%{SPACE}%{WORD:action}%{SPACE}%{DATA:src_interface} %{GREEDYDATA:syslog_message}'}
add_tag =&gt; [ "CP" ]
}
if("CP" in [tags]){
mutate {
replace =&gt; [ '@message', '%{syslog_message}' ]
}
kv {
source =&gt; '@message'
prefix =&gt; 'Event:CheckPoint-Log:'
field_split =&gt; ';'
value_split =&gt; ':'
trim =&gt; ' '
trimkey =&gt; ' '
}
mutate {
remove_field =&gt; ['@version','path','syslog_message','@message','message']
add_field =&gt; [ 'Event:Event-Name', '%{service}' ]
add_field =&gt; [ 'Event:Timestamp', '%{time}' ]
add_field =&gt; [ 'Event:Pattern-Name', 'CheckPoint-Log' ]

}
ruby {
code =&gt; "
data = event.clone.to_hash;
data.each do |k,v|
if (k != '@timestamp' and !k.start_with?('Event:') and !k.start_with?('@'))
newFieldName = 'Event:CheckPoint-Log:'+ k
event[newFieldName] = v
event.remove(k)
end
end
tstamp = Time.now.to_i
tstamp_str = Time.at(tstamp).strftime('%Y-%m-%d %H:%M:%S')
event['Event:Timestamp'] = tstamp_str
"
}
}
}</Filter>
<FieldMapping>
<Field AllowedValues="" DataType="Time" Name="time"/>
<Field AllowedValues="" DataType="String" Name="log_type"/>
<Field AllowedValues="" DataType="String" Name="origin"/>
<Field AllowedValues="" DataType="String" Name="pid"/>
<Field AllowedValues="" DataType="String" Name="action"/>
<Field AllowedValues="" DataType="String" Name="service"/>
<Field AllowedValues="" DataType="String" Name="src_interface"/>
<Field AllowedValues="" DataType="String" Name="web_client_type"/>
<Field AllowedValues="" DataType="String" Name="resource"/>
<Field AllowedValues="" DataType="String" Name="src"/>
<Field AllowedValues="" DataType="String" Name="dst"/>
<Field AllowedValues="" DataType="String" Name="proto"/>
<Field AllowedValues="" DataType="String" Name="session_id"/>
<Field AllowedValues="" DataType="String" Name="Protectionname"/>
<Field AllowedValues="" DataType="String" Name="malware_family"/>
<Field AllowedValues="" DataType="String" Name="ConfidenceLevel"/>
<Field AllowedValues="" DataType="String" Name="severity"/>
<Field AllowedValues="" DataType="String" Name="malware_action"/>
<Field AllowedValues="" DataType="String" Name="rule_uid"/>
<Field AllowedValues="" DataType="String" Name="ProtectionType"/>
<Field AllowedValues="" DataType="String" Name="malware_rule_id"/>
<Field AllowedValues="" DataType="String" Name="protection_id"/>
<Field AllowedValues="" DataType="String" Name="log_id"/>
<Field AllowedValues="" DataType="String" Name="proxy_src_ip"/>
<Field AllowedValues="" DataType="String" Name="scope"/>
<Field AllowedValues="" DataType="String" Name="aba_customer"/>
<Field AllowedValues="" DataType="String" Name="date"/>
<Field AllowedValues="" DataType="String" Name="hour"/>
<Field AllowedValues="" DataType="String" Name="Interface"/>
<Field AllowedValues="" DataType="String" Name="product"/>
<Field AllowedValues="" DataType="String" Name="s_port"/>
</FieldMapping>
<GenericFieldMapping>
<Field GenericName="Event-Name" Name="service"/>
<Field GenericName="Timestamp" Name="time"/>
</GenericFieldMapping>
</IngressEvent>
</IngressEvents>
</TipsContents>
0 Kudos
Highlighted
Copper

hi,

interesting feature.

2 questions regarding this one:

 

1.  is it possible to export the main CMA ? (content of /opt/CPmds-R80.30/log)

      I tried the command but a warning appears: Failed to change env to customer: <IP.IP.IP.IP> 

2. Is it possible to export a single domain to multiple destinations? target-server 1 & target-server 2

 

Thanks

Best Regards

 

 

 

0 Kudos