cancel
Showing results for 
Search instead for 
Did you mean: 
Create a Post

Re: Log Exporter guide

Maybe i can use log exporter tool in custom script for sending messages?

0 Kudos
Employee+
Employee+

Re: Log Exporter guide

Hi,

I'm not sure I understand the question. I suspect the answer is no. The Log Exporter uses the indexing infrastructure (that Checkpoint log servers use). It reads *.fw log files, but instead of 'indexing' them it sends the logs to the interface send queue.

I don't see how you can insert scripts into this chain, nor can this run on a server without the indexing infrastructure (e.g. log servers)

Re: Log Exporter guide

Jonathan,

Something that is not completely clear to me, when we want to use TLS and we have a official cert at the other end, do I still need to created local files to allow this to be used? Or can I just tell log exporter to use TLS?

Regards, Maarten
0 Kudos
Employee+
Employee+

Re: Log Exporter guide

The Log Exporter uses mutual authentication - both sides need to authenticate each other.

When we were looking at the TLS implementation of other vendors we noticed that some of them use single sided authentication, but after considering the issue we decided to err on the side of more security and implemented mutual authentication.

Hope that answers your question. it's always a bit difficult for me to address TLS related questions as that's not my area of expertise, and while I was involved in the TLS discussions during the implementations, I was mostly on the sidelines of those discussions and left it to the relevant experts to do the heavy lifting.

HTH 

 Yonatan 

0 Kudos
Jeff_Gao
Nickel

Re: Log Exporter guide

Log_export can export all software blade log to external syslog server ?

0 Kudos
Employee+
Employee+

Re: Log Exporter guide

Yes.

The Log Exporter can export everything in the fw.log file regardless of the content.

It basically treats everything in the log payload as an alphanumeric string.

All the adaptations, mappings, filters, etc. are all based on string/text manipulation regardless of the content ("blade").

HTH 

 Yonatan 

0 Kudos

Re: Log Exporter guide

Hi Yonatan, I just configured log exporter so send logs via syslog to SIEM server, however when log sent I don't see protocol field in the log, when sent vi LEA  saw for example - protocol=UDP etc. but now I get only proto=6, proto=17 etc. How do I convert it to protocol name? Is there any proto(number) to protocol(actual protocol name) mapping exist?

0 Kudos

Re: Log Exporter guide

0 Kudos

Re: Log Exporter guide

Also the /etc/protocols file on Gaia/Linux.

--
Second Edition of my "Max Power" Firewall Book
Now Available at http://www.maxpowerfirewalls.com

"IPS Immersion Training" Self-paced Video Class
Now Available at http://www.maxpowerfirewalls.com
0 Kudos

Re: Log Exporter guide

Thanks!

0 Kudos
Employee+
Employee+

Re: Log Exporter guide

For those who missed it, Dan has officially announced the new Log Exporter update with better Splunk integration.

*New* Splunk App for Check Point Logs 

Re: Log Exporter guide

Will it work on Standalone machine?

0 Kudos

Re: Log Exporter guide

I have it running on a standalone logserver.

Regards, Maarten
0 Kudos
Chris_W
Iron

Re: Log Exporter guide

Is it possible to run the LogExporter only on a Log Correlation Unit?

0 Kudos
Employee+
Employee+

Re: Log Exporter guide

You can run the Log Exporter on any server where you can enable the Logging blade (Management, Log server, SmartEvent, etc.).

The Log Exporter uses the Indexing infrastructure so that infrastructure has to be installed on the server. (it doesn't have to actually be active, just needs to be installed. So even if you aren't actively using the server as an Indexer, as long as you have the option to enable the blade that's good enough).

HTH

 Yonatan 

0 Kudos
Employee+
Employee+

Re: Log Exporter guide

Hi, I'd need to add a string at the beginning of the exported logs, is it possible?

Not working on RSA NetWitness / Security Analytics:

"CEF:0|Check Point|VPN-1 & FireWall-1|Check Point|Log|domain-udp|Unknown|act=Accept destinationTranslatedAddress=0.0.0.0 destinationTranslatedPort=0 deviceDirection=0 .....

Working fine on RSA NetWitness / Security Analytics:

"<1> CEF:0|Check Point|VPN-1 & FireWall-1|Check Point|Log|domain-udp|Unknown|act=Accept destinationTranslatedAddress=0.0.0.0 destinationTranslatedPort=0 deviceDirection=0 .....

the addition of the string "<1>" at the beginning of the exported log is needed in order to have the exported log correctly ingested and parsed in the RSA SIEM.

Many thanks

kind regards

Luca

0 Kudos
Employee+
Employee+

Re: Log Exporter guide

Solution provided as follows from the great Kobi 😉

Yes we have this option:

Go to CEFFormatDefinition.xml in $EXPORTERDIR/targets/<target name>/conf

 

Change the line:

<header_format>{}|{}|{}|{}|{}|{}|{}|</header_format>

To be:

<header_format>{} {}|{}|{}|{}|{}|{}|{}|</header_format>

 

In addition, under the line:

<headers>

Add this:

<header>  <default_value>&lt;1&gt;</default_value>  <assign_order>init</assign_order>     </header>

 

Save the file and restart the exporter.

0 Kudos

Re: Log Exporter guide

Hi all, 

Default behaviour appears to be that suppressed logs are not exported to 3rd party SIEM by LogExporter. Is there a way to modify this so that supressed logs ARE exported? 

FYI, the test bed we're working on is RSYSLOG.

Cheers,

Will

Re: Log Exporter guide

Hi,

 

Any help regarding this question? 

I am exporting logs to Splunk with semi-unified mode on, but we are getting all the logs not only the supressed ones.

For example for one loguid we are getting 4 different logs. As in the question mentioned here: https://community.checkpoint.com/t5/Logging-and-Reporting/Log-exporter-not-summary-logging-to-one-ev...

Would be very helpful if it is possible just to export the last summarized event...

Thanks

0 Kudos
Employee
Employee

Re: Log Exporter guide

Can we filter logs that are being sent out through log exporter, by rules ID or name? For example, I would like to have only outbound traffic to internet to be sent out through log exporter. I understand we can modify the targetConfiguration.xml file, and the only fields that can be filtered are as the following:

[log_indexer 23822 4107270976]@CP-SMS[1 Mar 8:09:34] Read Log Format field name:['product']

[log_indexer 23822 4107270976]@CP-SMS[1 Mar 8:09:34] Read Log Format field name:['__policy_id_tag']

[log_indexer 23822 4107270976]@CP-SMS[1 Mar 8:09:34] Read Log Format field name:['inzone']

[log_indexer 23822 4107270976]@CP-SMS[1 Mar 8:09:34] Read Log Format field name:['outzone']

[log_indexer 23822 4107270976]@CP-SMS[1 Mar 8:09:34] Read Log Format field name:['service_id']

[log_indexer 23822 4107270976]@CP-SMS[1 Mar 8:09:34] Read Log Format field name:['src']

[log_indexer 23822 4107270976]@CP-SMS[1 Mar 8:09:34] Read Log Format field name:['s_port']

[log_indexer 23822 4107270976]@CP-SMS[1 Mar 8:09:34] Read Log Format field name:['dst']

[log_indexer 23822 4107270976]@CP-SMS[1 Mar 8:09:34] Read Log Format field name:['service']

[log_indexer 23822 4107270976]@CP-SMS[1 Mar 8:09:34] Read Log Format field name:['proto']

[log_indexer 23822 4107270976]@CP-SMS[1 Mar 8:09:34] Read Log Format field name:['xlatesrc']

[log_indexer 23822 4107270976]@CP-SMS[1 Mar 8:09:34] Read Log Format field name:['xlatedst']

[log_indexer 23822 4107270976]@CP-SMS[1 Mar 8:09:34] Read Log Format field name:['xlatesport']

[log_indexer 23822 4107270976]@CP-SMS[1 Mar 8:09:34] Read Log Format field name:['xlatedport']

[log_indexer 23822 4107270976]@CP-SMS[1 Mar 8:09:34] Read Log Format field name:['nat_rulenum']

[log_indexer 23822 4107270976]@CP-SMS[1 Mar 8:09:34] Read Log Format field name:['nat_addtnl_rulenum']

[log_indexer 23822 4107270976]@CP-SMS[1 Mar 8:09:34] Read Log Format field name:['match_table']

Let me know if there is any other way. thanks.

Re: Log Exporter guide

Hello,

So nice to see your investment into this topic, Yonathan.

We're having some trouble configuring Log Exporter to work with qRadar.

we have updated our Management server to r80.10 JHF 154 just to install new log exporter following PS recommendation. 

We have followed the SK, but the TLS instructions aren't so clear - what certificate\keys goes where, some weird symbols and notes scattered etc.

I think the Qradar screenshot could use some values in it.

has anyone managed to configure this with qRadar and mutual TLS?

0 Kudos

Re: Log Exporter guide

Hi,

I'm trying to filter using the predefined TP "product" with the filter-blade-in option per the example given in sk122323.  Currently all logs are being exported.  I get the following output:

cp_log_export set name <name obfuscated> filter-blade-in "TP"
Error: Argument [filter-blade-in] is undefined for command: [set]

This is on an R80.20 GA w/JHFA 33 open management server with logging.

One other point of clarification - the description for TP in the sk does not include IPS.  I only see that in the EndPoint description.  Was this an omission in the description or is it really not included in the TP filter?

Thanks for the help!

0 Kudos
Employee+
Employee+

Re: Log Exporter guide

Hi Richard,

Sadly, the new log-exporter filtering feature isn't yet supported on R80.20 / R80.30.

from the official log-exporter sk122323 (Installation section):

"Note: Filtering ability is not integrated to R80.20 and R80.30 yet, this SK will be updated when it will be supported."

Coming soon...

 

*In-general, TP filter includes all Threat blades (including IPS blade).

0 Kudos
Employee
Employee

Re: Log Exporter guide

I have a case about integration with Aruba ClearPass , Aruba hope checkpoint SMS send syslog to ClearPass ,and give me a conf file like this。 which XML file should I edit? and which  Field?

CheckPoint_IngressEvent.xml:

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<TipsHeader exportTime="Mon May 27 16:36:00 CST 2019" version="6.7"/>
<IngressEvents>
<IngressEvent>
<Vendor>Check Point</Vendor>
<Description>Check Point log message</Description>
<FormatName>CheckPoint-Log</FormatName>
<Format>TIME LOG_TYPE ORIGIN SERVICE PID ACTION SRC_INTERFACE MESSAGE</Format>
<Prefix>CheckPoint-Log</Prefix>
<Enabled>false</Enabled>
<Sample>Mon Jul 20 15:56:36 Log host CPLogToSyslog: 49154 redirect &lt;eth1 web_client_type: Firefox; resource: http://sc1.checkpoint.com/za/images/threatwiki/pages/testantibotblade.html; src: 10.70.11.11; dst: 194.29.36.43; proto: 6; session_id: {0x55acf003,0x1,0xb4617ac,0xc0000002}; Protection name: Check Point - Testing Bot; malware_family: Check Point; Confidence Level: 5; severity: 2; malware_action: Communication with CandC; rule_uid: {6AA76C68-D45C-4E78-BAD1-34C42548BF41}; Protection Type: URL reputation; malware_rule_id: {645B69FE-85AC-F748-AA79-5652BF58BF6A}; protection_id: 00233CFEE; log_id: 2; proxy_src_ip: 10.70.11.11; scope: 10.70.11.11; aba_customer: Default; date: 20Jul2015; hour: 15:56:35; type: log; Interface: &gt; eth1; product: Anti Malware; service: 8080; s_port: 39490;</Sample>
<Filter>filter {
grok {
match =&gt; { 'message' =&gt; '%{SYSLOGTIMESTAMP:time}%{SPACE}%{WORD:log_type}%{SPACE}%{WORD:origin}%{SPACE}%{WORD:service}:%{SPACE}%{WORD:pid}%{SPACE}%{WORD:action}%{SPACE}%{DATA:src_interface} %{GREEDYDATA:syslog_message}'}
add_tag =&gt; [ "CP" ]
}
if("CP" in [tags]){
mutate {
replace =&gt; [ '@message', '%{syslog_message}' ]
}
kv {
source =&gt; '@message'
prefix =&gt; 'Event:CheckPoint-Log:'
field_split =&gt; ';'
value_split =&gt; ':'
trim =&gt; ' '
trimkey =&gt; ' '
}
mutate {
remove_field =&gt; ['@version','path','syslog_message','@message','message']
add_field =&gt; [ 'Event:Event-Name', '%{service}' ]
add_field =&gt; [ 'Event:Timestamp', '%{time}' ]
add_field =&gt; [ 'Event:Pattern-Name', 'CheckPoint-Log' ]

}
ruby {
code =&gt; "
data = event.clone.to_hash;
data.each do |k,v|
if (k != '@timestamp' and !k.start_with?('Event:') and !k.start_with?('@'))
newFieldName = 'Event:CheckPoint-Log:'+ k
event[newFieldName] = v
event.remove(k)
end
end
tstamp = Time.now.to_i
tstamp_str = Time.at(tstamp).strftime('%Y-%m-%d %H:%M:%S')
event['Event:Timestamp'] = tstamp_str
"
}
}
}</Filter>
<FieldMapping>
<Field AllowedValues="" DataType="Time" Name="time"/>
<Field AllowedValues="" DataType="String" Name="log_type"/>
<Field AllowedValues="" DataType="String" Name="origin"/>
<Field AllowedValues="" DataType="String" Name="pid"/>
<Field AllowedValues="" DataType="String" Name="action"/>
<Field AllowedValues="" DataType="String" Name="service"/>
<Field AllowedValues="" DataType="String" Name="src_interface"/>
<Field AllowedValues="" DataType="String" Name="web_client_type"/>
<Field AllowedValues="" DataType="String" Name="resource"/>
<Field AllowedValues="" DataType="String" Name="src"/>
<Field AllowedValues="" DataType="String" Name="dst"/>
<Field AllowedValues="" DataType="String" Name="proto"/>
<Field AllowedValues="" DataType="String" Name="session_id"/>
<Field AllowedValues="" DataType="String" Name="Protectionname"/>
<Field AllowedValues="" DataType="String" Name="malware_family"/>
<Field AllowedValues="" DataType="String" Name="ConfidenceLevel"/>
<Field AllowedValues="" DataType="String" Name="severity"/>
<Field AllowedValues="" DataType="String" Name="malware_action"/>
<Field AllowedValues="" DataType="String" Name="rule_uid"/>
<Field AllowedValues="" DataType="String" Name="ProtectionType"/>
<Field AllowedValues="" DataType="String" Name="malware_rule_id"/>
<Field AllowedValues="" DataType="String" Name="protection_id"/>
<Field AllowedValues="" DataType="String" Name="log_id"/>
<Field AllowedValues="" DataType="String" Name="proxy_src_ip"/>
<Field AllowedValues="" DataType="String" Name="scope"/>
<Field AllowedValues="" DataType="String" Name="aba_customer"/>
<Field AllowedValues="" DataType="String" Name="date"/>
<Field AllowedValues="" DataType="String" Name="hour"/>
<Field AllowedValues="" DataType="String" Name="Interface"/>
<Field AllowedValues="" DataType="String" Name="product"/>
<Field AllowedValues="" DataType="String" Name="s_port"/>
</FieldMapping>
<GenericFieldMapping>
<Field GenericName="Event-Name" Name="service"/>
<Field GenericName="Timestamp" Name="time"/>
</GenericFieldMapping>
</IngressEvent>
</IngressEvents>
</TipsContents>
0 Kudos
S_E_
Nickel

Re: Log Exporter guide

hi,

interesting feature.

2 questions regarding this one:

 

1.  is it possible to export the main CMA ? (content of /opt/CPmds-R80.30/log)

      I tried the command but a warning appears: Failed to change env to customer: <IP.IP.IP.IP> 

2. Is it possible to export a single domain to multiple destinations? target-server 1 & target-server 2

 

Thanks

Best Regards

 

 

 

0 Kudos
Employee+
Employee+

Re: Log Exporter guide

Hi S_E_ (Nickel),

1. Yea. You just need to use the domain-server mds for the mds/global level.

      "On MDS/MLM: domain-server argument is mandatory, you can use 'mds' as the value for domain-server in order to export mds level audit logs"

2. Yea. You just need to add another log-exporter on that same domain-server, but with a different target-server <IP>.

      quick shortcut way to create another identical exporter is simply copying entire folder (It'll also register it as new. Simply edit what you need afterwards, by either using the set command or manually) by:

       mdsenv <relevant domain-name/IP>

       cp -rf $EXPORTERDIR/targets/<name> $EXPORTERDIR/targets/<new_name>

phlrnnr
Silver

Re: Log Exporter guide

Feature request - it seems that the 'target-server' must be an IP address.  It would be great if this can be updated to either a domain name or an IP address.  That would allow for flexibility when a customer is controlling which syslog server you are hitting via DNS.  Thanks for considering.

0 Kudos