Re: Log Exporter guide

Hi, Just to confirm I am reading this correctly.  I have a vsx with 5 firewalls and need to send logs from just 3 to a qradar siem. In cplogtosyslog I could filter on the CN=,O= to send these logs. 

If I read this thread correctly I cannot do that with Logexporter?

Re: Log Exporter guide

Hi Petrus,

This is correct.

We have some filtering options (as described in this post), but advanced filters are still a major gap and a major item on our roadmap.

Filtering to only one GW is, unfortunately, an example of the gap.

Re: Log Exporter guide

Hello,

We upgraded one of our lower lifecycle environments to R80.20 EA about a month ago, and I'm trying to configure the log exporter tool to send data to our staging Splunk environment (so that we can replace OPSEC LEA).  The management server is MDS with three domains, and I've successfully added the exporter (syslog) to one of the domains.  I've deleted and recreated the exporter using a variety of settings, but I'm seeing the same behavior each time.

Our Splunk administrator reports that data is successfully making it to his end (i.e. a file is created in the directory where all of the syslog data lands), but when you open up the file it just shows the timestamp, our MDS server name, the word CheckPoint, and the current process ID of the log exporter daemon (see below).  It looks like it's going all the way back to the start of the previous day's log, but it's not populating it with the actual information.

Jul 10 02:48:31 <MDS_SERVER_NAME> CheckPoint[13032]
Jul 10 02:48:31 <MDS_SERVER_NAME> CheckPoint[13032]
Jul 10 02:48:31 <MDS_SERVER_NAME> CheckPoint[13032]
Jul 10 02:48:31 <MDS_SERVER_NAME> CheckPoint[13032]
Jul 10 02:48:31 <MDS_SERVER_NAME> CheckPoint[13032]
Jul 10 02:48:31 <MDS_SERVER_NAME> CheckPoint[13032]
Jul 10 02:48:31 <MDS_SERVER_NAME> CheckPoint[13032]

Am I missing something easy here?

Thanks,

Ryan

Re: Log Exporter guide

Hi Ryan,

This sounds like something that should definitely be investigated.

I think that this can probably best be addressed via a remote session.

I think the best approach here is to open a ticket with TAC and have one of their engineers look at the settings.

There is something fishy in this output and this format: 

Jul 10 02:48:31 <MDS_SERVER_NAME> CheckPoint[13032]

This doesn't look like any of the preconfigured formats we use. I suspect that this specific header is not actually generated by Check Point but probably by some other server somewhere in the path.

But figuring this out from a forum post is unlikely. 

As I stated before - the best approach is probably via a ticket with TAC.

HTH 

 Yonatan 

Re: Log Exporter guide

Hello,

I have recently deployed this tool onto a few of our R80.10 log servers and have it configured to send logs to an ArcSight collector via CEF.  The ArcSight admin has mentioned the headers seem to be a bit different compared to what they are seeing from our R77.30 gateway.

From our R80.10 log 

CEF:0|Check Point|VPN-1 & FireWall-1|Check Point|Log|Log|Unknown| eventId=458052771 proto=TCP catdt=Firewall art=1531238932768

And from our R77.30 gateway

CEF:0|Check Point|VPN-1 & FireWall-1||accept|accept|Low| eventId=55639967897

Specifically they were asking why these logs were showing up with accepts/denies previously, whereas now it looks like we are just sending "log"/"log" over to them.

Is this something that is configurable on the checkpoint end?

Thanks.

Re: Log Exporter guide

Hi Bryan,

It feels as if we haven't spoken in a very long time Smiley Happy

The CEF header is actually identical in both R77.30 and R80.10. It uses the exact same code.

The difference is likely from the logs themselves which have changed over time (especially when you compare R77.30 to R80.10).

You can actually see how the CEF header is built in the CefFormatDefinition.xml file.

CEF:Version|Device Vendor|Device Product|Device Version|Signature ID|Name|Severity|Extension

You're asking about the 5th and 6th position - 'Signature ID' and 'Name'.

The Signature ID is defined as (I edited this to make it more readable):

<default_value>Log</default_value>    // If nothing else fits use this value
<assign_order>first</assign_order>     // use the first value you find from the following list of possible values
attack , protection_type , verdict, match_table, protection_type, verdict, matched_category, dlp_data_type_name,  primary_application, app_category, app_properties

The Name is defined as:

<default_value>Log</default_value>   // If nothing else fits use this value
<assign_order>first</assign_order>    // use the first value you find from the following list of possible values
protection_name, primary_application, appi_name, message_info, protection_name, service_id

So there are multiple possible values depending on the specific log you use, with a default value of 'Log' in case you don't find any other valid value.

Not sure how the second 'accept' got there as it doesn't seem to fit any of the categories, but you'll have to look at the specific example.

In any case, once you understand the logic it's easy to reverse engineer the header and see how it was created. It follows very basic assignment rules.

Hope this helped clarify some of the issues.

Yonatan 
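
The assignment rule just described, as an added example that is not Check Point's code: a small Python model of the assign_order=first logic from CefFormatDefinition.xml for the 'Signature ID' and 'Name' positions. The candidate field lists are the ones quoted in the reply above; the three log records are constructed samples, and severity is passed in as a parameter because the reply does not describe how that position is derived. The explain_header() helper does the "reverse engineering" the reply mentions: it reports which log field supplied each position, or None when the default 'Log' was used.

```python
"""Added example, not Check Point code: a model of the assign_order=first
rule from CefFormatDefinition.xml that picks the CEF 'Signature ID' and
'Name' header fields. Candidate lists are those quoted in the thread;
the log records are constructed samples; severity is a plain parameter."""

CEF_VERSION = "0"
DEVICE_VENDOR = "Check Point"
DEVICE_PRODUCT = "VPN-1 & FireWall-1"
DEFAULT_VALUE = "Log"          # <default_value>Log</default_value>

# Position 5, Signature ID: candidate log fields in assign_order=first order.
SIGNATURE_ID_FIELDS = [
    "attack", "protection_type", "verdict", "match_table", "protection_type",
    "verdict", "matched_category", "dlp_data_type_name", "primary_application",
    "app_category", "app_properties",
]
# Position 6, Name.
NAME_FIELDS = [
    "protection_name", "primary_application", "appi_name", "message_info",
    "protection_name", "service_id",
]

# Constructed sample logs (field names as they appear in raw Check Point logs).
FIREWALL_LOG = {"product": "VPN-1 & FireWall-1", "action": "Accept",
                "proto": "TCP", "src": "192.0.2.10", "dst": "192.0.2.20"}
APPCTL_LOG = {"product": "Application Control", "action": "Allow",
              "app_category": "Computers / Internet",
              "matched_category": "Computers / Internet",
              "appi_name": "Google Services"}
AV_LOG = {"product": "Anti Malware", "protection_type": "protection",
          "protection_name": "Malicious Binary.TC.xxxxxx", "severity": "1"}


def choose(log, candidates, default=DEFAULT_VALUE):
    """assign_order=first: return (field, value) for the first candidate that
    is present and non-empty in the log, or (None, default) if none fits."""
    for field in candidates:
        value = log.get(field)
        if value not in (None, ""):
            return field, str(value)
    return None, default


def escape_header(value):
    """CEF header fields escape backslash and the pipe separator."""
    return value.replace("\\", "\\\\").replace("|", "\\|")


def cef_header(log, device_version="Check Point", severity="Unknown"):
    """Build the seven-field CEF header for one log record."""
    _, signature_id = choose(log, SIGNATURE_ID_FIELDS)
    _, name = choose(log, NAME_FIELDS)
    fields = [CEF_VERSION, DEVICE_VENDOR, DEVICE_PRODUCT, device_version,
              signature_id, name, severity]
    return "CEF:" + "|".join(escape_header(f) for f in fields) + "|"


def explain_header(log):
    """Reverse-engineer a header: which log field supplied each position."""
    return {"Signature ID": choose(log, SIGNATURE_ID_FIELDS),
            "Name": choose(log, NAME_FIELDS)}


if __name__ == "__main__":
    for label, log in (("firewall", FIREWALL_LOG), ("appctl", APPCTL_LOG), ("av", AV_LOG)):
        print(label, cef_header(log), explain_header(log))
```

Running it shows why a plain firewall accept comes out as `Log|Log`: none of the Signature ID or Name candidates exist in that record, so both positions fall back to the default, while the Application Control record picks up `matched_category` and `appi_name`.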

Re: Log Exporter guide

Thank you so much again for the chat regarding vSec Yonatan Smiley Happy  

I must be blind, because I do not see a CefFormatDefinition.xml file in the $EXPORTERDIR or $EXPORTERDIR/targets directory.

Re: Log Exporter guide

Hi Bryan,

You are correct. I forgot to specify that all FormatDefinition files (Cef, syslog, etc.) are under the conf folder.

$EXPORTERDIR/targets/<name>/conf/CefFormatDefinition.xml

HTH

 Yonatan 

Re: Log Exporter guide

Yonatan, if I were to install a separate log server with SIC to management, would I be able to run Log Exporter from there? We have a number of customers that run a log server in their own environment that we just set up as an additional log server, and now the customer wants to send his log data to 2 different destinations. As they log about 10GB a day we don't want this data to be sent twice from our management server with 50 customers on it.

So the main question here is: will we be able to run 2 log exporter sessions, one in syslog format to an IBM system and a CEF exporter to an ArcSight SIEM?

Regards, Maarten
Re: Log Exporter guide

Hi Maarten,

Yes, you can run the Log Exporter from any CheckPoint server installed as a log server.

You can also have multiple deployments on the same server using different configurations.

By IBM do you mean QRadar? If so, I believe QRadar can also work with CEF.

I would also point you to my comment about LEEF (the native QRadar format):

What’s the deal with LEEF – is it support or not?

Yes… with some caveats.

We are not yet fully LEEF compliant in that the timestamp is sent in epoch (which is not supported by LEEF). We do however have an ongoing collaboration with IBM and they plan to update LEEF to support epoch format as well.
Once they do that we will be LEEF compliant.
Unfortunately, I don’t have access to any of their timetables and don’t know when they are actually going to do this.

And while it's been several months since I've posted this, the status of LEEF hasn't changed. It's something we hope to fully support in the future, but we are dependent on IBM to first implement some changes on their end.

HTH 

 Yonatan 

Re: Log Exporter guide

Hello Yonatan,

I'm testing 80.10 and the log export utility, specifically looking for IPS and AV logs. I've just noticed that AV logs include the source port but IPS logs do not (the source port for the related event is included in the traffic info, as a new line).

results are the same for CEF & Syslog

part of anti-virus log (all fields, source port included)

......;s_port=35679;service=80;malware_action=Malicious file/exploit download;protection_name=Malicious Binary.TC.xxxxxx;protection_id=07597e9Dd;protection_type=protection;severity=1........

source port included in the first event of the IPS log (prevent log)

.....time=1533316810;src=xxx;dst=xxx;s_port=35681;service=80;action=Prevent;flags=411904;......
no source port in the second event (part of the IPS event)
t....;protection_name=Oracle WebLogic WLS Security Component Remote Code Execution (CVE-2017-10271);protection_id=asm_dynamic_prop_CVE_2017_10271;... there are more fields but no sourceport
Is this expected behaviour, or am I missing something (log unification?)
I also have an R77.30 setup, with the 7730 management add-on installed and syslog configured through the dashboard; there it's possible to get the whole information as one line including the source port and attack info.
Re: Log Exporter guide

Hi Onur,

You probably hit the nail directly on the head with your comment about log unification.

The thing to remember about the Log Exporter is that it's mostly an infrastructure service feature. We take the data (logs), manipulate how it looks (without adding or subtracting data from the payload*) and forward it on.

Each blade owner (IPS, AV, APPI etc.) decides on his own how the logs are generated and updated over time.

(* - We do add headers, and if you use filters we also remove data. We also allow the use of callback functions that manipulate data. )

As for the changes between R77.30 to R80+ those are again, likely related to the changes in the logs themselves.

The logs do change over time, from either new features developed or from the desire to improve the logs themselves - their readability, and overall usefulness. 

We actually have several ongoing projects to improve user experience with logs that will change things about their look and feel and sometimes even content. Most of those projects will mature and be published in future versions, and some will wither and die if we decide they don't actually improve the current state. We are always striving to improve the user experience wherever and whenever we can, and that means that logs change over time.

I can add that one of the features we are currently developing for the Log Exporter is a new optional mode called semi-unified which will combine some features of raw mode and unified mode.

This mode actually already existed in the LEA OPSEC feature, and we are now integrating it into the Log Exporter.

Update logs will still be sent as they arrive, but will now be sent as a unified log. This will slightly increase the bandwidth (I say slightly because updates, in general, are a very small percentage of the overall number of logs) but should make the update logs more readable.

Let me give you an example of a log + update logs in raw mode vs semi-unified mode. This is probably not the most interesting example, but it's one I have on hand and makes the differences easy to understand. It's an Application Control update of an ongoing session, updating the browse time and the number of bytes (I obfuscated sensitive data, and removed some of the fields that don't really have an impact on this example):

Raw mode:

Event:
time=1504750545|hostname=hugo1-take-421|loguid={0x59b0abd1,0x19d,0x101a8c0,0xc0000000}|product=Application Control|action=Allow|origin=X.X.X.X|app_category=Computers / Internet|app_desc=Google offers a variety of tools and online services and encourages developers to use their tools' APIs. A key element in these products is data communication with Google's servers, which may be generated without an active request by the user. Supported from: R75.|app_id=60340676|app_properties=Computers / Internet, SSL Protocol, Low Risk, Search Engines / Portals|app_risk=2|app_rule_id={6999AABA-B5F8-4EA6-8959-E355723635B2}|app_sig_id=60340676:15|appi_name=Google Services|dst=X.X.X.X|matched_category=Computers / Internet|proto=17|proxy_src_ip=X.X.X.X|s_port=51580|service=443|src=X.X.X.X|

Update_1:

time=1504750556|hostname=hugo1-take-421|loguid={0x59b0abd1,0x19d,0x101a8c0,0xc0000000}|product=Application Control|action=Allow|origin=X.X.X.X|app_id=60340676|browse_time=1|bytes=52|dst=X.X.X.X|proto=17|received_bytes=0|s_port=51580|sent_bytes=52|service=443|src=X.X.X.X|suppressed_logs=4|

Update_2:

time=1504751146|hostname=hugo1-take-421|loguid={0x59b0abd1,0x19d,0x101a8c0,0xc0000000}|product=Application Control|action=Allow|origin=X.X.X.X|app_id=60340676|browse_time=10|bytes=1642|dst=X.X.X.X|proto=17|received_bytes=0|s_port=51580|sent_bytes=1642|service=443|src=X.X.X.X|suppressed_logs=4|

Semi unified:

Event:

time=1504750545|hostname=hugo1-take-421|loguid={0x59b0abd1,0x19d,0x101a8c0,0xc0000000}|product=Application Control|action=Allow|origin=X.X.X.X|app_category=Computers / Internet|app_desc=Google offers a variety of tools and online services and encourages developers to use their tools' APIs. A key element in these products is data communication with Google's servers, which may be generated without an active request by the user. Supported from: R75.|app_id=60340676|app_properties=Computers / Internet, SSL Protocol, Low Risk, Search Engines / Portals|app_risk=2|app_rule_id={6999AABA-B5F8-4EA6-8959-E355723635B2}|app_sig_id=60340676:15|appi_name=Google Services|dst=X.X.X.X|matched_category=Computers / Internet|proto=17|proxy_src_ip=X.X.X.X|s_port=51580|service=443|src=X.X.X.X|

Update_1:

time=1504750545|hostname=hugo1-take-421|loguid={0x59b0abd1,0x19d,0x101a8c0,0xc0000000}|product=Application Control|action=Allow|origin=X.X.X.X|app_category=Computers / Internet|app_desc=Google offers a variety of tools and online services and encourages developers to use their tools' APIs. A key element in these products is data communication with Google's servers, which may be generated without an active request by the user. Supported from: R75.|app_id=60340676|app_properties=Computers / Internet, SSL Protocol, Low Risk, Search Engines / Portals|app_risk=2|app_rule_id={6999AABA-B5F8-4EA6-8959-E355723635B2}|app_sig_id=60340676:15|appi_name=Google Services|browse_time=1|bytes=52|dst=X.X.X.X|lastupdatetime=1504750556|matched_category=Computers / Internet|proto=17|proxy_src_ip=X.X.X.X|received_bytes=0|s_port=51580|sent_bytes=52|service=443|src=X.X.X.X|suppressed_logs=4|

Update_2:

time=1504750545|hostname=hugo1-take-421|loguid={0x59b0abd1,0x19d,0x101a8c0,0xc0000000}|product=Application Control|action=Allow|origin=X.X.X.X|app_category=Computers / Internet|app_desc=Google offers a variety of tools and online services and encourages developers to use their tools' APIs. A key element in these products is data communication with Google's servers, which may be generated without an active request by the user. Supported from: R75.|app_id=60340676|app_properties=Computers / Internet, SSL Protocol, Low Risk, Search Engines / Portals|app_risk=2|app_rule_id={6999AABA-B5F8-4EA6-8959-E355723635B2}|app_sig_id=60340676:15|appi_name=Google Services|browse_time=10|bytes=1694|dst=X.X.X.X|lastupdatetime=1504751146|matched_category=Computers / Internet|proto=17|proxy_src_ip=X.X.X.X|received_bytes=0|s_port=51580|sent_bytes=1694|service=443|src=X.X.X.X|suppressed_logs=8|

So let's try to analyze what we're seeing here.

First off some fields that were removed from the updates have been restored. Examples of such fields in this example are 'Application Name', 'Application Category', 'Application Description' etc. - for IPS logs probably the s_port you talked about will be here as well. In the original update logs, you would have had a hard time understanding to which application the update is relevant. You would have had to use the loguid to find the original log and make the connection.

Some fields with new information had the information replaced - the browse time from 0 to 1 to 10.

Other fields had their information updated - in the original update the bytes went from 0 to 52 to 1642, while in the new mode they went from 0 to 52 to 1694.

The original updates just show the bytes sent during the updated slice, while the semi-unified mode keeps an accurate count of the overall current bytes.

Edit: Some fields have their values preserved - in the original mode each update has its own time, but in the new mode each update still shows the time when the event occurred (the original timestamp).

Each field has its own logic of how the update is performed based on its content.

HTH

 Yonatan
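
The merge behaviour walked through above, as an added example that is not Check Point's code: a Python model of semi-unified mode that keeps the latest record per loguid and applies each raw update to it. The per-field classes (counters summed, 'time' preserved, other fields replaced, missing fields restored from the stored record, 'lastupdatetime' stamped with the update's own timestamp) are inferred from the three records in the reply and are an assumption, not the product's actual field definitions. The sample records are shortened copies of the records quoted above.

```python
"""Added example, not Check Point code: a model of semi-unified mode.
Field classes are an assumption inferred from the thread's three records;
sample records are shortened copies of those records."""

ACCUMULATE = {"bytes", "sent_bytes", "received_bytes", "suppressed_logs"}
PRESERVE = {"time", "loguid"}
STAMP = "lastupdatetime"

LOGUID = "{0x59b0abd1,0x19d,0x101a8c0,0xc0000000}"
COMMON = "hostname=hugo1-take-421|loguid=" + LOGUID + "|product=Application Control|action=Allow"
EVENT = ("time=1504750545|" + COMMON + "|app_category=Computers / Internet|app_id=60340676"
         "|appi_name=Google Services|dst=X.X.X.X|proto=17|s_port=51580|service=443|src=X.X.X.X|")
UPDATE_1 = ("time=1504750556|" + COMMON + "|app_id=60340676|browse_time=1|bytes=52|dst=X.X.X.X"
            "|proto=17|received_bytes=0|s_port=51580|sent_bytes=52|service=443|src=X.X.X.X|suppressed_logs=4|")
UPDATE_2 = ("time=1504751146|" + COMMON + "|app_id=60340676|browse_time=10|bytes=1642|dst=X.X.X.X"
            "|proto=17|received_bytes=0|s_port=51580|sent_bytes=1642|service=443|src=X.X.X.X|suppressed_logs=4|")


def parse_raw(line):
    """Parse a 'key=value|key=value|' raw-mode line into a dict (values kept as strings)."""
    record = {}
    for part in line.strip().strip("|").split("|"):
        key, _, value = part.partition("=")
        record[key] = value
    return record


def format_raw(record):
    """Render a record back into the pipe-delimited raw-mode layout."""
    return "|".join(f"{k}={v}" for k, v in record.items()) + "|"


class SemiUnifier:
    """Keeps the latest unified record per loguid and applies each update to it."""

    def __init__(self):
        self.by_uid = {}

    def feed(self, line):
        update = parse_raw(line)
        uid = update["loguid"]
        current = self.by_uid.get(uid)
        if current is None:
            # First sighting: the original event passes through unchanged.
            self.by_uid[uid] = dict(update)
            return dict(update)
        for key, value in update.items():
            if key in PRESERVE:
                continue                       # original timestamp survives
            if key in ACCUMULATE:
                current[key] = str(int(current.get(key, "0")) + int(value))
            else:
                current[key] = value           # e.g. browse_time is replaced
        current[STAMP] = update["time"]        # when this update arrived
        return dict(current)                   # fields absent from the update are restored


def run_example():
    """Feed the event and its two updates; return the three emitted records."""
    su = SemiUnifier()
    return [su.feed(EVENT), su.feed(UPDATE_1), su.feed(UPDATE_2)]


if __name__ == "__main__":
    for rec in run_example():
        print(format_raw(rec))
```

The second emitted update carries bytes=1694 and suppressed_logs=8 while still showing the original time, which matches the semi-unified records above. One design point the model makes visible: the merge has to remember state per loguid, so a real implementation needs an expiry policy for sessions that never receive a final update.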

Re: Log Exporter guide

Thank you for the detailed information, Yonatan. Is there any ETA for this release?

Re: Log Exporter guide

Hi Onur,

Unfortunately, I can't comment on that.

While I'm a Check Point employee and I worked on the Log Exporter project and have been trying to give the 'inside scoop' on the project, I am by no means an official Check Point spokesperson.

As I've tried to make very clear in several locations on this thread everything I say is based on my own personal knowledge and opinion, and I've tried very hard to skate subjects about the future of the product or to emphasize that I was just expressing my personal opinion.

This thread was my own idea and was created as a public service, and not as part of my position at Check Point.

So just in case, this wasn't clear before - everything I say here is just my own personal opinion. I work in the product organization (R&D and QA) and have zero impact (and often very little knowledge) of the future of the product in terms of features and dates (unless it's stuff that I'm already actively working on).

(my suggestions and opinion are taken into account, but I don't decide what ends up on the list or its position on the prioritization list).

I sometimes have to walk a fine line between what I know and what I can say, and talking about dates and ETAs is taking a journey into dangerous territory for me 🙂

HTH

 Yonatan

Re: Log Exporter guide

thanks Yonatan, 

regards

Re: Log Exporter guide

Hello Yonatan,

Executing cp_log_export, the syslog server does not receive any log.

Checking log_indexer.elg:

[log_indexer 13179 53189520]@C4600[14 Aug 22:02:15] Files read rate [log] : Current=7 Avg=139 MinAvg=10 Total=330956 buffers (0/0/0/0)
[log_indexer 13179 53189520]@C4600[14 Aug 22:02:15] Sent current: 0 average: 0 total: 0
[log_indexer 13179 53189520]@C4600[14 Aug 22:02:20] Files read rate [log] : Current=13 Avg=139 MinAvg=10 Total=331020 buffers (0/0/0/0)
[log_indexer 13179 53189520]@C4600[14 Aug 22:02:20] Sent current: 0 average: 0 total: 0

[Expert@C4600:0]# cp_log_export status

name: tolog
status: Running (13179)
last log read at: 14 Aug 21:48:29
debug file: /opt/CPsuite-R77/fw1/log_exporter/targets/tolog/log/log_indexer.elg

[Expert@C4600:0]# cp_log_export show

name: tolog
enabled: true
target-server: 192.168.x.x
target-port: 514
protocol: udp
format: syslog

My gateway and management are on the same device. Version: R77.30, upgraded to Check_Point_R77_30_JUMBO_HF_1_Bundle_T302_FULL.

Re: Log Exporter guide

Hello Su,

From your log (Current=13 Avg=139 MinAvg=10 Total=331020 ) as well as the status command it appears that logs are being exported.

If you want to actually see this you can use tcpdump command: 'tcpdump port 514 -A -s0' (if you are using port 514 for anything else, you can add other qualifiers to narrow down the output).

This will show you the actual data being exported in a readable format. For example:

[Expert@ypsa:0]# tcpdump port 514 -A -s0
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
14:25:25.094828 IP ypsa.47206 > XX.XX.XX.XX.syslog: SYSLOG local0.info, length: 1044
E..0..@.@..xd P...f......<134>1 2018-08-14T14:25:23Z ypsa CheckPoint 17857 - [action:"Accept"; ifdir:"inbound"; ifname:"eth0";  [deleted the payload] product:"VPN-1 & FireWall-1"; proto:"6"; s_port:"35700"; service:"22"; service_id:"ssh"; src:"XX.XX.XX.XX"; ]

1 packets captured
2 packets received by filter
0 packets dropped by kernel
[Expert@ypsa:0]#

(I deleted most of the payload since it just takes up space and not really relevant for this example - I just wanted to show that you can see and read the actual logs as they are being exported)

Since it looks like your logs are actually being exported, I would focus on the other end and try to see if it's being received and parsed correctly.

Use tcpdump or Wireshark on the other end. If it's not there, it's a connectivity issue, and if it's there it's probably a parsing issue.

HTH 

 Yonatan 

Re: Log Exporter guide

Hey Yonatan,

Glad I found this post

Please let me know where it stands for supporting JSON format output.

My X-Pack charged ELK is waiting to search thru this data and I am currently working on parsing it myself which is not an easy task so far.

I believe JSON format will be friendly to work with in python scripts and rest API as well

Re: Log Exporter guide

Hi Bogdan,

I don't think that official json output will be added anytime soon - there are currently many other items ahead of it in the queue.

However, earlier in this thread, I showed how you can edit the settings to generate json like output.

https://community.checkpoint.com/message/25414-re-log-exporter-guide?commentID=25414&et=watches.emai... 

It does have the disadvantage of potentially having duplicate keys, but a fast google search returned some answers on how to deal with that: 

Elasticsearch, Kibana and duplicate keys in JSON -  

Please let me know if this worked.

Yonatan 
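
For the receiving side of the two replies above (the tcpdump check a few posts up, and the JSON question here), an added example that is not Check Point's or the Log Exporter's code: a Python parser that turns the syslog lines the exporter emits into JSON. It recognises the RFC 5424 header seen in the tcpdump capture (`<134>1 2018-08-14T14:25:23Z ypsa CheckPoint 17857 - [...]`) and the BSD-style header from the earlier "header only" report, collects a repeated key into a list instead of silently dropping a value (the duplicate-key problem mentioned above), and flags lines whose payload is empty so that an ingest pipeline can alert on them. The sample lines are constructed from fragments quoted in the thread, with a documentation-range IP in place of the masked one.

```python
"""Added example, not Check Point code: parse Log Exporter syslog lines to
JSON. Sample lines are constructed from fragments quoted in the thread."""

import json
import re

# RFC 5424 header: <pri>version timestamp host app procid msgid payload
RFC5424_RE = re.compile(
    r'^<(?P<pri>\d{1,3})>(?P<version>\d+) (?P<timestamp>\S+) (?P<host>\S+) '
    r'(?P<app>\S+) (?P<procid>\S+) (?P<msgid>\S+)(?: (?P<payload>.*))?$'
)
# BSD-style header: [<pri>]Mon dd hh:mm:ss host app[pid]: payload
BSD_RE = re.compile(
    r'^(?:<(?P<pri>\d{1,3})>)?(?P<timestamp>[A-Z][a-z]{2} {1,2}\d{1,2} \d\d:\d\d:\d\d) '
    r'(?P<host>\S+) (?P<app>[^\[\s:]+)(?:\[(?P<procid>\d+)\])?:?(?: (?P<payload>.*))?$'
)
# One Check Point field inside the payload:  key:"value";
FIELD_RE = re.compile(r'(?P<key>[^\s:;\[\]"]+):"(?P<value>(?:[^"\\]|\\.)*)"')

SAMPLE_RFC5424 = ('<134>1 2018-08-14T14:25:23Z ypsa CheckPoint 17857 - [action:"Accept"; '
                  'ifdir:"inbound"; ifname:"eth0"; product:"VPN-1 & FireWall-1"; proto:"6"; '
                  's_port:"35700"; service:"22"; service_id:"ssh"; src:"192.0.2.10"; ]')
SAMPLE_HEADER_ONLY = "Jul 10 02:48:31 <MDS_SERVER_NAME> CheckPoint[13032]"
SAMPLE_DUP = ('<134>1 2018-08-14T14:25:23Z ypsa CheckPoint 17857 - [product:"Application Control"; '
              'app_properties:"Low Risk"; app_properties:"SSL Protocol"; ]')


def parse_fields(payload):
    """Extract key:"value"; pairs; a repeated key becomes a list of values."""
    fields = {}
    for m in FIELD_RE.finditer(payload or ""):
        key, value = m.group("key"), m.group("value")
        if key in fields:
            cur = fields[key]
            fields[key] = cur + [value] if isinstance(cur, list) else [cur, value]
        else:
            fields[key] = value
    return fields


def parse_line(line):
    """Parse one syslog line into a dict; raises ValueError on unknown layouts."""
    line = line.strip()
    m = RFC5424_RE.match(line) or BSD_RE.match(line)
    if not m:
        raise ValueError(f"unrecognised syslog line: {line[:60]!r}")
    rec = {"timestamp": m.group("timestamp"), "host": m.group("host"),
           "app": m.group("app"), "procid": m.group("procid")}
    pri = m.group("pri")
    if pri is not None:
        rec["facility"], rec["severity"] = divmod(int(pri), 8)   # 134 -> local0.info
    rec["fields"] = parse_fields(m.group("payload"))
    rec["header_only"] = not rec["fields"]      # header arrived, payload did not
    return rec


def to_json(line):
    """JSON document for one line, keys sorted for stable output."""
    return json.dumps(parse_line(line), sort_keys=True)


if __name__ == "__main__":
    for sample in (SAMPLE_RFC5424, SAMPLE_HEADER_ONLY, SAMPLE_DUP):
        print(to_json(sample))
```

The header-only flag is the programmatic form of the check suggested for the MDS case: if every record a collector receives has `header_only` set, the problem is between the exporter and the collector, not in the exporter's field formatting.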

Re: Log Exporter guide

Product (Blade) names.

As you might have noticed the names that are exported are not the same as the ones which appear in the GUI. 

This is because each blade has a display name which is shown in the GUI and an actual value which appears in the raw log. Those names are often the same but not always.

For technical reasons, it's very difficult to change the actual value that the gateway sends but easy to change the display name. So while the actual value and the display name usually start the same, the values might drift over time.

This has caused a bit of confusion among some customers.

So as a sort of public service here is the current mapping of raw log values to display name.

This list also includes some legacy names. Frankly, there were a few names on this that I've never heard of and didn't know existed Smiley Happy

Field Name                  Display Name
--------------------------  ----------------------------------
Anti Malware                Anti-Bot
Core                        Core
Identity Awareness          Identity Awareness
SmartView MonitorMonitor    SmartView Monitor
Anti-Malware                Anti-Malware
DefensePro                  DDoS Protector
Identity Logging            Identity Logging
Syslog                      Syslog
Anti-Exploit                Anti-Exploit
DLP                         DLP
Management Blade            Management Blade
System Monitor              System Monitor
Anti-Ransomware             Anti-Ransomware
Content Awareness           Content Awareness
MEPP                        Media Encryption & Port Protection
Threat Emulation            Threat Emulation
WIFI Network                WIFI Network
Edge AV                     Edge AV
Connectra                   Mobile Access
Threat Extraction           Threat Extraction
Mobile App                  Mobile App
Compliance                  Endpoint Compliance
Policy Server               Policy Server
Anti Virus                  Traditional Anti-Virus
Network Security            Network Security
Integrity                   EndpointEndpoint Security
Web Filtering               Legacy URL Filtering
UAG                         UA Server
OS Exploit                  OS Exploit
Everest                     FireWall-1 GX
CVPN                        CVPN
WebAccess                   UA WebAccess
Device                      Device
Firewall                    Firewall
FG                          QoS
URL Filtering               URL Filtering
Text Message                Text Message
VPN-1 & FireWall-1          Security Gateway/Management
rtm                         Real Time Monitor
VPN-1 Edge                  UTM-1 Edge
iOS Profiles                iOS Profiles
Forensics                   Forensics
SecureClient                SecureClient
VPN                         VPN
Cellular Network            Cellular Network
FDE                         Full Disk Encryption
Server                      Server
VPN-1                       VPN
Anti Spam                   Anti-Spam and Email Security
Capsule Docs                Capsule Docs
SmartConsole                SmartConsole
VPN-1 Embedded Connector    VPN Embedded Connector
New Anti Virus              Anti-Virus
HTTPS Inspection            HTTPS Inspection
Eventia Analyzer Client     SmartEvent Client
WebCheck                    WebCheck
Application Control         Application Control
SmartDefense                IPS Software Blade
SmartEvent                  Eventia Analyzer
Zero Phishing               Zero Phishing
Compliance Blade            Compliance Blade
IPS-1                       IPS-1 Sensor
SmartView                   SmartView
MTA                         MTA

HTH 

 Yonatan 

Re: Log Exporter guide

It's scary that I recognize almost all these names. Smiley Happy

The only one I didn't know was Everest.

Re: Log Exporter guide

I think that was the code name for Connectra once

Re: Log Exporter guide

Yonatan, the top row has become a "header" row in the table you have posted.

Had a double-take reading offset entries under it for about 10 lines before it clicked Smiley Happy

Re: Log Exporter guide

Partially fixed. I removed the bold, but it won't let me remove the bottom 'header' border for some reason.

Re: Log Exporter guide

You probably need to edit the raw HTML (which you can do).

Re: Log Exporter guide

Thanks - That seems to have done the trick.

I hate going into the HTML source code. I get flashbacks from trying to manually fix SKs.

The horror!

Smiley Happy

Re: Log Exporter guide

Hi Yonatan,

Thank you for the detailed write-up, I found it very helpful!

Is there a way to rate limit the amount of logs that are exported? We ran into an issue where our log exporter process was overloading our syslog server with requests.

Thanks!
Matt

Re: Log Exporter guide

Hi Matthew,

At this time there is no way to limit the number of logs sent.

This will probably be possible in the future once we implement advanced filter capabilities.

Improving the filters is an item on our roadmap but I don't know when this will be implemented.

Re: Log Exporter guide

Hi!

Nice writeup and nice tool!

I have a small question.

I need to export only SmartEvent events with an EN***** id in the message body.

Can I do it with Log Exporter? Can you help me with the configuration?

Re: Log Exporter guide

Hi Alexandr, 

This can be done to a limited degree, probably not good enough for your use case. 

This will most likely be possible once we implement advanced filtering options - unfortunately, I don't know exactly when that will actually happen (it's on the roadmap but we are currently working on another feature ahead of filters).
