Re: Log Exporter guide

Hi Matthew,

At this time there is no way to limit the number of logs sent.

This will probably be possible in the future once we implement advanced filter capabilities.

Improving the filters is an item on our roadmap but I don't know when this will be implemented.


Re: Log Exporter guide

Hi!

Nice writeup and nice tool!

I have a small question.

I need to export only SmartEvent events with an EN***** id in the message body.

Can I do it with LogExporter? Can you help me with the configuration?

Employee+

Re: Log Exporter guide

Hi Alexandr, 

This can be done to a limited degree, probably not good enough for your use case. 

This will most likely be possible once we implement advanced filtering options - unfortunately, I don't know exactly when that will actually happen (it's on the roadmap but we are currently working on another feature ahead of filters).


Re: Log Exporter guide

Maybe I can use the log exporter tool in a custom script for sending messages?


Re: Log Exporter guide

Hi,

I'm not sure I understand the question. I suspect the answer is no. The Log Exporter uses the indexing infrastructure (that Checkpoint log servers use). It reads *.fw log files, but instead of 'indexing' them it sends the logs to the interface send queue.

I don't see how you can insert scripts into this chain, nor can this run on a server without the indexing infrastructure (e.g. log servers).

Re: Log Exporter guide

Jonathan,

Something that is not completely clear to me: when we want to use TLS and we have an official cert at the other end, do I still need to create local files to allow this to be used? Or can I just tell log exporter to use TLS?

Regards, Maarten
Employee+

Re: Log Exporter guide

The Log Exporter uses mutual authentication - both sides need to authenticate each other.

When we were looking at the TLS implementation of other vendors we noticed that some of them use single sided authentication, but after considering the issue we decided to err on the side of more security and implemented mutual authentication.

Hope that answers your question. It's always a bit difficult for me to address TLS-related questions as that's not my area of expertise, and while I was involved in the TLS discussions during the implementation, I was mostly on the sidelines of those discussions and left it to the relevant experts to do the heavy lifting.

HTH 

 Yonatan 

Copper

Re: Log Exporter guide

Can Log Exporter export all software blade logs to an external syslog server?

Employee+

Re: Log Exporter guide

Yes.

The Log Exporter can export everything in the fw.log file regardless of the content.

It basically treats everything in the log payload as an alphanumeric string.

All the adaptations, mappings, filters, etc. are all based on string/text manipulation regardless of the content ("blade").

HTH 

 Yonatan 


Re: Log Exporter guide

Hi Yonatan, I just configured Log Exporter to send logs via syslog to a SIEM server; however, when a log is sent I don't see the protocol field in the log. When sent via LEA I saw, for example, protocol=UDP etc., but now I get only proto=6, proto=17 etc. How do I convert it to the protocol name? Does any proto (number) to protocol (actual protocol name) mapping exist?

Re: Log Exporter guide

Also the /etc/protocols file on Gaia/Linux.

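The /etc/protocols lookup suggested above, worked through as an added example (not code from the thread or from Check Point): the parser reads the protocols-file layout and annotates Log Exporter-style syslog lines with the protocol name next to the proto=<n> field. The protocols excerpt and the log lines are constructed; on a real host the function would be fed the contents of /etc/protocols.

```python
import re

# Constructed excerpt in the /etc/protocols layout used on Gaia/Linux
# (name, number, alias, comment); the real file carries the full IANA list.
PROTOCOLS_TEXT = """\
# Internet (IP) protocols
ip      0       IP              # internet protocol, pseudo protocol number
icmp    1       ICMP            # internet control message protocol
tcp     6       TCP             # transmission control protocol
udp     17      UDP             # user datagram protocol
gre     47      GRE             # General Routing Encapsulation
esp     50      IPSEC-ESP       # Encap Security Payload
"""


def parse_protocols(text):
    """Return {number: name} from /etc/protocols-style text, ignoring comments."""
    table = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()      # drop trailing comments
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2 or not fields[1].isdigit():
            continue                               # malformed line: skip, don't guess
        table[int(fields[1])] = fields[0]
    return table


# Log Exporter's syslog output carries the IP protocol number as proto=<n>.
PROTO_RE = re.compile(r"\bproto=(\d+)\b")


def enrich(line, table):
    """Add protocol=<name> after proto=<n>. The number is kept so nothing is lost,
    and an unknown number leaves the line untouched rather than inventing a name."""
    def repl(match):
        name = table.get(int(match.group(1)))
        return match.group(0) if name is None else f"{match.group(0)} protocol={name}"
    return PROTO_RE.sub(repl, line)


# Constructed sample lines shaped like the exported records described in the thread.
SAMPLE_LINES = [
    "act=Accept src=10.0.0.5 dst=10.0.0.9 proto=6 s_port=51234 service=443",
    "act=Drop src=10.0.0.5 dst=10.0.0.9 proto=17 s_port=5353 service=53",
    "act=Drop src=10.0.0.5 dst=10.0.0.9 proto=255 service=0",
]

if __name__ == "__main__":
    proto_table = parse_protocols(PROTOCOLS_TEXT)    # or parse_protocols(open("/etc/protocols").read())
    for sample in SAMPLE_LINES:
        print(enrich(sample, proto_table))
```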
Re: Log Exporter guide

Thanks!

Employee+

Re: Log Exporter guide

For those who missed it, Dan has officially announced the new Log Exporter update with better Splunk integration.

*New* Splunk App for Check Point Logs 

Re: Log Exporter guide

Will it work on Standalone machine?


Re: Log Exporter guide

I have it running on a standalone logserver.

Regards, Maarten
Iron

Re: Log Exporter guide

Is it possible to run the LogExporter only on a Log Correlation Unit?

Employee+

Re: Log Exporter guide

You can run the Log Exporter on any server where you can enable the Logging blade (Management, Log server, SmartEvent, etc.).

The Log Exporter uses the Indexing infrastructure so that infrastructure has to be installed on the server. (it doesn't have to actually be active, just needs to be installed. So even if you aren't actively using the server as an Indexer, as long as you have the option to enable the blade that's good enough).

HTH

 Yonatan 

Employee+

Re: Log Exporter guide

Hi, I'd need to add a string at the beginning of the exported logs. Is it possible?

Not working on RSA NetWitness / Security Analytics:

"CEF:0|Check Point|VPN-1 & FireWall-1|Check Point|Log|domain-udp|Unknown|act=Accept destinationTranslatedAddress=0.0.0.0 destinationTranslatedPort=0 deviceDirection=0 .....

Working fine on RSA NetWitness / Security Analytics:

"<1> CEF:0|Check Point|VPN-1 & FireWall-1|Check Point|Log|domain-udp|Unknown|act=Accept destinationTranslatedAddress=0.0.0.0 destinationTranslatedPort=0 deviceDirection=0 .....

The addition of the string "<1>" at the beginning of the exported log is needed in order to have the exported log correctly ingested and parsed in the RSA SIEM.

Many thanks

kind regards

Luca

Employee+

Re: Log Exporter guide

Solution provided as follows from the great Kobi 😉

Yes, we have this option:

Go to CEFFormatDefinition.xml in $EXPORTERDIR/targets/<target name>/conf

Change the line:

<header_format>{}|{}|{}|{}|{}|{}|{}|</header_format>

To be:

<header_format>{} {}|{}|{}|{}|{}|{}|{}|</header_format>

In addition, under the line:

<headers>

Add this:

<header>
  <default_value>&lt;1&gt;</default_value>
  <assign_order>init</assign_order>
</header>

Save the file and restart the exporter.

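Added example, not code from the thread or from Log Exporter: a receiver-side parser that shows why the "<1>" prefix matters. "<1>" is a syslog PRI header (facility 0, severity 1 under RFC 3164 / RFC 5424), and a receiver that requires a PRI rejects the bare CEF line while accepting the prefixed one. The two records are constructed from the lines quoted in the post, with the extension shortened.

```python
import re

# Syslog priority header "<PRI>" (RFC 3164 / RFC 5424): PRI = facility * 8 + severity,
# so the "<1>" the SIEM wanted means facility 0 (kern) and severity 1 (alert).
PRI_RE = re.compile(r"^<(\d{1,3})>\s*")
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]


def parse_pri(line):
    """Return (facility, severity, remainder), or None if no valid PRI is present."""
    match = PRI_RE.match(line)
    if not match:
        return None
    pri = int(match.group(1))
    if pri > 191:                      # 23 * 8 + 7 is the largest legal value
        return None
    return pri // 8, pri % 8, line[match.end():]


def parse_cef(message):
    """Split a CEF record into its seven header fields and a dict of extension pairs."""
    if not message.startswith("CEF:"):
        raise ValueError("not a CEF record")
    parts = message.split("|", 7)      # seven header pipes (escaped \| not handled); extension keeps the rest
    if len(parts) != 8:
        raise ValueError("incomplete CEF header")
    names = ["version", "vendor", "product", "device_version", "signature_id", "name", "severity"]
    header = dict(zip(names, parts[:7]))
    header["version"] = header["version"][len("CEF:"):]
    extension = {}
    for pair in re.split(r"\s+(?=\w+=)", parts[7].strip()):   # split only in front of key=
        key, _, value = pair.partition("=")
        extension[key] = value
    return header, extension


def ingest(line):
    """Model a receiver that, like the SIEM in the post, rejects lines without a PRI."""
    pri = parse_pri(line)
    if pri is None:
        return None
    facility, severity, rest = pri
    header, extension = parse_cef(rest)
    return {"facility": facility, "severity": SEVERITIES[severity],
            "header": header, "extension": extension}


# Constructed records modelled on the two lines quoted in the post (extension shortened).
CEF_BODY = ("CEF:0|Check Point|VPN-1 & FireWall-1|Check Point|Log|domain-udp|Unknown|"
            "act=Accept destinationTranslatedAddress=0.0.0.0 destinationTranslatedPort=0 deviceDirection=0")
WITHOUT_PRI = CEF_BODY               # the form that was not ingested
WITH_PRI = "<1> " + CEF_BODY         # the form produced after the header_format change

if __name__ == "__main__":
    print(ingest(WITHOUT_PRI))
    print(ingest(WITH_PRI))
```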

Re: Log Exporter guide

Hi all, 

Default behaviour appears to be that suppressed logs are not exported to a 3rd-party SIEM by LogExporter. Is there a way to modify this so that suppressed logs ARE exported?

FYI, the test bed we're working on is RSYSLOG.

Cheers,

Will

Re: Log Exporter guide

Hi,

Any help regarding this question?

I am exporting logs to Splunk with semi-unified mode on, but we are getting all the logs, not only the suppressed ones.

For example for one loguid we are getting 4 different logs. As in the question mentioned here: https://community.checkpoint.com/t5/Logging-and-Reporting/Log-exporter-not-summary-logging-to-one-ev...

Would be very helpful if it is possible just to export the last summarized event...

Thanks

Employee

Re: Log Exporter guide

Can we filter logs that are being sent out through Log Exporter by rule ID or name? For example, I would like only outbound traffic to the internet to be sent out through Log Exporter. I understand we can modify the targetConfiguration.xml file, and the only fields that can be filtered are the following:

[log_indexer 23822 4107270976]@CP-SMS[1 Mar 8:09:34] Read Log Format field name:['product']
[log_indexer 23822 4107270976]@CP-SMS[1 Mar 8:09:34] Read Log Format field name:['__policy_id_tag']
[log_indexer 23822 4107270976]@CP-SMS[1 Mar 8:09:34] Read Log Format field name:['inzone']
[log_indexer 23822 4107270976]@CP-SMS[1 Mar 8:09:34] Read Log Format field name:['outzone']
[log_indexer 23822 4107270976]@CP-SMS[1 Mar 8:09:34] Read Log Format field name:['service_id']
[log_indexer 23822 4107270976]@CP-SMS[1 Mar 8:09:34] Read Log Format field name:['src']
[log_indexer 23822 4107270976]@CP-SMS[1 Mar 8:09:34] Read Log Format field name:['s_port']
[log_indexer 23822 4107270976]@CP-SMS[1 Mar 8:09:34] Read Log Format field name:['dst']
[log_indexer 23822 4107270976]@CP-SMS[1 Mar 8:09:34] Read Log Format field name:['service']
[log_indexer 23822 4107270976]@CP-SMS[1 Mar 8:09:34] Read Log Format field name:['proto']
[log_indexer 23822 4107270976]@CP-SMS[1 Mar 8:09:34] Read Log Format field name:['xlatesrc']
[log_indexer 23822 4107270976]@CP-SMS[1 Mar 8:09:34] Read Log Format field name:['xlatedst']
[log_indexer 23822 4107270976]@CP-SMS[1 Mar 8:09:34] Read Log Format field name:['xlatesport']
[log_indexer 23822 4107270976]@CP-SMS[1 Mar 8:09:34] Read Log Format field name:['xlatedport']
[log_indexer 23822 4107270976]@CP-SMS[1 Mar 8:09:34] Read Log Format field name:['nat_rulenum']
[log_indexer 23822 4107270976]@CP-SMS[1 Mar 8:09:34] Read Log Format field name:['nat_addtnl_rulenum']
[log_indexer 23822 4107270976]@CP-SMS[1 Mar 8:09:34] Read Log Format field name:['match_table']

Let me know if there is any other way. Thanks.

Re: Log Exporter guide

Hello,

So nice to see your investment into this topic, Yonathan.

We're having some trouble configuring Log Exporter to work with qRadar.

We have updated our Management server to R80.10 JHF 154 just to install the new Log Exporter, following PS recommendation.

We have followed the SK, but the TLS instructions aren't so clear: what certificate\keys go where, some weird symbols and notes scattered, etc.

I think the QRadar screenshot could use some values in it.

Has anyone managed to configure this with QRadar and mutual TLS?


Re: Log Exporter guide

Hi,

I'm trying to filter using the predefined TP "product" with the filter-blade-in option, per the example given in sk122323. Currently all logs are being exported. I get the following output:

cp_log_export set name <name obfuscated> filter-blade-in "TP"
Error: Argument [filter-blade-in] is undefined for command: [set]

This is on an R80.20 GA w/JHFA 33 open management server with logging.

One other point of clarification - the description for TP in the sk does not include IPS.  I only see that in the EndPoint description.  Was this an omission in the description or is it really not included in the TP filter?

Thanks for the help!

Employee+

Re: Log Exporter guide

Hi Richard,

Sadly, the new log-exporter filtering feature isn't yet supported on R80.20 / R80.30.

From the official log-exporter sk122323 (Installation section):

"Note: Filtering ability is not integrated to R80.20 and R80.30 yet, this SK will be updated when it will be supported."

Coming soon...

*In general, the TP filter includes all Threat blades (including the IPS blade).

Employee

Re: Log Exporter guide

I have a case about integration with Aruba ClearPass. Aruba wants the Check Point SMS to send syslog to ClearPass, and gave me a conf file like this. Which XML file should I edit, and which field?

CheckPoint_IngressEvent.xml:

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<!-- opening TipsContents element restored: the posted file ends with </TipsContents> but this line was missing -->
<TipsContents xmlns="http://www.avendasys.com/tipsapiDefs/1.0">
<TipsHeader exportTime="Mon May 27 16:36:00 CST 2019" version="6.7"/>
<IngressEvents>
<IngressEvent>
<Vendor>Check Point</Vendor>
<Description>Check Point log message</Description>
<FormatName>CheckPoint-Log</FormatName>
<Format>TIME LOG_TYPE ORIGIN SERVICE PID ACTION SRC_INTERFACE MESSAGE</Format>
<Prefix>CheckPoint-Log</Prefix>
<Enabled>false</Enabled>
<Sample>Mon Jul 20 15:56:36 Log host CPLogToSyslog: 49154 redirect &lt;eth1 web_client_type: Firefox; resource: http://sc1.checkpoint.com/za/images/threatwiki/pages/testantibotblade.html; src: 10.70.11.11; dst: 194.29.36.43; proto: 6; session_id: {0x55acf003,0x1,0xb4617ac,0xc0000002}; Protection name: Check Point - Testing Bot; malware_family: Check Point; Confidence Level: 5; severity: 2; malware_action: Communication with CandC; rule_uid: {6AA76C68-D45C-4E78-BAD1-34C42548BF41}; Protection Type: URL reputation; malware_rule_id: {645B69FE-85AC-F748-AA79-5652BF58BF6A}; protection_id: 00233CFEE; log_id: 2; proxy_src_ip: 10.70.11.11; scope: 10.70.11.11; aba_customer: Default; date: 20Jul2015; hour: 15:56:35; type: log; Interface: &gt; eth1; product: Anti Malware; service: 8080; s_port: 39490;</Sample>
<Filter>filter {
grok {
match =&gt; { 'message' =&gt; '%{SYSLOGTIMESTAMP:time}%{SPACE}%{WORD:log_type}%{SPACE}%{WORD:origin}%{SPACE}%{WORD:service}:%{SPACE}%{WORD:pid}%{SPACE}%{WORD:action}%{SPACE}%{DATA:src_interface} %{GREEDYDATA:syslog_message}'}
add_tag =&gt; [ "CP" ]
}
if("CP" in [tags]){
mutate {
replace =&gt; [ '@message', '%{syslog_message}' ]
}
kv {
source =&gt; '@message'
prefix =&gt; 'Event:CheckPoint-Log:'
field_split =&gt; ';'
value_split =&gt; ':'
trim =&gt; ' '
trimkey =&gt; ' '
}
mutate {
remove_field =&gt; ['@version','path','syslog_message','@message','message']
add_field =&gt; [ 'Event:Event-Name', '%{service}' ]
add_field =&gt; [ 'Event:Timestamp', '%{time}' ]
add_field =&gt; [ 'Event:Pattern-Name', 'CheckPoint-Log' ]

}
ruby {
code =&gt; "
data = event.clone.to_hash;
data.each do |k,v|
if (k != '@timestamp' and !k.start_with?('Event:') and !k.start_with?('@'))
newFieldName = 'Event:CheckPoint-Log:'+ k
event[newFieldName] = v
event.remove(k)
end
end
tstamp = Time.now.to_i
tstamp_str = Time.at(tstamp).strftime('%Y-%m-%d %H:%M:%S')
event['Event:Timestamp'] = tstamp_str
"
}
}
}</Filter>
<FieldMapping>
<Field AllowedValues="" DataType="Time" Name="time"/>
<Field AllowedValues="" DataType="String" Name="log_type"/>
<Field AllowedValues="" DataType="String" Name="origin"/>
<Field AllowedValues="" DataType="String" Name="pid"/>
<Field AllowedValues="" DataType="String" Name="action"/>
<Field AllowedValues="" DataType="String" Name="service"/>
<Field AllowedValues="" DataType="String" Name="src_interface"/>
<Field AllowedValues="" DataType="String" Name="web_client_type"/>
<Field AllowedValues="" DataType="String" Name="resource"/>
<Field AllowedValues="" DataType="String" Name="src"/>
<Field AllowedValues="" DataType="String" Name="dst"/>
<Field AllowedValues="" DataType="String" Name="proto"/>
<Field AllowedValues="" DataType="String" Name="session_id"/>
<Field AllowedValues="" DataType="String" Name="Protectionname"/>
<Field AllowedValues="" DataType="String" Name="malware_family"/>
<Field AllowedValues="" DataType="String" Name="ConfidenceLevel"/>
<Field AllowedValues="" DataType="String" Name="severity"/>
<Field AllowedValues="" DataType="String" Name="malware_action"/>
<Field AllowedValues="" DataType="String" Name="rule_uid"/>
<Field AllowedValues="" DataType="String" Name="ProtectionType"/>
<Field AllowedValues="" DataType="String" Name="malware_rule_id"/>
<Field AllowedValues="" DataType="String" Name="protection_id"/>
<Field AllowedValues="" DataType="String" Name="log_id"/>
<Field AllowedValues="" DataType="String" Name="proxy_src_ip"/>
<Field AllowedValues="" DataType="String" Name="scope"/>
<Field AllowedValues="" DataType="String" Name="aba_customer"/>
<Field AllowedValues="" DataType="String" Name="date"/>
<Field AllowedValues="" DataType="String" Name="hour"/>
<Field AllowedValues="" DataType="String" Name="Interface"/>
<Field AllowedValues="" DataType="String" Name="product"/>
<Field AllowedValues="" DataType="String" Name="s_port"/>
</FieldMapping>
<GenericFieldMapping>
<Field GenericName="Event-Name" Name="service"/>
<Field GenericName="Timestamp" Name="time"/>
</GenericFieldMapping>
</IngressEvent>
</IngressEvents>
</TipsContents>
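Added example, not part of the ClearPass definition or of Check Point's code: a Python model of the grok, kv and Ruby steps in the <Filter> block above, run over a shortened copy of the <Sample> line, so the shape of the message the definition expects from the SMS can be checked before any XML is edited. The split at the first ':' and the space handling are simplifications of the Logstash kv filter, and the Ruby step's replacement of the timestamp with the current time is left out to keep the result deterministic.

```python
import re

# Python rendering of the grok pattern in the <Filter> block; its <Format> line is
# TIME LOG_TYPE ORIGIN SERVICE PID ACTION SRC_INTERFACE MESSAGE. Like grok, the match is
# unanchored, so the leading weekday in the sample is skipped and DATA is non-greedy.
MONTH = r"(?:Jan|Feb|Mar|Apr|May|Jun|Jul|Aug|Sep|Oct|Nov|Dec)"
GROK_RE = re.compile(
    r"\b(?P<time>" + MONTH + r" +\d{1,2} \d{2}:\d{2}:\d{2})\s+(?P<log_type>\w+)\s+(?P<origin>\w+)\s+"
    r"(?P<service>\w+):\s+(?P<pid>\w+)\s+(?P<action>\w+)\s+(?P<src_interface>.*?) (?P<syslog_message>.*)$"
)
PREFIX = "Event:CheckPoint-Log:"     # the kv filter's prefix from the definition


def split_kv(message, field_split=";", value_split=":"):
    """Simplified model of the kv settings in the definition: pairs split on ';',
    key from value at the first ':' (so URL values survive), both trimmed of spaces."""
    fields = {}
    for chunk in message.split(field_split):
        if value_split not in chunk:
            continue                          # the trailing ';' leaves an empty chunk
        key, _, value = chunk.partition(value_split)
        if key.strip():
            fields[key.strip()] = value.strip()
    return fields


def parse_ingress_event(line):
    """grok, then kv, then the Ruby step that prefixes every remaining non-Event: field."""
    match = GROK_RE.search(line)
    if not match:
        return None
    head = match.groupdict()
    event = {PREFIX + k: v for k, v in split_kv(head.pop("syslog_message")).items()}
    event["Event:Event-Name"] = head["service"]
    event["Event:Pattern-Name"] = "CheckPoint-Log"
    event["Event:Timestamp"] = head["time"]   # the Ruby step later replaces this with "now"
    for key, value in head.items():
        # Note the collision: kv already set ...:service=8080 and the renamed grok
        # field overwrites it, as event[newFieldName] = v in the Ruby step would.
        event[PREFIX + key] = value
    return event


# Constructed, shortened copy of the <Sample> line from the definition above.
SAMPLE = ("Mon Jul 20 15:56:36 Log host CPLogToSyslog: 49154 redirect <eth1 web_client_type: Firefox; "
          "resource: http://sc1.checkpoint.com/za/images/threatwiki/pages/testantibotblade.html; "
          "src: 10.70.11.11; dst: 194.29.36.43; proto: 6; Protection name: Check Point - Testing Bot; "
          "severity: 2; product: Anti Malware; service: 8080; s_port: 39490;")

if __name__ == "__main__":
    for key, value in sorted(parse_ingress_event(SAMPLE).items()):
        print(f"{key} = {value}")
```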
Nickel

Re: Log Exporter guide

hi,

interesting feature.

2 questions regarding this one:

1. Is it possible to export the main CMA? (content of /opt/CPmds-R80.30/log)

   I tried the command but a warning appears: Failed to change env to customer: <IP.IP.IP.IP>

2. Is it possible to export a single domain to multiple destinations? target-server 1 & target-server 2

Thanks

Best Regards

Employee+

Re: Log Exporter guide

Hi S_E_ (Nickel),

1. Yea. You just need to use the domain-server mds for the mds/global level.

      "On MDS/MLM: domain-server argument is mandatory, you can use 'mds' as the value for domain-server in order to export mds level audit logs"

2. Yea. You just need to add another log-exporter on that same domain-server, but with a different target-server <IP>.

   A quick shortcut to create another identical exporter is simply copying the entire folder (it'll also register it as new; simply edit what you need afterwards, either using the set command or manually):

   mdsenv <relevant domain-name/IP>

   cp -rf $EXPORTERDIR/targets/<name> $EXPORTERDIR/targets/<new_name>

Re: Log Exporter guide

Hi @Dror_Aharony ,

We aren't receiving audit logs using the Log Exporter guide. You mentioned that the domain-server argument needs to be added while configuring the destination. Please help me confirm whether the domain-server argument is added in my configuration.

My current configuration, which I got by running the command cp_log_export show "name", is given below:

name: ArcSightLog
enabled: true
target-server: (AGENT SERVER IP)
target-port: 514
protocol: udp
format: cef
read-mode: semi-unified

Regards,

Mitesh Agrawal
