
Log Exporter not summarizing logs into one event

I'm not sure why the log is separated into 4 events and not summarized into one event. But from SmartConsole I can see all details on a single page.

1. CheckPoint - [action:"Prevent"; flags:"280832"; ifdir:"inbound"; ifname:"bond30.156"; loguid:"{0x5b691e76,0xf,0x670111ac,0xc0000017}"; origin:"XX"; originsicname:"XX,O=XX"; sequencenum:"282"; time:"1533615734"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={2DB996A2-E1A3-A14C-84EA-8F3D716B0D7B};mgmt=XX;date=1533271919;policy_name=Unified_Policy\]"; dst:"XX.XX.XX.XX"; log_id:"2"; malware_rule_id:"{D99A6D5D-8BAE-40F8-B35A-5D6C1CFBDFE7}"; policy:"Unified_Policy"; policy_time:"1533297083"; product:"SmartDefense"; proto:"17"; rule_name:"Allow Untrust - Custom"; rule_uid:"c25fc1f6-41f4-4279-9e13-aa32e1aecbc9"; s_port:"60229"; service:"53413"; session_id:"{0x5b691e76,0xf,0x670111ac,0xc0000017}"; smartdefense_profile:"Optimized (Clone)"; src:"185.234.217.134"; layer_uuid:"{C17851E7-374F-4024-892C-82868FDA31F7}"; malware_rule_id:"{D99A6D5D-8BAE-40F8-B35A-5D6C1CFBDFE7}"; smartdefense_profile:"Optimized"; ]

2. CheckPoint - [action:"Accept"; flags:"417028"; ifdir:"inbound"; ifname:"bond30.156"; logid:"0"; loguid:"{0x5b691e76,0xe,0x670111ac,0xc0000017}"; origin:"XX"; originsicname:"CN=XX,O=XX"; sequencenum:"284"; time:"1533615734"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={2DB996A2-E1A3-A14C-84EA-8F3D716B0D7B};mgmt=XX;date=1533271919;policy_name=Unified_Policy\]"; dst:"XX.XX.XX.XX"; inzone:"External"; layer_name:"Unified_Policy Network Rule"; layer_uuid:"261a755f-b462-4f95-9194-be1d76d9839c"; match_id:"197"; parent_rule:"0"; rule_action:"Accept"; rule_name:"Allow Untrust - Custom"; rule_uid:"c25fc1f6-41f4-4279-9e13-aa32e1aecbc9"; outzone:"Internal"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"60229"; service:"53413"; service_id:"udp-high-ports"; src:"185.234.217.134"; ]

3. CheckPoint - [flags:"147456"; ifdir:"inbound"; loguid:"{0x5b691e76,0xf,0x670111ac,0xc0000017}"; origin:"XX"; originsicname:"CN=XX,O=XX"; sequencenum:"286"; time:"1533615734"; version:"5"; attack:"Security Products Enforcement Violation"; attack_info:"Netis/Netcore Router Hard-Coded Backdoor"; confidence_level:"5"; description_url:"NETIS_R_help.html"; performance_impact:"3"; product:"SmartDefense"; protection_id:"asm_dynamic_prop_NETIS_R"; protection_name:"Netis/Netcore Router Hard-Coded Backdoor"; protection_type:"IPS"; severity:"3"; smartdefense_profile:"Optimized"; src:"185.234.217.134"; ]

4. CheckPoint - [flags:"18688"; ifdir:"inbound"; loguid:"{0x5b691e76,0xf,0x670111ac,0xc0000017}"; origin:"XX"; originsicname:"CN=XX,O=XX"; sequencenum:"288"; time:"1533615734"; version:"5"; log_id:"2"; packet_capture_name:"src-185.234.217.134.eml"; packet_capture_time:"1533615734"; packet_capture_unique_id:"185.234.217.134_maildir_sent_new_time1533615734.mail-895411386-1818202990.localhost"; product:"SmartDefense"; ]

0 Kudos
1 Reply
Employee+

Re: Log Exporter not summarizing logs into one event

Hello Kosin,

This is actually the other way around.

Those are 4 distinct logs generated by the GW (one original log plus three updates which all share the same loguid) that are combined into one unified view in the GUI.

We are actually planning to address this via a mode we are introducing called semi-unified mode, which I discussed in some more detail at https://community.checkpoint.com/thread/7248-log-exporter-guide#comment-24572.

HTH

Yonatan
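To show the receiving side of what the reply describes, here is an added example (not Check Point's code and not from this thread): a small Python parser for the Log Exporter `key:"value"` line format that groups records by `loguid` and merges them into one event, the way the SmartConsole view presents an original log together with its updates. The sample lines are constructed for the example: the field names follow the output shown in the post, but the loguids are placeholders and the source IP is a documentation address. The `__policy_id_tag` field is kept because its value contains `;` and an escaped `\]` inside the quotes, which is why a naive split on `; ` would corrupt the record.

```python
import re

# One key:"value" field. The value may contain ';', '[' and backslash escapes
# such as \] (seen in __policy_id_tag), so the line is never split on '; '.
FIELD_RE = re.compile(r'(\w+):"((?:[^"\\]|\\.)*)"')

# Constructed sample lines (not from the post): field names follow Log Exporter
# output, the loguids are placeholders and the source IP is a documentation address.
SHARED_LOGUID = "{0xaaaa0001,0xf,0x1,0x1}"  # original log plus two updates
OTHER_LOGUID = "{0xaaaa0002,0xe,0x1,0x1}"   # an unrelated connection log
SAMPLE_LINES = [
    # original log: the action is known here, the IPS details are not yet
    r'CheckPoint - [action:"Prevent"; flags:"280832"; ifdir:"inbound"; '
    r'loguid:"{0xaaaa0001,0xf,0x1,0x1}"; sequencenum:"282"; time:"1533615734"; '
    r'__policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={TAG};mgmt=XX;policy_name=Unified_Policy\]"; '
    r'product:"SmartDefense"; proto:"17"; service:"53413"; src:"192.0.2.10"; '
    r'smartdefense_profile:"Optimized (Clone)"; smartdefense_profile:"Optimized"; ]',
    # first update: protection details
    r'CheckPoint - [flags:"147456"; ifdir:"inbound"; loguid:"{0xaaaa0001,0xf,0x1,0x1}"; '
    r'sequencenum:"286"; time:"1533615734"; attack:"Security Products Enforcement Violation"; '
    r'protection_type:"IPS"; severity:"3"; product:"SmartDefense"; src:"192.0.2.10"; ]',
    # second update: packet capture reference
    r'CheckPoint - [flags:"18688"; ifdir:"inbound"; loguid:"{0xaaaa0001,0xf,0x1,0x1}"; '
    r'sequencenum:"288"; time:"1533615734"; packet_capture_name:"src-192.0.2.10.eml"; '
    r'product:"SmartDefense"; ]',
    # a separate connection log with its own loguid
    r'CheckPoint - [action:"Accept"; flags:"417028"; ifdir:"inbound"; loguid:"{0xaaaa0002,0xe,0x1,0x1}"; '
    r'sequencenum:"284"; time:"1533615734"; rule_name:"Allow Untrust - Custom"; '
    r'product:"VPN-1 & FireWall-1"; proto:"17"; service:"53413"; src:"192.0.2.10"; ]',
]


def parse_record(line):
    """Parse one exported line into {key: [values]}; repeated keys keep every
    distinct value in order of appearance instead of overwriting each other."""
    fields = {}
    for key, value in FIELD_RE.findall(line):
        values = fields.setdefault(key, [])
        if value not in values:
            values.append(value)
    return fields


def unify(lines):
    """Group records by loguid and merge their fields into one event per loguid,
    which is what the SmartConsole view does for an original log and its updates."""
    events = {}
    for line in lines:
        record = parse_record(line)
        loguid = record.get("loguid", [None])[0]
        if loguid is None:
            continue  # nothing to correlate on
        event = events.setdefault(loguid, {"_records": 0, "_sequencenums": []})
        event["_records"] += 1
        event["_sequencenums"].extend(record.get("sequencenum", []))
        for key, values in record.items():
            if key in ("loguid", "sequencenum"):
                continue
            merged = event.setdefault(key, [])
            for value in values:
                if value not in merged:
                    merged.append(value)
    return events


def summarize(event):
    """Flatten a merged event: single values become scalars, conflicting values stay a list."""
    return {key: (values if key.startswith("_") or len(values) != 1 else values[0])
            for key, values in event.items()}


def prevented_ips_events(events):
    """loguids whose merged event shows an IPS protection that was prevented.
    Neither condition can be checked from one exported line on its own, because
    'action' and 'protection_type' arrive in different records."""
    return [uid for uid, ev in events.items()
            if "Prevent" in ev.get("action", []) and "IPS" in ev.get("protection_type", [])]


if __name__ == "__main__":
    merged = unify(SAMPLE_LINES)
    for uid, ev in merged.items():
        print(uid, summarize(ev))
    print("prevented IPS events:", prevented_ips_events(merged))
```

Note that `action:"Prevent"` arrives in the original record while `protection_type:"IPS"` arrives in a later update, so a detection rule that looks only at individual exported lines cannot match on both; the merged event can. Conflicting values for the same key (here `smartdefense_profile`) are kept as a list rather than silently overwritten, so the discrepancy stays visible in the unified event.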