Create a Post
cancel
Showing results for 
Search instead for 
Did you mean: 
Daniele80
Explorer

80.40 log exporter not seding audit logs to remote syslog

Hi!

Since the migration to the 80.40 version, the log exporter stopped sending audit logs, traffic logs work but we aren't able to get the audit to our remote Syslog.

Thanks in advance

targetConfiguration.xml:

Click to Expand
?xml version="1.0" encoding="utf-8"?>
<export id="targetObjectUID"><!--object uuid!-->
<version>6</version> <!-- Version of this file-->
<is_enabled>true</is_enabled><!--Is the process allowed to run, and start on cpstart-->
<!-- Destination section defines the properties of the export target -->
<destination type="syslog"> <!-- Target output type -->
<ip>192.168.254.239</ip><!--the ip of the syslog server-->
<port>6200</port><!--the port on which the syslog is listening to-->
<protocol>tcp</protocol><!--udp/tcp-->
<!--the configuration of tls-->
<transport>
<security>clear</security><!--clear/tls-->
<!-- the following section is relevant only if <security> is tls -->
<pem_ca_file></pem_ca_file>
<p12_certificate_file></p12_certificate_file>
<client_certificate_challenge_phrase></client_certificate_challenge_phrase>
</transport>
</destination>
<!-- Filter Configuration -->
<dynamicFilter>conf/FilterConfiguration.xml</dynamicFilter>
<!-- Source section defines the properties of the input stream that will be exported -->
<source>
<log_files></log_files><!-- on-line[default] | read logs from [number] days back (recommended) | specific file name -->
<log_types>audit</log_types><!--all[default]|log|audit/-->
<folder></folder><!--$FWDIR/log[default]|specific path-->
<read_mode>raw</read_mode><!--raw[default]|semi-unified/-->
</source>
<export_log_link>false</export_log_link> <!-- True | False /-->
<export_attachment_link>false</export_attachment_link> <!-- True | False /-->
<export_link_ip></export_link_ip> <!-- empty [defaut] | external IP /-->
<export_attachment_ids>false</export_attachment_ids>
<!-- Format section determines the form (headers and mappings) of the exported logs -->
<format type="syslog"> <!--syslog | cef | leef | generic | splunk | this parameter may differ from the type of destination, for example, destination type = files/format type = CEF -->
<resolver>
<mappingConfiguration></mappingConfiguration><!--if empty the fields are sent as is without renaming-->
<exportAllFields>true</exportAllFields> <!--in case exportAllFields=true - exported element in fieldsMapping.xml is ignored and fields not from fieldsMapping.xml are exported as notMappedField field-->
</resolver>
<!-- Format header configuration (actual to CEF see ./conf directory) -->
<formatHeaderFile></formatHeaderFile>
</format>
<!-- The following section is for future use of log filtering, please do not modify these values -->
<filter filter_out_by_connection="false">
<field name="product">
<value>VPN-1 &amp; FireWall-1</value>
<value>HTTPS Inspection</value>
<value>VPN-1</value>
<value>Security Gateway/Management</value>
<value>Firewall</value>
<value>FG</value>
</field>
<field name="fw_subproduct">
<value>VPN-1 &amp; FireWall-1</value>
<value>HTTPS Inspection</value>
<value>VPN-1</value>
<value>Security Gateway/Management</value>
<value>Firewall</value>
<value>FG</value>
</field>
</filter>
</export>

tail -f log/log_indexer.elg (ran while installing a policy)

 

Click to Expand
[5 Mar 9:46:27] Read Log Format field name:['product']
[5 Mar 9:46:27] Read Log Format field name:['objectname']
[5 Mar 9:46:27] Read Log Format field name:['objecttype']
[5 Mar 9:46:27] Read Log Format field name:['objecttable']
[5 Mar 9:46:27] Read Log Format field name:['operation']
[5 Mar 9:46:27] Read Log Format field name:['uid']
[5 Mar 9:46:27] Read Log Format field name:['administrator']
[5 Mar 9:46:27] Read Log Format field name:['machine']
[5 Mar 9:46:27] Read Log Format field name:['fieldschanges']
[5 Mar 9:46:27] Read Log Format field name:['session_id']
[5 Mar 9:46:27] Read Log Format field name:['subject']
[5 Mar 9:46:27] Read Log Format field name:['audit_status']
[5 Mar 9:46:27] Read Log Format field name:['additional_info']
[5 Mar 9:46:27] Read Log Format field name:['operation_number']
[5 Mar 9:46:27] Read Log Format field name:['customer_name']
[5 Mar 9:46:27] Read Log Format field name:['cma_name']
[5 Mar 9:46:27] Read Log Format field name:['mds_name']
[5 Mar 9:46:27] Read Log Format field name:['client_ip']
[5 Mar 9:46:27] Read Log Format field name:['admin_level']
[5 Mar 9:46:27] markFieldIfItShouldBeAddToLogHeaderFormat: Mark as Header on position: 2 field:time
[5 Mar 9:46:27] LogFormatExtractor::prepareFieldGetterForField added this ILogField :product to the Marked Blob Format
[5 Mar 9:46:27] LogsFormater::Process Log Skipped

 

0 Kudos
3 Replies
PhoneBoy
Admin
Admin

Have you opened a TAC case by chance?

0 Kudos
Daniele80
Explorer

Not yet,  but I will if I can't get any help on the forums 😊

0 Kudos
Roshan_Sinha
Explorer

i have also same problem. Hav you got any solution so far on the same.

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

Upcoming Events

    CheckMates Events