80.40 log exporter not sending audit logs to remote syslog
Hi!
Since the migration to version 80.40, the log exporter stopped sending audit logs; traffic logs work, but we aren't able to get the audit logs to our remote syslog.
<?xml version="1.0" encoding="utf-8"?>
<export id="targetObjectUID"><!--object uuid!-->
    <version>6</version> <!-- Version of this file-->
    <is_enabled>true</is_enabled><!--Is the process allowed to run, and start on cpstart-->
    <!-- Destination section defines the properties of the export target -->
    <destination type="syslog"> <!-- Target output type -->
        <ip>192.168.254.239</ip><!--the ip of the syslog server-->
        <port>6200</port><!--the port on which the syslog is listening to-->
        <protocol>tcp</protocol><!--udp/tcp-->
        <!--the configuration of tls-->
        <transport>
            <security>clear</security><!--clear/tls-->
            <!-- the following section is relevant only if <security> is tls -->
            <pem_ca_file></pem_ca_file>
            <p12_certificate_file></p12_certificate_file>
            <client_certificate_challenge_phrase></client_certificate_challenge_phrase>
        </transport>
    </destination>
    <!-- Filter Configuration -->
    <dynamicFilter>conf/FilterConfiguration.xml</dynamicFilter>
    <!-- Source section defines the properties of the input stream that will be exported -->
    <source>
        <log_files></log_files><!-- on-line[default] | read logs from [number] days back (recommended) | specific file name -->
        <log_types>audit</log_types><!--all[default]|log|audit/-->
        <folder></folder><!--$FWDIR/log[default]|specific path-->
        <read_mode>raw</read_mode><!--raw[default]|semi-unified/-->
    </source>
    <export_log_link>false</export_log_link> <!-- True | False /-->
    <export_attachment_link>false</export_attachment_link> <!-- True | False /-->
    <export_link_ip></export_link_ip> <!-- empty [default] | external IP /-->
    <export_attachment_ids>false</export_attachment_ids>
    <!-- Format section determines the form (headers and mappings) of the exported logs -->
    <format type="syslog"> <!--syslog | cef | leef | generic | splunk | this parameter may differ from the type of destination, for example, destination type = files/format type = CEF -->
        <resolver>
            <mappingConfiguration></mappingConfiguration><!--if empty the fields are sent as is without renaming-->
            <exportAllFields>true</exportAllFields> <!--in case exportAllFields=true - exported element in fieldsMapping.xml is ignored and fields not from fieldsMapping.xml are exported as notMappedField field-->
        </resolver>
        <!-- Format header configuration (actual to CEF see ./conf directory) -->
        <formatHeaderFile></formatHeaderFile>
    </format>
    <!-- The following section is for future use of log filtering, please do not modify these values -->
    <filter filter_out_by_connection="false">
        <field name="product">
            <value>VPN-1 &amp; FireWall-1</value>
            <value>HTTPS Inspection</value>
            <value>VPN-1</value>
            <value>Security Gateway/Management</value>
            <value>Firewall</value>
            <value>FG</value>
        </field>
        <field name="fw_subproduct">
            <value>VPN-1 &amp; FireWall-1</value>
            <value>HTTPS Inspection</value>
            <value>VPN-1</value>
            <value>Security Gateway/Management</value>
            <value>Firewall</value>
            <value>FG</value>
        </field>
    </filter>
</export>
tail -f log/log_indexer.elg (ran while installing a policy)
[5 Mar 9:46:27] Read Log Format field name:['product']
[5 Mar 9:46:27] Read Log Format field name:['objectname']
[5 Mar 9:46:27] Read Log Format field name:['objecttype']
[5 Mar 9:46:27] Read Log Format field name:['objecttable']
[5 Mar 9:46:27] Read Log Format field name:['operation']
[5 Mar 9:46:27] Read Log Format field name:['uid']
[5 Mar 9:46:27] Read Log Format field name:['administrator']
[5 Mar 9:46:27] Read Log Format field name:['machine']
[5 Mar 9:46:27] Read Log Format field name:['fieldschanges']
[5 Mar 9:46:27] Read Log Format field name:['session_id']
[5 Mar 9:46:27] Read Log Format field name:['subject']
[5 Mar 9:46:27] Read Log Format field name:['audit_status']
[5 Mar 9:46:27] Read Log Format field name:['additional_info']
[5 Mar 9:46:27] Read Log Format field name:['operation_number']
[5 Mar 9:46:27] Read Log Format field name:['customer_name']
[5 Mar 9:46:27] Read Log Format field name:['cma_name']
[5 Mar 9:46:27] Read Log Format field name:['mds_name']
[5 Mar 9:46:27] Read Log Format field name:['client_ip']
[5 Mar 9:46:27] Read Log Format field name:['admin_level']
[5 Mar 9:46:27] markFieldIfItShouldBeAddToLogHeaderFormat: Mark as Header on position: 2 field:time
[5 Mar 9:46:27] LogFormatExtractor::prepareFieldGetterForField added this ILogField :product to the Marked Blob Format
[5 Mar 9:46:27] LogsFormater::Process Log Skipped
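As an added example (not from the post above and not Check Point's code), a collector-side check for the symptom described: it classifies exported syslog records as audit or traffic using the audit-only field names that log_indexer.elg lists above, and raises an alert for a collection window that contains traffic records but no audit record. The key:"value" pair layout of the syslog body and the sample lines are constructed assumptions.

```python
import re
from collections import Counter

# Field names that only appear on audit records; taken from the
# "Read Log Format field name" entries in log_indexer.elg above.
AUDIT_FIELDS = {"administrator", "operation", "audit_status",
                "objectname", "fieldschanges"}

# Assumed pair layout of the exporter's syslog body: key:"value"; key:"value"; ...
PAIR_RE = re.compile(r'(\w+):"([^"]*)"')


def parse_fields(line):
    """Return the key/value pairs of one exported syslog line as a dict."""
    return dict(PAIR_RE.findall(line))


def classify(fields):
    """Label a parsed record 'audit' if it carries an audit-only field, else 'traffic'."""
    return "traffic" if AUDIT_FIELDS.isdisjoint(fields) else "audit"


def check_window(lines):
    """Count records per type over one collection window.

    Returns (counts, alert); alert is True when the window holds traffic
    records but no audit record, which is the symptom described in the post.
    """
    counts = Counter(classify(parse_fields(line)) for line in lines)
    alert = counts["traffic"] > 0 and counts["audit"] == 0
    return counts, alert


# Constructed sample lines (not captured from a real gateway or management server).
_TRAFFIC = ('<134>1 2020-03-05T09:46:27Z mgmt CheckPoint 1234 - [time:"1583401587"; '
            'product:"VPN-1 & FireWall-1"; action:"Accept"; src:"10.0.0.5"; '
            'dst:"10.0.0.9"; service:"443"]')
_AUDIT = ('<134>1 2020-03-05T09:46:30Z mgmt CheckPoint 1234 - [time:"1583401590"; '
          'product:"SmartConsole"; administrator:"admin"; operation:"Install Policy"; '
          'objectname:"Standard"; audit_status:"Success"]')

WINDOW_AFTER_UPGRADE = [_TRAFFIC, _TRAFFIC]   # what the poster sees: traffic only
WINDOW_EXPECTED = [_TRAFFIC, _AUDIT]          # what a healthy exporter delivers

if __name__ == "__main__":
    for name, window in (("after upgrade", WINDOW_AFTER_UPGRADE),
                         ("expected", WINDOW_EXPECTED)):
        counts, alert = check_window(window)
        status = "ALERT: no audit records" if alert else "ok"
        print(f"{name}: {dict(counts)} -> {status}")
```

Run it against a few minutes of lines from the collector after each policy install or admin login; an alert while log_indexer.elg shows "Process Log Skipped" confirms the gap is on the exporter side, not the network path.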