Paul_Starr
Participant

Admin only logs in Log Exporter

Is it possible to set Log Exporter to only syslog admin audit logs and not traffic logs? I have seen within the file:

/opt/CPrt-R80/log_exporter/targets/logrhythm/conf/log_indexer_settings.conf the setting :log_files (all):

(
        :connections (
#               :domain (
#                                       :management (
#                                                       :name (127.0.0.1)
#                                                       :log_files (all)
#                                                       :is_local (true)
#                                                       :read_mode (CPMI)
#                                       )
#                                       :log_servers (
#                                                       : (
#                                                               :name (<management IP/Log Server IP>)
#                                                               :sic_name_client  (<DN of the OPSEC Application Object>)
#                                                               :sic_name_server (<DN of the Mangement/Log Server>)
#                                                               :certificate_file (<Certificate File Name>)
#                                                               :read_mode (LEA)
#                                                               :log_files (all)

However, the documentation is limited, and I cannot be sure whether this can be changed, and to what value, to send only admin audit logs.

1 Reply
Paul_Starr
Participant

I was able to get this working by editing targetConfiguration.xml:

Add an exporter target:

cp_log_export add name <name> [domain-server <domain-server>] target-server <target-server> target-port <target-port> protocol <(udp|tcp)> format <(syslog)|(cef)>

            e.g: cp_log_export add name splunk target-server XXX.XXX.XXX.XXX target-port 514 protocol udp format cef

Edit /opt/CPsuite-R77/fw1/log_exporter/targets/splunk/targetConfiguration.xml
   and change the line:

                  <log_types></log_types><!--all[default]|log|audit/-->
to:
                  <log_types>audit</log_types><!--all[default]|log|audit/-->

Run the two commands:
cp_log_export reexport name splunk
cp_log_export start name splunk

All audit type logs will be sent.

[Expert@XXXXXXXXXXX:0]# cpwd_admin list
APP        PID    STAT  #START  START_TIME             MON  COMMAND
CPVIEWD    3071   E     1       [21:38:58] 27/4/2018   N    cpviewd
CPD        3074   E     1       [21:38:58] 27/4/2018   Y    cpd
FWD        3317   E     1       [21:39:13] 27/4/2018   N    fwd -n
FWM        3319   E     1       [21:39:13] 27/4/2018   N    fwm
STPR       3336   E     1       [21:39:14] 27/4/2018   N    status_proxy
SVR        3511   E     1       [21:39:17] 27/4/2018   N    SVRServer
CPSEAD     3575   E     1       [21:39:18] 27/4/2018   N    cpsead
CPWMD      3603   E     1       [21:39:19] 27/4/2018   N    cpwmd -D -app SmartPortal
CPHTTPD    3612   E     1       [21:39:19] 27/4/2018   N    cp_http_server -f '/opt/CPportal-R77/portal/conf/cp_httpd_admin.conf'
CP3DLOGD   3643   E     1       [21:39:19] 27/4/2018   N    cp3dlogd
SICTUNNEL  3655   E     1       [21:39:19] 27/4/2018   N    /opt/CPshrd-R77/bin/cptnl -c "/opt/CPuepm-R77/engine/conf/cptnl_srv.conf"
EPM        0      T     1       [21:39:19] 27/4/2018   N    startEngine
DASERVICE  3838   E     1       [21:39:26] 27/4/2018   N    DAService_script
CPSM       4316   E     1       [21:39:56] 27/4/2018   N    cpstat_monitor
LPD        4659   E     1       [21:40:29] 27/4/2018   N    lpd
EXPORTER.splunk 8437   E     1       [21:50:17] 27/4/2018   N    /opt/CPsuite-R77/fw1/log_exporter/targets/splunk/log_exporter -export /opt/CPsuite-R77/fw1/log_exporter/targets/splunk/targetConfiguration.xml
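As an added example (not from the post above), a small bash helper that makes the targetConfiguration.xml edit described in the reply scriptable: it validates the requested value against the all|log|audit options the file's own comment lists, keeps a backup, and verifies the edit. The sample config it writes is constructed to mirror the quoted line; the cp_log_export reexport/start commands are not run here, so the script works on any Linux host.

```shell
#!/bin/bash
# Added example, not Check Point code: switch a Log Exporter target to
# audit-only by editing <log_types> in its targetConfiguration.xml.

# Print the current <log_types> value; an empty element means the
# documented default, "all".
get_log_types() {
    local cfg="$1"
    local val
    val=$(sed -n 's/.*<log_types>\([^<]*\)<\/log_types>.*/\1/p' "$cfg" | head -n 1)
    [ -z "$val" ] && val="all"
    printf '%s\n' "$val"
}

# Rewrite <log_types> in place after validating the value against the
# options the file's own comment documents (all|log|audit).
# Keeps a timestamped backup next to the original and confirms the edit.
set_log_types() {
    local cfg="$1" want="$2"
    case "$want" in
        all|log|audit) ;;
        *) echo "invalid log_types '$want' (expected all|log|audit)" >&2; return 2 ;;
    esac
    grep -q '<log_types>' "$cfg" || { echo "no <log_types> element in $cfg" >&2; return 3; }
    cp -p "$cfg" "$cfg.bak.$(date +%Y%m%d%H%M%S)"
    sed -i "s#<log_types>[^<]*</log_types>#<log_types>$want</log_types>#" "$cfg"
    [ "$(get_log_types "$cfg")" = "$want" ]
}

# Constructed sample mirroring the line quoted in the reply (the real file
# lives under /opt/CPsuite-R77/fw1/log_exporter/targets/<name>/ on a
# management server; the wrapper element here is a placeholder).
make_sample_config() {
    cat > "$1" <<'EOF'
<?xml version="1.0" encoding="UTF-8"?>
<exporter>
  <log_types></log_types><!--all[default]|log|audit/-->
</exporter>
EOF
}
```

After a successful set_log_types on the real target directory, the reply's "cp_log_export reexport name <name>" and "cp_log_export start name <name>" steps still have to be run for the exporter to pick up the change.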
