Admin only logs in Log Exporter

Paul_Starr · ‎2018-04-26

Is it possible to set Log Exporter to only syslog admin audit logs and not traffic logs. I have seen within file:

/opt/CPrt-R80/log_exporter/targets/logrhythm/conf/log_indexer_settings.conf the setting :log_files (all)

(
        :connections (
#               :domain (
#                                       :management (
#                                                       :name (127.0.0.1)
#                                                       :log_files (all)
#                                                       :is_local (true)
#                                                       :read_mode (CPMI)
#                                       )
#                                       :log_servers (
#                                                       : (
#                                                               :name (<management IP/Log Server IP>)
#                                                               :sic_name_client (<DN of the OPSEC Application Object>)
#                                                               :sic_name_server (<DN of the Mangement/Log Server>)
#                                                               :certificate_file (<Certificate File Name>)
#                                                               :read_mode (LEA)
#                                                               :log_files (all)

However the documentation is limited, and I can not be sure if this can be changed and to what value to send on admin audit logs.

Paul_Starr · ‎2018-04-27

I was able to get this working by editting targetConfiguration.xml:

Add a exporter target:

cp_log_export add name <name> [domain-server <domain-server>] target-server <target-server> target-port <target-port> protocol <(udp|tcp)> format <(syslog)|(cef)>

e.g: cp_log_export add name splunk target-server XXX.XXX.XXX.XXX target-port 514 protocol udp format cef

edit /opt/CPsuite-R77/fw1/log_exporter/targets/splunk/targeConfiguration.xml
edit line:

<log_types></log_types>
to:
<log_types>audit</log_types>

Run the two commands:
cp_log_export reexport name splunk
cp_log_export start name splunk

All audit type logs will be sent.

[Expert@XXXXXXXXXXX:0]# cpwd_admin list
APP        PID    STAT #START START_TIME             MON COMMAND
CPVIEWD    3071   E     1       [21:38:58] 27/4/2018   N    cpviewd
CPD        3074   E     1       [21:38:58] 27/4/2018   Y    cpd
FWD        3317   E     1       [21:39:13] 27/4/2018   N    fwd -n
FWM        3319   E     1       [21:39:13] 27/4/2018   N    fwm
STPR       3336   E     1       [21:39:14] 27/4/2018   N    status_proxy
SVR        3511   E     1       [21:39:17] 27/4/2018   N    SVRServer
CPSEAD     3575   E     1       [21:39:18] 27/4/2018   N    cpsead
CPWMD      3603   E     1       [21:39:19] 27/4/2018   N    cpwmd -D -app SmartPortal
CPHTTPD    3612   E     1       [21:39:19] 27/4/2018   N    cp_http_server -f '/opt/CPportal-R77/portal/conf/cp_httpd_admin.conf'
CP3DLOGD   3643   E     1       [21:39:19] 27/4/2018   N    cp3dlogd
SICTUNNEL 3655   E     1       [21:39:19] 27/4/2018   N    /opt/CPshrd-R77/bin/cptnl -c "/opt/CPuepm-R77/engine/conf/cptnl_srv.conf"
EPM        0      T     1       [21:39:19] 27/4/2018   N    startEngine
DASERVICE 3838   E     1       [21:39:26] 27/4/2018   N    DAService_script
CPSM       4316   E     1       [21:39:56] 27/4/2018   N    cpstat_monitor
LPD        4659   E     1       [21:40:29] 27/4/2018   N    lpd
EXPORTER.splunk 8437   E     1       [21:50:17] 27/4/2018   N    /opt/CPsuite-R77/fw1/log_exporter/targets/splunk/log_exporter -export /opt/CPsuite-R77/fw1/log_exporter/targets/splunk/targetConfiguration.xml

Are you a member of CheckMates?

Admin only logs in Log Exporter