Nathaniel_Horsc
Explorer

CEF field values of Log exporter

I'm using Log Exporter to forward CEF formatted logs to a third-party SIEM tool, where I want to know the default CEF field values for mapping to the SIEM.

5 Replies
PhoneBoy
Admin

Not sure there are any default values as that will depend on the logs being sent.

Can you elaborate on your question a bit?

What SIEM are you trying to integrate with?

0 Kudos
DeletedUser
Not applicable

If you don't mind reading XML, check out $EXPORTERDIR/conf/CefFieldsMapping.xml. Attaching for your convenience and examples below. This is from R80.20 GA take 101.

......
<field>
  <origName>action</origName>
  <dstName>act</dstName>
</field>
......
<field>
  <origName>severity</origName>
  <dstName>cp_severity</dstName>
  <callback>
    <name>replace_value</name>
    <args>
      <arg key="default" value="Unknown"/>
      <arg key="0" value="Low"/>
      <arg key="1" value="Low"/>
      <arg key="2" value="Medium"/>
      <arg key="3" value="High"/>
      <arg key="4" value="Very-High"/>
    </args>
  </callback>
</field>
DeletedUser
Not applicable

Also see this discussion Log Exporter CEF Field Mappings

Nathaniel_Horsc
Explorer

Thanks Bob, it helped. Do we have a similar field mapping for the syslog format?

DeletedUser
Not applicable

Sorry for the delay in answering. The syslog format essentially doesn't map to another format so, aside from the header, you'll get the Check Point field names unmapped.

# pwd
/opt/CPrt-R80.20/log_exporter/targets/MySyslog

# grep mapping *
.....
targetConfiguration.xml: <!-- Format section determines the form (headers and mappings) of the exported logs -->
targetConfiguration.xml: <mappingConfiguration></mappingConfiguration><!--if empty the fields are sent as is without renaming-->

On a related note, there is a project to better define the Check Point field names and to normalize them across products. It's a bit hidden right now, but you can see in R80.20 the 100+ Threat Prevention field definitions for ALL of the SandBlast products (mobile, endpoint, gateway) at the bottom of sk134634: SmartView Cyber Attack View in the Field Documentation section. In the future I'm sure we'll do a better job of documenting these so they're not buried in an SK like this. For now check out Threat Prevention Log Field Documentation

0 Kudos
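To make the two answers above concrete, here is an added worked example (not Check Point's code, and not the Log Exporter's actual implementation) that reads a mapping in the shape of the CefFieldsMapping.xml fragment quoted earlier, applies the renames and the replace_value callback to a constructed log record, and renders the result as a CEF extension string. It also shows the pass-through case from the syslog target's empty mappingConfiguration, where field names are sent as-is. The element names are taken from the fragment; the parsing logic, the CEF escaping, the sample record and the EMPTY_MAPPING_XML string are assumptions made for the example.

```python
"""Apply a Log Exporter style field mapping to a log record.

Added example, not Check Point's code. Assumes the structure seen in the
quoted CefFieldsMapping.xml fragment: <field> entries with <origName>,
<dstName> and an optional <callback> named replace_value whose <args> map
input values to output values with a "default" fallback. An empty mapping
means fields pass through unrenamed, as the syslog targetConfiguration.xml
comment states.
"""
import xml.etree.ElementTree as ET

# Constructed sample mirroring the two <field> entries quoted in the thread.
SAMPLE_MAPPING_XML = """<fields>
  <field>
    <origName>action</origName>
    <dstName>act</dstName>
  </field>
  <field>
    <origName>severity</origName>
    <dstName>cp_severity</dstName>
    <callback>
      <name>replace_value</name>
      <args>
        <arg key="default" value="Unknown"/>
        <arg key="0" value="Low"/>
        <arg key="1" value="Low"/>
        <arg key="2" value="Medium"/>
        <arg key="3" value="High"/>
        <arg key="4" value="Very-High"/>
      </args>
    </callback>
  </field>
</fields>"""

# Constructed stand-in for the syslog target's empty mapping section.
EMPTY_MAPPING_XML = "<mappingConfiguration></mappingConfiguration>"


def replace_value(value, args):
    """Look the value up in the callback args, falling back to 'default'."""
    return args.get(value, args.get("default", value))


# Callback names known to this example (only the one seen in the fragment).
CALLBACKS = {"replace_value": replace_value}


def parse_mapping(xml_text):
    """Return {origName: (dstName, callback_fn_or_None, args_dict)}."""
    root = ET.fromstring(xml_text)
    mapping = {}
    for field in root.iter("field"):
        orig = field.findtext("origName")
        dst = field.findtext("dstName") or orig
        cb = field.find("callback")
        fn, args = None, {}
        if cb is not None:
            fn = CALLBACKS.get(cb.findtext("name"))
            args = {a.get("key"): a.get("value") for a in cb.iter("arg")}
        mapping[orig] = (dst, fn, args)
    return mapping


def apply_mapping(record, mapping):
    """Rename/transform mapped fields; unmapped fields pass through unchanged."""
    out = {}
    for name, value in record.items():
        if name in mapping:
            dst, fn, args = mapping[name]
            out[dst] = fn(value, args) if fn else value
        else:
            out[name] = value
    return out


def cef_extension(record):
    """Render a flat record as a CEF extension string (key=value pairs).
    Backslash, '=' and newline in values are escaped as CEF requires."""
    def esc(v):
        return str(v).replace("\\", "\\\\").replace("=", "\\=").replace("\n", "\\n")
    return " ".join(f"{k}={esc(v)}" for k, v in record.items())


# Constructed log record, not a real Check Point log.
SAMPLE_RECORD = {"action": "Drop", "severity": "3", "src": "192.0.2.10"}

if __name__ == "__main__":
    mapped = apply_mapping(SAMPLE_RECORD, parse_mapping(SAMPLE_MAPPING_XML))
    print(cef_extension(mapped))
    # With no mapping (the syslog target case) names are kept as-is.
    unmapped = apply_mapping(SAMPLE_RECORD, parse_mapping(EMPTY_MAPPING_XML))
    print(cef_extension(unmapped))
```

When building SIEM parsers this is the point to check: a severity of 3 arrives as cp_severity=High, while an unexpected severity value falls back to the "default" arg (Unknown), so a parser keyed on the raw numeric values would silently miss events.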
