Hello Check Mates ...
For a couple of days I have been struggling with the Log Exporter from two MGMT servers to Microsoft CASB.
It had worked for many weeks, but it suddenly stopped. We made no updates on the MGMT or whatever ...
The configuration seems to be correct to me ...
Also, the TLS encryption works correctly, as far as I can interpret the logs.
The logs in CEF format are sent to an on-prem log collector; this guy accepts all logs and forwards them to the Microsoft world ...
There I see these error messages.
I applied sk165999 and set the log to milliseconds as well ... because this was the only reasonable information I could find ...
I found no way to see the raw data on the Microsoft side ...
I am sorry I cannot post the whole raw log from the on-prem log collector here, because it contains many confidential things ...
The raw logs look like:
"May 30 11:16:06 X.X.X.X CEF: 0|Check Point|VPN-1 & FireWall-1|Check Point|Log|domain-udp|Unknown|act=Accept deviceDirection=1 rt=2023-05-30 11:12:08 spt=45462 dpt=53 cs2Label=Rule Name cs2=[U1] MGMT Time Update layer_name=XXXX-POLICY Network layer_uuid=90c0733f-0d77-403b-b604-52b6cdb8a4e0"
So what is wrong here?
Perhaps something on the Microsoft side is not correct, could be, but I have no hint so far.
Question: should the time be in EPOCH (time:"1685446429";) or in UTC ("rt=2023-05-30 11:12:08")?
Also, the origin of the log is shown as an IP (X.X.X.X) ... a different customer with a working CP Log Export shows the correct hostname, not an IP, but there the format is SYSLOG.
Who has an idea what the issue could be here?
Best Regards
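
An added example, not part of the original post and not Check Point or Microsoft code: a small Python check that can be run on the on-prem collector to split a CEF record like the one quoted above into header and extension fields and report how the `rt` timestamp is encoded. The function names are hypothetical, and the sample is the record from the post with the syslog prefix removed.

```python
import re

# Constructed sample: the CEF record quoted in the post, syslog prefix removed.
SAMPLE = ("CEF: 0|Check Point|VPN-1 & FireWall-1|Check Point|Log|domain-udp|Unknown|"
          "act=Accept deviceDirection=1 rt=2023-05-30 11:12:08 spt=45462 dpt=53 "
          "cs2Label=Rule Name cs2=[U1] MGMT Time Update "
          "layer_name=XXXX-POLICY Network "
          "layer_uuid=90c0733f-0d77-403b-b604-52b6cdb8a4e0")

HEADER_FIELDS = ("version", "vendor", "product", "device_version",
                 "signature_id", "name", "severity")
# A value runs until the next " key=" or end of line, so values may contain spaces.
EXT_RE = re.compile(r"(\w+)=(.*?)(?=\s+\w+=|$)")


def parse_cef(line):
    """Split one CEF record into (header dict, extension dict). Hypothetical helper."""
    start = line.find("CEF:")
    if start < 0:
        raise ValueError("no CEF marker in line")
    # Split on unescaped pipes only; the 8th part is the extension.
    parts = re.split(r"(?<!\\)\|", line[start + 4:].strip(), maxsplit=7)
    if len(parts) < 8:
        raise ValueError("CEF header needs 7 pipe-delimited fields")
    header = dict(zip(HEADER_FIELDS, (p.strip() for p in parts[:7])))
    ext = {k: v.strip() for k, v in EXT_RE.findall(parts[7])}
    return header, ext


def classify_rt(value):
    """Name the timestamp encoding used in the rt extension. Hypothetical helper."""
    if value is None:
        return "missing"
    if re.fullmatch(r"\d{10}", value):
        return "epoch_seconds"
    if re.fullmatch(r"\d{13}", value):
        return "epoch_milliseconds"
    if re.fullmatch(r"\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}(\.\d+)?", value):
        return "date_string_no_timezone"
    return "other"


if __name__ == "__main__":
    header, ext = parse_cef(SAMPLE)
    print(header["product"], "| rt =", ext.get("rt"), "->", classify_rt(ext.get("rt")))
```

Running it over records captured before and after the export stopped working shows whether the `rt` encoding or any header field changed between the two.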