Brianna_Hill
Explorer

Change format of table export for Log Exporter

When using Log Exporter to export logs, is it possible to unflatten/unjoin a table? We recently had to transition off of the OPSEC LEA format and are now on the Log Exporter solution and would like to keep using the match_table fields without them being joined with other tables - the joins are resulting in duplicate values.

In fieldsMapping.xml it looks like you can change how match_table is exported, and the tableFormat caught my eye, but I'm not able to find any documentation on this. The comment mentions to see the log_unification_scheme.C file for how the table is changed during the join, but I don't understand what's going on in that file.

I've attached a screenshot of the portion of the fieldsMapping.xml file I'm referencing, and if anyone knows if it's possible to change how the match_table is exported, I'd appreciate the insight! 🙂

fieldsMapping.xml

0 Kudos
3 Replies
PhoneBoy
Admin
Admin

What you appear to be describing is how you think you'd solve a particular issue.
Meanwhile, I don't understand what your overall goal is here.
Can you elaborate?

Also, please specify the version/JHF you're using in case it's relevant.

0 Kudos
Brianna_Hill
Explorer

One thing we do is try to see what rules are being hit the most or taking up the majority of the bandwidth of our Gateways. Originally with the OPSEC LEA, we were able to search this in the exported logs using the "match_table_rule_name" field since it gave us the results on the matches, whether they were rules inside inline layers or not. They would be formatted like this:

  • match_table_rule_name: "Allow all DNS from internal DNS servers"
  • match_table_rule_name: "Inline layer for production anonymization blocking(+)Allow from production Windows servers to patching endpoints"

Now using Log Exporter, these values are split to make a multi-valued field so that when we search by "rule_name" we get two values. The above values now appear like this:

  • rule_name:
    • "Allow all DNS from internal DNS servers"
    • "Allow all DNS from internal DNS servers"
  • rule_name:
    • "Inline layer for production anonymization blocking"
    • "Allow from production Windows servers to patching endpoints"

This is making our searching more complicated and we're not entirely sure that we're getting all of the results back that we want to without unintentionally including too much/too little information.

The same can be said for other fields and values from the match_table.

We're currently on R80.40 Take 156.

0 Kudos
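As an added illustration (not part of this thread, and not Check Point's own Log Exporter code): a small Python helper that takes records already parsed out of the export, with rule_name as the multi-valued list shown in the post above, rebuilds the single LEA-style match_table_rule_name, and counts hits and bytes per rebuilt rule. The sample records, the `bytes` field, the extra "Drop everything else in the layer" rule and every function name are constructed for this example. The rule it applies, collapse consecutive duplicates and join what remains with "(+)", is inferred from the two examples in the post only, not from any Check Point documentation, so check it against your own export before relying on it.

```python
from collections import Counter

# Token that joined the inline-layer name and the inline rule name in the
# OPSEC LEA match_table_rule_name values quoted in the thread.
JOIN_TOKEN = "(+)"


def _as_list(value):
    """Normalise a field that may be exported single-valued (str) or multi-valued (list)."""
    if value is None:
        return []
    if isinstance(value, str):
        return [value]
    return list(value)


def lea_style_rule_name(values):
    """Rebuild one LEA-style match_table_rule_name from Log Exporter's multi-valued rule_name.

    Assumption (taken from the thread's two examples): a rule outside any inline layer is
    exported with its name repeated, while an inline-layer hit is exported as [layer, rule]
    in that order. Collapsing consecutive repeats and joining the rest with "(+)"
    reproduces both cases.
    """
    parts = []
    for v in _as_list(values):
        if not parts or parts[-1] != v:
            parts.append(v)
    return JOIN_TOKEN.join(parts)


def split_lea_rule_name(name):
    """Inverse direction: break a LEA-style joined name back into its parts."""
    return name.split(JOIN_TOKEN)


def top_rules(records, field="rule_name"):
    """Count hits per rebuilt rule name across already-parsed export records."""
    return Counter(lea_style_rule_name(r.get(field)) for r in records)


def bytes_per_rule(records, field="rule_name"):
    """Sum a (constructed) 'bytes' field per rebuilt rule name: the bandwidth view."""
    totals = Counter()
    for r in records:
        totals[lea_style_rule_name(r.get(field))] += r.get("bytes", 0)
    return totals


def hits_for_rule(records, query, field="rule_name", exact=True):
    """Return the records that match `query`.

    exact=True compares against the rebuilt joined name, so searching for an inline
    layer's name alone does not pull in every rule inside that layer.
    exact=False is the loose behaviour the poster describes: any element of the
    multi-valued field equal to the query counts as a hit.
    """
    out = []
    for r in records:
        values = _as_list(r.get(field))
        if exact:
            if lea_style_rule_name(values) == query:
                out.append(r)
        elif query in values:
            out.append(r)
    return out


# Constructed sample records shaped like the multi-valued values quoted in the thread;
# not real export output. The 'bytes' field and the last rule are invented.
SAMPLE_RECORDS = [
    {"rule_name": ["Allow all DNS from internal DNS servers",
                   "Allow all DNS from internal DNS servers"], "bytes": 1200},
    {"rule_name": ["Allow all DNS from internal DNS servers",
                   "Allow all DNS from internal DNS servers"], "bytes": 800},
    {"rule_name": ["Inline layer for production anonymization blocking",
                   "Allow from production Windows servers to patching endpoints"], "bytes": 50000},
    {"rule_name": ["Inline layer for production anonymization blocking",
                   "Drop everything else in the layer"], "bytes": 300},
]


if __name__ == "__main__":
    for name, n in top_rules(SAMPLE_RECORDS).most_common():
        print(n, name)
    for name, total in bytes_per_rule(SAMPLE_RECORDS).most_common():
        print(total, "bytes", name)
    layer = "Inline layer for production anonymization blocking"
    print("loose hits for the layer name:", len(hits_for_rule(SAMPLE_RECORDS, layer, exact=False)))
    print("exact hits for the layer name:", len(hits_for_rule(SAMPLE_RECORDS, layer)))
```

The loose search (`exact=False`) is the "too much" case from the post: querying the inline layer's name matches every record that went through that layer, whereas the rebuilt joined name gives one hit per distinct inline rule, the same granularity the old match_table_rule_name field provided.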
PhoneBoy
Admin
Admin

It appears the default from the configuration for the values is a space, not a carriage return (specifically field_value_separatator).
Not sure how it's adding carriage returns.
In any case, the options we support modifying are here: https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut... 

What precise format are you exporting the logs (Generic, CEF, etc)?
To what are you exporting them exactly?

0 Kudos