This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Brianna_Hill
Explorer
‎2022-08-11 02:52 PM

Change format of table export for Log Exporter

When using Log Exporter to export logs, is it possible unflatten/unjoin a table? We recently had to transition off of the OPSEC LEA format and are now on the Log Exporter solution and would like to keep using the match_table fields without them being joined with other tables - the joins are resulting in duplicate values.

In fieldsMapping.xml it looks like you can change how match_table is exported, and the tableFormat caught my eye, but I'm not able to find any documentation on this. The comment mentions to see the log_unification_scheme.C file for how the table is changed during the join, but I don't understand what's going on in that file.

I've attached a screenshot of the portion of the fieldsMapping.xml file I'm referencing, and if anyone knows if it's possible to change how the match_table is exported, I'd appreciate the insight! 🙂

 

fieldsMapping.xmlfieldsMapping.xml

Labels
0 Kudos
3 Replies
PhoneBoy
Admin
Admin
‎2022-08-16 08:29 AM

What you appear to be describing is how you think you'd solve a particular issue.
Meanwhile, I don't understand what your overall goal is here.
Can you elaborate?

Also, please specify the version/JHF you're using in case it's relevant.

0 Kudos
Brianna_Hill
Explorer
‎2022-08-17 01:04 PM
In response to PhoneBoy

One thing we do is try to see what rules are being hit the most or taking up the majority of the bandwidth of our Gateways. Originally with the OPSEC LEA, we were able to search this in the exported logs using the "match_table_rule_name" field since it gave us the results on the matches, whether they were rules inside inline layers or not. They would be formatted like this:

  • match_table_rule_name: "Allow all DNS from internal DNS servers"
  • match_table_rule_name: "Inline layer for production anonymization blocking(+)Allow from production Windows servers to patching endpoints"

Now using Log Exporter, these values are split to make a multi-valued field so that when we search by "rule_name" we get two values. The above values now appear like this:

  • rule_name:
    • "Allow all DNS from internal DNS servers"
    • "Allow all DNS from internal DNS servers"
  • rule_name:
    • "Inline layer for production anonymization blocking"
    • "Allow from production Windows servers to patching endpoints"

This is making our searching more complicated and we're not entirely sure that we're getting all of the results back that we want to without unintentionally including too much/too little information.

The same came be said for other fields and values from the match_table.

We're currently on R80.40 Take 156.

0 Kudos
PhoneBoy
Admin
Admin
‎2022-08-23 12:15 PM
In response to Brianna_Hill

It appears the default from the configuration for the values is a space, not a carriage return (specifically field_value_separatator).
Not sure how it's adding carriage returns.
In any case, the options we support modifying are here: https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut... 

What precise format are you exporting the logs (Generic, CEF, etc)?
To what are you exporting them exactly?

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events