This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
AngeloP
Participant
‎2022-03-09 02:47 AM

CheckPoint Log Exporter - Filtering based on Logid Value

Hello,

 

I would like to ask if it is possible to filter logs sent by CheckPoint to SIEM based on the logid field value, basically I would like for CheckPoint not to send all logs where the LogID value = 9.

 

Example log i don't want to send to SIEM:

 

<134>1 2022-03-08T11:09:58Z [xxx] CheckPoint 111111 - [flags:280832; ifdir:inbound; logid:9; loguid:{0xbcf642df,0x5cdb972,0xf00fb534,0x8b61447e}; origin:1.1.1.1; originsicname:CN=fw,O=sms; sequencenum:3629; time:1646737798; version:5; __policy_id_tag:product=VPN-1 & FireWall-1[db_tag={};mgmt=sms;date=1646677192;policy_name=policy\]; expire_time:1646737798; product:VPN-1 & FireWall-1; sgm_id:2_1; tcp_state:SYN sent]

 

Example configuration done in the FilterConfiguration.xml file that does not work (i also tried log_id) Checkpoint stops sending events to SIEM after the implementation of this change in the xml configuration file:

<filters>
<filterGroup operator="and">
<field name="action" operator="and">
</field>
<field name="origin" operator="and">
</field>
<field name="product" operator="and">
</field>
<field name="logid" operator="and">
<value operation="eq">9</value>
</field>
</filterGroup>
</filters>

 

 

Thank you for any help in resolving the issue

0 Kudos
2 Replies
AngeloP
Participant
‎2022-03-14 05:10 AM

Should i post this under a different category? I could really use some help, did someone manage to filter these access logs out? There's just too many events for the SIEM to intake with relatively low value.

I've seen posts where it was said that it is possible to filter out all events where product=VPN-1 & FireWall-1, but i would like to filter out only those with logid=9

0 Kudos
PhoneBoy
Admin
Admin
‎2022-03-14 01:33 PM
In response to AngeloP

If you need immediate help, I recommend a TAC case.
That said, I don't believe that is a field, thus not something you can filter on.

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events