AngeloP
Participant

CheckPoint Log Exporter - Filtering based on Logid Value

Hello,
I would like to ask if it is possible to filter logs sent by CheckPoint to the SIEM based on the logid field value; basically, I would like CheckPoint not to send any logs where the LogID value = 9.
Example log I don't want to send to the SIEM:
<134>1 2022-03-08T11:09:58Z [xxx] CheckPoint 111111 - [flags:280832; ifdir:inbound; logid:9; loguid:{0xbcf642df,0x5cdb972,0xf00fb534,0x8b61447e}; origin:1.1.1.1; originsicname:CN=fw,O=sms; sequencenum:3629; time:1646737798; version:5; __policy_id_tag:product=VPN-1 & FireWall-1[db_tag={};mgmt=sms;date=1646677192;policy_name=policy\]; expire_time:1646737798; product:VPN-1 & FireWall-1; sgm_id:2_1; tcp_state:SYN sent]

 

Example configuration done in the FilterConfiguration.xml file that does not work (i also tried log_id) Checkpoint stops sending events to SIEM after the implementation of this change in the xml configuration file:

<filters>
  <filterGroup operator="and">
    <field name="action" operator="and">
    </field>
    <field name="origin" operator="and">
    </field>
    <field name="product" operator="and">
    </field>
    <field name="logid" operator="and">
      <value operation="eq">9</value>
    </field>
  </filterGroup>
</filters>

Thank you for any help in resolving the issue.

0 Kudos
2 Replies
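A SIEM-side pre-filter for the line format quoted in the post, added here as an example (it is not Check Point code and not a Log Exporter feature): it splits the RFC 5424 style header, parses the `key:value` fields inside the `[...]` element while honouring the `\]` escape that appears in `__policy_id_tag`, and reports whether a record with `logid:9` should be forwarded. The sample input is the post's own line (host left redacted as `[xxx]`) plus one constructed line with a different logid; the `; ` field separator is an assumption taken from that sample.

```python
# Constructed sample input: the post's own line (host redacted as "[xxx]" by the poster) and one constructed here with a different logid.
SAMPLE_LOGID_9 = (
    r"<134>1 2022-03-08T11:09:58Z [xxx] CheckPoint 111111 - [flags:280832; ifdir:inbound; logid:9; "
    r"loguid:{0xbcf642df,0x5cdb972,0xf00fb534,0x8b61447e}; origin:1.1.1.1; originsicname:CN=fw,O=sms; "
    r"sequencenum:3629; time:1646737798; version:5; __policy_id_tag:product=VPN-1 & FireWall-1"
    r"[db_tag={};mgmt=sms;date=1646677192;policy_name=policy\]; expire_time:1646737798; "
    r"product:VPN-1 & FireWall-1; sgm_id:2_1; tcp_state:SYN sent]"
)
SAMPLE_OTHER = "<134>1 2022-03-08T11:10:02Z [xxx] CheckPoint 111111 - [flags:280832; logid:0; origin:1.1.1.1; action:accept]"
DROP_LOGIDS = frozenset({"9"})   # the logid the post wants kept out of the SIEM


def _structured_data(body: str) -> str:
    """Text inside the first [...] element; a backslash escapes the next char, so '\\]' is a literal ']'."""
    if not body.startswith("["):
        raise ValueError("structured data must start with '['")
    out, i = [], 1
    while i < len(body):
        c = body[i]
        if c == "\\" and i + 1 < len(body):   # e.g. the '\]' inside __policy_id_tag
            out.append(body[i + 1])
            i += 2
            continue
        if c == "]":                          # first unescaped ']' ends the element
            return "".join(out)
        out.append(c)
        i += 1
    raise ValueError("unterminated structured data element")


def parse_checkpoint_syslog(line: str) -> dict:
    """Split an RFC 5424 style line into its header and a dict of the 'key:value' fields."""
    parts = line.split(" ", 6)   # PRI+VERSION, TIMESTAMP, HOSTNAME, APP-NAME, PROCID, MSGID, SD
    if len(parts) != 7 or not parts[0].startswith("<"):
        raise ValueError("not an RFC 5424 style line")
    fields = {}
    for item in _structured_data(parts[6]).split("; "):   # assumption: fields end with '; '
        key, sep, value = item.partition(":")
        if sep:
            fields[key] = value
    return {"pri_version": parts[0], "timestamp": parts[1], "host": parts[2],
            "app": parts[3], "procid": parts[4], "msgid": parts[5], "fields": fields}


def should_forward(line: str, drop_logids=DROP_LOGIDS) -> bool:
    """False when the record's logid is in drop_logids; lines that fail to parse are kept, never dropped."""
    try:
        return parse_checkpoint_syslog(line)["fields"].get("logid") not in drop_logids
    except ValueError:
        return True
```

Unparseable lines are deliberately forwarded rather than dropped, so a format change on the exporter side shows up in the SIEM instead of silently losing events.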
AngeloP
Participant

Should I post this under a different category? I could really use some help; did someone manage to filter these access logs out? There are just too many events for the SIEM to intake with relatively low value.

I've seen posts where it was said that it is possible to filter out all events where product=VPN-1 & FireWall-1, but I would like to filter out only those with logid=9.

0 Kudos
PhoneBoy
Admin

If you need immediate help, I recommend a TAC case.
That said, I don't believe that is a field, thus not something you can filter on.