This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject
ABOUT CHECKMATES & FAQ
Create a Post
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Help

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
AngeloP
Participant
‎2022-03-09 02:47 AM

CheckPoint Log Exporter - Filtering based on Logid Value

Hello,

 

I would like to ask if it is possible to filter logs sent by CheckPoint to SIEM based on the logid field value, basically I would like for CheckPoint not to send all logs where the LogID value = 9.

 

Example log i don't want to send to SIEM:

 

<134>1 2022-03-08T11:09:58Z [xxx] CheckPoint 111111 - [flags:280832; ifdir:inbound; logid:9; loguid:{0xbcf642df,0x5cdb972,0xf00fb534,0x8b61447e}; origin:1.1.1.1; originsicname:CN=fw,O=sms; sequencenum:3629; time:1646737798; version:5; __policy_id_tag:product=VPN-1 & FireWall-1[db_tag={};mgmt=sms;date=1646677192;policy_name=policy\]; expire_time:1646737798; product:VPN-1 & FireWall-1; sgm_id:2_1; tcp_state:SYN sent]

 

Example configuration done in the FilterConfiguration.xml file that does not work (i also tried log_id) Checkpoint stops sending events to SIEM after the implementation of this change in the xml configuration file:

<filters>
<filterGroup operator="and">
<field name="action" operator="and">
</field>
<field name="origin" operator="and">
</field>
<field name="product" operator="and">
</field>
<field name="logid" operator="and">
<value operation="eq">9</value>
</field>
</filterGroup>
</filters>

 

 

Thank you for any help in resolving the issue

0 Kudos
2 Replies
AngeloP
Participant
‎2022-03-14 05:10 AM

Should i post this under a different category? I could really use some help, did someone manage to filter these access logs out? There's just too many events for the SIEM to intake with relatively low value.

I've seen posts where it was said that it is possible to filter out all events where product=VPN-1 & FireWall-1, but i would like to filter out only those with logid=9

0 Kudos
PhoneBoy
Admin
Admin
‎2022-03-14 01:33 PM
In response to AngeloP

If you need immediate help, I recommend a TAC case.
That said, I don't believe that is a field, thus not something you can filter on.