Hello Experts,
I have a requirement to export logs from a Check Point log server and filter the NAT logs before sending them to a syslog server.
I have configured the log exporter as:
name: NATsysLOG
domain-server: XYZZ1
enabled: true
target-server: 10.10.10.10
target-port: 514
protocol: tcp
format: generic
read-mode: raw
export-attachment-ids: false
export-link: false
export-attachment-link: false
time-in-milli: false
export-log-position: Not configured, using default
reconnect-interval: Not configured, using default
and then I put a NAT filter in
$EXPORTERDIR/targets
targetConfiguration.xml
<?xml version="1.0" encoding="utf-8"?>
<export id="targetObjectUID"><!--object uuid!-->
<version>9</version> <!-- Version of this file-->
<is_enabled>true</is_enabled><!--Is the process allowed to run, and start on cpstart-->
<!-- Destination section defines the properties of the export target -->
<destination type="syslog"> <!-- Target output type -->
<ip>10.10.10.10</ip><!--the ip of the syslog server-->
<port>514</port><!--the port on which the syslog is listening to-->
<protocol>tcp</protocol><!--udp/tcp-->
<!--the configuration of tls-->
<transport>
<security></security><!--clear/tls-->
<!-- the following section is relevant only if <security> is tls -->
<pem_ca_file></pem_ca_file>
<p12_certificate_file></p12_certificate_file>
<client_certificate_challenge_phrase></client_certificate_challenge_phrase>
</transport>
<reconnect_interval></reconnect_interval><!-- Schedule reconnection to the destination server (empty to disable [default] | number of minutes) -->
</destination>
<!-- Enrichment configuration, exporting domain server name, orig_log_server uuid and orig_log_server ip -->
<data_enrichment>
<export_domain>false</export_domain>
<export_orig_log_server>false</export_orig_log_server>
</data_enrichment>
<!-- Filter Configuration -->
<dynamicFilter>conf/FilterConfiguration.xml</dynamicFilter>
<!-- Source section defines the properties of the input stream that will be exported -->
<source>
<log_files>1</log_files><!-- on-line[default] | read logs from [number] days back (recommended) | specific file name -->
<log_types></log_types><!--all[default]|log|audit/-->
<folder></folder><!--$FWDIR/log[default]|specific path-->
<read_mode>raw</read_mode><!--raw|semi-unified[default]/-->
</source>
<export_log_position>false</export_log_position> <!-- True | False /-->
<export_log_link>false</export_log_link> <!-- True | False /-->
<export_attachment_link>false</export_attachment_link> <!-- True | False /-->
<export_link_ip></export_link_ip> <!-- empty [default] | external IP /-->
<export_attachment_ids>false</export_attachment_ids> <!-- True | False /-->
<!-- Format section determines the form (headers and mappings) of the exported logs -->
<format type="generic"> <!--syslog | cef | rsa | leef | generic | splunk | this parameter may differ from the type of destination, for example, destination type = files/format type = CEF -->
<resolver>
<mappingConfiguration>GenericFieldsMapping.xml</mappingConfiguration><!--if empty the fields are sent as is without renaming-->
<exportAllFields>false</exportAllFields> <!--in case exportAllFields=true - exported element in fieldsMapping.xml is ignored and fields not from fieldsMapping.xml are exported as notMappedField field-->
</resolver>
<!-- Format header configuration (actual to CEF see ./conf directory) -->
<formatHeaderFile></formatHeaderFile>
</format>
<!-- Time In Milli Seconds -->
<time_in_milli>false</time_in_milli>
<!-- The following section is for future use of log filtering, please do not modify these values -->
<filter filter_out_by_connection="false">
<field name="product">
<value>VPN-1 &amp; FireWall-1</value>
<value>HTTPS Inspection</value>
<value>VPN-1</value>
<value>Security Gateway/Management</value>
<value>Firewall</value>
<value>FG</value>
</field>
<field name="fw_subproduct">
<value>VPN-1 &amp; FireWall-1</value>
<value>HTTPS Inspection</value>
<value>VPN-1</value>
<value>Security Gateway/Management</value>
<value>Firewall</value>
<value>FG</value>
</field>
</filter>
</export>
========
and then in
GenericFieldsMapping.xml
below is the config:
<?xml version="1.0" encoding="utf-8"?>
<fields>
<!-- Filter out fields -->
<field><origName>subscriber</origName><exported>true</exported></field>
<field><origName>xlatesrc</origName><exported>true</exported></field>
<field><origName>xlatesint</origName><exported>true</exported></field>
<field><origName>xlatedst</origName><exported>true</exported></field>
<field><origName>xlatedint</origName><exported>true</exported></field>
<field><origName>hide_ip</origName><exported>ture</exported></field>
<field><origName>nat_rulenum</origName><exported>true</exported></field>
<field><origName>end_time</origName><exported>ture</exported></field>
<field><origName>__policy_id_tag</origName><exported>true</exported></field>
<field><origName>milliseconds</origName><exported>true</exported></field>
<!-- End of filter out -->
</fields>
The export is working but I do not see all exported fields.
I can only see the below:
Aug 5 12:11:50 10.10.10.20 time="" xlatesrc="1.1.1.1" xlatedst="0.0.0.0" nat_rulenum="787" __policy_id_tag="product=VPN-1 & FireWall-1[db_tag={6EAEC28E-0EBC-FB49-A16A-023A1F73AF95};mgmt=MGMT-SERVER;date=1659604047;policy_name=Test]"
Why do I not see
xlatesint
xlatedint
https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut...
Security Gateway - NAT Fields
Field name | Display name | Type | Description | Version
allocated_ports | Allocated Ports | int | Amount of allocated NAT ports | R80.40
capacity | Capacity | int | Capacity of the NAT ports | R80.40
ports_usage | Ports Usage | int | Percentage of allocated NAT ports | R80.40
nat_exhausted_pool | Nat Exhausted Pool | string | 4-tuple of an exhausted NAT pool | R80.40; R80.10 - R80.30 Jumbo Hotfixes
xlatesrc | Xlate (NAT) Source IP | ipaddr | Source IPv4 address after applying NAT |
xlatedst | Xlate (NAT) Destination IP | ipaddr | Destination IPv4 address after applying NAT |
xlatesint | Xlate (NAT) Source Port | int | Source port after applying Hide NAT on the source IP address |
xlatedint | Xlate (NAT) Destination Port | int | Destination port after applying NAT |
nat_rulenum | NAT Rule Number | int | NAT rulebase first matched rule |
nat_addtnl_rulenum | NAT Additional Rule Number | int | When matching 2 automatic rules, the second rule match is shown. Otherwise, this field has the value 0. |
message_info | Message Information | string | Used for information messages, for example: NAT connection has ended |
nat46 | N/A | string | NAT46 status; in most cases "enabled" |
end_time | N/A | timestmp | TCP connection end time |
tcp_end_reason | N/A | string | Reason for TCP connection closure |
cgnet | N/A | string | Describes the NAT allocation for a specific subscriber |
subscriber | N/A | ipaddr | Source IP address before CGNAT |
hide_ip | N/A | ipaddr | Source IP address to be used after CGNAT |
int_start | N/A | int | Subscriber start integer to be used for NAT |
int_end | N/A | int | Subscriber end integer to be used for NAT |

Security Gateway - SecureXL Fields
Field name | Display name | Type | Description | Version
drop_reason | Drop Reason | string | Aggregated logs of dropped packets |
packet_amount | N/A | int | Number of packets dropped |
packets | Packets | string | Connection tuple: Source IP address, Source Port, Destination IP address, Destination Port, Protocol Number |
monitor_reason | N/A | string | Aggregated logs of monitored packets |
message_info | Message Information | string | Information on multicast packet dropped |
drops_amount | N/A | int | Amount of multicast packets dropped |
securexl_message | N/A | string | Two options for a SecureXL message: 1. Missed accounting records after heavy load on the logging system; 2. FireWall log message regarding a packet drop |
conns_amount | N/A | int | Number of connections in the aggregated log |
aggregation_info | N/A | string | List of aggregated source connections |
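As a diagnostic added here (not part of the original post or of Check Point's Log Exporter), the Python script below loads a constructed copy of the GenericFieldsMapping.xml shown above, flags any `<exported>` value that is neither true nor false, and compares the fields mapped as exported against the key="value" pairs actually present in the quoted syslog line. The mapping content and the sample line are taken from the post; treating the generic format as space-separated key="value" pairs after the syslog header is an assumption about its layout.

```python
import re
import xml.etree.ElementTree as ET

# Constructed copy of the GenericFieldsMapping.xml from the post (declaration omitted), "ture" values included.
MAPPING_XML = """<fields>
<field><origName>subscriber</origName><exported>true</exported></field>
<field><origName>xlatesrc</origName><exported>true</exported></field>
<field><origName>xlatesint</origName><exported>true</exported></field>
<field><origName>xlatedst</origName><exported>true</exported></field>
<field><origName>xlatedint</origName><exported>true</exported></field>
<field><origName>hide_ip</origName><exported>ture</exported></field>
<field><origName>nat_rulenum</origName><exported>true</exported></field>
<field><origName>end_time</origName><exported>ture</exported></field>
<field><origName>__policy_id_tag</origName><exported>true</exported></field>
<field><origName>milliseconds</origName><exported>true</exported></field>
</fields>"""

# The generic-format line the post shows arriving at the syslog server (constructed from the post).
SAMPLE_LINE = ('Aug 5 12:11:50 10.10.10.20 time="" xlatesrc="1.1.1.1" xlatedst="0.0.0.0" nat_rulenum="787" '
               '__policy_id_tag="product=VPN-1 & FireWall-1[db_tag={6EAEC28E-0EBC-FB49-A16A-023A1F73AF95};'
               'mgmt=MGMT-SERVER;date=1659604047;policy_name=Test]"')

# key="value" pairs; values carry no inner double quote, so [^"]* also covers
# values that hold '=' and ';' themselves (as __policy_id_tag does).
KV_RE = re.compile(r'(\w+)="([^"]*)"')


def load_mapping(xml_text):
    """Return {origName: exported} and the names whose <exported> is not true/false."""
    mapping, bad = {}, []
    for field in ET.fromstring(xml_text).iter("field"):
        name = field.findtext("origName", "").strip()
        exported = field.findtext("exported", "").strip()
        mapping[name] = exported
        if exported.lower() not in ("true", "false"):
            bad.append(name)  # e.g. "ture": neither true nor false, so worth fixing first
    return mapping, bad


def parse_generic_line(line):
    """Split one received line into its key/value pairs (the syslog header is skipped)."""
    return dict(KV_RE.findall(line))


def audit(xml_text, line):
    """For fields mapped exported=true, report which appear in the line and which do not."""
    mapping, bad = load_mapping(xml_text)
    seen = parse_generic_line(line)
    wanted = [n for n, v in mapping.items() if v == "true"]
    return {"invalid_exported": bad,
            "present": [n for n in wanted if n in seen],
            "missing": [n for n in wanted if n not in seen]}
```

Names under `missing` are mapped as exported but absent from that particular line; names under `invalid_exported` carry a flag value the mapping file cannot mean, so those entries are the first thing to correct before looking further.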