Raymond134547
Explorer

Exported Logs Missing Fields

Hello,

I've configured Log Exporter on my Mgmt Server with no customizations other than the server I'm sending to and format:

This is Check Point Security Management Server R81.20 - Build 024
This is Check Point's software version R81.20 - Build 054
[SecurePlatform]
HOTFIX_GAIA_API_AUTOUPDATE
HOTFIX_R81_20_JUMBO_HF_MAIN Take: 118

We are sending CEF over TCP.

Our rulebase uses Accounting for quite a few rules, and viewing logs in SmartConsole shows Client Inbound Bytes, Client Outbound Bytes, Server Inbound Bytes, and Server Outbound Bytes quite clearly.

However, when I capture what is being exported from the Mgmt Server, I am missing the Client Inbound Bytes and Client Outbound Bytes. I'm still sending:

client_inbound_packets
client_outbound_packets
server_inbound_bytes
server_inbound_packets
server_outbound_bytes
server_outbound_packets

But where are my client inbound / outbound bytes in the export? I've done some lengthy captures, and that data just isn't being exported. Can anyone think of what I could be missing?

Thanks,

Ray

8 Replies
Chris_Atkinson
MVP Platinum CHKP

So no filters are applied; which read mode is used, semi-unified or raw, etc.?

CCSM R77/R80/ELITE
Raymond134547
Explorer

Hello Chris (and rest of the group).

I'm unsure what your question means; but I'm assuming you are referencing how I'm reading the logs at the receiving end.

What I'm actually doing is packet capturing at the Management Server end, reading what is being sent out, to avoid any format or filtering issues at the SIEM end; I'm using 2 different ones.

Here is how I am capturing what the Mgmt server is sending out; but perhaps I'm doing this in a clumsy or inefficient way, although it does seem to work:

tcpdump -i eth0 -A -s 0 host x.x.x.x | grep --line-buffered "CEF:" | sed 's/.*CEF:/CEF:/'

Raymond134547
Explorer

Here is a mildly sanitized line of logs to highlight my question. If you look, we see client inbound and outbound packets; but not bytes, like we do with server:

CEF:0|Check Point|VPN-1 & FireWall-1|Check Point|Accept|https|Unknown|act=Accept cn1Label=Elapsed Time in Seconds cn1=0 destinationTranslatedAddress=0.0.0.0 destinationTranslatedPort=0 deviceDirection=0 deviceInboundInterface=eth1 in=3029 out=7390 rt=1764799479000 shost=subnet-0c0070b6a4749279c (db-sn);vpc-06ee7f5be1032b3c6 (vpc-uat);us-east-2a;i-0565d0361f70ed21b (sqlvm-... sourceTranslatedAddress=x.x.x.x sourceTranslatedPort=20368 spt=51306 dpt=443 start=1764799479000 cs2Label=Rule Name cs2=Allow App and DB Server Access layer_name=Network layer_uuid=8a994dd3-993e-4c0c-92a1-a8630b153f4c match_id=186 parent_rule=0 rule_action=Accept rule_uid=c3e9fd76-4744-428a-a5b4-cfaf55c2c4d6 conn_direction=Outgoing contextnum=1 ifname=eth0 logid=6 loguid={0x57cdc63c,0x8df614e5,0x17c5189,0x183aa14c} origin=z.z.z.z originsicname=CN\=fwname.mydomain.com,O\=fwname..zk7npk sequencenum=16 version=5 __nsons=0 __p_dport=0 __pos=7 bytes=10419 client_inbound_packets=14 client_outbound_packets=30 context_num=1 dst=y.y.y.y dst_uo_icon=@app/cp_azure_azure dst_uo_name=Azure Public Services lastupdatetime=1764799487 nat_addtnl_rulenum=0 nat_rulenum=0 packets=44 product=VPN-1 & FireWall-1 proto=6 segment_time=1764799479 server_inbound_bytes=7390 server_inbound_packets=15 server_outbound_bytes=3029 server_outbound_interface=eth0 server_outbound_packets=2

client_inbound_packets=14
client_outbound_packets=30
server_inbound_bytes=7390
server_inbound_packets=15
server_outbound_bytes=3029
server_outbound_packets=2

I do see this before the client packet count: "bytes=10419" - perhaps I need to match one of these entries up with the GUI-corresponding log and perform some kind of transform; but IMO it should come out a little cleaner.

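As an added example (not code from this thread or from Check Point), here is a small parser for the exported CEF record that lists which accounting counters are absent and puts the per-direction sums beside the record totals, so the "bytes=" figure Ray noticed can be cross-checked against the server_* counters instead of by eye. The sample line is a trimmed copy of the one posted above; the CEF escaping rules (backslash before "=" and "\") are the only assumption beyond the line itself.

```python
# Added example (not Check Point or thread code): parse one exported CEF record.
import re

PIPE_RE = re.compile(r"(?<!\\)\|")                     # unescaped header separator
KEY_RE = re.compile(r"(?:^|(?<=\s))([A-Za-z0-9_]+)=")  # key at start or after a space
UNESCAPE_RE = re.compile(r"\\(.)")                     # CEF escapes '=' and '\' with '\'

ACCOUNTING = ("client_inbound_bytes", "client_outbound_bytes",
              "client_inbound_packets", "client_outbound_packets",
              "server_inbound_bytes", "server_outbound_bytes",
              "server_inbound_packets", "server_outbound_packets")

# Trimmed copy of the line posted above; the values are unchanged.
SAMPLE = (
    "CEF:0|Check Point|VPN-1 & FireWall-1|Check Point|Accept|https|Unknown|act=Accept "
    "cn1Label=Elapsed Time in Seconds cn1=0 in=3029 out=7390 cs2Label=Rule Name "
    "cs2=Allow App and DB Server Access shost=subnet-0c0070b6a4749279c (db-sn);vpc-06ee7f5be1032b3c6 "
    "originsicname=CN\\=fwname.mydomain.com,O\\=fwname..zk7npk bytes=10419 packets=44 "
    "client_inbound_packets=14 client_outbound_packets=30 product=VPN-1 & FireWall-1 "
    "server_inbound_bytes=7390 server_inbound_packets=15 server_outbound_bytes=3029 "
    "server_outbound_packets=2"
)

def parse_cef(line):
    """Split the 7 header fields; cut the extension at each key so spaced values stay whole."""
    parts = PIPE_RE.split(line, maxsplit=7)
    if not line.startswith("CEF:") or len(parts) != 8:
        raise ValueError("not a CEF record")
    ext, keys = {}, list(KEY_RE.finditer(parts[7]))
    for i, m in enumerate(keys):
        end = keys[i + 1].start() if i + 1 < len(keys) else len(parts[7])
        ext[m.group(1)] = UNESCAPE_RE.sub(r"\1", parts[7][m.end():end].rstrip())
    return parts[:7], ext

def total(ext, *names):  # None when any of the named counters is absent
    return sum(int(ext[n]) for n in names) if all(n in ext for n in names) else None

def accounting_report(ext):
    """Missing counters, plus per-direction sums beside the record totals."""
    return {
        "missing": [f for f in ACCOUNTING if f not in ext],
        "bytes": total(ext, "bytes"),
        "client_bytes": total(ext, "client_inbound_bytes", "client_outbound_bytes"),
        "server_bytes": total(ext, "server_inbound_bytes", "server_outbound_bytes"),
        "packets": total(ext, "packets"),
        "client_packets": total(ext, "client_inbound_packets", "client_outbound_packets"),
    }

if __name__ == "__main__":
    print(accounting_report(parse_cef(SAMPLE)[1]))
```

Run against the posted record it reports the two client byte counters as missing, and shows that server_inbound_bytes + server_outbound_bytes equals the bytes= total while client_inbound_packets + client_outbound_packets equals packets=.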
Amir_Senn
MVP Silver CHKP

Which SIEM are you using?

Kind regards, Amir Senn
the_rock
MVP Platinum

I believe @Amir_Senn actually brought up a super valid point; it definitely can depend on what SIEM you are using.

Best,
Andy
Vincent_Bacher

Hey, just wondering if this is still something you're thinking about, or if you've figured it out by now?

and now to something completely different - CCVS, CCAS, CCTE, CCCS, CCSM elite
the_rock
MVP Platinum

Hey @Raymond134547 

Happy holidays! Definitely do let us know how this gets sorted out.

Cheers!

Best,
Andy
aloish
Participant

I also tried to get the accounting working on a few firewall rules a few months ago.

I used the Splunk export format, but the issue, if I remember correctly, was the read-mode {raw | semi-unified}.

The documentation mentions semi-unified should be the default, but in the configuration XML file raw was set.
Editing the XML and restarting cp_log_export was the solution.
