Fields destination ip, ports missing in raw logs sent to QRadar
Hi,
I am using Log Exporter (LEEF) format for QRadar.
However, I cannot see complete logs, especially in IPS "Exploits" logs. I can only see the source IP, but not the destination IP, destination port, or source port in the logs in my QRadar.
Those fields are needed for the automation we have in place, which worked well with OPSEC/LEA.
May I get the steps to get complete IPS logs? I am using version R81.
Regards,
Sumit
Accepted Solutions
Solved.
In case anyone is interested, set the log type to semi-unified in expert mode with the command below:
cp_log_export set name <name> read-mode semi-unified
Command to view log exporters:
cp_log_export show
If the log exporter was created using the SmartConsole UI:
1. In Objects > Servers > Log Exporter/SIEM, select the object.
2. Right-click the object and select Edit.
3. In the left pane, select Data Manipulation.
4. Check "Aggregate log updates before export".
5. Publish and Install Policy.
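Added illustration, not from this thread and not Check Point's code: the fix above works by aggregating log updates before export, so the example below simulates that on constructed LEEF lines, where the first record of an IPS event carries only the source IP and a later record for the same event carries dst/dstPort/srcPort. It also gives a small check a SIEM admin can run over a sample of raw payloads to confirm whether records reaching QRadar still lack those fields. The LEEF attribute names src, dst, srcPort and dstPort follow LEEF conventions, and using loguid as the key that ties an update to its original event is an assumption made for the example.

```python
"""Simulate "aggregate log updates before export" over LEEF records.

Constructed example (not Check Point's code). An IPS event whose first record
has only the source IP and whose later update, sharing the same loguid,
carries dst/dstPort/srcPort is merged into one complete record. The checker
reports which events would still arrive at the SIEM without those fields.
"""

# Constructed sample LEEF 1.0 lines (tab-separated attributes). Attribute names
# src/dst/srcPort/dstPort follow LEEF conventions; loguid as the correlation
# key between an event and its updates is an assumption for this example.
SAMPLE_LEEF = [
    "LEEF:1.0|Check Point|IPS|1.0|Exploit|src=10.1.2.3\tloguid={0x1}\tproduct=IPS\tseverity=High",
    "LEEF:1.0|Check Point|IPS|1.0|Exploit|src=10.1.2.3\tdst=192.0.2.10\tsrcPort=51515\tdstPort=443\tloguid={0x1}\tproduct=IPS",
    "LEEF:1.0|Check Point|Firewall|1.0|Accept|src=10.1.2.4\tdst=192.0.2.20\tsrcPort=40000\tdstPort=80\tloguid={0x2}\tproduct=Firewall",
    "LEEF:1.0|Check Point|IPS|1.0|Exploit|src=10.1.2.5\tloguid={0x3}\tproduct=IPS",
]

# Fields the automation in the question depends on.
REQUIRED = ("src", "dst", "srcPort", "dstPort")


def parse_leef(line):
    """Split one LEEF 1.0/2.0 line into (header dict, attribute dict).

    LEEF 2.0 carries an optional delimiter field after the event id (a single
    character or a hex code such as x09); LEEF 1.0 always uses a tab.
    """
    parts = line.split("|", 5)
    if len(parts) < 6 or not parts[0].startswith("LEEF:"):
        raise ValueError("not a LEEF record: %r" % line[:40])
    header = dict(zip(("version", "vendor", "product", "product_version", "event_id"), parts[:5]))
    rest = parts[5]
    if header["version"] == "LEEF:2.0":
        delim, _, attrs = rest.partition("|")
        if len(delim) == 3 and delim[0] == "x":
            delim = chr(int(delim[1:], 16))  # hex-coded delimiter, e.g. x09
        delim = delim or "\t"
    else:
        delim, attrs = "\t", rest
    fields = {}
    for token in attrs.split(delim):
        if "=" in token:
            key, value = token.split("=", 1)
            fields[key.strip()] = value
    return header, fields


def aggregate_updates(lines, key="loguid"):
    """Merge records that share the correlation key, as "aggregate log updates"
    would before export: later updates fill in or overwrite earlier attributes.
    Records without the key pass through unchanged.
    """
    merged = {}        # insertion-ordered in Python 3.7+
    passthrough = []
    for line in lines:
        header, fields = parse_leef(line)
        k = fields.get(key)
        if k is None:
            passthrough.append((header, fields))
        elif k in merged:
            merged[k][1].update(fields)
        else:
            merged[k] = (header, dict(fields))
    return list(merged.values()) + passthrough


def incomplete_events(records, required=REQUIRED):
    """Return [(event key, [missing fields])] for records that would reach the
    SIEM without the connection fields the automation needs."""
    result = []
    for header, fields in records:
        missing = [f for f in required if f not in fields]
        if missing:
            result.append((fields.get("loguid", header["event_id"]), missing))
    return result


if __name__ == "__main__":
    raw = [parse_leef(line) for line in SAMPLE_LEEF]
    print("without aggregation:", incomplete_events(raw))
    print("with aggregation:   ", incomplete_events(aggregate_updates(SAMPLE_LEEF)))
```

Run against the constructed input, two of the four raw records lack dst/srcPort/dstPort; after aggregation only the event that never received an update ({0x3}) is still incomplete, which is the kind of residual gap worth watching for after switching the exporter to semi-unified read mode.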
Possibly this thread may be helpful: https://community.checkpoint.com/t5/Management/Log-Exporter-LEEF-Field-Mappings/td-p/48905