- CheckMates
- :
- Products
- :
- Quantum
- :
- Management
- :
- Re: Forwarding specific logs to external syslog se...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Are you a member of CheckMates?
×- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Forwarding specific logs to external syslog server
Hi CheckMates!
We have a customer currently running R81.10 standalone deployment. They have several customers of their own, using their firewall.
Now my question is, how do we go about sending logs from specific rules to the relevant customers?
Things we have thought about as a solution:
User alert running a script forwarding the logs to their syslog server?
LEA Connector with filtering?
Log exporter with filtering?
(MDM is not an option)
Best Regards.
Accepted Solutions
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I don't seem to be able to filter by rule_uid, only by either action, blade or origin. Looking through the documentation in sk122323 it doesn't mention the rule_uid option. Perhaps I'm missing something?
Log Exporter would solve the case though, if i can get it set up with rule_uid filtering.
UPDATE:
In $EXPORTERDIR/targets/<Name of Log Exporter Configuration>/conf/FilterConfiguration.xml
<filters> <filterGroup operator="and"> <field name="action" operator="and"> </field> <field name="origin" operator="and"> </field> <field name="product" operator="and"> </field> <field name="rule_uid" operator="and"> <value operation="eq">[rule_uid]</value> </field> </filterGroup> </filters>
This seems to work in my case. Appreciate the assistance.
@CPRQ In your case, i think you can add "neq" (not equal) as the value operation, in order to negate one rule, and export the rest.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Log Exporter with filtering would probably be the best way to do this.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Do Log Exporter support filtering on a specific rule? e.g do not send log of the specific rule to SIEM.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
You should be able to filter based on rule_uid.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I don't seem to be able to filter by rule_uid, only by either action, blade or origin. Looking through the documentation in sk122323 it doesn't mention the rule_uid option. Perhaps I'm missing something?
Log Exporter would solve the case though, if i can get it set up with rule_uid filtering.
UPDATE:
In $EXPORTERDIR/targets/<Name of Log Exporter Configuration>/conf/FilterConfiguration.xml
<filters> <filterGroup operator="and"> <field name="action" operator="and"> </field> <field name="origin" operator="and"> </field> <field name="product" operator="and"> </field> <field name="rule_uid" operator="and"> <value operation="eq">[rule_uid]</value> </field> </filterGroup> </filters>
This seems to work in my case. Appreciate the assistance.
@CPRQ In your case, i think you can add "neq" (not equal) as the value operation, in order to negate one rule, and export the rest.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
The documentation suggests you should be able to do that.
In which case, it's probably worth a TAC case.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
How about choose not to log on the specific rule? Since it's wont log the event, there's nothing to be forwarded to SIEM.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
We want to log on CP log/mgmt server to see the log for troubleshooting purpose; but don't want to send that log to SIEM.