This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Nkr
Participant
‎2021-10-21 04:27 AM
Jump to solution

Forwarding specific logs to external syslog server

Hi CheckMates!

 

We have a customer currently running R81.10 standalone deployment. They have several customers of their own, using their firewall.
Now my question is, how do we go about sending logs from specific rules to the relevant customers?

 

Things we have thought about as a solution:

User alert running a script forwarding the logs to their syslog server?

LEA Connector with filtering?

Log exporter with filtering?

 

(MDM is not an option)

 

Best Regards.

0 Kudos
1 Solution

Accepted Solutions
Nkr
Participant
‎2021-10-21 11:18 PM
In response to PhoneBoy
Jump to solution

I don't seem to be able to filter by rule_uid, only by either action, blade or origin. Looking through the documentation in sk122323 it doesn't mention the rule_uid option. Perhaps I'm missing something?

Log Exporter would solve the case though, if i can get it set up with rule_uid filtering.

 

UPDATE:

In $EXPORTERDIR/targets/<Name of Log Exporter Configuration>/conf/FilterConfiguration.xml

<filters>
  <filterGroup operator="and">
    <field name="action" operator="and">
    </field>
    <field name="origin" operator="and">
    </field>
    <field name="product" operator="and">
    </field>
    <field name="rule_uid" operator="and">
      <value operation="eq">[rule_uid]</value>
    </field>
  </filterGroup>
</filters>

 This seems to work in my case. Appreciate the assistance.

@CPRQ In your case, i think you can add "neq" (not equal) as the value operation, in order to negate one rule, and export the rest.

View solution in original post

0 Kudos
7 Replies
PhoneBoy
Admin
Admin
‎2021-10-21 08:15 AM
Jump to solution

Log Exporter with filtering would probably be the best way to do this.

0 Kudos
CPRQ
Collaborator
‎2021-10-21 08:58 AM
In response to PhoneBoy
Jump to solution

Do Log Exporter support filtering on a specific rule? e.g do not send log of the specific rule to SIEM.

0 Kudos
PhoneBoy
Admin
Admin
‎2021-10-21 09:42 AM
In response to CPRQ
Jump to solution

You should be able to filter based on rule_uid.

0 Kudos
Nkr
Participant
‎2021-10-21 11:18 PM
In response to PhoneBoy
Jump to solution

I don't seem to be able to filter by rule_uid, only by either action, blade or origin. Looking through the documentation in sk122323 it doesn't mention the rule_uid option. Perhaps I'm missing something?

Log Exporter would solve the case though, if i can get it set up with rule_uid filtering.

 

UPDATE:

In $EXPORTERDIR/targets/<Name of Log Exporter Configuration>/conf/FilterConfiguration.xml

<filters>
  <filterGroup operator="and">
    <field name="action" operator="and">
    </field>
    <field name="origin" operator="and">
    </field>
    <field name="product" operator="and">
    </field>
    <field name="rule_uid" operator="and">
      <value operation="eq">[rule_uid]</value>
    </field>
  </filterGroup>
</filters>

 This seems to work in my case. Appreciate the assistance.

@CPRQ In your case, i think you can add "neq" (not equal) as the value operation, in order to negate one rule, and export the rest.

0 Kudos
PhoneBoy
Admin
Admin
‎2021-10-22 10:47 AM
In response to Nkr
Jump to solution

The documentation suggests you should be able to do that.
In which case, it's probably worth a TAC case.

0 Kudos
Cyber_Serge
Collaborator
‎2021-10-23 06:00 PM
In response to CPRQ
Jump to solution

How about choose not to log on the specific rule? Since it's wont log the event, there's nothing to be forwarded to SIEM.

0 Kudos
CPRQ
Collaborator
‎2021-10-25 06:16 AM
In response to Cyber_Serge
Jump to solution

We want to log on CP log/mgmt server to see the log for troubleshooting purpose; but don't want to send that log to SIEM.

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events