This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
ohhdiddlediddle
Explorer
‎2021-01-27 03:38 AM

IPS logs in semi-unified

Hello All - I'm working with my client to set-up logging via syslog.

> Client has set-up syslog logging under "raw" mode and we are seeing IPS blade logs in the SIEM(514/UDP).

> We requested to set-up an additional logging using semi-unified for an another project on the same SIEM but on a different port (1514/UDP).

> I can see the IPS blade logs on the old log exporter but not on the new log exporter (1514/UDP).

> Client claims that there were no additional configuration that was performed by him for the old exporter.

> Is there an option that needs to be enabled separately to enable , to send IPS blade logs on the new exporter? 

 

[Expert@**hidden**:0]# cp_log_export show
name: **hidden**
enabled: true
target-server: **hidden**
target-port: 514
protocol: udp
format: syslog
read-mode: raw
export-attachment-ids: false
export-link: false
export-attachment-link: false
time-in-milli: false

(new exporter)
name: **hidden**
enabled: true
target-server: **hidden**
target-port: 1514
protocol: udp
format: syslog
read-mode: semi-unified
export-attachment-ids: false
export-link: false
export-attachment-link: false
time-in-milli: false

0 Kudos
2 Replies
Timothy_Hall
Legend Legend
Legend
‎2021-01-27 07:07 AM

What happens if the 1514 exporter is set to raw of semi-unified?  The answer should tell you if it is an issue with the non-standard port number (like an implied rule or something) or the read-mode setting.

Attend my online "Be your Own TAC: Part Deux" CheckMates event
March 27th with sessions for both the EMEA and Americas time zones
0 Kudos
ohhdiddlediddle
Explorer
‎2021-01-27 07:32 AM
In response to Timothy_Hall

Hello - I will certainly check the implied rules portion. The new exporter is set to semi-unified because of a testing that we would like to perform on the log collector. We have some issues with the parsing of IPS logs in raw mode so we would like to test the IPS logs under semi-unified mode.

 

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    In-Person

    Tue 18 Mar 2025 @ 09:30 AM (EET)

    CheckMates Live Greece
    In-Person

    Tue 25 Mar 2025 @ 09:00 AM (EDT)

    Canada In-Person Cloud Security with Hands-On CloudGuard Workshops!
    In-Person

    Tue 25 Mar 2025 @ 12:00 PM (MDT)

    Salt Lake City: CPX 2025 Recap
    In-Person

    Tue 08 Apr 2025 @ 12:00 PM (MDT)

    Denver: CPX 2025 Recap
    CheckMates Events