MariyaB
Explorer

Log Exporter Field Filtering

Hello,
I have a few questions in regards to the Log Exporter feature (I'm also a bit new with Check Points; I used to work mainly with Cisco FTDs and ASAs). We run an R80.40 Management Server where the Log Exporter was set up (all the GWs send their logs to the management blade).

We have recently started implementing ELK with the Log Exporter and we are trying to filter and diminish the amount of information going to the ELK (otherwise we run out of space). I tried various setups of the fieldsMapping.xml; the end goal is to remove unnecessary fields from the logs.

The issue is that whenever I use the blacklist approach (which fields are not to be exported) I end up removing most of the information from the log. I tested whitelisting as well, but the different logs contain various fields we need, and those can be missed out. I tried using the match_table where needed (e.g. layer_uuid), but that ends up stopping the Log Exporter process altogether. I also tested filtering with the FilterConfiguration.xml, but I managed to only filter by action (e.g. drop, accept and so on), and the information filtered that way is not enough.

I have been looking through the forum for a more cohesive guide in regards to the setup of the log filtering, as I either remove too much information or none at all.

The target config was:

<mappingConfiguration>fieldsMapping.xml</mappingConfiguration>
<exportAllFields>true</exportAllFields>

A sample mapping I tested (from my blacklist tests):

<?xml version="1.0" encoding="utf-8"?>
<fields>
    <field>
        <origName>product</origName>
        <exported>false</exported>
    </field>
    <field>
        <origName>origin</origName>
        <exported>false</exported>
    </field>
    <field>
        <origName>origin_sic_name</origName>
        <exported>false</exported>
    </field>
    <field>
        <origName>proto</origName>
        <exported>false</exported>
    </field>
    <field>
        <origName>rule_action</origName>
        <exported>false</exported>
    </field>
    <field>
        <origName>s_port</origName>
        <exported>true</exported>
    </field>
    <field>
        <origName>src_ip</origName>
        <exported>false</exported>
    </field>
    <field>
        <origName>src_user_dn</origName>
        <exported>false</exported>
    </field>
    <field>
        <origName>match_id</origName>
        <exported>false</exported>
    </field>
    <field>
        <origName>user_agent</origName>
        <exported>false</exported>
    </field>
    <field>
        <origName>app_category</origName>
        <exported>false</exported>
    </field>
    <field>
        <origName>sequencenum</origName>
        <exported>false</exported>
    </field>
    <field>
        <origName>service</origName>
        <exported>false</exported>
    </field>
</fields>

Thank you in advance.

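Added example (not part of the original post and not Check Point's own code): a dry run that parses a fieldsMapping.xml and applies it to a few constructed sample log records, so the effect of a blacklist or whitelist can be previewed before the exporter is restarted. The semantics it implements are an assumption stated here, based on my reading of the Log Exporter mapping format: with exportAllFields=true every field is exported unless marked <exported>false</exported>, with exportAllFields=false only fields marked <exported>true</exported> are exported, and <dstName>, when present, renames the field. The whitelist mapping and the two sample records are constructed; confirm the semantics against the Log Exporter documentation for your release before relying on the preview.

```python
"""Dry-run preview of a Check Point Log Exporter fieldsMapping.xml.

Added example, not from the post or from Check Point. The mapping semantics
below (exportAllFields=true -> blacklist, false -> whitelist, dstName renames)
are an assumption about the exporter's behaviour and should be verified.
"""
import xml.etree.ElementTree as ET

# Blacklist-style mapping, a subset of the one posted above.
BLACKLIST_MAPPING = """<?xml version="1.0" encoding="utf-8"?>
<fields>
  <field><origName>product</origName><exported>false</exported></field>
  <field><origName>origin</origName><exported>false</exported></field>
  <field><origName>src_ip</origName><exported>false</exported></field>
  <field><origName>s_port</origName><exported>true</exported></field>
  <field><origName>sequencenum</origName><exported>false</exported></field>
</fields>"""

# Whitelist-style alternative (constructed): only the listed fields go out,
# which is exactly why blade-specific fields such as app_category get lost.
WHITELIST_MAPPING = """<?xml version="1.0" encoding="utf-8"?>
<fields>
  <field><origName>time</origName><dstName>@timestamp</dstName><exported>true</exported></field>
  <field><origName>action</origName><exported>true</exported></field>
  <field><origName>src</origName><exported>true</exported></field>
  <field><origName>dst</origName><exported>true</exported></field>
  <field><origName>service</origName><exported>true</exported></field>
</fields>"""

# Constructed sample records: one firewall log, one Application Control log.
SAMPLE_RECORDS = [
    {"time": "2021-03-01T10:00:00Z", "product": "VPN-1 & FireWall-1", "origin": "gw1",
     "action": "accept", "src": "10.0.0.5", "dst": "192.0.2.10", "service": "443",
     "s_port": "51234", "sequencenum": "17"},
    {"time": "2021-03-01T10:00:01Z", "product": "Application Control", "origin": "gw2",
     "action": "drop", "src": "10.0.0.6", "dst": "198.51.100.7",
     "app_category": "Social Networking", "user_agent": "Mozilla/5.0", "sequencenum": "18"},
]


def parse_mapping(xml_text):
    """Return {origName: (exported, dstName)}.

    Raises on malformed XML, on <exported> values other than true/false and on
    duplicate origName entries, all of which are worth catching before the
    exporter sees the file.
    """
    root = ET.fromstring(xml_text)
    mapping = {}
    for field in root.findall("field"):
        name = (field.findtext("origName") or "").strip()
        exported = field.findtext("exported", "true").strip().lower()
        if not name or exported not in ("true", "false"):
            raise ValueError(f"bad <field> entry: origName={name!r} exported={exported!r}")
        if name in mapping:
            raise ValueError(f"duplicate origName {name!r}")
        mapping[name] = (exported == "true", (field.findtext("dstName") or name).strip())
    return mapping


def apply_mapping(record, mapping, export_all_fields):
    """Apply the mapping to one record; unmapped fields follow exportAllFields."""
    out = {}
    for key, value in record.items():
        exported, dst = mapping.get(key, (export_all_fields, key))
        if exported:
            out[dst] = value
    return out


def preview(xml_text, export_all_fields, records=SAMPLE_RECORDS):
    """Return the exported form of every sample record under this mapping."""
    mapping = parse_mapping(xml_text)
    return [apply_mapping(r, mapping, export_all_fields) for r in records]


if __name__ == "__main__":
    for label, xml_text, export_all in (("blacklist", BLACKLIST_MAPPING, True),
                                        ("whitelist", WHITELIST_MAPPING, False)):
        print(f"== {label}, exportAllFields={str(export_all).lower()}")
        for rec in preview(xml_text, export_all):
            print("  ", sorted(rec))
```

Running it side by side makes the trade-off in the post visible: the blacklist keeps app_category and user_agent on the Application Control record because unlisted fields pass through, while the whitelist drops them because nothing in the mapping names them. Point `parse_mapping` at the real fieldsMapping.xml and extend `SAMPLE_RECORDS` with a few exported records from each blade to check a candidate mapping before deploying it.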
