This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
MariyaB
Explorer
‎2021-02-25 06:20 AM

Log Exporter Field Filtering

Hello,
I have a few questions in regards to the Log Exporter feature (I'm also a bit new with CheckPoints, used to work mainly with Cisco FTDs and ASAs). We run a R80.40 Management Server where the Log Exporter was set up (all the GWs send their logs to the management blade). We have recently started with implementing ELK with the log exporter and we are trying to filter and diminish the amount of information going to the ELK (otherwise we run out of space). I tried various setups of the fieldsMapping.xml - the end goal is to remove unnecessary fields from the logs. The issue is that whenever I use the blacklist approach (which fields are not to be exported) I end up removing most of the information from the log, I tested also whitelisting, but the different logs contain various fields we need and that can be missed out. I tried using the match_table where needed (e.g. layer_uuid) but that ends up stopping the Log Exporter process altogether. I tested also filtering with the FilterConfiguration.xml but the managed to only filter by action (e.g. drop, accept and so on) but the information filtered that way is not enough. I have been looking through the forum for a more cohesive guide in regards to the setup of the log filtering, as I either remove too much information or none at all.

The target config was:

<mappingConfiguration>fieldsMapping.xml</mappingConfiguration>
<exportAllFields>true</exportAllFields>

An sample mapping I tested(from my blacklist tests):

<?xml version="1.0" encoding="utf-8"?>
<fields>
<field>
<origName>product</origName>
<exported>false</exported>
</field>
<field>
<origName>origin</origName>
<exported>false</exported>
</field>
<field>
<origName>origin_sic_name</origName>
<exported>false</exported>
</field>
<field>
<origName>proto</origName>
<exported>false</exported>
</field>
<field>
<origName>rule_action</origName>
<exported>false</exported>

</field>
<field>
<origName>s_port</origName>
<exported>true</exported>
</field>
<field>
<origName>src_ip</origName>
<exported>false</exported>
</field>
<field>
<origName>src_user_dn</origName>
<exported>false</exported>
</field>

<field>
<origName>match_id</origName>
<exported>false</exported>
</field>
<field>
<origName>user_agent</origName>
<exported>false</exported>
</field>
<field>
<origName>app_category</origName>
<exported>false</exported>
</field>
<field>
<origName>sequencenum</origName>
<exported>false</exported>
</field>
<field>
<origName>service</origName>
<exported>false</exported>
</field>
</fields>

Thank you in advance.

0 Kudos
1 Reply

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events