This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Scottc98
Advisor
‎2023-11-06 09:11 AM

Log Exporter - Filter-origin-in question

Question on the log exporter settings and putting in a filter for only select Security Gateways.

Doing a POC and we just want to export syslogs to a select GW cluster for now (All logs).  

Following SK 122323, Im reading this as such

  1. cp_log_export add name POC  target-server <target-ip>  target-port 514 protocol udp
  2. cp_log_export set name POC filter-origin-in {"Origin1","Origin2"}
  3. cp_log_export restart name POC

 

For the origin in, is that truely reflected input based on the Gateway names within SmartConsole or via its actual IP address?

If its via the gateway names, do i have to specify both Gateway A and B in the cluster or can i just use the single cluster object to cover both?     I know I can filter logs with in Smartconsole by the cluster object to see logs for both members but not sure if this translates over.  

Been looking at some past posts within checkmates and its seems there are some mentioning that you need to use the IP address for the origin as that is what is translated back to the syslog server but the notes in the SK  (and R81.20 CLI & logging guides) seem to really mention the name:

"Specifies whether to export all logs that contain a specific value in the "Origin" field (the object name of the Security Gateway/ Cluster Member that generated these logs).

Thanks in advance for any help/clarification that can be provided

Scottc98_3-1699290569602.gif

 

0 Kudos
4 Replies
PhoneBoy
Admin
Admin
‎2023-11-06 03:16 PM

Logs are sent from the individual cluster members, so the origin of the gateway is what matters.
I don't recall if it's the IP or hostname that actually gets exported, though.

0 Kudos
Scottc98
Advisor
‎2023-11-07 09:22 AM
In response to PhoneBoy

This SK (sk171946) is one that I saw that mentioned IP verses hostname.

What I am not sure about:

1) is that still the case (i.e a manual workaround is required but not in the docs) or some 'bug' that has been fixed in new releases

2) If you have to go to the XML to edit the hostnames with the actual IPs, can you just use the IPs in the original config?

  • Example:  

    cp_log_export set name POC filter-origin-in {"192.168.1.1","192.168.1.2"}

If the long term intention is that you need to use the IPs, then the documentation would just need to be updated to reflect that.

If the long term intention is to use the hostnames, then the 'bug' should be fixed to respect that in the XML file or to have the XML file corrected to translate the names => IP.

 

0 Kudos
Scottc98
Advisor
‎2023-11-07 09:41 AM
In response to Scottc98

Ok.....so while I don't have an export source to validate logs.....and can state the following:

Note:  Based on SMS server R81.10 Take 113

1)   filter-origin-in will except either GW name or IP, including in combination.

2) The string had an error and no need to add the { }

cp_log_export set name POC filter-origin-in "192.168.1.1","192.168.1.2"

 

What is kind of strange is that the config takes and the XLM output is the same if you did  "192.168.1.1,192.168.1.2"  - With quotes only at the front and end of the entire string verses quotes around each IP entry.

 

So...i think i have a means to use either IP or hostname but would love if someone CP internally can tell me if the IP is still a requirement in select code trains or if its on the road map to be fixed.

I can deal with entering via IP for my POC to start 😉

 

 

 

 

0 Kudos
PhoneBoy
Admin
Admin
‎2023-11-07 12:33 PM
In response to Scottc98

Given sk171946, I would say the safest thing to use is an IP address.

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events