Log Exporter - Filtering out specific blades
I just upgraded from R80.20 -> R81.10 and created some custom parsing in our Logrhythm SIEM for Checkpoint Syslog Exporter. However, we get little to no value from specific blades and I would like to exclude those from sending to our SIEM. Specifically I would like to exclude HTTPS Inspection. I see a lot of options for filtering in by blade but not filtering out a blade. Any help here?
Accepted Solutions
Thanks, that worked for me. Although I had to adjust to focus on Product since a lot of the other blades have inspection actions in the values. I used the below filter. This works since the blade name is mapped to product in Logrhythm.
<filters>
  <filterGroup operator="and">
    <field name="product" operator="or">
      <value operation="neq">https inspection</value>
    </field>
  </filterGroup>
</filters>
Configuration Method | Description |
Using the |
This command configures filtering for Action / Blade / Origin fields only. The syntax is:
In addition, it is possible to use predefined families for "
|
I have the same case with TS. I followed the filter as per the sk, but the SIEM stopped receiving any logs and I saw the message "Logs Formatter :: Process Log Skipped".
Any idea?
I would suggest contacting TAC to get this resolved!
I saw this but there is only a filter in option not a filter out option. So do I need to specify all blades I need to filter in? I also don't see HTTPS inspection blade in any of the families. Would that be excluded if I select just Access and TP?
Have you tried playing with the FilterConfiguration.xml file? sk122323
Fields can be found here: sk144192
You could try excluding https_inspection_action or a specific HTTPS rule UID (apparently name is not supported):
<field name="https_inspection_action" operator="or">
  <value operation="neq">Inspect</value>
  <value operation="neq">Bypass</value>
  <value operation="neq">Error</value>
</field>
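To see what the two filter fragments in this thread (the https_inspection_action filter above and the accepted product filter) actually let through, here is a small evaluator, added as an example and not code from CheckMates or Check Point. It parses the FilterConfiguration.xml fragments and runs them over a handful of constructed log records. The evaluation semantics are an assumption: filterGroup and field operators are read as plain boolean and/or, eq/neq compare case-insensitively, and a record that lacks the named field passes a neq test; Log Exporter's real matching rules are those in sk122323.

```python
# Added example (not from the CheckMates thread or Check Point): evaluate
# FilterConfiguration.xml fragments over constructed log records.
# ASSUMPTIONS: <filterGroup operator="and|or"> combines its <field> children,
# <field operator="and|or"> combines its <value> tests, eq/neq compare
# case-insensitively, a missing field fails eq and passes neq, and all
# top-level <filterGroup> elements must pass. sk122323 defines the real rules.
import xml.etree.ElementTree as ET

# Filter from the accepted answer: drop anything whose product is HTTPS Inspection.
PRODUCT_FILTER = """<filters>
  <filterGroup operator="and">
    <field name="product" operator="or">
      <value operation="neq">https inspection</value>
    </field>
  </filterGroup>
</filters>"""

# Filter suggested earlier in the thread, keyed on the inspection action instead.
ACTION_FILTER = """<filters>
  <filterGroup operator="and">
    <field name="https_inspection_action" operator="or">
      <value operation="neq">Inspect</value>
      <value operation="neq">Bypass</value>
      <value operation="neq">Error</value>
    </field>
  </filterGroup>
</filters>"""

# Constructed sample records: field names follow the thread, values are made up.
SAMPLE_LOGS = [
    {"product": "HTTPS Inspection", "https_inspection_action": "Inspect", "src": "10.0.0.5"},
    {"product": "HTTPS Inspection", "https_inspection_action": "Bypass", "src": "10.0.0.6"},
    {"product": "Threat Emulation", "https_inspection_action": "Inspect", "src": "10.0.0.7"},
    {"product": "Firewall", "src": "10.0.0.8"},
]


def _value_matches(value_el, actual):
    """Apply one <value operation="eq|neq"> test to the record's field value."""
    op = value_el.get("operation", "eq")
    expected = (value_el.text or "").strip().lower()
    if op == "eq":
        return actual is not None and actual.lower() == expected
    if op == "neq":
        return actual is None or actual.lower() != expected
    raise ValueError(f"unsupported value operation: {op}")


def _combine(results, operator):
    """Fold a list of booleans with the element's and/or operator."""
    if operator == "and":
        return all(results)
    if operator == "or":
        return any(results)
    raise ValueError(f"unsupported operator: {operator}")


def _field_matches(field_el, record):
    actual = record.get(field_el.get("name"))
    tests = [_value_matches(v, actual) for v in field_el.findall("value")]
    return _combine(tests, field_el.get("operator", "or"))


def _group_matches(group_el, record):
    fields = [_field_matches(f, record) for f in group_el.findall("field")]
    nested = [_group_matches(g, record) for g in group_el.findall("filterGroup")]
    return _combine(fields + nested, group_el.get("operator", "and"))


def record_passes(filter_xml, record):
    """True if the record satisfies every top-level filterGroup, i.e. would be exported."""
    root = ET.fromstring(filter_xml)
    return all(_group_matches(g, record) for g in root.findall("filterGroup"))


def forwarded(filter_xml, records):
    """Return only the records that survive the filter."""
    return [r for r in records if record_passes(filter_xml, r)]


if __name__ == "__main__":
    for label, flt in (("product filter", PRODUCT_FILTER), ("action filter", ACTION_FILTER)):
        print(label, "forwards:", [r["src"] for r in forwarded(flt, SAMPLE_LOGS)])
```

Under the plain boolean reading this script uses, the product filter forwards the Threat Emulation and Firewall records and drops the two HTTPS Inspection ones, which is the outcome the accepted answer describes. The action filter, read the same way, forwards all four records, because a field whose several neq values are joined by "or" is satisfied by any value; whether Log Exporter combines neq values that way is something to confirm against sk122323 before relying on it.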
