Solved: Log Exporter - Filtering out specific blades

Gregory_Link · ‎2022-08-04

I just upgraded from R80.20 -> R81.10 and created some custom parsing in our Logrhythm SIEM for Checkpoint Syslog Exporter. However, we get little to no value from specific blades and I would like to exclude those from sending to our SIEM. Specifically I would like to exclude HTTPS Inspection. I see a lot of options for filtering in by blade but not filtering out a blade. Any help here?

Gregory_Link · ‎2022-08-05

Thanks, that worked for me. Although I had to adjust to focus on Product since a lot of the other blades have inspection actions in the values. I used the below filter. This works since the blade name is mapped to product in Logrhythm.

<filters>
<filterGroup operator="and">
<field name="product" operator="or">
<value operation="neq">https inspection</value>
</field>
</filterGroup>
</filters>

View solution in original post

G_W_Albrecht · ‎2022-08-05

Configuration Method Description

Using the cp_log_exportcommand

This command configure filtering for Action / Blade / Origin fields only.

The syntax is:

cp_log_export set name <name> filter-action-in "value1,value2"
cp_log_export set name <name> filter-origin-in "value1,value2"
cp_log_export set name <name> filter-blade-in "value2"

In addition, it is possible to use predefined families for "filter-blade-in" value:

Access - For exporting Access logs only (Security Gateway/Management, VPN-1 & FireWall-1, Firewall, Application Control, URL Filtering, Content Awareness, Connectra, Mobile Access, Compliance blade, Core, DDoS Protector, Identity Awareness, Identity Logging, UA WebAccess).
TP - For exporting Threat Prevention logs only (Anti-Bot, Anti-Malware, Threat Emulation, IPS, IPS-1, SmartDefense, Anti-Virus, New Anti Virus, Anti-Spam and Email Security, Threat Extraction, MTA).
EndPoint - For exporting Endpoint logs only (Anti-Bot, Anti Malware, Threat Emulation, IPS, IPS-1, SmartDefense, Anti-Virus, New Anti Virus, Anti-Spam and Email Security, Threat Extraction, MTA ).
Mobile - For exporting Mobile logs only (WIFI Network, Mobile App, OS Exploits, Device, Network Security, Cellular Network, Network Access, iOS Profiles, Text Message, On-device Network Protection).

From: https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut...

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist

just13pro · ‎2022-08-05

I have the same case with TS, follow the filter as per sk but the SIEM become not receiving any logs and I saw message "Logs Formatter :: Process Log Skipped".

Any idea?

G_W_Albrecht · ‎2022-08-05

I would suggest to contact TAC to get this resolved !

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist

Gregory_Link · ‎2022-08-05

I saw this but there is only a filter in option not a filter out option. So do I need to specify all blades I need to filter in? I also don't see HTTPS inspection blade in any of the families. Would that be excluded if I select just Access and TP?

Kaspars_Zibarts · ‎2022-08-05

Have you tried playing with FilterConfiguration.xml file? sk122323

Fields can be found here sk144192

You could try excluding https_inspection_action or specific HTTPS rule UID (apparently name is not supported)

<field name="https_inspection_action" operator="or">
  <value operation="neq">Inspect</value>
  <value operation="neq">Bypass</value>
  <value operation="neq">Error</value>
</field>

Gregory_Link · ‎2022-08-05

Thanks, that worked for me. Although I had to adjust to focus on Product since a lot of the other blades have inspection actions in the values. I used the below filter. This works since the blade name is mapped to product in Logrhythm.

<filters>
<filterGroup operator="and">
<field name="product" operator="or">
<value operation="neq">https inspection</value>
</field>
</filterGroup>
</filters>

Are you a member of CheckMates?

Log Exporter - Filtering out specific blades