This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Gregory_Link
Contributor
‎2022-08-04 06:42 PM
Jump to solution

Log Exporter - Filtering out specific blades

I just upgraded from R80.20 -> R81.10 and created some custom parsing in our Logrhythm SIEM for Checkpoint Syslog Exporter.  However, we get little to no value from specific blades and I would like to exclude those from sending to our SIEM.  Specifically I would like to exclude HTTPS Inspection.  I see a lot of options for filtering in by blade but not filtering out a blade.  Any help here?

0 Kudos
1 Solution

Accepted Solutions
Gregory_Link
Contributor
‎2022-08-05 08:32 AM
In response to Kaspars_Zibarts
Jump to solution

Thanks, that worked for me.  Although I had to adjust to focus on Product since a lot of the other blades have inspection actions in the values.  I used the below filter.  This works since the blade name is mapped to product in Logrhythm.

<filters>
<filterGroup operator="and">
<field name="product" operator="or">
<value operation="neq">https inspection</value>
</field>
</filterGroup>
</filters>

View solution in original post

0 Kudos
6 Replies
G_W_Albrecht
MVP Silver
MVP Silver
‎2022-08-05 04:07 AM
Jump to solution

Configuration Method Description

Using the cp_log_exportcommand

This command configure filtering for Action / Blade / Origin fields only.

The syntax is:

  • cp_log_export set name <name> filter-action-in "value1,value2"

  • cp_log_export set name <name> filter-origin-in "value1,value2"

  • cp_log_export set name <name> filter-blade-in "value2"

In addition, it is possible to use predefined families for "filter-blade-in" value:

  • Access - For exporting Access logs only (Security Gateway/Management, VPN-1 & FireWall-1, Firewall, Application Control, URL Filtering, Content Awareness, Connectra, Mobile Access, Compliance blade, Core, DDoS Protector, Identity Awareness, Identity Logging, UA WebAccess).
  • TP - For exporting Threat Prevention logs only (Anti-Bot, Anti-Malware, Threat Emulation, IPS, IPS-1, SmartDefense, Anti-Virus, New Anti Virus, Anti-Spam and Email Security, Threat Extraction, MTA).
  • EndPoint - For exporting Endpoint logs only (Anti-Bot, Anti Malware, Threat Emulation, IPS, IPS-1, SmartDefense, Anti-Virus, New Anti Virus, Anti-Spam and Email Security, Threat Extraction, MTA ).
  • Mobile - For exporting Mobile logs only (WIFI Network, Mobile App, OS Exploits, Device, Network Security, Cellular Network, Network Access, iOS Profiles, Text Message, On-device Network Protection).

 

From: https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut...

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
0 Kudos
just13pro
Collaborator
‎2022-08-05 04:37 AM
In response to G_W_Albrecht
Jump to solution

I have the same case with TS, follow the filter as per sk but the SIEM become not receiving any logs and I saw message "Logs Formatter :: Process Log Skipped".

 

Any idea?

 

0 Kudos
G_W_Albrecht
MVP Silver
MVP Silver
‎2022-08-05 04:46 AM
In response to just13pro
Jump to solution

I would suggest to contact TAC to get this resolved !

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
0 Kudos
Gregory_Link
Contributor
‎2022-08-05 07:09 AM
In response to G_W_Albrecht
Jump to solution

I saw this but there is only a filter in option not a filter out option.  So do I need to specify all blades I need to filter in?  I also don't see HTTPS inspection blade in any of the families.  Would that be excluded if I select just Access and TP?

0 Kudos
(1)
Kaspars_Zibarts
MVP Gold CHKP MVP Gold CHKP
MVP Gold CHKP
‎2022-08-05 07:28 AM
In response to Gregory_Link
Jump to solution

Have you tried playing with FilterConfiguration.xml file? sk122323

Fields can be found here sk144192 

You could try excluding https_inspection_action or specific HTTPS rule UID (apparently name is not supported)

<field name="https_inspection_action" operator="or">
  <value operation="neq">Inspect</value>
  <value operation="neq">Bypass</value>
  <value operation="neq">Error</value>
</field>

 

Gregory_Link
Contributor
‎2022-08-05 08:32 AM
In response to Kaspars_Zibarts
Jump to solution

Thanks, that worked for me.  Although I had to adjust to focus on Product since a lot of the other blades have inspection actions in the values.  I used the below filter.  This works since the blade name is mapped to product in Logrhythm.

<filters>
<filterGroup operator="and">
<field name="product" operator="or">
<value operation="neq">https inspection</value>
</field>
</filterGroup>
</filters>

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events