This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Dan_Zada
Employee Alumnus
Employee Alumnus
‎2019-03-05 07:11 AM

Log Exporter Filtering

Hello all,

I'm happy to inform you that we added a new feature to the log exporter - the ability to filter logs.

Starting today, you will be able to configure which logs will exported, based on fields and values, including complex statements.

More information, including basic and advanced filtering instructions, can be found in SK122323.

If you have any question or comment, let me know.

Thanks!

Dan.

Labels
72 Replies
Shay_Hibah
Employee Alumnus
Employee Alumnus
‎2021-02-01 12:09 AM
In response to Antonis_Hassiot

@Antonis_Hassiot 

What format are you using as part of Log Exporter configuration?

0 Kudos
Antonis_Hassiot
Contributor
‎2021-02-01 12:18 AM
In response to Shay_Hibah

target-port: 12010
protocol: tcp
format: splunk
read-mode: semi-unified
export-link: false
export-attachment-link: false
export-attachment-ids: Found

0 Kudos
Shay_Hibah
Employee Alumnus
Employee Alumnus
‎2021-02-01 09:09 AM
In response to Antonis_Hassiot

Please send my your FilterConfiguration.xml file to my email and we will take it offline from there.

Shayhi@checkpoint.com

0 Kudos
MariuszT
Explorer
‎2023-02-06 11:35 PM
In response to Shay_Hibah

Hi,

I know this is an old topic, but does anything changed in that matter? Can you write filter based on subnets?

Greetings,

Mariusz

0 Kudos
Amir_Senn
MVP Silver CHKP MVP Silver CHKP
MVP Silver CHKP
‎2023-02-09 03:06 AM
In response to MariuszT

According to the SK it looks to be supported:

 

Capture.PNG

Kind regards, Amir Senn
0 Kudos
PhoneBoy
Admin
Admin
‎2023-02-09 09:04 AM
In response to Amir_Senn

The issue, I believe, is that you would have to list each IP address in the subnet.
Or it is possible to reference an entire subnet or range of addresses, but the syntax for doing so is not documented.

0 Kudos
MariuszT
Explorer
‎2023-02-09 09:12 AM
In response to PhoneBoy

Unfortunnatly you're right. I've opened SR Question with TAC and received answer:

"It can not cover a range and it needs to be a value from log, not without putting a new line for every ip in that range we can do this"

The case is I'd like to filter out several /16 networks. If I put just one net like that it makse 65k records and CPU cores on log server associated with log exporter are 100%, and very little logs are exported.

 

0 Kudos
PhoneBoy
Admin
Admin
‎2023-02-10 09:57 AM
In response to MariuszT

I would work with your local Check Point office on an RFE for this.

0 Kudos
Ned_Stark
Contributor
‎2020-05-20 10:59 AM

Hello friends,

I have a 1450 appliance  Version R77.20.85 (990172755)   

How can I get the configuracion log exporter  for this appliance?  I see that sk 122323  is for R77.30 and above.

 

 

Thanks 

0 Kudos
PhoneBoy
Admin
Admin
‎2020-05-20 04:28 PM
In response to Ned_Stark

Log Exporter is not supported on SMB appliances.
The 1500 series running R80.20 code can natively export security logs via Syslog.
Dorit_Dor
Employee
Employee
‎2020-05-21 12:14 AM
In response to PhoneBoy

to be clear:

Log exporter is running on the log server/management and it is agnostic to which GW generated the data.

Ned_Stark
Contributor
‎2020-05-21 09:30 AM
In response to Dorit_Dor

Ok,  thanks a lot.  

Nice day.  

 

0 Kudos
Ned_Stark
Contributor
‎2020-05-21 09:29 AM
In response to PhoneBoy

Thanks a lot.   

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events