This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
NAMKYUN_KIM
Participant
‎2019-07-11 09:53 PM
Jump to solution

Log Exporter - Log Field description

Hello All,

This is Tim.

 

I'm using Checkpoint 4600 and Log Exporter to get Syslog from device into my log server.

Actually, It is pretty good well. 

 

but I don't know that when i explore the syslog which comes from checkpoint, I couldn't understand what each fields mean. 

https://community.checkpoint.com/t5/Logging-and-Reporting/Log-Exporter-CEF-Field-Mappings/td-p/41060

Above link, there are lots of filed of syslog. but they don't tell us what each fields mean.

 

So, Where can I get information of syslog field?

0 Kudos
1 Solution

Accepted Solutions
masher
Employee
Employee
‎2019-07-12 10:21 AM
Jump to solution

A recently added knowledge base article (sk144192) lists the fields, potential values, and it provides a proper description for each field. This link might provide the information that you seek.

 

View solution in original post

7 Replies
masher
Employee
Employee
‎2019-07-12 10:21 AM
Jump to solution

A recently added knowledge base article (sk144192) lists the fields, potential values, and it provides a proper description for each field. This link might provide the information that you seek.

 

Pedro_Espindola
Advisor
‎2019-08-02 02:32 PM
In response to masher
Jump to solution

Some types seem to be wrong in sk144192. For example:

When receiving logs from log exporter, the "action" field is actually a "string", not an "int". The values are "Accept","Drop", etc.

0 Kudos
DeletedUser
Not applicable
‎2019-08-03 09:09 PM
In response to Pedro_Espindola
Jump to solution

The values Accept, etc. are dictionary values resolved from a numeric int.
hth,
bob
0 Kudos
Pedro_Espindola
Advisor
‎2019-08-05 07:29 AM
In response to DeletedUser
Jump to solution

Ok, but the fields "severity" and "confidence_level" are sent as integer, not resolved from dictionary. Why is "action" resolved?

It doesn't matter the original type of the field, if the purpose of the table is to help us in use with SIEM, I believe it should report the type that we will receive. Don't you agree?

 

 

0 Kudos
DeletedUser
Not applicable
‎2019-08-05 04:07 PM
In response to Pedro_Espindola
Jump to solution

Agree. Int is the underlying data structure, not necessarily how you will see it in the log exporter output. Will comment on the sk to this affect to get it to right person. Just fyi, this is also an option for others that for me has worked pretty well.
0 Kudos
Pedro_Espindola
Advisor
‎2019-08-05 04:13 PM
In response to DeletedUser
Jump to solution

Bob,

I always comment on SKs that I don't agree with. Sometimes I get answers, most times I don't.

Thank you for also sending your comments!

0 Kudos
Dan_Zada
Employee Alumnus
Employee Alumnus
‎2019-08-07 04:47 AM
In response to Pedro_Espindola
Jump to solution

Thanks for the feedback!

I will look into it and will update.

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events
    Top