NAMKYUN_KIM
Participant

Log Exporter - Log Field description

Hello All,

This is Tim.

I'm using a Check Point 4600 and Log Exporter to get syslog from the device into my log server.

Actually, it works pretty well.

But when I explore the syslog that comes from Check Point, I can't understand what each field means.

https://community.checkpoint.com/t5/Logging-and-Reporting/Log-Exporter-CEF-Field-Mappings/td-p/41060

At the link above there are lots of syslog fields, but it doesn't tell us what each field means.

So, where can I get information on the syslog fields?

0 Kudos

Accepted Solutions
masher
Employee

A recently added knowledge base article (sk144192) lists the fields, potential values, and it provides a proper description for each field. This link might provide the information that you seek.


7 Replies

Pedro_Espindola
Advisor

Some types seem to be wrong in sk144192. For example:

When receiving logs from log exporter, the "action" field is actually a "string", not an "int". The values are "Accept","Drop", etc.

0 Kudos
DeletedUser
Not applicable
The values Accept, etc. are dictionary values resolved from a numeric int.
hth,
bob
0 Kudos
Pedro_Espindola
Advisor

Ok, but the fields "severity" and "confidence_level" are sent as integers, not resolved from a dictionary. Why is "action" resolved?

The original type of the field doesn't matter: if the purpose of the table is to help us use it with a SIEM, I believe it should report the type that we will receive. Don't you agree?
0 Kudos
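The point being made in this exchange is that the type a SIEM actually receives ("Accept" as a string, severity as a digit) can differ from the internal type listed in sk144192. The following is an added example, not code from the thread or from Check Point: it parses the extension part of CEF events the way a SIEM field extractor would and reports the type observed for every key, so the mapping is derived from real Log Exporter output rather than from the SK table. The two sample lines are constructed for illustration; the extension key names in them (act, severity, confidence_level, rule_name and so on) are assumptions and should be checked against the CEF mapping thread linked in the question.

```python
"""Infer the wire types of CEF extension fields as received from Log Exporter.

Added example: the sample events below are constructed and the extension key
names are assumptions, not verified Log Exporter output.
"""
import re
from collections import defaultdict

# CEF header: CEF:Version|Vendor|Product|Version|SignatureID|Name|Severity|Extension
# Literal pipes inside header fields are escaped as "\|", so split on unescaped pipes only.
_HEADER_SPLIT = re.compile(r'(?<!\\)\|')
# An extension key is "key=" at the start of the extension or after whitespace.
# Values may contain spaces; "=" and "\" inside values are escaped as "\=" and "\\".
_KEY_RE = re.compile(r'(?:^|\s)([A-Za-z0-9_.]+)=')

# Constructed sample events (assumed field names, not real device output).
SAMPLE_LINES = [
    'CEF:0|Check Point|VPN-1 & FireWall-1|Check Point|Log|https|Unknown|'
    'act=Accept src=10.1.1.5 dst=10.2.2.10 spt=51234 dpt=443 proto=tcp '
    'severity=3 confidence_level=2 rule_name=Web Out',
    'CEF:0|Check Point|SmartDefense|Check Point|Log|Port\\|Scan|High|'
    'act=Drop src=192.0.2.77 dst=10.2.2.10 spt=40000 dpt=22 proto=tcp '
    'severity=4 confidence_level=3 msg=Blocked\\=by policy',
]


def parse_cef(line):
    """Return (header_fields, extension_dict) for one CEF line."""
    parts = _HEADER_SPLIT.split(line, maxsplit=7)
    if len(parts) != 8 or not parts[0].startswith('CEF:'):
        raise ValueError('not a CEF line: %r' % line[:40])
    header = [p.replace('\\|', '|').replace('\\\\', '\\') for p in parts[:7]]
    ext = parts[7]
    fields = {}
    matches = list(_KEY_RE.finditer(ext))
    for i, m in enumerate(matches):
        start = m.end()
        end = matches[i + 1].start() if i + 1 < len(matches) else len(ext)
        value = ext[start:end].strip()
        fields[m.group(1)] = value.replace('\\=', '=').replace('\\\\', '\\')
    return header, fields


def observed_type(value):
    """Classify a received value as 'int', 'float', 'ip' or 'string'."""
    if re.fullmatch(r'-?\d+', value):
        return 'int'
    if re.fullmatch(r'-?\d+\.\d+', value):
        return 'float'
    if re.fullmatch(r'(\d{1,3}\.){3}\d{1,3}', value):
        return 'ip'
    return 'string'


def field_types(lines):
    """Map each extension key to the sorted list of types seen across all lines.

    A key that shows more than one type is the case to watch for: the SIEM
    mapping must then use the widest type (string), whatever the SK says.
    """
    seen = defaultdict(set)
    for line in lines:
        _, fields = parse_cef(line)
        for key, value in fields.items():
            seen[key].add(observed_type(value))
    return {key: sorted(types) for key, types in seen.items()}


if __name__ == '__main__':
    for key, types in sorted(field_types(SAMPLE_LINES).items()):
        print('%-17s %s' % (key, '/'.join(types)))
```

Run against a few hours of real exporter output instead of the constructed lines; any key that reports more than one type, or a type other than the one in the SK table, is one whose SIEM mapping should follow the observed type.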
DeletedUser
Not applicable
Agree. Int is the underlying data structure, not necessarily how you will see it in the Log Exporter output. Will comment on the sk to this effect to get it to the right person. Just FYI, this is also an option for others that for me has worked pretty well.
0 Kudos
Pedro_Espindola
Advisor

Bob,

I always comment on SKs that I don't agree with. Sometimes I get answers, most times I don't.

Thank you for also sending your comments!

0 Kudos
Dan_Zada
Employee Alumnus

Thanks for the feedback!

I will look into it and will update.

0 Kudos