This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
snghoshi
Participant
‎2020-05-28 11:12 AM

Log Exporter filter

Hi, I'm experiencing issues with filtering the logs to export to my external Syslog server from the R80.40.

It seems like any filtering command/option that I enter then all export stops. I am trying to not export traffic events(allowed or denied traffic).

Can someone please share sample config or syntax that I can use?

 

0 Kudos
11 Replies
PhoneBoy
Admin
Admin
‎2020-05-30 10:09 PM

I think there is a few examples (or a link to an SK with them) here: https://community.checkpoint.com/t5/Logging-and-Reporting/Log-Exporter-Filtering/m-p/10359
Dan_Zada
Employee Alumnus
Employee Alumnus
‎2020-06-02 01:54 AM

Can you please share the commend/filter configuration you used?

Thanks!

Shay_Hibah
Employee Alumnus
Employee Alumnus
‎2020-06-02 02:23 AM

Hi,

 

From your question I can only guess that:

1. Maybe your filtering file is incorrect.

2. Maybe you use a wrong field names to filter on and therefore not traffic is seen on your syslog server.

 

Can you please share your filterConfiguration.xml and targetConfiguration.xml files?

 

Shay

snghoshi
Participant
‎2020-06-03 09:38 AM
In response to Shay_Hibah

Hi All,

 

here is my targetConfiguration.xmll file

The logs are indeed coming through however, i am also receiving connection logs. i.e accepted traffic connections.

 

<?xml version="1.0" encoding="utf-8"?>
<export id="targetObjectUID"><!--object uuid!-->
<version>5</version> <!-- Version of this file-->
<is_enabled>true</is_enabled><!--Is the process allowed to run, and start on cpstart-->
<!-- Destination section defines the properties of the export target -->
<destination type="syslog"> <!-- Target output type -->
<ip>x.x.x.x</ip><!--the ip of the syslog server-->
<port>1514</port><!--the port on which the syslog is listening to-->
<protocol>udp</protocol><!--udp/tcp-->
<!--the configuration of tls-->
<transport>
<security></security><!--clear/tls-->
<!-- the following section is relevant only if <security> is tls -->
<pem_ca_file></pem_ca_file>
<p12_certificate_file></p12_certificate_file>
<client_certificate_challenge_phrase></client_certificate_challenge_phrase>
</transport>
</destination>
<!-- Filter Configuration -->
<dynamicFilter>conf/FilterConfiguration.xml</dynamicFilter>
<!-- Source section defines the properties of the input stream that will be exported -->
<source>
<log_files>1</log_files><!-- on-line[default] | read logs from [number] days back (recommended) | specific file name -->
<log_types></log_types><!--all[default]|log|audit/-->
<folder></folder><!--$FWDIR/log[default]|specific path-->
<read_mode>raw</read_mode><!--raw[default]|semi-unified/-->
</source>
<export_log_link>true</export_log_link> <!-- True | False /-->
<export_attachment_link>false</export_attachment_link> <!-- True | False /-->
<export_link_ip></export_link_ip> <!-- empty [defaut] | external IP /-->
<!-- Format section determines the form (headers and mappings) of the exported logs -->
<format type="cef"> <!--syslog | cef | leef | generic | splunk | this parameter may differ from the type of destination, for example, destination type = files/format type = CEF -->
<resolver>
<mappingConfiguration></mappingConfiguration><!--if empty the fields are sent as is without renaming-->
<exportAllFields>true</exportAllFields> <!--in case exportAllFields=true - exported element in fieldsMapping.xml is ignored and fields not from fieldsMapping.xml are exported as notMappedField field-->
</resolver>
<!-- Format header configuration (actual to CEF see ./conf directory) -->
<formatHeaderFile></formatHeaderFile>
</format>

<!-- The following section is for future use of log filtering, please do not modify these values -
->
<filter filter_out_by_connection="true">
<field name="product">
<value>VPN-1 &amp; FireWall-1</value>
<value>HTTPS Inspection</value>
<value>VPN-1</value>
<value>Security Gateway/Management</value>
<value>Firewall</value>
<value>FG</value>
</field>
<field name="fw_subproduct">
<value>VPN-1 &amp; FireWall-1</value>
<value>HTTPS Inspection</value>
<value>VPN-1</value>
<value>Security Gateway/Management</value>
<value>Firewall</value>
<value>FG</value>
</field>
</filter>


</export>

Shay_Hibah
Employee Alumnus
Employee Alumnus
‎2020-06-03 12:46 PM
In response to snghoshi

Hi,

Your target configuration looks OK.
Can you please share your FilterConfiguration.xml file?
I also want to make sure you have configured it correctly.

Thanks,
Shay
0 Kudos
snghoshi
Participant
‎2020-06-03 11:33 PM
In response to Shay_Hibah

here is my FilterConfiguration.xml

 

<filters>
<filterGroup operator="and">
<field name="action" operator="and">
</field>
<field name="origin" operator="and">
</field>
<field name="product" operator="and">
</field>
</filterGroup>
</filters>
~

0 Kudos
Shay_Hibah
Employee Alumnus
Employee Alumnus
‎2020-06-03 11:41 PM
In response to snghoshi

Based on those 2 files it looks that you did not filter anything out and you should see all your logs in syslog server.

1. is that the case? if so, what do you want to filter?
2. If not, lets take it offline you and I (shayhi@checkpoint.com).

Shay
Cody_Von_Seelen
Participant
Participant
‎2020-09-28 01:21 PM
In response to Shay_Hibah

Per SK160754 it states that Filtering is not supported yet on R80.40.

Has this changed?

https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut...

Log Exporter SK122323 also states:

0 Kudos
Yaakov_Ohayon
Employee
Employee
‎2020-09-28 11:18 PM
In response to Cody_Von_Seelen

@Cody_Von_Seelen 

You are totally right, Log Exporter filtering is supported in R80.40 and the documentation should be updated.

 

Thank you for noticing.

0 Kudos
Svendsen
Participant
‎2021-03-17 07:58 AM
In response to Yaakov_Ohayon

But have the SK been updated yet - thats the question 🙂

0 Kudos
Yaakov_Ohayon
Employee
Employee
‎2021-03-18 07:07 AM
In response to Svendsen

The SK will be updated in few days, we changed more sections there and added more details about new functionalities.

 

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events