Create a Post
cancel
Showing results for 
Search instead for 
Did you mean: 
snghoshi
Participant

Log Exporter filter

Hi, I'm experiencing issues with filtering the logs to export to my external Syslog server from the R80.40.

It seems like any filtering command/option that I enter then all export stops. I am trying to not export traffic events(allowed or denied traffic).

Can someone please share sample config or syntax that I can use?

 

0 Kudos
11 Replies
PhoneBoy
Admin
Admin

I think there is a few examples (or a link to an SK with them) here: https://community.checkpoint.com/t5/Logging-and-Reporting/Log-Exporter-Filtering/m-p/10359
Dan_Zada
Employee Alumnus
Employee Alumnus

Can you please share the commend/filter configuration you used?

Thanks!

Shay_Hibah
Employee Alumnus
Employee Alumnus

Hi,

 

From your question I can only guess that:

1. Maybe your filtering file is incorrect.

2. Maybe you use a wrong field names to filter on and therefore not traffic is seen on your syslog server.

 

Can you please share your filterConfiguration.xml and targetConfiguration.xml files?

 

Shay

snghoshi
Participant

Hi All,

 

here is my targetConfiguration.xmll file

The logs are indeed coming through however, i am also receiving connection logs. i.e accepted traffic connections.

 

<?xml version="1.0" encoding="utf-8"?>
<export id="targetObjectUID"><!--object uuid!-->
<version>5</version> <!-- Version of this file-->
<is_enabled>true</is_enabled><!--Is the process allowed to run, and start on cpstart-->
<!-- Destination section defines the properties of the export target -->
<destination type="syslog"> <!-- Target output type -->
<ip>x.x.x.x</ip><!--the ip of the syslog server-->
<port>1514</port><!--the port on which the syslog is listening to-->
<protocol>udp</protocol><!--udp/tcp-->
<!--the configuration of tls-->
<transport>
<security></security><!--clear/tls-->
<!-- the following section is relevant only if <security> is tls -->
<pem_ca_file></pem_ca_file>
<p12_certificate_file></p12_certificate_file>
<client_certificate_challenge_phrase></client_certificate_challenge_phrase>
</transport>
</destination>
<!-- Filter Configuration -->
<dynamicFilter>conf/FilterConfiguration.xml</dynamicFilter>
<!-- Source section defines the properties of the input stream that will be exported -->
<source>
<log_files>1</log_files><!-- on-line[default] | read logs from [number] days back (recommended) | specific file name -->
<log_types></log_types><!--all[default]|log|audit/-->
<folder></folder><!--$FWDIR/log[default]|specific path-->
<read_mode>raw</read_mode><!--raw[default]|semi-unified/-->
</source>
<export_log_link>true</export_log_link> <!-- True | False /-->
<export_attachment_link>false</export_attachment_link> <!-- True | False /-->
<export_link_ip></export_link_ip> <!-- empty [defaut] | external IP /-->
<!-- Format section determines the form (headers and mappings) of the exported logs -->
<format type="cef"> <!--syslog | cef | leef | generic | splunk | this parameter may differ from the type of destination, for example, destination type = files/format type = CEF -->
<resolver>
<mappingConfiguration></mappingConfiguration><!--if empty the fields are sent as is without renaming-->
<exportAllFields>true</exportAllFields> <!--in case exportAllFields=true - exported element in fieldsMapping.xml is ignored and fields not from fieldsMapping.xml are exported as notMappedField field-->
</resolver>
<!-- Format header configuration (actual to CEF see ./conf directory) -->
<formatHeaderFile></formatHeaderFile>
</format>

<!-- The following section is for future use of log filtering, please do not modify these values -
->
<filter filter_out_by_connection="true">
<field name="product">
<value>VPN-1 &amp; FireWall-1</value>
<value>HTTPS Inspection</value>
<value>VPN-1</value>
<value>Security Gateway/Management</value>
<value>Firewall</value>
<value>FG</value>
</field>
<field name="fw_subproduct">
<value>VPN-1 &amp; FireWall-1</value>
<value>HTTPS Inspection</value>
<value>VPN-1</value>
<value>Security Gateway/Management</value>
<value>Firewall</value>
<value>FG</value>
</field>
</filter>


</export>

Shay_Hibah
Employee Alumnus
Employee Alumnus

Hi,

Your target configuration looks OK.
Can you please share your FilterConfiguration.xml file?
I also want to make sure you have configured it correctly.

Thanks,
Shay
0 Kudos
snghoshi
Participant

here is my FilterConfiguration.xml

 

<filters>
<filterGroup operator="and">
<field name="action" operator="and">
</field>
<field name="origin" operator="and">
</field>
<field name="product" operator="and">
</field>
</filterGroup>
</filters>
~

0 Kudos
Shay_Hibah
Employee Alumnus
Employee Alumnus

Based on those 2 files it looks that you did not filter anything out and you should see all your logs in syslog server.

1. is that the case? if so, what do you want to filter?
2. If not, lets take it offline you and I (shayhi@checkpoint.com).

Shay
Cody_Von_Seelen
Participant
Participant

Per SK160754 it states that Filtering is not supported yet on R80.40.

Has this changed?

https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut...

Log Exporter SK122323 also states:

0 Kudos
Yaakov_Ohayon
Employee
Employee

@Cody_Von_Seelen 

You are totally right, Log Exporter filtering is supported in R80.40 and the documentation should be updated.

 

Thank you for noticing.

0 Kudos
Svendsen
Participant

But have the SK been updated yet - thats the question 🙂

0 Kudos
Yaakov_Ohayon
Employee
Employee

The SK will be updated in few days, we changed more sections there and added more details about new functionalities.

 

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

Upcoming Events

    CheckMates Events