Hi,

Any help regarding this question? 

I am exporting logs to Splunk with semi-unified mode on, but we are getting all the logs not only the supressed ones.

For example for one loguid we are getting 4 different logs. As in the question mentioned here: https://community.checkpoint.com/t5/Logging-and-Reporting/Log-exporter-not-summary-logging-to-one-ev...

Would be very helpful if it is possible just to export the last summarized event...

Thanks

Hi,

I'm trying to filter using the predefined TP "product" with the filter-blade-in option per the example given in sk122323.  Currently all logs are being exported.  I get the following output:

cp_log_export set name <name obfuscated> filter-blade-in "TP"
Error: Argument [filter-blade-in] is undefined for command: [set]

This is on an R80.20 GA w/JHFA 33 open management server with logging.

One other point of clarification - the description for TP in the sk does not include IPS.  I only see that in the EndPoint description.  Was this an omission in the description or is it really not included in the TP filter?

Thanks for the help!

Hi Richard,

Sadly, the new log-exporter filtering feature isn't yet supported on R80.20 / R80.30.

from the official log-exporter sk122323 (Installation section):

"Note: Filtering ability is not integrated to R80.20 and R80.30 yet, this SK will be updated when it will be supported."

Coming soon...

*In-general, TP filter includes all Threat blades (including IPS blade).

I have a case about integration with Aruba ClearPass ， Aruba hope checkpoint SMS send syslog to ClearPass ，and give me a conf file like this。 which XML file should I edit? and which  Field?

CheckPoint_IngressEvent.xml:

hi,

interesting feature.

2 questions regarding this one:

1.  is it possible to export the main CMA ? (content of /opt/CPmds-R80.30/log)

      I tried the command but a warning appears: Failed to change env to customer: <IP.IP.IP.IP> 

2. Is it possible to export a single domain to multiple destinations? target-server 1 & target-server 2

Thanks

Best Regards

Hi S_E_ (Nickel),

1. Yea. You just need to use the domain-server mds for the mds/global level.

      "On MDS/MLM: domain-server argument is mandatory, you can use 'mds' as the value for domain-server in order to export mds level audit logs"

2. Yea. You just need to add another log-exporter on that same domain-server, but with a different target-server <IP>.

      quick shortcut way to create another identical exporter is simply copying entire folder (It'll also register it as new. Simply edit what you need afterwards, by either using the set command or manually) by:

       mdsenv <relevant domain-name/IP>

       cp -rf $EXPORTERDIR/targets/<name> $EXPORTERDIR/targets/<new_name>

Hi @Dror_Aharony ,

We aren't receiving audit logs using the Log exporter guide. You mentioned that the domain-server argument needs to be added while configuring the destination. Please help how can I confirm whether the domain-server argument is added in my configuration.

My current configuration is given below which I got by running command cp_log_export show "name":

name: ArcSightLog
enabled: true
target-server: (AGENT SERVER IP)
target-port: 514
protocol: udp
format: cef
read-mode: semi-unified

Regards,

Mitesh Agrawal

domain-server is only needed/required on an MDS server.

so if you don't see it, then it's not an MDS, right?

in-general, you simply add another flag: domain-server <CMA>

# cp_log_export add/set....domain-server <CMA/DMS>

Can you tell us if this has been resolved yet?

Hi there,

Regarding to "System Monitor" type of logs, what can I expect to see?

More background about my question.

We are on R80.30.  We have been using the old (classic/legacy) way to export CP logs to Splunk via the OPSEC LEA connection.

Been working fine.  For "system" type of messages, I can see log when firewall policy being pushed with the admin username.  I also able to see some messages regarding to high CPU usage or cluster status alert, similar to those "control" or "alert" type messages I see in the native Smart Console Log view.

Last week we switched to use the Log Exporter to Splunk (we also got the Check Point for Splunk apps installed).

What I am trying to figure out is how to get back those "policy installation" and "system status" log in Splunk.

I manage to find the "policy installation" log via Splunk (index="network_firewalls" source=tcp:11002
sys_message="installed*"), but the log didn't include the admin username.

But for other system status/alert type of log, I am not able to find them in Splunk.

First question is if what I am trying to do is available under LogExporter method?

If so, which direction or field values I should search in Splunk?

I see there is a field "product=System Monitor" but it doesn't seem contains much useful system log messages.

Thanks in advance.

All such logs should be exported to splunk assuming you don't have any filter.

if you see them in the SmartConsole's Logs view for this Log-Server/Management.

product=System Monitor should work (translated to splunk matching filter).

Can you share an example pic (or copy fields) of a system monitor log you'd like to see, but is missing or cannot be found on your splunk using log-exporter?

Hi @LostBoY 

On R80.40 Log Exporter feature is already integrated and you can use it without any other fix installation.

When you configure Log Exporter, by default all logs (both security and audit) are exported to the target server.

In order to check where the problem is, I would suggest you to:

1. Make sure the logs can be seen in your Log Server by connecting to this server via SmartConsole and make sure you are able to see them.

2. Check if these logs can be found on your syslog server.

In case it doesn't help to find the issue, I would suggest you to open a ticket for a further investigation.

If you would like to, you can upload / send me your exporter directory and I will be able to take a look at your exporter configuration to see if I found any errors.

Shay

Thanks for the reply... my log server is the mgmt server and i can see the logs via smartconsole..

At the syslog side.. the process id of log exporter is visible and mgmt hostname is being populated but there arent any traffic logs..

Which exact directory do i need to fetch and where should i upload it ? 

Zip the directory $EXPORTERDIR/targets<your_exporter_name>

You can upload it to here or send me by email: shayhi@checkpoint.com and we will take it from there.

Hi,

We are currently checking the issue.

Can you say if you had network issues in the past?

looks like if there is a network issue the exporter closes the connections on its side and tries to open new connections until it succeeds, but on SIEM side the old connections are also still open (still under investigation).

Hi @bigjim 

My name in Miri Ofir, I'm the group manager in charge of Logging products.

In regards to many open connections on SIEM, is it a new issue in your log exporter that you started to see recently?

Usually, based on previous cases, the problem of abandoned connection was something on the SIEM side that didn't clear them. I suggest to check this direction. What is the destination type? 

Hi @Miri_Ofir and @Ido_Shoshana 

we have no network issue between SIEM and log server : 2 servers on  seperate Vlan routed on the same core DC. just 1 hop. No FW. 

It 's a new issue because this is the first time we set up log-exporter.

The SIEM is based on a Red Hat Enterprise Linux release 8.3 + Logstash 7.14.2 for logs collection

Hi @big

Do you know if you have an option to configure on the SIEM to close abounded connections on it's own after certain TTL?

Log Exporter opens a new connection only in case of existing connection is failing, if you are sure the I/S is good and the Syslog server is configured properly, I suggest to work with our support to troubleshoot the problem.