I have log exporter set up to export logs via syslog in CEF format. I'm noticing that a lot of the IPS logs are often missing fields, mainly the destination IP and ports. I've verified that these fields are listed in the conf files and not being blocked from being exported. I've pasted a couple of examples below. This for R80.20, and wondering if anyone else has seen this, or if this is normal and if so, any ideas as to why?
Examples:
"CEF:0|Check Point|SmartDefense|Check Point|IPS|Command Injection Over HTTP|Very-High|cp_severity=Very-High cs2Label=Protection ID cs2=asm_dynamic_prop_CMD_INJECTION cs3Label=Protection Type cs3=IPS cs4Label=Protection Name cs4=Command Injection Over HTTP deviceDirection=0 flexNumber1Label=Confidence flexNumber1=3 flexNumber2Label=Performance Impact flexNumber2=3 flexString2Label=Attack Information flexString2=Command Injection Over HTTP msg=Web Server Enforcement Violation rt=1553065375000 loguid={0x5c91e59f,0x1c,0x1520d30a,0xc000000a} origin=0.0.0.0 originsicname=CN\=ABCDEF,O\=myname.com sequencenum=1777 version=5 description_url=CMD_INJECTION_help.html product=SmartDefense smartdefense_profile=g_Production_and_QA_DEV_IPS src=120.27.248.226"
"CEF:0|Check Point|SmartDefense|Check Point|anomaly|Non Compliant DNS|Very-High|act=Drop cp_severity=Very-High cnt=22 cs2Label=Protection ID cs2=DnsProtocolEnforcement cs3Label=Protection Type cs3=anomaly cs4Label=Protection Name cs4=Non Compliant DNS deviceDirection=0 flexNumber1Label=Confidence flexNumber1=3 flexNumber2Label=Performance Impact flexNumber2=2 flexString2Label=Attack Information flexString2=Illegal number of Resource Records msg=Non Compliant DNS rt=1553138597000 ifname=lo loguid={0x0,0x0,0x0,0x0} origin=10.211.32.21 originsicname=CN\=ABCDEF,O\=myname.com sequencenum=276 version=5 product=SmartDefense rule=554 rule_name=4.551_._._OPEN-RULE-BAD rule_uid=c2ea1bf4-908d-4905-acf4-e8349562478b smartdefense_profile=g_Production_and_QA_DEV_IPS_79ca84b7e1848eb9 sub_policy_name=Production_Global Security sub_policy_uid=9b1c034b-b8a9-4dda-95ec-919ea0a79097 summary=Detected 22 events associated with the following attack: Attack name: Non Compliant DNS Attack data: Illegal number of Resource Records Packet Info: DNS query length 570 exceeds the allowed length 512 See sk73240 for more information."
"CEF:0|Check Point|SmartDefense|Check Point|IPS|Brute Force Scanning of CIFS Ports|Medium|cp_severity=Medium cs2Label=Protection ID cs2=asm_dynamic_prop_CIFS_BF_PORT_SCAN cs3Label=Protection Type cs3=IPS cs4Label=Protection Name cs4=Brute Force Scanning of CIFS Ports deviceDirection=0 flexNumber1Label=Confidence flexNumber1=1 flexNumber2Label=Performance Impact flexNumber2=2 flexString2Label=Attack Information flexString2=Brute Force scanning of CIFS ports msg=Windows SMB Protection Violation rt=1553043683000 loguid={0x5c9190e3,0xe,0x3e20d30a,0xc000000a} origin=0.0.0.0 originsicname=CN\=ABCDEF,O\=namegoeshere.dev.com55k sequencenum=229 version=5 description_url=CIFS_BF_PORT_SCAN_help.html product=SmartDefense smartdefense_profile=g_Production_and_QA_DEV_IPS src=10.211.68.109"