This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
MIchalCzapnik
Explorer
‎2021-01-14 02:10 AM

Log_exporter > splunk - empty logs

Hello All,

I was wondering if anyone could help me here. I'm using log_exporter to provide logs to SPLUNK. 

r80.20 t188

I created a syntax: 

cp_log_export add name SPLUNK target-server 10.10.10.11 target-port 514 protocol udp format splunk read-mode semi-unified

restarted log_exporter - pid created

But on Splunk and on wireshark i see that all the logs have is and quite a lot of them: 

1/14/21
10:52:29.000 AM
Jan 14 10:52:29 10.100.10.10 Thu Jan 14 10:52:28 CheckPoint Syslog started
host = 10.10.10.10

On Splunk i have add-on for CP log_export and port udp 514 open. 

I tired to reinstall log_export, but looks like it is possible only with uninstalling hole hot fix with cpuse and rm -rf $EXPORTERDIR

https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut...

After reboot i installed back the hotfix but then cp_log_export was not working as it was lacking file:

fieldsMapping.xml

I installed fresh image of r80.20mgt on different vm and copied fieldsMapping.xml to my device. It worked, but still there is the same situation. Logs are being sent only about  CheckPoint Syslog started

I can view the logs just fine in the SmartConsole. 

Is there something else that i'm missing?

 

0 Kudos
1 Reply
MIchalCzapnik
Explorer
‎2021-01-15 03:51 PM

Fixed

After doing Wireshark and confirming that the logs do not have any more data than above, I checked the logs from /opt/CPrt-R80.20/log_exporter/targets/TARGET/log/log_indexer.elg and it said that it couldn't locate log_indexer_settings.conf. I set up a seperate VM machine and compared files created. Looks like after rm -rf $EXPORTERDIR and reinstalling/installing hot fixes the log_exprorer directory is not being created with enough files. 

 

What missing was:

- /opt/CPrt-R80.20/log_exporter/fieldsMapping.xml

-files from /opt/CPrt-R80.20/log_exporter/conf

Bookmarks.xml
CefFieldsMapping.xml
CefFormatDefinition.xml
GenericFieldsMapping.xml
fields-enums.xml
GenericFormatDefinition.xml
filter_tree.xml
ip2country.csv
log_fields.C
LogFamilyFields.xml
log_indexer_settings.conf
LogFields.xml
smartlog_unification_scheme.C
tmp_FastEvent_log_fields.C

 

I also located the log_indexer_settings.conf on dir. /opt/CPrt-R80.20/log_indexer/conf/log_indexer_settings.conf  
After coping that to /opt/CPrt-R80.20/log_exporter/conf and recreating export i started to get full logs.

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events