Kosin_Usuwanthi
Collaborator

Log exporter not summary logging to one event

I'm not sure why the log is separated into 4 events and not summarized into one event. But from SmartConsole I can see all the details on a single page.

1. CheckPoint - [action:"Prevent"; flags:"280832"; ifdir:"inbound"; ifname:"bond30.156"; loguid:"{0x5b691e76,0xf,0x670111ac,0xc0000017}"; origin:"XX"; originsicname:"XX,O=XX"; sequencenum:"282"; time:"1533615734"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={2DB996A2-E1A3-A14C-84EA-8F3D716B0D7B};mgmt=XX;date=1533271919;policy_name=Unified_Policy\]"; dst:"XX.XX.XX.XX"; log_id:"2"; malware_rule_id:"{D99A6D5D-8BAE-40F8-B35A-5D6C1CFBDFE7}"; policy:"Unified_Policy"; policy_time:"1533297083"; product:"SmartDefense"; proto:"17"; rule_name:"Allow Untrust - Custom"; rule_uid:"c25fc1f6-41f4-4279-9e13-aa32e1aecbc9"; s_port:"60229"; service:"53413"; session_id:"{0x5b691e76,0xf,0x670111ac,0xc0000017}"; smartdefense_profile:"Optimized (Clone)"; src:"185.234.217.134"; layer_uuid:"{C17851E7-374F-4024-892C-82868FDA31F7}"; malware_rule_id:"{D99A6D5D-8BAE-40F8-B35A-5D6C1CFBDFE7}"; smartdefense_profile:"Optimized"; ]

2. CheckPoint - [action:"Accept"; flags:"417028"; ifdir:"inbound"; ifname:"bond30.156"; logid:"0"; loguid:"{0x5b691e76,0xe,0x670111ac,0xc0000017}"; origin:"XX"; originsicname:"CN=XX,O=XX"; sequencenum:"284"; time:"1533615734"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={2DB996A2-E1A3-A14C-84EA-8F3D716B0D7B};mgmt=XX;date=1533271919;policy_name=Unified_Policy\]"; dst:"XX.XX.XX.XX"; inzone:"External"; layer_name:"Unified_Policy Network Rule"; layer_uuid:"261a755f-b462-4f95-9194-be1d76d9839c"; match_id:"197"; parent_rule:"0"; rule_action:"Accept"; rule_name:"Allow Untrust - Custom"; rule_uid:"c25fc1f6-41f4-4279-9e13-aa32e1aecbc9"; outzone:"Internal"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"60229"; service:"53413"; service_id:"udp-high-ports"; src:"185.234.217.134"; ]

3. CheckPoint - [flags:"147456"; ifdir:"inbound"; loguid:"{0x5b691e76,0xf,0x670111ac,0xc0000017}"; origin:"XX"; originsicname:"CN=XX,O=XX"; sequencenum:"286"; time:"1533615734"; version:"5"; attack:"Security Products Enforcement Violation"; attack_info:"Netis/Netcore Router Hard-Coded Backdoor"; confidence_level:"5"; description_url:"NETIS_R_help.html"; performance_impact:"3"; product:"SmartDefense"; protection_id:"asm_dynamic_prop_NETIS_R"; protection_name:"Netis/Netcore Router Hard-Coded Backdoor"; protection_type:"IPS"; severity:"3"; smartdefense_profile:"Optimized"; src:"185.234.217.134"; ]

4. CheckPoint - [flags:"18688"; ifdir:"inbound"; loguid:"{0x5b691e76,0xf,0x670111ac,0xc0000017}"; origin:"XX"; originsicname:"CN=XX,O=XX"; sequencenum:"288"; time:"1533615734"; version:"5"; log_id:"2"; packet_capture_name:"src-185.234.217.134.eml"; packet_capture_time:"1533615734"; packet_capture_unique_id:"185.234.217.134_maildir_sent_new_time1533615734.mail-895411386-1818202990.localhost"; product:"SmartDefense"; ]

4 Replies
Yonatan_Philip
Employee Alumnus

Hello Kosin,

This is actually the other way around.

Those are 4 distinct logs generated by the GW (one original log plus three updates which all share the same loguid) that are combined into one unified view in the GUI.

We are actually planning to address this via a mode we are introducing called semi-unified mode which I discussed in some more details at https://community.checkpoint.com/thread/7248-log-exporter-guide#comment-24572 .

HTH

Yonatan

Hrvoje_Brlek
Collaborator

Hi,

I am exporting logs to Splunk with semi-unified mode on, but we are getting all the logs not only the suppressed ones.

For example for one loguid we are getting 4 different logs. 

It would be very helpful if it were possible to export just the last summarized event... or rather, for one loguid, only one final log event...

Thanks

Dan_Zada
Employee Alumnus

Hi,

When using semi-unified mode, it does not mean that you will have only one log. It means that in each log, you will get all the data we have about it, unified and aggregated.

If a new update arrives, then the log exporter will export the log again with the new data.

In our new App for Splunk, we developed the queries in such a way that they show and count only the latest one (you can take it as an example).

Thanks!

Dan.

Hrvoje_Brlek
Collaborator

OK, thanks, I understand. In that case we will set up a rule (policy) on the Splunk side to show only the latest log.

Regards,

Hrvoje

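The two views discussed in this thread, the single unified record SmartConsole builds from one original log plus its updates, and the "count only the latest update per loguid" reduction Dan describes for the Splunk app, can be reproduced from exported lines with a small script. The following is an added example in Python, not code from the thread, from Check Point or from the Splunk app; the sample lines are constructed in the Log Exporter format shown above, the loguid and sequencenum values mirror the thread's four logs (three updates share one loguid, the Accept log has its own), and the addresses are RFC 5737 documentation addresses rather than the thread's real ones.

```python
import re
from collections import defaultdict

# Constructed sample input in the "CheckPoint - [key:"value"; ...]" shape the
# Log Exporter emits. Field names are the ones visible in the thread.
LOG_LINES = [
    r'CheckPoint - [action:"Prevent"; ifdir:"inbound"; loguid:"{0x5b691e76,0xf,0x670111ac,0xc0000017}"; '
    r'sequencenum:"282"; time:"1533615734"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={TAG};'
    r'mgmt=XX;date=1533271919;policy_name=Unified_Policy\]"; product:"SmartDefense"; '
    r'src:"192.0.2.10"; dst:"198.51.100.5"; ]',
    r'CheckPoint - [action:"Accept"; ifdir:"inbound"; loguid:"{0x5b691e76,0xe,0x670111ac,0xc0000017}"; '
    r'sequencenum:"284"; time:"1533615734"; product:"VPN-1 & FireWall-1"; src:"192.0.2.10"; ]',
    r'CheckPoint - [ifdir:"inbound"; loguid:"{0x5b691e76,0xf,0x670111ac,0xc0000017}"; sequencenum:"286"; '
    r'time:"1533615734"; attack:"Security Products Enforcement Violation"; protection_type:"IPS"; '
    r'severity:"3"; src:"192.0.2.10"; ]',
    r'CheckPoint - [ifdir:"inbound"; loguid:"{0x5b691e76,0xf,0x670111ac,0xc0000017}"; sequencenum:"288"; '
    r'time:"1533615734"; packet_capture_name:"src-192.0.2.10.eml"; product:"SmartDefense"; ]',
]

# Match key:"value" pairs rather than splitting on ';' because values such as
# __policy_id_tag contain ';' and '[...]' inside the quotes.
FIELD_RE = re.compile(r'(\w+):"([^"]*)"')


def parse_log_line(line: str) -> dict:
    """Turn one exported line into a field dict. If a key repeats on the line
    (the thread's log 1 has malware_rule_id twice) the last occurrence wins."""
    return {key: value for key, value in FIELD_RE.findall(line)}


def by_loguid(records: list) -> dict:
    """Group records by loguid, each group ordered by sequencenum so the
    original log comes first and the newest update last."""
    groups = defaultdict(list)
    for record in records:
        groups[record["loguid"]].append(record)
    for group in groups.values():
        group.sort(key=lambda r: int(r.get("sequencenum", "0")))
    return dict(groups)


def latest_per_loguid(records: list) -> dict:
    """Keep only the final update per loguid: the reduction Dan describes for
    the Splunk app, so each session is counted once."""
    return {uid: group[-1] for uid, group in by_loguid(records).items()}


def unified_per_loguid(records: list) -> dict:
    """Replay the updates in sequence order and merge their fields into one
    record, which is the single unified view SmartConsole shows. Fields set by
    a later update override earlier ones; update_count records how many
    exported lines fed the record."""
    unified = {}
    for uid, group in by_loguid(records).items():
        merged = {}
        for record in group:
            merged.update(record)
        merged["update_count"] = len(group)
        unified[uid] = merged
    return unified


RECORDS = [parse_log_line(line) for line in LOG_LINES]

if __name__ == "__main__":
    print(f"exported lines: {len(RECORDS)}")
    print(f"distinct loguids: {len(latest_per_loguid(RECORDS))}")
    for uid, record in unified_per_loguid(RECORDS).items():
        print(uid, "->", record["update_count"], "update(s), fields:", sorted(record))
```

Running the block shows four exported lines collapsing to two distinct loguids, and the unified record for the shared loguid carrying the action from the original log together with the IPS and packet-capture fields from its updates. In Splunk the same reduction is the `dedup` command with `sortby` (for example `dedup loguid sortby -sequencenum`), which keeps the newest sequencenum per loguid and is what a "show only the latest log" rule amounts to.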
