Emil_T
Collaborator

Management audit logs with Log Exporter

The scenario:

Log exporter is configured on a management server. 

There is no Log Server/Multi-Domain Log Module in place (https://support.checkpoint.com/results/sk/sk173244)

Mngt> show syslog all
Syslog Parameters:
Remote Address 10.10.5.5
Levels none
Port 514
Protocol udp
Auditlog permanent
Destination Log Filename /var/log/messages

[Expert@Mngt:0]# cp_log_export show

name: SIEMLogExporter
enabled: true
target-server: 10.10.5.5
target-port: 514
protocol: udp
format: leef
read-mode: semi-unified
export-attachment-ids: false
export-link: false
export-attachment-link: false
time-in-milli: false
export-log-position: false
reconnect-interval: Not configured, using default

[Expert@Mngt-Pri:0]#

 

https://support.checkpoint.com/results/sk/sk122323

https://sc1.checkpoint.com/documents/Log_Exporter/EN/Content/Topics/Advanced-Configuration.htm?Highl...

As articulated in the documentation:

1. Log Exporter supports:

  • Log Types: The ability to export Security logs, Audit logs, or both.
    Note: Audit logs exist on both the Management Server and the Log Server.

2. <log_types></log_types>

   Determines which logs to export based on their type:

  • all (default)
  • log
  • audit

 

Issue:

The SIEM team claims that no audit logs are arriving at the SIEM. 

Question:
Which troubleshooting measures can be undertaken on the Management side to ascertain the root of this apparent omission, or to prove otherwise?

Thx!

0 Kudos
1 Solution

Accepted Solutions
Amir_Senn
Employee

Check the "FetchedFiles" file under your exporter directory.

It tracks which log files are being exported.

If you see <file_name>.adtlog - audit logs are being exported via log exporter and the issue could be on the SIEM side.

fw.adtlog - the latest and ongoing log file.

Kind regards, Amir Senn


(1)
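One way to make the accepted answer's check mechanical, as an added example that is not Check Point's code and not from anyone in this thread: a POSIX shell script that reads a target's data/FetchedFiles, lists the tracked .adtlog files and gives a verdict. It assumes only what the listings in this thread show (field 5 is the file name, field 4 its length); the function names, the constructed sample and the use of $EXPORTERDIR as the base directory are my own.

```shell
#!/bin/sh
# Added example, not Check Point tooling: summarise which log files a Log Exporter
# target has fetched by reading its data/FetchedFiles. In the listings posted in
# this thread the 5th whitespace-separated field is the file name and the 4th is
# that name's length (21 for 2025-07-19_000000.log, 9 for fw.adtlog). The other
# fields are not decoded here; their meaning is not documented on the page.
# The sample below is constructed in that format.

SAMPLE_FETCHED=$(mktemp)
cat > "$SAMPLE_FETCHED" <<'EOF'
22 serialization::archive 19 0 0 0 0 12 1 0 1 3 1 0
0 9 127.0.0.1 24 2025-07-20_000000.adtlog 1752897600 1 140 0 0 3
1 9 127.0.0.1 21 2025-07-20_000000.log 1752897600 1 50341 0 0 3
2 9 127.0.0.1 6 fw.log 1753070400 0 4294967295 1 0 2 0 0 37492 3
3 9 127.0.0.1 9 fw.adtlog 1753070400 0 4294967295 1 0 2 0 0 119
EOF

# Print the tracked file names ending in $2 from the FetchedFiles at $1.
# The archive header line is skipped, and an entry is only trusted when its
# length field matches the name, so a truncated line is never miscounted.
fetched_names() {
    awk -v suf="$2" '
        NR > 1 && NF >= 5 && length($5) == $4 &&
        substr($5, length($5) - length(suf) + 1) == suf { print $5 }' "$1"
}

# Verdict for one target: "exporting" when the live fw.adtlog is tracked (audit
# logs are being read, so the SIEM side is the next place to look),
# "rotated-only" when only closed .adtlog files are tracked, and "none" when
# no audit file is tracked at all (re-check <log_types> in
# targetConfiguration.xml and that the target is enabled).
audit_export_status() {
    names=$(fetched_names "$1" .adtlog)
    if [ -z "$names" ]; then
        echo none
    elif printf '%s\n' "$names" | grep -Fxq fw.adtlog; then
        echo exporting
    else
        echo rotated-only
    fi
}

# On a management server, run this over every target below $EXPORTERDIR
# (the thread shows /opt/CPrt-R81.20/log_exporter on R81.20 and /opt/CPrt-R82/... on R82).
check_all_targets() {
    for f in "${EXPORTERDIR:?set EXPORTERDIR first}"/targets/*/data/FetchedFiles; do
        [ -f "$f" ] || continue
        printf '%s: %s\n' "$f" "$(audit_export_status "$f")"
    done
}

audit_export_status "$SAMPLE_FETCHED"   # prints "exporting" for the sample
```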
14 Replies
the_rock
Legend

We are doing this for a few customers and we definitely see audit logs in the SIEM. I will check with one of my colleagues to see if anything special is required.

Andy

0 Kudos
the_rock
Legend

Had a call with one of my colleagues and he told me they can see audit logs in our SIEM. Maybe check the file below (just check the right path on your mgmt). There are some audit log settings there.

Andy

[Expert@CP-MANAGEMENT:0]# vi targetConfiguration.xml
[Expert@CP-MANAGEMENT:0]# vi targetConfiguration.xml
[Expert@CP-MANAGEMENT:0]# vi targetConfiguration.xml
[Expert@CP-MANAGEMENT:0]# pwd
/opt/CPrt-R82/log_exporter/targets/test-log
[Expert@CP-MANAGEMENT:0]#

0 Kudos
Emil_T
Collaborator

Thx for the reply

The only thing in this file related to audit is this: 
<log_types></log_types> <!-- all[default] |log|audit/ -->

 

0 Kudos
the_rock
Legend

That looks correct. I would check siem side.

Andy

0 Kudos
Lesley
Authority

Maybe make a capture to see if data is flowing.

tcpdump -nni any host 10.5.5.5 port 514 

tcpdump -nn -w capture-log.pcap -i any host 10.5.5.5

-------
If you like this post please give a thumbs up (kudo)! 🙂
Emil_T
Collaborator

Additionally, I executed this command and inspected the payload in the pcap capture. I confirmed that the audit logs are indeed being transmitted from the firewall as expected.

LEEF:2.0|Check Point|SmartConsole|1.0|Accept|devTime=1747889797 src=10.5.5.5 emailSubject=Object Manipulation cat=SmartConsole action=Accept ifdir=outbound loguid={0x682eae87,0x46,0xfa01050a,0x13bda70e} origin=10.5.5.5 originsicname=cn\=cp_mgmt,o\=ng-fw..d3ba3n sequencenum=1 version=5 administrator=emil advanced_changes= fieldschanges=Name: Changed from 'Ahemed_WS' to 'Ahemed_WS-10.14.4.4' ip_address=10.14.4.4logic_changes=Name: Changed from 'Ahemed_WS' to 'Ahemed_WS-10.14.4.4' objectname=Ahemed_WS-10.14.4.4objecttype=Host operation=Modify Object sendtotrackerasadvancedauditlog=0 session_description=audit check session_name=emil_@22/05/2025 session_uid=f34faba5-16d9-4150-af56-6d95cb03161c uid=5e932b98-7136-4a28-a843-3629bffe92c6

0 Kudos
PhoneBoy
Admin

First, let's see if you've actually configured anything in Log Exporter by providing the output of cp_log_export show (expert mode command) or showing the relevant screenshot in SmartConsole showing the configuration.
You can redact any sensitive details.

0 Kudos
Emil_T
Collaborator

I added it to the original post

0 Kudos
the_rock
Legend

I checked this for one client where we forward logs to siem and it looks literally the same as config you pasted.

Andy

0 Kudos
the_rock
Legend

To add to the command @Lesley provided, you can also use the fw monitor -F flag.

example below:

fw monitor -F "srcIP,srcport,dstIP,dstport,protocol" -F "srcIP,srcport,dstIP,dstport,protocol"

Now, you don't need the second -F flag if you only care to see outgoing traffic, but here is a good example for, say, port 4434:

fw monitor -F "1.1.1.1,0,2.2.2.2,4434,0" -F "2.2.2.2,0,1.1.1.1,4434,0" -o /var/log/fwmonitortest.cap

0 Kudos
florence
Explorer

How can we see the fetchedfiles?

name: QRadar domain-server: : DLS01
      enabled: true
      target-server: 10.20.252.158
      target-port: 514
      protocol: udp
      format: leef
      read-mode: semi-unified
      export-attachment-ids: false
      export-link: false
      export-attachment-link: false
      time-in-milli: false
      export-log-position: false
      skip-failed-logs: Not configured, using default
      reconnect-interval: Not configured, using default

 

I did a packet capture and changed the name of this object, but we cannot see any log.

 

[Expert@MDLS01:0]# tcpdump -vvv -A -nni any host 10.20.252.158 | grep 00SS26
tcpdump: listening on any, link-type LINUX_SLL (Linux cooked), capture size 262144 bytes

 

^C4065776 packets captured
4065912 packets received by filter
0 packets dropped by kernel

 

0 Kudos
Emil_T
Collaborator

[Expert@Mngt-Pri:0]#
[Expert@Mngt-Pri:0]# cd $EXPORTERDIR
[Expert@Mngt-Pri:0]# pwd
/opt/CPrt-R81.20/log_exporter
[Expert@Mngt-Pri:0]#
[Expert@Mngt-Pri:0]# ll
total 16948
drwxr-x--- 2 admin bin 4096 Oct 9 2023 conf
-rwxr-x--- 1 admin root 17305216 Nov 12 2024 log_exporter
-rw-r----- 1 admin bin 10909 Nov 16 2022 openssl.cnf
drwxrwx--- 3 admin root 4096 Oct 9 2024 targets
drwxr-x--- 2 admin bin 4096 Nov 12 2024 upgrade
[Expert@Mngt-Pri:0]#
[Expert@Mngt-Pri:0]# ll -h
total 17M
drwxr-x--- 2 admin bin 4.0K Oct 9 2023 conf
-rwxr-x--- 1 admin root 17M Nov 12 2024 log_exporter
-rw-r----- 1 admin bin 11K Nov 16 2022 openssl.cnf
drwxrwx--- 3 admin root 4.0K Oct 9 2024 targets
drwxr-x--- 2 admin bin 4.0K Nov 12 2024 upgrade
[Expert@Mngt-Pri:0]# cd targets/
[Expert@Mngt-Pri:0]#
[Expert@Mngt-Pri:0]# ll -h
total 4.0K
drwxrwx--- 6 admin root 4.0K Oct 9 2024 SIEMLogExporter
[Expert@Mngt-Pri:0]#
[Expert@Mngt-Pri:0]# cd SIEMLogExporter/
[Expert@Mngt-Pri:0]#
[Expert@Mngt-Pri:0]# ll -h
total 28K
drwxr-x--- 2 admin root 4.0K Oct 9 2024 conf
drwx------ 3 admin root 4.0K Jul 21 23:25 data
-rw-r----- 1 admin root 1.4K Oct 9 2024 fieldsMapping.xml
drwxrwx--- 2 admin root 4.0K Jul 21 22:25 log
lrwxrwxrwx 1 admin root 42 Oct 9 2024 log_exporter -> /opt/CPrt-R81.20/log_exporter/log_exporter
-rw-rw---- 1 admin root 4 Oct 9 2024 log_indexer_custom_settings.conf
-rw-r----- 1 admin root 3.7K Oct 9 2024 targetConfiguration.xml
drwxrwx--- 2 admin root 4.0K Oct 9 2024 tmp
[Expert@Mngt-Pri:0]#
[Expert@Mngt-Pri:0]# cd data/
[Expert@Mngt-Pri:0]#
[Expert@Mngt-Pri:0]# ll -h
total 72K
-rw-rw---- 1 admin root 62K Jul 21 23:25 FetchedFiles
drwx------ 2 admin root 4.0K Oct 9 2024 users_settings
[Expert@Mngt-Pri:0]#
[Expert@Mngt-Pri:0]# tail -f FetchedFiles
873 9 127.0.0.1 21 2025-07-19_000000.log 1752842936 1 8946970 0 0 3
874 9 127.0.0.1 24 2025-07-19_160506_56.log 1752872401 1 17584375 0 0 3
875 9 127.0.0.1 24 2025-07-20_000000.adtlog 1752872401 0 4294967295 1 0 2 0 0 76 3
876 9 127.0.0.1 21 2025-07-20_000000.log 1752930307 1 8465251 0 0 3
877 9 127.0.0.1 24 2025-07-20_133938_57.log 1752958801 1 17313946 0 0 3
878 9 127.0.0.1 24 2025-07-21_000000.adtlog 1752958801 0 4294967295 1 0 2 0 0 102 3
879 9 127.0.0.1 21 2025-07-21_000000.log 1753007980 1 11976479 0 0 3
880 9 127.0.0.1 24 2025-07-21_144624_58.log 1753045202 1 17456737 0 0 3
881 9 127.0.0.1 9 fw.adtlog 1753045202 0 4294967295 1 0 2 0 0 84 3
882 9 127.0.0.1 6 fw.log 1753098386 0 4294967295 1 0 2 0 0 9939354


^C
[Expert@Mngt-Pri:0]#

the_rock
Legend

Just checked my lab, looks about the same.

Andy

 

[Expert@CP-MANAGEMENT:0]# pwd
/opt/CPrt-R82/log_exporter/targets/test-log/data
[Expert@CP-MANAGEMENT:0]# more FetchedFiles
22 serialization::archive 19 0 0 0 0 12 1 0 1 3 1 0
0 9 127.0.0.1 24 2025-07-17_000000.adtlog 1752638400 1 135 0 0 0 0 3
1 9 127.0.0.1 21 2025-07-17_000000.log 1752638400 1 58199 0 0 3
2 9 127.0.0.1 21 2025-07-18_000000.log 1752724800 1 54225 0 0 3
3 9 127.0.0.1 24 2025-07-18_000000.adtlog 1752724800 1 159 0 0 3
4 9 127.0.0.1 24 2025-07-19_000000.adtlog 1752811200 1 146 0 0 3
5 9 127.0.0.1 21 2025-07-19_000000.log 1752811200 1 53531 0 0 3
6 9 127.0.0.1 21 2025-07-20_000000.log 1752897600 1 50341 0 0 3
7 9 127.0.0.1 24 2025-07-20_000000.adtlog 1752897600 1 140 0 0 3
8 9 127.0.0.1 24 2025-07-21_000000.adtlog 1752984000 1 158 0 0 3
9 9 127.0.0.1 21 2025-07-21_000000.log 1752984000 1 49662 0 0 3
10 9 127.0.0.1 6 fw.log 1753070400 0 4294967295 1 0 2 0 0 37492 3
11 9 127.0.0.1 9 fw.adtlog 1753070400 0 4294967295 1 0 2 0 0 119
[Expert@CP-MANAGEMENT:0]#

0 Kudos
