Create a Post
cancel
Showing results for 
Search instead for 
Did you mean: 
Ob1lan
Contributor

Mobile Access blade logs not imported in SIEM

Hi,

I am working on integrating checkpoint logs via log exporter(syslog) and detected that we are not receiving logs from “ Mobile Access” blade. I would like to have these logs in my SIEM.

We made this changes in FilterConfiguration.xml file but couldn’t succeed. Help in this context is highly appreciated :   

<filters>

        <filterGroup operator="and">

                <field name="action" operator="and">

                </field>

                <field name="origin" operator="or">

                </field>

<field name="product-family" operator="or">

                              <value operation="eq">TP</value>

                              <value operation="eq">Access</value>

                             <value operation="eq">Mobile</value>

                             <value operation="eq">EndPoint</value>

                </field>

                <field name="product" operator="or">

                              <value operation="eq">SmartDefense</value>

                              <value operation="eq">Security Gateway/Management</value>

                            <value operation="eq">VPN-1 & FireWall-1</value>

                             <value operation="eq">Mobile Access</value>

                             <value operation="eq">Firewall</value>

                             <value operation="eq">Identity Awareness</value>

                </field>

        </filterGroup>

</filters>

 

Best regards,

 

Antoine

0 Kudos
3 Replies
Dror_Aharony
Employee
Employee

Hi Antoine,

You need to remove the entire product-family section (it's not supported like this. Only via the product field), or simply use the built-in filter-blade-in: "Access,TP,Mobile,EndPoint"

like this: cp_log_export set name <X> filter-blade-in "Access,TP,Mobile,EndPoint"

The upper command will translate to all these blades/products below & you can remove any one you don't need exported.

Restart log-exporter: cp_log_export restart name <X>


<field name="product" operator="or">
<value operation="eq">Security Gateway/Management</value>
<value operation="eq">VPN-1 & FireWall-1</value>
<value operation="eq">Firewall</value>
<value operation="eq">Application Control</value>
<value operation="eq">URL Filtering</value>
<value operation="eq">Content Awareness</value>
<value operation="eq">Connectra</value>
<value operation="eq">Mobile Access</value>
<value operation="eq">Compliance blade</value>
<value operation="eq">Core</value>
<value operation="eq">DDoS Protector</value>
<value operation="eq">Identity Awareness</value>
<value operation="eq">Identity Logging</value>
<value operation="eq">UA WebAccess</value>
<value operation="eq">Anti-Bot</value>
<value operation="eq">Anti Malware</value>
<value operation="eq">Threat Emulation</value>
<value operation="eq">IPS</value>
<value operation="eq">IPS-1</value>
<value operation="eq">SmartDefense</value>
<value operation="eq">MTA</value>
<value operation="eq">Anti-Virus</value>
<value operation="eq">New Anti Virus</value>
<value operation="eq">Anti Virus</value>
<value operation="eq">Anti-Spam and Email Security</value>
<value operation="eq">Threat Extraction</value>
<value operation="eq">MTA</value>
<value operation="eq">WIFI Network</value>
<value operation="eq">Mobile App</value>
<value operation="eq">OS Exploits</value>
<value operation="eq">Device</value>
<value operation="eq">Network Security</value>
<value operation="eq">Cellular Network</value>
<value operation="eq">Network Access</value>
<value operation="eq">iOS Profiles</value>
<value operation="eq">Text Message</value>
<value operation="eq">On-device Network Protection</value>
<value operation="eq">Endpoint</value>
</field>

Ob1lan
Contributor

Hi, 

Thanks for your reply. Now the SIEM team is receiving logs, but they are missing an important information : the username for the log entry.

In SmartConsole, we see all information for the entry, including the username. However, the exported log seems to be missing that information.

Is there some kind of anonymization that occurs while exporting the logs to a SIEM ? Can we control that to make sure it's exported as well ?

Thanks in advance.

Regards,

Antoine

0 Kudos
Ob1lan
Contributor

Anybody knows if that's normal behavior from the collector, or if we can control whether usernames are included in the exported logs ?

Thanks !

0 Kudos