Networks_Team_B
Participant

R80.40 cp_log_export filter based on origin

Hello all,

Thanks in advance for any help.

We are trying to export log files to Azure Sentinel using the cp_log_export utility, which appears to be working until we add filtering based on origin. When running tcpdump with the filter we only see a handful of packets and then nothing, but when removing the origin filter we appear to be getting thousands of alerts passing through. I am trying to run cp_log_export on the log server that is set up under the gateway (cpinfo output showing the applied HFA is below).

I have tried both the cp_log_export switch "filter-origin-in" and modifying "FilterConfiguration.xml", but when either is added no logs appear to be exported into Azure Sentinel and tcpdump shows no traffic after filtering based on origin.

Logs show the following origin within Smartconsole:

Blade: Firewall
Origin: fw-hq-cluster2
Service: TCP/80
Product Family: Access
Logid: 0
Access Rule Name: Clean Up Rule
Access Rule Number: 156

The filter configuration is shown below, but we do not appear to see any logs or syslogs sent. I am wondering if I am filtering based on the value?

more FilterConfiguration.xml
<filters>
    <filterGroup operator="and">
        <field name="action" operator="and">
        </field>
        <field name="origin" operator="or">
            <value operation="eq">fw-hq-cluster1</value>
            <value operation="eq">fw-hq-cluster2</value>
        </field>
        <field name="product" operator="or">
            <value operation="eq">Anti-Bot</value>
            <value operation="eq">Anti Malware</value>
            <value operation="eq">Threat Emulation</value>
            <value operation="eq">IPS</value>
            <value operation="eq">IPS-1</value>
            <value operation="eq">SmartDefense</value>
            <value operation="eq">MTA</value>
            <value operation="eq">Anti-Virus</value>
            <value operation="eq">New Anti Virus</value>
            <value operation="eq">Anti Virus</value>
            <value operation="eq">Anti-Spam and Email Security</value>
            <value operation="eq">Threat Extraction</value>
            <value operation="eq">MTA</value>
        </field>
    </filterGroup>
</filters>

cpinfo -y all

This is Check Point CPinfo Build 914000215 for GAIA
[IDA]
No hotfixes..

[MGMT]
HOTFIX_R80_40_JUMBO_HF_MAIN Take: 94

[CPFC]
No hotfixes..

[FW1]
HOTFIX_R80_40_JUMBO_HF_MAIN Take: 94
HOTFIX_GOT_TPCONF_MGMT_AUTOUPDATE

FW1 build number:
This is Check Point Security Management Server R80.40 - Build 037
This is Check Point's software version R80.40 - Build 118

[SecurePlatform]
HOTFIX_R80_40_JUMBO_HF_MAIN Take: 94

[CPinfo]
No hotfixes..

[AutoUpdater]
No hotfixes..

[Reporting Module]
HOTFIX_R80_40_JUMBO_HF_MAIN Take: 94

[CPuepm]
HOTFIX_R80_40_JUMBO_HF_MAIN Take: 94

[VSEC]
HOTFIX_R80_40_JUMBO_HF_MAIN Take: 94

[SmartLog]
HOTFIX_R80_40_JUMBO_HF_MAIN Take: 94

[R7520CMP]
No hotfixes..

[R7540CMP]
No hotfixes..

[R76CMP]
No hotfixes..

[SFWR77CMP]
No hotfixes..

[SFWR80CMP]
HOTFIX_R80_40_JHF_COMP Take: 94

[R77CMP]
HOTFIX_R80_40_JHF_COMP Take: 94

[R75CMP]
No hotfixes..

[NGXCMP]
No hotfixes..

[SFWCMP]
No hotfixes..

[FLICMP]
No hotfixes..

[SFWR75CMP]
No hotfixes..

[MGMTAPI]
No hotfixes..

[CPDepInst]
No hotfixes..

[CPUpdates]
BUNDLE_R80_40_JUMBO_HF_MAIN Take: 94
BUNDLE_HCP_AUTOUPDATE Take: 29
BUNDLE_GOT_TPCONF_MGMT_AUTOUPDATE Take: 32
BUNDLE_INFRA_AUTOUPDATE Take: 44
BUNDLE_DC_INFRA_AUTOUPDATE Take: 26
BUNDLE_DEP_INSTALLER_AUTOUPDATE Take: 23

[hcp_wrapper]
HOTFIX_HCP_AUTOUPDATE

[DIAG]
No hotfixes..

tail /opt/CPrt-R80.40/log_exporter/targets/AZ-SEN/log/log_indexer.elg
[14 Jul 13:27:13] LogsFormater::Process Log Skipped
[14 Jul 13:27:13] LogsFormater::Process Log Skipped
[14 Jul 13:27:13] LogsFormater::Process Log Skipped
[14 Jul 13:27:13] LogsFormater::Process Log Skipped
[14 Jul 13:27:13] LogsFormater::Process Log Skipped
[14 Jul 13:27:13] LogsFormater::Process Log Skipped
[14 Jul 13:27:13] LogsFormater::Process Log Skipped
[14 Jul 13:27:13] LogsFormater::Process Log Skipped
[14 Jul 13:27:13] LogsFormater::Process Log Skipped
[14 Jul 13:27:13] LogsFormater::Process Log Skipped

0 Kudos
3 Replies
Eduardo_Eiros
Contributor

Hi

I remember facing this problem. I think you should use the GW's main IP (as it appears in the GWs and Servers view) and not the names.

BR

0 Kudos
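To check a FilterConfiguration.xml for the problems visible in this thread before restarting the exporter, here is a small lint script. It is an added example, not part of the thread and not a Check Point tool; it assumes the <filters>/<filterGroup>/<field>/<value> layout exactly as posted above, and the "origin should be an IP" check is only a reflection of the advice in the reply (the sample XML and the 192.0.2.x addresses are constructed).

```python
"""Lint a cp_log_export FilterConfiguration.xml for issues seen in this thread.

Added example, not Check Point's code. Assumptions: the element layout is the one
posted (filters > filterGroup > field > value); origin values are expected to be
gateway IPs rather than object names, following the reply in the thread.
"""
import ipaddress
import xml.etree.ElementTree as ET

# Constructed sample: the poster's filter, trimmed, with one origin already
# changed to an IP and the duplicate "MTA" entry kept on purpose.
SAMPLE_XML = """<filters>
<filterGroup operator="and">
<field name="action" operator="and">
</field>
<field name="origin" operator="or">
<value operation="eq">192.0.2.10</value>
<value operation="eq">fw-hq-cluster2</value>
</field>
<field name="product" operator="or">
<value operation="eq">IPS</value>
<value operation="eq">MTA</value>
<value operation="eq">MTA</value>
</field>
</filterGroup>
</filters>"""


def is_ip(text):
    """True if text parses as an IPv4 or IPv6 address."""
    try:
        ipaddress.ip_address(text)
        return True
    except ValueError:
        return False


def lint_filter_config(xml_text):
    """Return a list of (severity, message) findings for the filter XML."""
    findings = []
    root = ET.fromstring(xml_text)
    if root.tag != "filters":
        findings.append(("error", "root element is <%s>, expected <filters>" % root.tag))
    for field in root.iter("field"):
        name = field.get("name", "?")
        values = [(v.text or "").strip() for v in field.findall("value")]
        # An empty <field> (like the posted <field name="action">) matches nothing useful.
        if not values:
            findings.append(("warning", "field '%s' has no <value> entries" % name))
            continue
        seen = set()
        for val in values:
            if val in seen:
                findings.append(("warning", "field '%s' lists value '%s' more than once" % (name, val)))
            seen.add(val)
            # Per the reply in the thread, the gateway's main IP matched where the
            # object name did not, so flag non-IP origins for review.
            if name == "origin" and not is_ip(val):
                findings.append(("warning", "origin value '%s' is not an IP address" % val))
    return findings


def replace_origins(xml_text, name_to_ip):
    """Return the XML with origin object names swapped for their IPs (mapping is caller-supplied)."""
    root = ET.fromstring(xml_text)
    for field in root.iter("field"):
        if field.get("name") != "origin":
            continue
        for v in field.findall("value"):
            key = (v.text or "").strip()
            if key in name_to_ip:
                v.text = name_to_ip[key]
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    for sev, msg in lint_filter_config(SAMPLE_XML):
        print("%s: %s" % (sev, msg))
    # Hypothetical name-to-IP mapping; take the real values from the Gateways & Servers view.
    fixed = replace_origins(SAMPLE_XML, {"fw-hq-cluster2": "192.0.2.11"})
    print(fixed)
```

Run it against a copy of the real file (read it into a string instead of SAMPLE_XML); the findings list is what to clear before restarting the target with cp_log_export. The script only rewrites origin values it has a mapping for, so anything it cannot resolve stays visible in the lint output.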
Networks_Team_B
Participant

I will try this and let you know how it goes.

How would I filter based on the VSX VS if filtering is only based on IP address?

Thanks

0 Kudos
Networks_Team_B
Participant

Filtering based on the IP worked, but I am not sure what to do for filtering based on VSX machines?

0 Kudos
