RafaelSantiago
Participant

Using rule_uid filter in log search

Hi all,

I've been building a script that uses Management API to gather some information regarding logs.

I was trying to use the filter rule_uid, to just see logs regarding one specific rule, but no matter what uid I use, I never get results. I can just search for the UID of the rule with no key information, and it looks like only logs from that rule appear; however, I would feel more confident if I could use a key:value filter to guarantee that I only get the logs I require (I attached photos of the filter results in the post).


I know about the rule:<number of rule> filter, but I have multiple policies, so multiple rules numbered 1, 2, 3, etc. I could match that with the origin or something like that, but my life would be a lot easier if the filter rule_uid just worked.

Am I using the filter correctly? Does anyone else know of a key:value filter that would give me all logs of a specific rule, and that doesn't rely on repeatable values, like rule number or rule name?

Regards,

Rafael Santiago

0 Kudos
1 Solution

6 Replies
the_rock
MVP Platinum

I'm fairly sure it only works with the UID itself, not the rule_uid: flag, but I could be mistaken. Let me play around with it in the lab and I will update you.

Best,
Andy
RafaelSantiago
Participant

You might be right. It is weird that we would have a rule_uid filter that doesn't work though, even though it is hidden under the Other fields option. Perhaps a leftover from previous versions.

Either way thank you for testing. 

Regards,

Rafael Santiago

the_rock
MVP Platinum

I think I got it...see below. It's a bit odd, since that field is NOT listed in the log search options in SmartConsole.

https://sc1.checkpoint.com/documents/R81/WebAdminGuides/EN/CP_R81_SecurityManagement_AdminGuide/Topi...

layer_uuid_rule_uuid:(*_b4df506d-1437-4248-958a-7c6f80dd91a3)


Best,
Andy
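As an added example (not from the thread and not Check Point's own code): a small Python helper that builds Andy's filter from a rule UID for a show-logs request and then re-checks the returned records client-side, which is the "guarantee" Rafael asked for. The show-logs body keys (new-query, filter, time-frame, max-logs-per-request) are as I know the Management API; the '<layer uid>_<rule uid>' layout of the field is inferred from the '*_' wildcard in the filter; the log records are constructed, not real.

```python
import uuid
from typing import Any, Dict, Iterable, List

FIELD = "layer_uuid_rule_uuid"  # log field the thread's filter matches on


def rule_uid_filter(rule_uid: str) -> str:
    """Return layer_uuid_rule_uuid:(*_<rule uid>), the filter from the thread.

    uuid.UUID rejects anything that is not a UUID, so a typo or a rule *number*
    passed by mistake fails loudly instead of silently matching nothing.
    """
    normalized = str(uuid.UUID(rule_uid.strip()))  # lowercase, hyphenated
    return f"{FIELD}:(*_{normalized})"


def show_logs_body(rule_uid: str, time_frame: str = "last-7-days",
                   max_logs: int = 100) -> Dict[str, Any]:
    """Body for POST /web_api/show-logs ('new-query' form; keys as assumed above)."""
    return {"new-query": {"filter": rule_uid_filter(rule_uid),
                          "time-frame": time_frame,
                          "max-logs-per-request": max_logs}}


def logs_for_rule(logs: Iterable[Dict[str, Any]], rule_uid: str) -> List[Dict[str, Any]]:
    """Keep only records whose layer_uuid_rule_uuid ends in '_<rule uid>'.

    Cheap insurance against a server-side filter that is ignored (the original
    problem): the field is assumed to be '<layer uid>_<rule uid>'.
    """
    want = str(uuid.UUID(rule_uid.strip()))
    kept = []
    for rec in logs:
        value = str(rec.get(FIELD, "")).lower()
        if "_" in value and value.rsplit("_", 1)[-1] == want:
            kept.append(rec)
    return kept


# Constructed sample records (not real logs). Two policies both have a rule
# numbered 1, so 'rule:1' is ambiguous; the third record shows the same rule
# logged under a different number after a rule was inserted above it.
LAYER_A = "0f1e2d3c-0000-4000-8000-000000000001"
LAYER_B = "0f1e2d3c-0000-4000-8000-000000000002"
SAMPLE_LOGS = [
    {"rule": "1", "layer_name": "Policy-A", FIELD: f"{LAYER_A}_b4df506d-1437-4248-958a-7c6f80dd91a3"},
    {"rule": "1", "layer_name": "Policy-B", FIELD: f"{LAYER_B}_11111111-2222-4333-8444-555555555555"},
    {"rule": "2", "layer_name": "Policy-A", FIELD: f"{LAYER_A}_b4df506d-1437-4248-958a-7c6f80dd91a3"},
    {"rule": "3", "layer_name": "Policy-A"},  # field absent: never matches
]

if __name__ == "__main__":
    print(show_logs_body("b4df506d-1437-4248-958a-7c6f80dd91a3"))
    print(len(logs_for_rule(SAMPLE_LOGS, "B4DF506D-1437-4248-958A-7C6F80DD91A3")))  # 2
```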
RafaelSantiago
Participant

Perfect, it also works on my end.

The filter they show doesn't work but this hidden filter does 😅.

Thanks for the help!

Regards,

Rafael Santiago

the_rock
MVP Platinum

If you want me to test anything else in the lab, please let me know. I have a really good R82 lab that manages both R82 and R81.20 clusters, as well as a dedicated R82 SmartEvent server, so it's super convenient for any testing.

Best,
Andy
0 Kudos
the_rock
MVP Platinum

Of course mate! We all work as a team to find the solution, happy we could help.

Best,
Andy
0 Kudos
