Hi,
cp_log_export on MDS R81.10 runs fine. Multiple instances and destinations based on customer.
However, just recognized that the 'origin' in the external logging system appears with IP address instead of hostname or FQDN.
Looking at the MDS log inside a certain domain with the command 'fw log', the hostname of the gateways is visible. So my assumption was that this hostname should also be visible as origin.
I could not find the correct filter/parameter in sk122323.
BTW, the hostnames of the MDS's appear properly.
Any ideas?
Thanks
Best Regards
Origin is logged as an IP address, not a name.
Which means that’s exactly how Log Exporter will see and export that field.
In fw log and in SmartView, the origin IP is getting resolved automatically to a name when viewed.
What you’re asking for is very likely an RFE.
For reference, log field descriptions are detailed in sk144192.
Hi,
The desired fields are in sk144192. But they can't be edited.
You can get the information about the log fields in one of these files (do not edit them) on your Management Server:
Or does it mean it will be sent out by the cp_log_exporter tool and the destination logging tool does not interpret it, or interprets it in a wrong manner?
Best Regards
What is the far end and what log format are you currently sending?
Some will have a specific parser or may require field mapping changes to achieve.
Hi,
Not exactly sure what the underlying technology of the data lake is (remote side).
CEF is the desired protocol of the datalake-team.
name: LOG1
domain-server: DOM1
enabled: true
target-server: x.x.x.x
target-port: xxx
protocol: tcp
format: cef
read-mode: raw
export-attachment-ids: false
export-link: false
export-attachment-link: false
In the end, I am trying to understand if Check Point sends the hostname,
or if there is a parser issue on the remote side.
Thanks
Regards
Looking at my lab Splunk environment (using SPLUNK format), here is a log I received. The origin is the main IP of the GW as listed in SmartConsole. You could use the originsicname field for the GW name. You could also, if you wanted, parse it with a regex pattern, but depending on volume this may add an extra bit of CPU load to your log environment that may not be acceptable.
Thanks Joseph,
I made some tests on SmartCenter R81.10 HF78 to rule out the CEF topic. Simple tcpdump on the management station. Even with standard syslog, origin is always an IP address.
Which is, in my understanding, contrary to the statement in sk144192:
origin Orig string Name of the first Security Gateway that reported this event Yes
origin_ip N/A ipaddr IP address of the Security Gateway that generated this log Yes
The file $RTDIR/log_exporter/conf/LogFields.xml shows:
<field>
<log_field>orig</log_field>
<display_name>Origin</display_name>
<lea_type>ipaddr</lea_type>
<family>Log Info</family>
<deafult_width></deafult_width>
<resolve_type>_V4</resolve_type>
<no_index></no_index>
<no_show></no_show>
<dns_resolving>true</dns_resolving>
</field>
<field>
<log_field>origin_sic_name</log_field>
<display_name>Origin SIC Name</display_name>
<lea_type>string_id</lea_type>
<family></family>
<deafult_width></deafult_width>
<resolve_type></resolve_type>
<no_index></no_index>
<no_show></no_show>
</field>
<field>
<log_field>originip</log_field>
<display_name>Origin IP</display_name>
<lea_type>ipaddr</lea_type>
<family></family>
<deafult_width></deafult_width>
<resolve_type></resolve_type>
<no_index></no_index>
<no_show></no_show>
<dns_resolving>true</dns_resolving>
</field>
Regarding the SIC name proposal:
The SIC name contains the hostname of the firewall and the name of the 'initial management station'.
So, if you have a grown environment with old, migrated management stations, you will see a lot of old stuff.
And even with that, it shows the hostname, not the FQDN:
CN\=fw1,O\=OLD-INITIAL-MANAGEMENTSTATAION.xyz.RANDOM
In the end, the question is:
Why is Check Point not sending 'origin' as a name, or how can I enable this feature?
Best Regards
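Since the thread establishes that Log Exporter emits origin as an IP and that the gateway name is only recoverable from originsicname (Joseph's suggestion above, with the caveat that the SIC name carries the short hostname plus the initial management station's name), here is a small ingest-side normaliser. This is an added example, not code from the thread or from Check Point: the CEF line is constructed for illustration, and it assumes the extension keys origin / originsicname and the backslash-escaped '=' inside the SIC value look as they do in the samples quoted above.

```python
import re
from ipaddress import ip_address

# Constructed sample event (not captured from a real system): a CEF line in the
# shape Log Exporter produces for format "cef". Values are invented; the SIC name
# copies the pattern shown in the thread, where '=' inside a value is escaped as '\='.
SAMPLE_CEF = (
    "CEF:0|Check Point|VPN-1 & FireWall-1|Check Point|Log|Log|Unknown|"
    "act=Accept origin=10.0.0.1 "
    "originsicname=CN\\=fw1,O\\=OLD-INITIAL-MANAGEMENTSTATAION.xyz.RANDOM "
    "src=192.0.2.10 dst=198.51.100.5 proto=tcp msg=Rule 7 matched"
)

# A CEF extension key starts at the beginning of the extension or after whitespace.
_KEY_RE = re.compile(r"(?:^|\s)([A-Za-z0-9_]+)=")
# CN component of a SIC distinguished name, e.g. "CN=fw1,O=mgmt.xyz.abcdef".
_SIC_CN_RE = re.compile(r"(?:^|,)CN=([^,]+)")


def _unescape(value):
    """Undo CEF extension escaping: a backslash followed by any character
    (backslash-equals, backslash-backslash) yields that character."""
    return re.sub(r"\\(.)", lambda m: m.group(1), value)


def parse_cef(line):
    """Split a CEF line into its 7 header fields plus a dict of extension key/values.
    Header fields are split on unescaped '|'. Extension values may contain spaces
    (msg=...), so the extension is sliced between key positions, not split on
    whitespace."""
    parts = re.split(r"(?<!\\)\|", line, maxsplit=7)
    if len(parts) != 8 or not parts[0].startswith("CEF:"):
        raise ValueError("not a CEF line")
    header_names = ["version", "vendor", "product", "device_version",
                    "signature_id", "name", "severity"]
    header = dict(zip(header_names, parts[:7]))
    ext = parts[7]
    matches = list(_KEY_RE.finditer(ext))
    extensions = {}
    for i, m in enumerate(matches):
        start = m.end()
        end = matches[i + 1].start() if i + 1 < len(matches) else len(ext)
        extensions[m.group(1)] = _unescape(ext[start:end].strip())
    return header, extensions


def gateway_name_from_sic(sic_name):
    """Return the gateway object name from the CN part of a SIC DN, or None.
    Caveat from the thread: this is the short name as enrolled, not a FQDN, and
    the O= part names the *initial* management, which may be stale after migrations."""
    m = _SIC_CN_RE.search(sic_name or "")
    return m.group(1) if m else None


def normalise_origin(extensions):
    """Return (origin_ip, origin_name) for one parsed event.
    origin is exported as an IP (as the thread shows), so the name is derived
    from originsicname. If origin were ever a non-IP string, keep it as the name."""
    origin = extensions.get("origin", "")
    try:
        ip = str(ip_address(origin))
        name = gateway_name_from_sic(extensions.get("originsicname"))
    except ValueError:
        ip, name = None, (origin or None)
    return ip, name


if __name__ == "__main__":
    hdr, ext = parse_cef(SAMPLE_CEF)
    print(hdr["vendor"], hdr["product"])
    print(normalise_origin(ext))  # ('10.0.0.1', 'fw1')
```

The parser only recovers what Log Exporter actually sends: the IP from origin and the enrolled object name from the SIC CN. Mapping that short name to an FQDN (or a current management name) has to come from your own inventory or DNS on the collector side; nothing in the exported event carries it.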
Hi,
Thanks
Then I do not understand the SK: sk144192.
But in this case, I will consider creating an RFE.
Thanks, Regards
I can see where the SK mentions name in that field.
In which case, it might be a bug and you will need to address it with the TAC.
FYI: TAC: not supported
RFE has been created
Thanks