This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Obiwan1968
Contributor
‎2020-04-08 06:07 AM

cp_log_export says "cannot initialize socket ($targetIp:514)"

Hi There

I tried a lot to solve this issue, but with no success. I am using R80.30 take 200 with standalone configuration 

I created a new exporter with
cp_log_export add name LOG-514 target-server 172.30.61.21 target-port 514 protocol tcp

and already get an error

sed: invalid option -- E
Error: Failed to set tag name: [is_enabled] as: true

Directory and files were created, so I can change call tghe settings by hand

<ip>$targetIp</ip><!--the ip of the syslog server-->
<port>$targetPort</port><!--the port on which the syslog is listening to-->
<protocol>$protocol</protocol><!--udp/tcp-->
<security></security><!--clear/tls-->

<ip>$targetIp</172.30.61.21><!--the ip of the syslog server-->
<port>$targetPort</514><!--the port on which the syslog is listening to-->
<protocol>$protocol</tcp><!--udp/tcp-->
<security></clear><!--clear/tls-->

changes those, the service is at least running now

[Expert@ips:0]# cp_log_export status

name: LOG-514
status: Running (829)
last log read at: 8 Apr 14:59:01
debug file: /opt/CPrt-R80.30/log_exporter/targets/LOG-514/log/log_indexer.elg

But there are still plenty of errors in the log_indexer.elg and I see no communiction on port TCP/514

[log_indexer 829 4126202768]@ips[8 Apr 14:58:56] SyslogTCPSender::connect: Failed to initialize socket ($targetIp:514)

... and 1000s of those within 2s

[log_indexer 829 4114566032]@ips[8 Apr 14:58:56] LogFormatExtractor::extractFields Filter List is empty

... at the end I see

[log_indexer 829 4136692624]@ips[8 Apr 15:04:11] SyslogTCPSender::connect: Failed to initialize socket ($targetIp:514)

[log_indexer 829 4126202768]@ips[8 Apr 15:04:11] SyslogTCPSender::connect: Failed to initialize socket ($targetIp:514)

[log_indexer 829 3973053328]@ips[8 Apr 15:04:11] Files read rate [adtlog] : Current=0 Avg=0 MinAvg=0 Total=18 buffers (0/0/0/0)

[log_indexer 829 3973053328]@ips[8 Apr 15:04:11] Sent current: 0 average: 0 total: 0

[log_indexer 829 3973053328]@ips[8 Apr 15:04:16] Files read rate [adtlog] : Current=0 Avg=0 MinAvg=0 Total=18 buffers (0/0/0/0)

[log_indexer 829 3973053328]@ips[8 Apr 15:04:16] Sent current: 0 average: 0 total: 0

[log_indexer 829 3973053328]@ips[8 Apr 15:04:21] Files read rate [adtlog] : Current=0 Avg=0 MinAvg=0 Total=18 buffers (0/0/0/0)

[log_indexer 829 3973053328]@ips[8 Apr 15:04:21] Sent current: 0 average: 0 total: 0

[log_indexer 829 3973053328]@ips[8 Apr 15:04:26] Files read rate [adtlog] : Current=0 Avg=0 MinAvg=0 Total=18 buffers (0/0/0/0)

[log_indexer 829 3973053328]@ips[8 Apr 15:04:26] Sent current: 0 average: 0 total: 0

[log_indexer 829 3973053328]@ips[8 Apr 15:04:31] Files read rate [adtlog] : Current=0 Avg=0 MinAvg=0 Total=18 buffers (0/0/0/0)

[log_indexer 829 3973053328]@ips[8 Apr 15:04:31] Sent current: 0 average: 0 total: 0

Anyone having any idea what I could try? I guess the service is running but not correctly initialised, therefore no communication to the syslog server possible.

0 Kudos
6 Replies
PhoneBoy
Admin
Admin
‎2020-04-09 10:34 PM

What version/JHF are we talking?
0 Kudos
Obiwan1968
Contributor
‎2020-04-09 10:43 PM
In response to PhoneBoy

It's R80.30 Take 200

0 Kudos
Norbert_Bohusch
Advisor
‎2020-04-09 11:55 PM

If you really put it lilke this:

<ip>$targetIp</172.30.61.21><!--the ip of the syslog server-->
<port>$targetPort</514><!--the port on which the syslog is listening to-->
<protocol>$protocol</tcp><!--udp/tcp-->
<security></clear><!--clear/tls-->

 

Then the fault is, that its wrong. It should be:

<ip>172.30.61.21</ip>

<port>514</port>

<protocol>tcp</protocol>

<security>clear</security>

0 Kudos
Obiwan1968
Contributor
‎2020-04-12 01:10 AM
In response to Norbert_Bohusch

Then it would be?
<ip>172.30.61.21</ip>
The backslash before the </ip> not behind the "21/<ip>"

I will try on Tuesday, until than we have freeze

0 Kudos
Norbert_Bohusch
Advisor
‎2020-04-14 10:33 PM
In response to Obiwan1968

Yes, sorry for that typo.
0 Kudos
Obiwan1968
Contributor
‎2020-04-14 10:47 PM
In response to Norbert_Bohusch

Works! Thanks a lot!

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events