Joe_Matthews
Participant

log exporter filterconfiguration

Hello.  I am wondering if anyone has experience in working with the filterconfiguration.xml file.  We are trying to filter out so we get all logs for certain blades and then only logs with certain severity for other blades.  We would like all Identity Awareness, Content, Application Control and URL filtering.  Then severity 3 or 4 for Threat, AV, IPS, etc.  Below is the config we are trying to use but as soon as we put in the severity we get almost no logs for any blades. I suspect that is because it is applying severity to the other blades which do not have that field.  Do we need to put the severity field under each blade that we want only those severity levels? 
<filters>
        <filterGroup operator="and">
                <field name="action" operator="and">
                </field>
                <field name="origin" operator="and">
                </field>
                <field name="product" operator="or">
                        <value operation="eq">Identity Awareness</value>
                        <value operation="eq">Content Awareness</value>
                        <value operation="eq">Application Control</value>
                        <value operation="eq">URL Filtering</value>
                </field>
                <field name="product" operator="or">
                        <value operation="eq">Anti-Bot</value>
                        <value operation="eq">Anti Malware</value>
                        <value operation="eq">IPS</value>
                        <value operation="eq">IPS-1</value>
                        <value operation="eq">SmartDefense</value>
                        <value operation="eq">Anti-Virus</value>
                        <value operation="eq">New Anti Virus</value>
                        <value operation="eq">Anti Virus</value>
                        <value operation="eq">Threat Extraction</value>
                </field>
                <field name="severity" operator="and">
                        <value operation="eq">3</value>
                        <value operation="eq">4</value>
                </field>
        </filterGroup>
</filters>


Accepted Solutions
PhoneBoy
Admin

Edited your original post for clarity.
I don't think this will match anything:

                <field name="severity" operator="and">
                        <value operation="eq">3</value>
                        <value operation="eq">4</value>
                </field>
It should be an operator="or" in this case, at least if I'm understanding sk122323 correctly.
Also, everything in the filterGroup must match (e.g. product = X AND severity = Y).

That basically means you'll need to create two different filterGroups (one with the blades you want to send based on priority and one with the blades you want to send irrespective of priority).
Whether you can put that in one filterConfiguration.xml or you'll need to configure a second export to the same server with the other filterConfiguration, I'm not sure. 

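The two points in the accepted answer (a severity field with operator="and" and two eq values can never match, and every field inside one filterGroup must match) can be checked mechanically. The Python below is an added example, not Check Point code and not taken from sk122323: a small matcher that applies exactly those rules to filterConfiguration.xml-style filters and constructed log records. It assumes that a field with no value elements imposes no constraint, that a record lacking the named field fails that field, and that filterGroups may be nested under a top-level operator="or" group (the thread leaves open whether Log Exporter accepts that). On the sample records it shows that the original single-group filter keeps nothing, that changing only the severity operator to "or" still keeps nothing because the two product fields in the same AND group can never both match, and that the two-group layout keeps every Identity Awareness and URL Filtering record plus IPS and SmartDefense records of severity 3 or 4.

```python
"""Toy matcher for a Log Exporter filterConfiguration.xml-style filter.
Added example, not Check Point code: it applies the rules from the accepted
answer (every child of an operator="and" group or field must match, any child
of an operator="or" one) to constructed log records."""
import xml.etree.ElementTree as ET

# Constructed: one AND group shaped like the original post (action/origin omitted).
ORIGINAL_FILTER = """\
<filters>
  <filterGroup operator="and">
    <field name="product" operator="or">
      <value operation="eq">Identity Awareness</value>
      <value operation="eq">URL Filtering</value>
    </field>
    <field name="product" operator="or">
      <value operation="eq">IPS</value>
      <value operation="eq">SmartDefense</value>
    </field>
    <field name="severity" operator="and">
      <value operation="eq">3</value>
      <value operation="eq">4</value>
    </field>
  </filterGroup>
</filters>
"""

# Constructed: the two groups the accepted answer proposes, joined under one
# top-level OR group. Nested filterGroups are an assumption of this example.
TWO_GROUP_FILTER = """\
<filters>
  <filterGroup operator="or">
    <filterGroup operator="and">
      <field name="product" operator="or">
        <value operation="eq">Identity Awareness</value>
        <value operation="eq">URL Filtering</value>
      </field>
    </filterGroup>
    <filterGroup operator="and">
      <field name="product" operator="or">
        <value operation="eq">IPS</value>
        <value operation="eq">SmartDefense</value>
      </field>
      <field name="severity" operator="or">
        <value operation="eq">3</value>
        <value operation="eq">4</value>
      </field>
    </filterGroup>
  </filterGroup>
</filters>
"""

# Constructed sample records; the Identity Awareness one has no severity field.
SAMPLE_LOGS = [
    {"product": "Identity Awareness", "origin": "gw-a"},
    {"product": "URL Filtering", "severity": "1"},
    {"product": "IPS", "severity": "3"},
    {"product": "IPS", "severity": "1"},
    {"product": "SmartDefense", "severity": "4"},
    {"product": "VPN", "severity": "4"},
]

_AGG = {"and": all, "or": any}  # XML operator attribute -> aggregator

def _match_field(field, log):
    values = list(field)
    if not values:
        return True   # assumption: a field with no values is no constraint
    name = field.get("name")
    if name not in log:
        return False  # the record has no such field, so no value test holds
    if {v.get("operation") for v in values} != {"eq"}:
        raise ValueError("only operation='eq' is modelled here")
    return _AGG[field.get("operator", "and")](
        str(log[name]) == (v.text or "").strip() for v in values)

def _match_node(node, log):
    if node.tag == "field":
        return _match_field(node, log)
    if node.tag == "filterGroup":  # assumption: groups may nest
        return _AGG[node.get("operator", "and")](
            _match_node(child, log) for child in node)
    raise ValueError(f"unexpected element <{node.tag}>")

def exported(filter_xml, logs):
    """Return (product, severity) pairs of the records the filter keeps."""
    root = ET.fromstring(filter_xml)
    if root.tag != "filters":
        raise ValueError("root element must be <filters>")
    return [(log["product"], log.get("severity")) for log in logs
            if all(_match_node(child, log) for child in root)]

def severity_or_only():
    """Original filter with only the severity operator changed to "or"."""
    return ORIGINAL_FILTER.replace('name="severity" operator="and"',
                                   'name="severity" operator="or"')

if __name__ == "__main__":
    print("original:          ", exported(ORIGINAL_FILTER, SAMPLE_LOGS))
    print("severity 'or' only:", exported(severity_or_only(), SAMPLE_LOGS))
    print("two groups:        ", exported(TWO_GROUP_FILTER, SAMPLE_LOGS))
```

The matcher is deliberately strict about what it models (only operation="eq"), so an unexpected element or operation raises instead of silently passing; the real Log Exporter semantics for empty fields and missing record fields are not stated in the thread, which is why those two behaviours are marked as assumptions in the code.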
7 Replies
Ravoth
Participant

Hello @PhoneBoy

Thank you for sharing. I am facing an issue regarding the audit log from SmartConsole when using Log Exporter. Could you help by providing more statements to filter the audit log?
Best Regards,

Ravoth
AaronCP
Advisor

Hey @Ravoth,
I am forwarding audit logs from our Management Server (shows SmartConsole logins, Web API logins, policy installations, etc) using the following config on the Mgmt:
cp_log_export add name auditlogs.mgmt target-server x.x.x.x target-port 12214 protocol tcp format cef
cp_log_export set name auditlogs.mgmt filter-origin-in "x.x.x.x"

Ravoth
Participant

Hi @AaronCP ,

How about the command line to filter logs? Where do we set that?

Ravoth
AaronCP
Advisor

Hey @Ravoth,
I'm pretty sure you would need to use the FieldsMapping.xml to specifically filter the logs you want.
SK122323 gives a detailed explanation of the filtering capabilities in Log Exporter. Also, SK144192 gives a list of fields in the Check Point logs (including Management Server).

omidrajaee
Explorer

Hello, how can I find out which product I should use? Do I need all of them, or is only SmartDefense enough? I used Confidence Level as well, but I am not getting the "unknown" logs which I had before editing the xml file.

PhoneBoy
Admin

Depends on what products you have…and what products you want logs sent on.
IPS is somewhat unique in that some protections still show up as SmartDefense (legacy name for IPS-type functionality).
Best to look at the log entries you for sure want and make sure you account for them in the filter configuration.
