This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
net-harry
Collaborator
‎2020-07-02 01:07 AM
Jump to solution

Log export for virtual system on VSX

Dear All,

One of our customers would like to receive their firewalls logs on their SIEM (Splunk).

They are currently using a shared firewall and we want to ensure they only get their own logs. We are planning to move them to a dedicated virtual firewall on VSX.

Could we send them logs directly from their virtual system in SMS (potentially using Log Exporter and filter-origin-in) or would it be better to use MDS and create a separate domain for them?

We are currently running R80.20, take 118.

Thanks for your help!

Best regards,

Harry

1 Solution

Accepted Solutions
HeikoAnkenbrand
Champion Champion
Champion
‎2020-07-02 01:09 PM
Jump to solution

Hi @net-harry,

I think it is both possible:

1) Use a MDS and create a second CMA or log server.
2) Use the filter configuration file. Is located under each target folder: $EXPORTERDIR/targets/<target-name>/conf/FilterConfiguration.xml. The filtering feature allows to decide which logs will be exported based on values on the raw log. More read here sk122323.

➜ CCSM Elite, CCME, CCTE ➜ www.checkpoint.tips

View solution in original post

3 Replies
HeikoAnkenbrand
Champion Champion
Champion
‎2020-07-02 01:09 PM
Jump to solution

Hi @net-harry,

I think it is both possible:

1) Use a MDS and create a second CMA or log server.
2) Use the filter configuration file. Is located under each target folder: $EXPORTERDIR/targets/<target-name>/conf/FilterConfiguration.xml. The filtering feature allows to decide which logs will be exported based on values on the raw log. More read here sk122323.

➜ CCSM Elite, CCME, CCTE ➜ www.checkpoint.tips
Magnus-Holmberg
Advisor
‎2020-07-02 01:28 PM
Jump to solution

Using a seperate CMA per customer with MDS gives alot more flexibility.
If possible i would go for that soultion all days of the week 🙂

https://www.youtube.com/c/MagnusHolmberg-NetSec
net-harry
Collaborator
‎2020-07-03 07:38 AM
In response to Magnus-Holmberg
Jump to solution

@HeikoAnkenbrand  and @Magnus-Holmberg  Thanks for your help!

I will try and check which solution would be most suitable for us.

Best regards,

Harry

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events