Hello, community.
Is there a way to receive email notifications when someone logs in or out of my Check Point FW via WebUI and SSH?
We want to receive an alert in our personal @gmail emails... so we can be “aware” of an administrator's access to our FW, whether they are logging in through GAIA PORTAL or through SSH to the device.
We currently have a FW managed from Smart-1 Cloud.
Thank you for your comments.
I know we do that through SIEM.
AFAIK, there is no native, out-of-the-box functionality in Check Point to send email notifications on administrator logins or logouts (Gaia WebUI or SSH), for both on-prem management and Smart-1 Cloud.
Administrator access is recorded in the Audit logs. By forwarding these logs using Log Exporter to an external system that supports events and actions, such notifications can be implemented.
For example:
As we don’t use Smart-1 Cloud, anybody please correct me if I am wrong.
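The receiving side of the approach described in the reply above, as an added example that is not part of the thread and not Check Point code: it parses exported lines, keeps only login/logout audit records (optionally for named administrators) and composes the notification mail. The sample lines, the `key:"value";` layout and the field names (`operation`, `administrator`, `client_ip`) are assumptions to be checked against what your own target actually receives.

```python
import re
from email.message import EmailMessage

# Constructed sample lines (not captured from a real gateway). The key:"value";
# layout and the field names below are assumptions; check them on your receiver.
SAMPLE_LINES = [
    '<134>1 2026-03-10T08:15:02Z fw01 CheckPoint 4321 - [type:"audit"; '
    'operation:"Log In"; administrator:"alice"; client_ip:"10.1.1.50"; product:"WEB_UI"]',
    '<134>1 2026-03-10T08:16:40Z fw01 CheckPoint 4321 - [type:"log"; '
    'action:"Accept"; src:"10.1.1.7"; dst:"10.2.2.9"; product:"Firewall"]',
    '<134>1 2026-03-10T08:31:55Z fw01 CheckPoint 4321 - [type:"audit"; '
    'operation:"Log Out"; administrator:"alice"; client_ip:"10.1.1.50"; product:"WEB_UI"]',
    '<134>1 2026-03-10T09:02:11Z fw01 CheckPoint 4321 - [type:"audit"; '
    'operation:"Log In"; administrator:"svc-backup"; client_ip:"10.1.1.60"; product:"SSH"]',
]

PAIR = re.compile(r'(\w+):"((?:[^"\\]|\\.)*)"')   # key:"value" pairs
HEADER = re.compile(r'^<\d+>\d+ (\S+) (\S+)')      # <pri>version timestamp host
WATCHED_OPERATIONS = {"log in", "log out"}

def parse_line(line):
    """Return the key/value fields of one exported line, plus time and host."""
    fields = dict(PAIR.findall(line))
    header = HEADER.match(line)
    if header:
        fields["time"], fields["host"] = header.groups()
    return fields

def session_events(lines, admins=None):
    """Keep login/logout audit records, optionally only for the named admins."""
    events = []
    for line in lines:
        f = parse_line(line)
        if f.get("operation", "").lower() not in WATCHED_OPERATIONS:
            continue
        if admins is None or f.get("administrator") in admins:
            events.append(f)
    return events

def build_alert(event, sender, recipient):
    """Compose the notification; log fields are untrusted, so strip CR/LF."""
    clean = {k: re.sub(r"[\r\n]+", " ", v) for k, v in event.items()}
    msg = EmailMessage()
    msg["From"], msg["To"] = sender, recipient
    msg["Subject"] = (f'{clean.get("host", "?")}: {clean.get("operation", "?")} by '
                      f'{clean.get("administrator", "?")} from {clean.get("client_ip", "?")}')
    msg.set_content("\n".join(f"{k}: {v}" for k, v in sorted(clean.items())))
    return msg  # hand to smtplib.SMTP(...).send_message(msg) on your own relay
```

Setting `<log_types>` to `audit` in the target's `targetConfiguration.xml` keeps traffic logs from being exported at all, so the receiver only has to pick out the operations of interest.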
Hello.
In my scenario, where should the LOG EXPORTER be “configured”?
Because I only have full access to the FW, but not to the Smart-1 Cloud.
Is it possible that by configuring the LOG EXPORTER, we can “decide” which logs to send to the server?
Since we are only interested in the “Log in” and “Log out” that certain administrators do on our FW.
Hey bro,
This would be the file you need to modify for those things once all is configured. Example in my lab:
```
[Expert@CP-MANAGEMENT:0]# cd /opt/CPrt-R82/log_exporter/
[Expert@CP-MANAGEMENT:0]# cd targets/
[Expert@CP-MANAGEMENT:0]# ls
SentinelOne-XDR test-log
[Expert@CP-MANAGEMENT:0]# more SentinelOne-XDR/
*** SentinelOne-XDR/: directory ***
[Expert@CP-MANAGEMENT:0]# cd SentinelOne-XDR/
[Expert@CP-MANAGEMENT:0]# ls
conf data fieldsMapping.xml log log_exporter log_indexer_custom_settings.conf targetConfiguration.xml tmp
[Expert@CP-MANAGEMENT:0]# more targetConfiguration.xml
<?xml version="1.0" encoding="utf-8"?>
<export id="targetObjectUID"><!--object uuid!-->
    <version>9</version> <!-- Version of this file-->
    <is_enabled>true</is_enabled><!--Is the process allowed to run, and start on cpstart-->
    <!-- Destination section defines the properties of the export target -->
    <destination type="syslog"> <!-- Target output type -->
        <ip>172.16.10.108</ip><!--the ip of the syslog server-->
        <port>8002</port><!--the port on which the syslog is listening to-->
        <protocol>udp</protocol><!--udp/tcp-->
        <local_addr_ip></local_addr_ip><!--local address ip-->
        <!--the configuration of tls-->
        <transport>
            <security></security><!--clear/tls-->
            <!-- the following section is relevant only if <security> is tls -->
            <pem_ca_file></pem_ca_file>
            <p12_certificate_file></p12_certificate_file>
            <client_certificate_challenge_phrase></client_certificate_challenge_phrase>
        </transport>
        <reconnect_interval></reconnect_interval><!-- Shedule reconnection to the destination server (empty to disable [default] | number of minutes) -->
    </destination>
    <!-- Enrichment configuration, exporting domain server name, orig_log_server uuid and orig_log_server ip -->
    <data_enrichment>
        <export_domain>false</export_domain>
        <export_orig_log_server>false</export_orig_log_server>
    </data_enrichment>
    <!-- Filter Configuration -->
    <dynamicFilter>conf/FilterConfiguration.xml</dynamicFilter>
    <!-- Source section defines the properties of the input stream that will be exported -->
    <source>
        <log_files>1</log_files><!-- <Number> - read logs on-line | read logs from [number] days back (default 1) | specific file name -->
        <log_types></log_types><!--all[default]|log|audit/-->
        <folder></folder><!--$FWDIR/log[default]|specific path-->
        <read_mode>semi-unified</read_mode><!--raw|semi-unified[default]/-->
    </source>
    <export_log_position>false</export_log_position> <!-- True | False /-->
    <export_log_link>false</export_log_link> <!-- True | False /-->
    <export_attachment_link>false</export_attachment_link> <!-- True | False /-->
    <export_link_ip></export_link_ip> <!-- empty [defaut] | external IP /-->
    <export_attachment_ids>false</export_attachment_ids> <!-- True | False /-->
    <!-- Format section determines the form (headers and mappings) of the exported logs -->
    <format type="syslog"> <!--syslog | cef | rsa | leef | generic | splunk | this parameter may differ from the type of destination, for example, destination type = files/format type = CEF -->
        <resolver>
            <mappingConfiguration></mappingConfiguration><!--if empty the fields are sent as is without renaming-->
            <exportAllFields>true</exportAllFields> <!--in case exportAllFields=true - exported element in fieldsMapping.xml is ignored and fields not from fieldsMapping.xml are exported as notMappedField field-->
        </resolver>
        <!-- Format header configuration (actual to CEF see ./conf directory) -->
        <formatHeaderFile></formatHeaderFile>
    </format>
    <!-- Time In Milli Seconds -->
    <time_in_milli>false</time_in_milli>
    <!-- Skip logs incase of failure in sending-->
    <skip_failed_logs>false</skip_failed_logs>
    <!-- The following section is for future use of log filtering, please do not modify these values -->
    <filter filter_out_by_connection="false">
        <field name="product">
            <value>VPN-1 &amp; FireWall-1</value>
            <value>HTTPS Inspection</value>
            <value>VPN-1</value>
            <value>Security Gateway/Management</value>
            <value>Firewall</value>
            <value>FG</value>
        </field>
        <field name="fw_subproduct">
            <value>VPN-1 &amp; FireWall-1</value>
            <value>HTTPS Inspection</value>
            <value>VPN-1</value>
            <value>Security Gateway/Management</value>
            <value>Firewall</value>
            <value>FG</value>
        </field>
    </filter>
</export>
[Expert@CP-MANAGEMENT:0]#
```
Is LOG EXPORTER configured in Management?
So in my scenario, should I seek support from TAC?
I have no way to access my Smart-1 Cloud Tenant via CLI. 😑
You can configure it in SmartConsole, will take a video and share.
Nice
I always feel video is good reference.
100 % agree.
I would do that too, but since it's a bit more complicated for us (as is everything, really), I can only do so in very few cases and have to limit myself to text and links.
I totally get it. I do it since it's a lab anyway, so nothing secretive... at least that I know of 😂😂
Even setting up a lab is complicated for us. 😉
I get it, too many regulations, right? : - )
That too. And above all, overly complicated processes.
(At least if you want to make it official 😉 )
Thanks for the tip. 😊😁
I'll give it a try. 🤗
Excellent.
The option works well but in on-premise environments, because it turns out that in Smart-1 Cloud, I don't have the Management “object” option in SmartConsole.
It seems that at this point, I have to rely on TAC. 😅
Forgot about that, sorry mate. Yes, then TAC would be needed.
I researched on mobile, so no guarantee, but maybe you can check this guide to see how log forwarding to SIEM is configured in the cloud.
Those with a Playblocks license can notify of at least failed GUI logins and SSH. For the predefined examples you can check here: