Hello everyone, is everything good? I need help.
I configured the Log Exporter, but the number of events arriving at the SIEM is very low. The evidence is below.
name: LOG_EXP domain-server: : CK
enabled: true
target-server: 10.0.1.1
target-port: 514
protocol: udp
format: syslog
read-mode: raw
export-attachment-ids: false
export-link: false
export-attachment-link: false
time-in-milli: false
export-log-position: false
reconnect-interval: Not configured, using default
Logs
[4011834176][31 May 12:09:42] Files read rate [adtlog] : Current=0 Avg=0 MinAvg=0 Total=2 buffers (0/0/0/0)
[4028619584][31 May 12:09:47] Files read rate [log] : Current=0 Avg=0 MinAvg=0 Total=13 buffers (0/0/0/0)
[4028619584][31 May 12:09:47] Sent current: 0 average: 0 total: 0
[4011834176][31 May 12:09:47] Files read rate [adtlog] : Current=0 Avg=0 MinAvg=0 Total=2 buffers (0/0/0/0)
[4028619584][31 May 12:09:52] Files read rate [log] : Current=0 Avg=0 MinAvg=0 Total=13 buffers (0/0/0/0)
[4028619584][31 May 12:09:52] Sent current: 0 average: 0 total: 0
[4011834176][31 May 12:09:52] Files read rate [adtlog] : Current=0 Avg=0 MinAvg=0 Total=2 buffers (0/0/0/0)
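As an added example (not code from the original post or from Check Point), here is a small Python parser for exporter status lines in the format quoted above; it flags the pattern shown there, where buffers have been read but the "Sent ... total" counter stays at 0. The sample lines are constructed to match the post, and reading the counters as "buffers read" and "records sent" is an assumption based on their names.

```python
import re

# Constructed sample in the same shape as the exporter status lines quoted above.
SAMPLE_LOG = """\
[4011834176][31 May 12:09:42] Files read rate [adtlog] : Current=0 Avg=0 MinAvg=0 Total=2 buffers (0/0/0/0)
[4028619584][31 May 12:09:47] Files read rate [log] : Current=0 Avg=0 MinAvg=0 Total=13 buffers (0/0/0/0)
[4028619584][31 May 12:09:47] Sent current: 0 average: 0 total: 0
[4011834176][31 May 12:09:52] Files read rate [adtlog] : Current=0 Avg=0 MinAvg=0 Total=2 buffers (0/0/0/0)
[4028619584][31 May 12:09:52] Files read rate [log] : Current=0 Avg=0 MinAvg=0 Total=13 buffers (0/0/0/0)
[4028619584][31 May 12:09:52] Sent current: 0 average: 0 total: 0
"""

# "Files read rate [<kind>] : Current=.. Avg=.. MinAvg=.. Total=<n> buffers"
READ_RE = re.compile(
    r"\]\[(?P<ts>[^\]]+)\] Files read rate \[(?P<kind>\w+)\] : "
    r"Current=(?P<cur>\d+) Avg=(?P<avg>\d+) MinAvg=(?P<minavg>\d+) Total=(?P<total>\d+) buffers"
)
# "Sent current: <n> average: <n> total: <n>"
SENT_RE = re.compile(
    r"\]\[(?P<ts>[^\]]+)\] Sent current: (?P<cur>\d+) average: (?P<avg>\d+) total: (?P<total>\d+)"
)


def summarize(text):
    """Return the latest 'Total' buffers read per log kind and the latest 'Sent' counters."""
    reads = {}
    sent = None
    for line in text.splitlines():
        m = READ_RE.search(line)
        if m:
            reads[m["kind"]] = int(m["total"])  # later lines overwrite earlier ones
            continue
        m = SENT_RE.search(line)
        if m:
            sent = {k: int(m[k]) for k in ("cur", "avg", "total")}
    return reads, sent


def diagnose(text):
    """Classify the exporter state from its status lines (assumed counter semantics)."""
    reads, sent = summarize(text)
    if sent is None:
        return "no 'Sent' counters found"
    buffers_read = sum(reads.values())
    if buffers_read > 0 and sent["total"] == 0:
        # The case in the post: input was read, nothing ever left the exporter.
        return "stalled: %d buffers read but nothing sent; verify target reachability and filters" % buffers_read
    if sent["cur"] == 0 and sent["avg"] == 0:
        return "idle: nothing new sent in this interval"
    return "flowing: %d records sent in total" % sent["total"]
```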
What troubleshooting have you already done and which version and JHF is the Management in this case?
Have you implemented any filters that we should be aware of?
Version R81.10 JHF 78.
What I did for troubleshooting was to analyze the logs.
To be honest, I'm not sure what "evidence" you're showing here.
What precise commands generated this output or what precise logs did you pull this output from?
Do you see traffic flowing to the destination syslog server with tcpdump?
A SYN/ACK would come from the remote syslog server in this case.
If you're not getting that, it means there's a basic networking problem (either routing, a middle device blocking the traffic, or both).
I made the change to send using the UDP protocol instead of TCP; now the SIEM team informs me that the volume of logs is low.
By what reasoning have your SIEM team concluded that "the volume of logs is low"?
Detailed comparisons of what's in SmartView versus the SIEM would need to be made starting from the moment logs started flowing via Log Exporter.
In general, the amount of logs sent by Log Exporter should be proportional to the current logs received on the logging server.
@FabioLima1 We definitely need more info here to be able to help you out better. When you indicate that the SIEM team told you the volume of logs is low, I'm not sure how to "digest" that info. Are they expecting to see a certain amount of logs per minute/hour/day? Whatever you see as far as the amount of logs on whatever log server it is, that's what should show up on the SIEM side.
We use SIEM for a few customers and so far, no issues as far as logs being received from the config we did in the Smart-1 Cloud environment.
Again, maybe doing some basic packet captures may help.
Andy
Hey mate,
Were you able to look into things we mentioned?
Andy
I did the capture and I see the logs going towards the SIEM. One question: I configured the Log Exporter on the MDS. Can you tell me if the MDS sends the logs, or only the CMA and CLM that forward the logs?
I don't believe configuring Log Exporter at the MDS level will export the logs from the various CMAs.
Each Domain would need to have Log Exporter configured on it.