Mike_Epplin
Explorer

Log Exporter not Showing all Fields

I have log exporter set up to export logs via syslog in CEF format. I'm noticing that a lot of the IPS logs are often missing fields, mainly the destination IP and ports. I've verified that these fields are listed in the conf files and not being blocked from being exported. I've pasted a couple of examples below. This is for R80.20. I'm wondering if anyone else has seen this, or if this is normal, and if so, any ideas as to why?

Examples: 

"CEF:0|Check Point|SmartDefense|Check Point|IPS|Command Injection Over HTTP|Very-High|cp_severity=Very-High cs2Label=Protection ID cs2=asm_dynamic_prop_CMD_INJECTION cs3Label=Protection Type cs3=IPS cs4Label=Protection Name cs4=Command Injection Over HTTP deviceDirection=0 flexNumber1Label=Confidence flexNumber1=3 flexNumber2Label=Performance Impact flexNumber2=3 flexString2Label=Attack Information flexString2=Command Injection Over HTTP msg=Web Server Enforcement Violation rt=1553065375000 loguid={0x5c91e59f,0x1c,0x1520d30a,0xc000000a} origin=0.0.0.0 originsicname=CN\=ABCDEF,O\=myname.com sequencenum=1777 version=5 description_url=CMD_INJECTION_help.html product=SmartDefense smartdefense_profile=g_Production_and_QA_DEV_IPS src=120.27.248.226"

"CEF:0|Check Point|SmartDefense|Check Point|anomaly|Non Compliant DNS|Very-High|act=Drop cp_severity=Very-High cnt=22 cs2Label=Protection ID cs2=DnsProtocolEnforcement cs3Label=Protection Type cs3=anomaly cs4Label=Protection Name cs4=Non Compliant DNS deviceDirection=0 flexNumber1Label=Confidence flexNumber1=3 flexNumber2Label=Performance Impact flexNumber2=2 flexString2Label=Attack Information flexString2=Illegal number of Resource Records msg=Non Compliant DNS rt=1553138597000 ifname=lo loguid={0x0,0x0,0x0,0x0} origin=10.211.32.21 originsicname=CN\=ABCDEF,O\=myname.com sequencenum=276 version=5 product=SmartDefense rule=554 rule_name=4.551_._._OPEN-RULE-BAD rule_uid=c2ea1bf4-908d-4905-acf4-e8349562478b smartdefense_profile=g_Production_and_QA_DEV_IPS_79ca84b7e1848eb9 sub_policy_name=Production_Global Security sub_policy_uid=9b1c034b-b8a9-4dda-95ec-919ea0a79097 summary=Detected 22 events associated with the following attack: Attack name: Non Compliant DNS Attack data: Illegal number of Resource Records Packet Info: DNS query length 570 exceeds the allowed length 512 See sk73240 for more information."


"CEF:0|Check Point|SmartDefense|Check Point|IPS|Brute Force Scanning of CIFS Ports|Medium|cp_severity=Medium cs2Label=Protection ID cs2=asm_dynamic_prop_CIFS_BF_PORT_SCAN cs3Label=Protection Type cs3=IPS cs4Label=Protection Name cs4=Brute Force Scanning of CIFS Ports deviceDirection=0 flexNumber1Label=Confidence flexNumber1=1 flexNumber2Label=Performance Impact flexNumber2=2 flexString2Label=Attack Information flexString2=Brute Force scanning of CIFS ports msg=Windows SMB Protection Violation rt=1553043683000 loguid={0x5c9190e3,0xe,0x3e20d30a,0xc000000a} origin=0.0.0.0 originsicname=CN\=ABCDEF,O\=namegoeshere.dev.com55k sequencenum=229 version=5 description_url=CIFS_BF_PORT_SCAN_help.html product=SmartDefense smartdefense_profile=g_Production_and_QA_DEV_IPS src=10.211.68.109"

Accepted Solutions
Dan_Zada
Employee Alumnus
Please try to change the log exporter configuration to use "semi-unified" reading mode (described in SK122323).
Let me know if it helped.

8 Replies
PhoneBoy
Admin

Have you confirmed the log entries these correspond to in SmartView have the information?

Mark_Gurevich
Contributor

Hi Mike,

We encounter the same problem in the same environment.

Were you able to figure out the reason?

Thanks in advance

JS_FW
Participant

We are also experiencing a similar issue in our environment. I have a ticket opened with TAC and have also notified our SE, but wanted to see if any insight could be shared here. He did switch to semi-unified read mode, and that improved things, but we are still missing some of the data on a subset of exported logs.

We are on R80.30 with JHF Take 111 and are exporting to LogRhythm. FWIW, I ran some pcaps and the missing data is evident there. Any guidance appreciated.

Shay_Hibah
Employee Alumnus

Hi,

You mentioned that you cannot see all fields in the log entries after the export operation.

Can you please tell me what made you think these fields should be there?

What you actually can do is find one log entry that may be "broken" in LogRhythm and look for the same log (from the same time) in your SmartConsole.

All fields should behave the same, meaning that every field that exists in SmartConsole should also be seen in LogRhythm.

If you need additional help with it, please contact me at shayhi@checkpoint.com and I will try my best to help.
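
The comparison Shay describes (pick a "broken" event on the SIEM side, then find the same event in SmartConsole) is easier if the exported CEF lines are first parsed and audited mechanically. The script below is an added example for this thread, not Check Point's code and not part of any post: it splits the CEF header (honouring the escaped pipe and backslash the format allows), parses the extension into key/value pairs (honouring the escaped "=" seen in originsicname above), and for each event reports which of a list of expected keys is absent or empty, together with loguid and the UTC time decoded from rt so the event can be looked up in SmartLog. Reporting both "key absent" and "key present but empty" covers the distinction JS_FW draws between missing fields and missing data. The list of expected keys (src, dst, dpt, act) is an assumption for illustration; which of them a particular IPS protection actually populates depends on the protection. The first two sample lines are shortened copies of the lines in the original post; the third is constructed here, with all expected fields and an escaped pipe in the name, to show what a complete record looks like.

```python
"""Audit Check Point CEF syslog lines for missing connection fields.

Added example for this thread (not Check Point's code). Parses the CEF
header and extension, then reports which expected keys each event lacks,
with loguid and rt decoded so the event can be matched in SmartConsole.
"""
import re
from datetime import datetime, timezone

HEADER_KEYS = ("version", "device_vendor", "device_product",
               "device_version", "signature_id", "name", "severity")

# Keys we expect on an IPS/connection log. Assumption for this example only:
# which of these a given protection really populates is product-specific.
EXPECTED = ("src", "dst", "dpt", "act")

# Sample input. Lines 1-2: shortened copies of lines from the post (quotes
# removed). Line 3: constructed for this example, not from the post.
SAMPLE_LINES = [
    r"CEF:0|Check Point|SmartDefense|Check Point|IPS|Command Injection Over HTTP|Very-High|cp_severity=Very-High cs2Label=Protection ID cs2=asm_dynamic_prop_CMD_INJECTION cs4Label=Protection Name cs4=Command Injection Over HTTP deviceDirection=0 msg=Web Server Enforcement Violation rt=1553065375000 loguid={0x5c91e59f,0x1c,0x1520d30a,0xc000000a} origin=0.0.0.0 originsicname=CN\=ABCDEF,O\=myname.com sequencenum=1777 version=5 product=SmartDefense src=120.27.248.226",
    r"CEF:0|Check Point|SmartDefense|Check Point|anomaly|Non Compliant DNS|Very-High|act=Drop cp_severity=Very-High cnt=22 cs2Label=Protection ID cs2=DnsProtocolEnforcement cs4Label=Protection Name cs4=Non Compliant DNS msg=Non Compliant DNS rt=1553138597000 ifname=lo loguid={0x0,0x0,0x0,0x0} origin=10.211.32.21 originsicname=CN\=ABCDEF,O\=myname.com rule_name=4.551_._._OPEN-RULE-BAD summary=Detected 22 events associated with the following attack: Attack name: Non Compliant DNS See sk73240 for more information.",
    r"CEF:0|Check Point|SmartDefense|Check Point|IPS|Constructed \| Complete Event|High|act=Detect cp_severity=High src=10.0.0.5 spt=51234 dst=192.0.2.10 dpt=80 proto=tcp rt=1553065400000 loguid={0x0,0x0,0x0,0x1}",
]

# An extension key is a run of key characters followed by '='. Keys never
# contain a backslash, so an escaped '\=' inside a value cannot match here.
_KEY_RE = re.compile(r"(?:^|\s)([A-Za-z0-9_.-]+)=")


def _unescape(value):
    """Undo CEF extension escaping: backslash-equals, backslash-backslash, n, r."""
    return re.sub(r"\\(.)",
                  lambda m: {"n": "\n", "r": "\r"}.get(m.group(1), m.group(1)),
                  value)


def split_header(line):
    """Return the 7 header fields (escapes removed) and the raw extension text."""
    parts, buf, i = [], [], 0
    while i < len(line) and len(parts) < 7:
        c = line[i]
        if c == "\\" and i + 1 < len(line):   # escaped '|' or '\' in a header field
            buf.append(line[i + 1])
            i += 2
        elif c == "|":
            parts.append("".join(buf))
            buf = []
            i += 1
        else:
            buf.append(c)
            i += 1
    if len(parts) != 7:
        raise ValueError("not a CEF line: %r" % line[:40])
    return dict(zip(HEADER_KEYS, parts)), line[i:]


def parse_extension(ext):
    """Split 'k=v k2=v v' pairs; a value runs up to the next key token."""
    fields = {}
    matches = list(_KEY_RE.finditer(ext))
    for cur, nxt in zip(matches, matches[1:] + [None]):
        end = nxt.start() if nxt else len(ext)
        fields[cur.group(1)] = _unescape(ext[cur.end():end])
    return fields


def parse_cef(line):
    header, ext = split_header(line)
    return header, parse_extension(ext)


def audit(lines, expected=EXPECTED):
    """One dict per line: event name, loguid, UTC time from rt, missing keys.

    A key counts as missing when it is absent or present with an empty value.
    """
    report = []
    for line in lines:
        header, fields = parse_cef(line)
        rt = fields.get("rt", "")
        when = (datetime.fromtimestamp(int(rt) / 1000, tz=timezone.utc).isoformat()
                if rt.isdigit() else None)
        report.append({
            "name": header["name"],
            "loguid": fields.get("loguid"),
            "time": when,
            "missing": [k for k in expected if not fields.get(k)],
        })
    return report


if __name__ == "__main__":
    for r in audit(SAMPLE_LINES):
        print("%-32s %s %s missing=%s" % (r["name"], r["time"], r["loguid"],
                                          ",".join(r["missing"]) or "-"))
```

Run it over a file of exported lines instead of SAMPLE_LINES (one CEF record per line, syslog prefix stripped) to get a list of loguid/time pairs to compare against SmartLog; if a field is present in SmartConsole for that loguid but reported missing here, the gap is on the export side.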

JS_FW
Participant

Hi Shay, thanks for the response. It's not the fields that are missing, it's the data. For example: Destination IP. I have confirmed we see it in SmartLog; however, with a PCAP I have confirmed it is not being exported in some cases. I will reach out to you directly.

LostBoY
Advisor

Hello,

Were you able to see the "Action" field in logs after changing read-mode to semi-unified?
LostBoY
Advisor

Hello,

I am facing a similar issue where I require the "Action" field in IPS logs. Will changing read-mode from raw to "semi-unified" fix this?