This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject
ABOUT CHECKMATES & FAQ
Create a Post
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Help

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have one, create one now for free!
Adir_Sabag
Explorer
‎2021-08-30 04:19 AM

Log exporter - Issues exporting audit logs

Hello, 

We are an MSSP, and most of our customers have an R80.40.

At one of our customers' site, for example, we have configured a log exporter to send logs from the management server to a QRadar collector at the same site. For some reason we cannot see any audit logs being sent to us.

Some of our customers still forward logs using OPSEC\LEA protocol, and while using this protocol I can see the audit logs in our SIEM (QRadar).

While checking any of the customers using Syslog protocol, I cannot find event one audit log being sent to us.

 

Is there any known issues exporting audit logs while using log exporter and Syslog protocol?

 

Thank you.

0 Kudos
3 Replies
Tal_Paz-Fridman
Employee
Employee
‎2021-08-31 01:55 AM

Please see if related to the following SK:

Not all logs are exported when log exporter is configured on Log Server/Multi-Domain Log Module

https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut...

 

HTH

Tal

0 Kudos
Adir_Sabag
Explorer
‎2021-08-31 06:16 AM
In response to Tal_Paz-Fridman

I don't know if this is the case.

I mean, the log exporter is configured to send the logs to a QRadar log collection server. The logs are being sent immediately, but as I have mentioned, we cannot see audit logs.

0 Kudos
G_W_Albrecht
Legend
Legend
‎2021-08-31 06:37 AM
In response to Adir_Sabag

Then contact TAC and either get the hotfix or a reason why that is not working!

CCSE CCTE SMB Specialist
0 Kudos