Hello Vladimir,

You can install multiple instances of the log exporter but you cannot separate them by gateways.

The tool reads from the log files (such as fw.log) in your $FWDIR/log directory. 
There are some filtering capabilities, but for the first release, they are mostly focused on key (field) based filters and not value based filters.

You can filter by 'action' but not by 'accept'/'drop'.

We plan to add more advanced filtering capabilities in future releases.

regards,

 Yonatan 

Thank you for the info.

Any plans to re-introduce syslog output directly from gateways, the r77.30 style?

Are you referring to the OPSEC LEA tool?
If so, I personally am not aware of any such plans to refresh it, but as far as I know, that tool still exists in R80.10.

The new log exporting tool is a direct replacement for the CPLogToSyslog tool. We will be retiring the CPLogToSyslog tool, but I don't know of any plan to retire other tools (such as the OPSEC LEA tool).

Regards,

 Yonatan 

Hi,

the tool is very helpful.

We have two customers who use it. 

Can you say something about how it's gonna be included in the next HFA?

Little note:
The Syslog entry contains firewall rules and thread rules in one line. So some fields have the same name, we have the problem that we cannot index the fields in LogRythm.

Hello Heiko,

The plan at this point in time is to have the tool directly integrated into R80.20 (no hotfix needed).

Regarding a future R80.10 HFA integration - at this point in time we have not yet reached a decision on this subject.

As to your point on LogRhythm - it's true that there are many instances where fields will be sent more than once.
Sometimes it will be the same field (that is, both instances will have identical information) and sometimes it will be different fields, such as in the case of multiple layers (each layer will have an action field).

We plan to address the former to some degree in the next log exporter release, but the later is inherent to the way our logs are built. I don't think there is any feasible way to resolve this while still keeping all the relevant data in the log.

Those fields appear twice because they represent data which appears twice (like the above example, of one action per layer).

We have been in contact with LogRhythm, and they are aware of the new tool, and I also know that they have been working on it from their end. 

However, I cannot speak for them and am not privy to the details of how/if they plan to address this.

Regards,

 Yonatan 

Hello Yonatan,

thx for this info. 

Regards,

Heiko

Have you also discussed this with AlienVault? You still have a partnership with them, yes?

AlienVault recently updated their Plugins List adding in the R80 plugins options. For R80 with the logexpoter function AlienVault will utilize the CEF format. 

I have tested this with a customer and their AlienVault USM Anywhere is correctly receiving data. 

John ... is there any chance of making the plungin .cfg file available? ... your post is the only reference I can find regarding the export of logs from R80 to AlienVault.... 

No, I am talking about R77.30 add-on: How to configure R77.30 Security Gateway on Gaia OS to send FireWall logs to an external Syslog serv... 

I am also interested in this since I have one firewall cluster for PCI that I need to syslog only its data into a Splunk.

sk122323 Logs Exporter - Check Point Logs Export  says that Log Exporter supports:

• SIEM applications: Splunk\Arcsight\RSA\LogRhythm\QRadar\McAfee\rsyslog\ng-syslog and any other SIEM application that can run a syslog agent.

• Protocols: syslog over TCP or UDP.

• Formats: Syslog, CEF, LEEF, Generic.

• Security: Mutual authentication TLS.The ability to export logs/audit or both.

• Filter out (don't export) firewall connections logs.

Has anyone heard more about being able to filter out firewall connection logs (as Günther mentioned from the sk122323?

Hello Antonio,

We plan to address this gap in a future release.

I don't have any information about what exactly the next release will contain nor when it will be released.

I've created a log exporter guide in another post that covers this and many other questions.

You can find it at Log Exporter guide.

I hope you'll find it helpful.

Regards,

 Yonatan 

Would it be possible to get sample sanitized logs for each blade type for development use please? 

You should be able to stand up a test gateway with an evaluation license and generate whatever logs you need.

https://www.checkpoint.com/try-our-products/

Hello Hugo,

This is a known issue that stems from an attempt to improve the interface (an attempt which sadly backfired...).
The original parameter name was 'target-ip'. It was changed based on customer feedback to 'target-server', but the backend stayed the same - expecting an IP-address. 

Add to this the fact that we didn't implement a verification mechanism on the input (to make sure it's a valid IP address) and we have a bug.

We already have a task for this and it will be addressed in the next release.

For now, the simple fix is to use an IP-address for the 'target-server' parameter.

Hope this helps,

Yonatan 

Check! That fixed my issue.

(No stroopwafels for who ever made that half way change.)

Hugo van der Kooij -  Any comment that refers to stroopwafels gets a thumbs up in my book 😉

Hello Biju,

When you install the log exporter hotfix it adds the $EXPORTERDIR environmental variable.

Since the hotfix doesn't require a reboot, you need to manually reset the ssh connection for the new variable to be added to your environment.

Since you didn't log out the variable didn't exist when you tried to deploy it, and so it generated an error and used the $INDEXDIR variable instead (in the status output you can see the location is under 'log_indexer' instead of 'log_exporter').

This is not an optimal solution. I would recommend deleting the existing the deployment (using the delete flag) and redeploying it so that it's deployed in the correct location. If the delete flag doesn't work you might have to manually delete the exporter (cpstop; delete the folder; cpstart).

If you want to verify if the $EXPORTERDIR variable exists, you can just try to write it down in expert mode and use the auto-complete (tab) to see if the OS environment recognizes the variable or not.

(I actually remembered this as being blocked because of those errors, but I guess I'm misremembering...)

P.S. just to clarify, this deployment should still work as expected, but as the 'show' flag error shows, it's not seamless, which is why I recommended to remove/redeploy.

Regards,

 Yonatan