
CP Log Exporter to Microsoft CASB

Hello Check Mates ...

For a couple of days I have been struggling with the Log Exporter from two MGMT servers to Microsoft CASB.
It worked for many weeks, but then it suddenly stopped. We made no updates on the MGMT or whatever ...








The configuration seems to be correct to me ...
Also, the TLS encryption works correctly, as far as I can interpret the logs.
The logs in CEF format are sent to an on-prem log collector; this guy accepts all logs and forwards them to the Microsoft world ...
There I see these error messages:





I applied sk165999 and set the log to milliseconds as well ... because this was the only reasonable information I could find ...
I found no way to see the raw data on the Microsoft side ...
I am sorry I cannot post the whole raw log from the on-prem log collector here, because it contains many confidential things ...

The raw logs look like:
"May 30 11:16:06 X.X.X.X CEF: 0|Check Point|VPN-1 & FireWall-1|Check Point|Log|domain-udp|Unknown|act=Accept deviceDirection=1 rt=2023-05-30 11:12:08 spt=45462 dpt=53 cs2Label=Rule Name cs2=[U1] MGMT Time Update layer_name=XXXX-POLICY  Network layer_uuid=90c0733f-0d77-403b-b604-52b6cdb8a4e0"

So what is wrong here?
Perhaps something on the Microsoft side is not correct; could be, but I have no hint so far.

Question: should the time be in EPOCH (time:"1685446429";) or in UTC ("rt=2023-05-30 11:12:08")?
Also, the origin of the log is shown as an IP (X.X.X.X) ... a different customer with a working CP Log Export shows the correct hostname, not an IP, but there the format is SYSLOG.

Who has an idea what the issue can be here?

Best Regards

0 Kudos
2 Replies

Are logs actually being sent?
i.e. do you see a continual connection between the log server and the CASB?

Generally, parsing of logs is handled by the remote end.
As long as we are configured to send them in the correct format, of course.

0 Kudos

Yes indeed, the logs are sent successfully. Even CP TAC confirmed the configuration is OK.
Since the connection is TLS encrypted I cannot look into it via TCPDUMP.
If I turn OFF the TLS encryption, I am failing with the TLS handshakes but I can see the raw data ... it looks quite OK ...

The only concerning thing is: the log origin is shown as the IP of the Log or MGMT server ...
"May 30 11:16:06 X.X.X.X CEF: 0|"
On other log exporters (different customers), when running Syslog format, I see the origin as the real hostname of the log exporting server ...

So the data is sent, but as you say, on the remote end it is not understood.
We have opened a Microsoft case ... let's see what they find out!

0 Kudos
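
An added example, not part of any post in this thread and not Check Point or Microsoft code: a Python check that parses a syslog-wrapped CEF line like the sample quoted in the question and reports the points raised in the thread (the `rt` time format and the address in the syslog host field) plus the header layout. The checks are assumptions drawn from the CEF format, not confirmed causes of the collector error; `lint_cef` and `parse_extension` are hypothetical names.

```python
import ipaddress
import re

# Sample line as quoted in the thread (extension shortened; source IP was already redacted).
SAMPLE = ("May 30 11:16:06 X.X.X.X CEF: 0|Check Point|VPN-1 & FireWall-1|Check Point|Log|"
          "domain-udp|Unknown|act=Accept deviceDirection=1 rt=2023-05-30 11:12:08 "
          "spt=45462 dpt=53 cs2Label=Rule Name cs2=[U1] MGMT Time Update")

# Assumption: CEF text timestamps look like "MMM dd [yyyy] HH:mm:ss[.SSS] [zzz]".
CEF_TEXT_TIME = re.compile(r"[A-Z][a-z]{2} \d{1,2}( \d{4})? \d{2}:\d{2}:\d{2}(\.\d{3})?( \S+)?$")

def parse_extension(ext):
    """Split 'key=value' pairs; a value may contain spaces and runs until the next key."""
    keys = list(re.finditer(r"(?:^|\s)(\w+)=", ext))
    fields = {}
    for i, m in enumerate(keys):
        end = keys[i + 1].start() if i + 1 < len(keys) else len(ext)
        fields[m.group(1)] = ext[m.end():end].strip()
    return fields

def lint_cef(line):
    """Return (findings, header_fields, extension_dict) for one syslog-wrapped CEF line."""
    m = re.search(r"CEF:(\s*)(\d+)\|", line)
    if not m:
        return ["no 'CEF:<version>|' prefix found"], [], {}
    findings = []
    if m.group(1):
        findings.append("whitespace between 'CEF:' and the version number")
    # Seven header fields, then the extension; a backslash-escaped pipe stays inside its field.
    parts = re.split(r"(?<!\\)\|", line[m.start(2):], maxsplit=7)
    if len(parts) < 8:
        return findings + ["fewer than 7 header fields before the extension"], parts, {}
    header, ext = parts[:7], parse_extension(parts[7])
    rt = ext.get("rt")
    if rt is None:
        findings.append("no rt (receipt time) field")
    elif not rt.isdigit() and not CEF_TEXT_TIME.match(rt):
        findings.append(f"rt={rt!r} is neither an epoch value nor a CEF text date")
    host = line[:m.start()].split()[-1:]  # last token before 'CEF:' is the syslog host
    try:
        ipaddress.ip_address(host[0] if host else "")
        findings.append(f"syslog host field is an IP address ({host[0]}), not a name")
    except ValueError:
        pass  # a hostname, or redacted text such as X.X.X.X
    return findings, header, ext

if __name__ == "__main__":
    for finding in lint_cef(SAMPLE)[0]:
        print("-", finding)
```

Run against unencrypted captures of the exporter output, this gives a concrete list to compare with what the receiving collector documents as accepted.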

