Gregory_Link
Contributor

Log Exporter - Filtering out specific blades

I just upgraded from R80.20 -> R81.10 and created some custom parsing in our LogRhythm SIEM for Check Point Syslog Exporter. However, we get little to no value from specific blades and I would like to exclude those from sending to our SIEM. Specifically I would like to exclude HTTPS Inspection. I see a lot of options for filtering in by blade but not filtering out a blade. Any help here?

6 Replies
G_W_Albrecht
Legend
Configuration Method Description

Using the cp_log_export command

This command configures filtering for Action / Blade / Origin fields only.

The syntax is:

  • cp_log_export set name <name> filter-action-in "value1,value2"

  • cp_log_export set name <name> filter-origin-in "value1,value2"

  • cp_log_export set name <name> filter-blade-in "value2"

In addition, it is possible to use predefined families for "filter-blade-in" value:

  • Access - For exporting Access logs only (Security Gateway/Management, VPN-1 & FireWall-1, Firewall, Application Control, URL Filtering, Content Awareness, Connectra, Mobile Access, Compliance blade, Core, DDoS Protector, Identity Awareness, Identity Logging, UA WebAccess).
  • TP - For exporting Threat Prevention logs only (Anti-Bot, Anti-Malware, Threat Emulation, IPS, IPS-1, SmartDefense, Anti-Virus, New Anti Virus, Anti-Spam and Email Security, Threat Extraction, MTA).
  • EndPoint - For exporting Endpoint logs only (Anti-Bot, Anti Malware, Threat Emulation, IPS, IPS-1, SmartDefense, Anti-Virus, New Anti Virus, Anti-Spam and Email Security, Threat Extraction, MTA ).
  • Mobile - For exporting Mobile logs only (WIFI Network, Mobile App, OS Exploits, Device, Network Security, Cellular Network, Network Access, iOS Profiles, Text Message, On-device Network Protection).

 

From: https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut...

CCSE CCTE SMB Specialist
0 Kudos
just13pro
Explorer

I have the same case with TS. I followed the filter as per the sk, but the SIEM stopped receiving any logs and I saw the message "Logs Formatter :: Process Log Skipped".

 

Any idea?

 

0 Kudos
G_W_Albrecht
Legend

I would suggest contacting TAC to get this resolved!

CCSE CCTE SMB Specialist
0 Kudos
Gregory_Link
Contributor

I saw this but there is only a filter in option not a filter out option.  So do I need to specify all blades I need to filter in?  I also don't see HTTPS inspection blade in any of the families.  Would that be excluded if I select just Access and TP?

0 Kudos
(1)
Kaspars_Zibarts
Authority

Have you tried playing with FilterConfiguration.xml file? sk122323

Fields can be found here sk144192 

You could try excluding https_inspection_action or specific HTTPS rule UID (apparently name is not supported)

<field name="https_inspection_action" operator="or">
  <value operation="neq">Inspect</value>
  <value operation="neq">Bypass</value>
  <value operation="neq">Error</value>
</field>

 

Gregory_Link
Contributor

Thanks, that worked for me. Although I had to adjust to focus on Product since a lot of the other blades have inspection actions in the values. I used the below filter. This works since the blade name is mapped to product in LogRhythm.

<filters>
  <filterGroup operator="and">
    <field name="product" operator="or">
      <value operation="neq">https inspection</value>
    </field>
  </filterGroup>
</filters>

0 Kudos
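
Added example, not part of the thread and not Check Point's code: a small Python model for dry-running a filter of this shape against sample records before loading it on the exporter, so a filter that would drop more than intended is caught before the SIEM goes quiet. The evaluation rules, the `ACTION_FILTER` variant and the sample records are assumptions constructed here.

```python
import xml.etree.ElementTree as ET

# Assumed semantics (not from Check Point documentation): "and"/"or" are plain
# boolean logic, "eq"/"neq" compare case-insensitively, a missing field is "".
COMBINE = {"and": all, "or": any}

def value_matches(value_el, actual):
    equal = actual.strip().lower() == (value_el.text or "").strip().lower()
    op = value_el.get("operation")
    if op not in ("eq", "neq"):
        raise ValueError(f"operation not modelled here: {op!r}")
    return equal if op == "eq" else not equal

def field_matches(field_el, log):
    actual = log.get(field_el.get("name"), "")
    return COMBINE[field_el.get("operator", "and")](
        value_matches(v, actual) for v in field_el.findall("value"))

def exported(filter_xml, log):
    """True if the record passes every filterGroup (assumed to be ANDed)."""
    return all(
        COMBINE[g.get("operator", "and")](
            field_matches(f, log) for f in g.findall("field"))
        for g in ET.fromstring(filter_xml).findall("filterGroup"))

def kept_products(filter_xml, logs):
    return [log["product"] for log in logs if exported(filter_xml, log)]

TEMPLATE = """<filters>
<filterGroup operator="and">
<field name="{name}" operator="or">
<value operation="neq">{value}</value>
</field>
</filterGroup>
</filters>"""
PRODUCT_FILTER = TEMPLATE.format(name="product", value="https inspection")
# Constructed single-value variant of the action-based idea, for comparison.
ACTION_FILTER = TEMPLATE.format(name="https_inspection_action", value="Inspect")

# Constructed sample records, not real exporter output.
SAMPLE_LOGS = [
    {"product": "HTTPS Inspection", "https_inspection_action": "Inspect"},
    {"product": "URL Filtering", "https_inspection_action": "Inspect"},
    {"product": "Firewall"},
]

if __name__ == "__main__":
    print("product filter keeps:", kept_products(PRODUCT_FILTER, SAMPLE_LOGS))
    print("action filter keeps: ", kept_products(ACTION_FILTER, SAMPLE_LOGS))
```

Under these assumptions the product filter drops only the HTTPS Inspection record, while the action-based variant also drops the URL Filtering record that carries an inspection action.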