Log Exporter - Check Point Log Export
Technical Level
Solution ID
sk122323
Product
SmartEvent / Eventia Analyzer, SmartLog
Version
R77.30, R80.10, R80.20, R80.30, R80.40, R81
OS
Gaia
Date Created
19-Mar-2018
Last Modified
28-Feb-2021
Solution
Check Point "Log Exporter" is an easy and secure method for exporting Check Point logs over syslog. Logs can be exported over several standard protocols and in several formats.
Log Exporter supports:
SIEM applications: Splunk, LogRhythm, ArcSight, RSA, QRadar, McAfee, rsyslog, syslog-ng, and any other SIEM application that can run a syslog agent.
Protocols: syslog over TCP or UDP.
Formats: Syslog, Splunk, CEF, LEEF, Generic (LogRhythm is available on the takes listed in the Change Log).
Security: Mutual authentication TLS 1.2.
Log Types: The ability to export security logs / audit logs or both. (Note: Audit logs exist on every Log Server).
Filter out (don't export) firewall connection logs.
Log Fields Mapping for Advanced Fields Configuration
SIEM Specific instruction
Transition from LEA to Log exporter
Transition from CPLogToSyslog to Log exporter
Troubleshooting
Known Limitations
Appendix
Change Log
How does it Work
Log Exporter is a multi-threaded daemon service, running on a log server. Each log that is written on the log server is read by the log exporter daemon, transformed into the desired format and mapping, and then sent to the end target. On MDS/MLM, if log exporter is deployed on several domains, each domain server will have its own log exporter daemon service. If exporting the logs to several targets, each target will have its own log exporter daemon.
Extract - reads the logs the Security Gateways sent, from the log server's local log folders.
Transform - changes the logs according to the configuration:
formats the header and body to fit the third-party input,
adjusts field names according to the mapping configuration,
removes unnecessary fields,
filters the logs to be exported.
Export - sends the logs to the configured target server over TCP or UDP.
Data integrity:
Log exporter will stop exporting upon disconnection from the 3rd party and will remember the last position exported.
Once the connection is re-established, log exporter will automatically start exporting from the last known position.
Log Exporter is integrated in R80.10 with Jumbo Hotfix Accumulator Take_270 and higher versions.
R77.30
Install this release on a R77.30 Multi-Domain Server, Multi-Domain Log Server, Security Management Server, Log Server or SmartEvent Server.
Note: Log Exporter can be installed on top of R77.30 Jumbo Hotfix Take 292 and above.
Note: This hotfix must be installed after the Jumbo Hotfix. To upgrade to a higher Jumbo take, uninstall the Log Exporter hotfix first, install the newer Jumbo, and then reinstall the Log Exporter hotfix.
Management server - uninstall the feature via CPUSE, see sk92449.
Multi-Domain Management server - Uninstalling the package does not remove the configuration files, in order to uninstall and completely remove all configurations, do the following:
Run:
cp_log_export delete name all [domain-server all] --apply-now
Note: Do not forget to add: <domain-server all> on MDS/MLM machines.
If running on a Multi-Domain Management Server, first switch to the MDS environment by running: # mdsenv
Make sure $EXPORTERDIR exists and points to $RTDIR/log_exporter ($FWDIR/log_exporter on R77.30).
To configure a new target for the logs, run the following on the log server:
cp_log_export add name <name> [domain-server <domain-server>] target-server <target-server IP/host name> target-port <target-port> protocol <(udp|tcp)> format <(syslog)|(cef)|(leef)|(splunk)|(logrhythm)|(generic)> [optional arguments]
On MDS/MLM: domain-server argument is mandatory, you can use 'mds' as the value for domain-server in order to export mds level audit logs
On MDS/MLM deployment you can use either the CMA/CLM name or IP.
Target-server can be either the syslog server's IP address or its DNS name (DNS names are supported with the TCP protocol only).
This will create a new target directory with the unique name specified in the name parameter under $EXPORTERDIR/targets/<deployment_name>, and set the target configuration parameters with the connection details: IP Address, port, protocol, format and read-mode.
The recommended read-mode for the Splunk format is semi-unified, which ensures you receive complete event data (see loguid in the Appendix).
Note the above deployment will export the logs in clear text.
The new log exporter does not start automatically. To start it run: cp_log_export restart
If you wish to send the logs over an encrypted connection, please refer to the "TLS Configuration" section.
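The deployment procedure above, as an added example that is not part of the original sk: a shell function that builds the cp_log_export add command line and enforces the rules this page states (tcp/udp only, a DNS target name only over TCP, domain-server mandatory on MDS/MLM, semi-unified for Splunk, and all three TLS arguments together) before anything is run on the log server. The exporter names, the target addresses and the certificate paths are illustrative assumptions; $MDSDIR being set on a Multi-Domain server is the only environment fact assumed.

```shell
#!/bin/sh
# Added example for sk122323: validate and build a "cp_log_export add" command.
# Values such as siem1, 10.0.0.5 and the certificate paths are assumptions.

# build_add_cmd NAME TARGET PORT PROTO FORMAT [DOMAIN [CA_PEM CLIENT_P12 SECRET]]
# Prints the command on success; prints the reason on stderr and returns 1 otherwise.
build_add_cmd() {
    name=$1 target=$2 port=$3 proto=$4 fmt=$5 domain=$6 ca=$7 p12=$8 secret=$9
    case $proto in
        tcp|udp) ;;
        *) echo "protocol must be tcp or udp" >&2; return 1 ;;
    esac
    case $fmt in
        syslog|cef|leef|splunk|logrhythm|generic) ;;
        *) echo "unsupported format: $fmt" >&2; return 1 ;;
    esac
    # A DNS name for target-server is only allowed over TCP; UDP needs an IP address.
    case $target in
        *[!0-9.]*) if [ "$proto" != tcp ]; then
                       echo "a DNS target name requires protocol tcp" >&2; return 1
                   fi ;;
    esac
    # On MDS/MLM ($MDSDIR is set there) domain-server is mandatory; "mds" exports MDS audit logs.
    if [ -n "${MDSDIR:-}" ] && [ -z "$domain" ]; then
        echo "domain-server is mandatory on MDS/MLM" >&2; return 1
    fi
    cmd="cp_log_export add name $name"
    if [ -n "$domain" ]; then cmd="$cmd domain-server $domain"; fi
    cmd="$cmd target-server $target target-port $port protocol $proto format $fmt"
    # The page recommends the semi-unified read-mode for the Splunk format.
    if [ "$fmt" = splunk ]; then cmd="$cmd read-mode semi-unified"; fi
    if [ -n "$ca" ]; then
        # TLS is mutual only: the CA .pem, the client .p12 and its challenge phrase are all
        # needed, and TLS runs over TCP.
        if [ -z "$p12" ] || [ -z "$secret" ] || [ "$proto" != tcp ]; then
            echo "encrypted export needs protocol tcp, ca-cert, client-cert and client-secret" >&2
            return 1
        fi
        cmd="$cmd encrypted true ca-cert $ca client-cert $p12 client-secret $secret"
    fi
    printf '%s\n' "$cmd"
}

# deploy_exporter: the full procedure from the page. Runs the commands only on a machine
# that has cp_log_export; anywhere else it prints what would run.
deploy_exporter() {
    cmd=$(build_add_cmd "$@") || return 1
    if ! command -v cp_log_export >/dev/null 2>&1; then
        printf 'dry-run: %s\n' "$cmd"
        return 0
    fi
    if [ -n "${MDSDIR:-}" ]; then mdsenv; fi           # MDS/MLM: switch to the MDS environment
    [ -d "${EXPORTERDIR:-/nonexistent}" ] || { echo "EXPORTERDIR is not set" >&2; return 1; }
    # The new exporter does not start by itself, hence the restart.
    eval "$cmd" && cp_log_export restart name "$1" ${6:+domain-server "$6"}
}

# Clear-text CEF over UDP, and mutual-TLS syslog over TCP (illustrative values):
deploy_exporter siem1 10.0.0.5 514 udp cef
deploy_exporter siem2 siem.example.net 6514 tcp syslog "" /home/admin/ca.pem /home/admin/logexporter.p12 changeit
```

On a Gaia log server the two calls at the end run the add and restart; elsewhere they print the commands, which is a convenient way to review a change before touching the server.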
Advanced Deployment - Additional Commands
Advanced parameters for creating / modifying log exporters / targets
In order to understand a specific command usage run: cp_log_export <command-name> help
Commands
add - Deploys a new Check Point log exporter.
set - Updates an existing exporter's configuration.
delete - Removes an exporter.
show - Prints an exporter's current configuration.
status - Shows an exporter's overview status.
start - Starts an exporter process.
stop - Stops an exporter process.
restart - Restarts an exporter process.
reexport - Resets the current position and re-exports all logs per the configuration.
Parameters
Each entry gives the parameter, its description, and whether it is Mandatory, Optional or N/A (not applicable) for the commands add / set / delete / show, status, start, stop, restart / reexport.
name - Unique name of the exporter configuration. add: Mandatory; set: Mandatory; delete: Mandatory; show/status/start/stop/restart: Optional (default all); reexport: Mandatory.
domain-server - The relevant domain-server name or IP (MDS/MLM only, see the note above). add: Mandatory; set: Mandatory; delete: Mandatory; show/status/start/stop/restart: Optional (default all); reexport: Mandatory.
target-server - The IP address (or DNS name, TCP only) the logs are exported to. add: Mandatory; set: Optional; other commands: N/A.
target-port - The port the target listens on. add: Mandatory; set: Optional; other commands: N/A.
protocol - Transport protocol to use (udp or tcp). add: Mandatory; set: Optional; other commands: N/A.
format - The format in which the logs are exported. add: Optional; set: Optional; other commands: N/A.
read-mode - The mode in which the log files are read and exported (raw or semi-unified). add: Optional; set: Optional; other commands: N/A.
enabled - Allow log_exporter to start on cpstart/mdsstart. add: Optional; set: Optional; other commands: N/A.
encrypted - Use TLS (SSL) encryption for exporting the logs. add: Optional; set: Optional; other commands: N/A.
ca-cert - Full path to the CA .pem certificate file. Relevant only when encrypted is true. add: Optional; set: Optional; other commands: N/A.
client-cert - Full path to the client .p12 certificate file. Relevant only when encrypted is true. add: Optional; set: Optional; other commands: N/A.
client-secret - The challenge phrase that was used to create the client .p12 certificate. Relevant only when encrypted is true. add: Optional; set: Optional; other commands: N/A.
filter-action-in - Export all logs with a specific action. The value must be surrounded by ""; multiple values are supported, separated by commas. add: Optional; set: Optional; other commands: N/A.
filter-origin-in - Export all logs from a specific origin. Same value syntax as filter-action-in. add: Optional; set: Optional; other commands: N/A.
filter-blade-in - Export all logs that belong to a specific blade. Same value syntax as filter-action-in. Predefined blade families can be selected (TP, Access, Endpoint, Mobile). add: Optional; set: Optional; other commands: N/A.
--apply-now - Apply the change immediately. add: Optional; set: Optional; delete: Mandatory; show/status/start/stop/restart: N/A; reexport: Mandatory.
export-link - Add a field to the exported log that holds a link to the log card in SmartView. add: Optional; set: Optional; other commands: N/A.
export-attachment-link - Add a field to the exported log that holds a link to the log card in SmartView which also opens the attachment automatically. add: Optional; set: Optional; other commands: N/A.
export-link-ip - Make the two links above use a custom IP (e.g., for a NATed log server). add: Optional; set: Optional; other commands: N/A.
export-attachment-ids - Add a field to the exported log that holds the ID of the log's attachment (if one exists). add: Optional; set: Optional; other commands: N/A.
Note: Using filter-action-in / filter-origin-in / filter-blade-in replaces any filter previously declared on these fields directly in the filtering XML. Filters on other fields are not overridden.
TLS Configuration
How to set a secured connection between the log exporter and the syslog server.
The only allowed authentication method via TLS is mutual authentication. For mutual authentication log exporter will need the following certificates:
A pem Certificate Authority (CA) certificate (should contain only the certificate of CA that signed the client/server certificates, not the parent CA).
A .p12 format client certificate.
If you do not already have the required certificates, you can follow the procedure below.
The following procedure is an example of creating the required certificates. You have alternative procedures for achieving this.
Important Note: The below openssl commands need to be run on a 3rd party CA server. (Not on the Log Exporter machine) The commands are not supported on a Check Point Security Management server/Multi-Domain Management server.
Note: CA server needs to be routable from log exporter device.
Create Self Signed CA
Run this in case you do not already have a trusted CA pem:
You will be prompted to provide information regarding the certificate. This information is known as a Distinguished Name (DN). An important field in the DN is the Common Name(CN), which should be the exact Fully Qualified Domain Name (FQDN) of the host that you intend to use the certificate with. Apart from the Common Name all other fields are optional and can be skipped. If you are purchasing an SSL certificate from a certificate authority, it is often required that these additional fields, such as "Organization", accurately reflect your organization's details.
Here is an example of what the prompt will look like:
---
Country Name (2 letter code) [AU]:US
State or Province Name (full name) [Some-State]:New York
Locality Name (eg, city) []:MyCity
Organization Name (eg, company) [Internet Widgits Pty Ltd]:MyCompany
Organizational Unit Name (eg, section) []:MyDepartment
Common Name (e.g. server FQDN or YOUR name) []:www.company.com
Email Address []:
Note: It is recommended to use the device IP address as the Common Name.
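The certificate creation procedure, as an added example that is not part of the original sk: plain openssl, run on the third-party CA host as the note above requires, producing the issuing CA .pem for the ca-cert argument, a client certificate bundled as .p12 for client-cert/client-secret, and a server certificate for the syslog side. The CA name, the file names, the CN values (the log server's IP, per the recommendation above) and the challenge phrase are placeholders; the EKU and SAN extensions are this example's addition, not something the page prescribes.

```shell
#!/bin/sh
# Added example for sk122323: create the CA, the syslog-server certificate and the Log
# Exporter client .p12 with openssl on a third-party CA host (not on the Check Point
# server). File names, CN values and the challenge phrase are placeholders.

# write_req_cnf FILE CN [CA]: a minimal openssl config, so nothing depends on the host's
# openssl.cnf. With CA, the request is given CA extensions for a self-signed root.
write_req_cnf() {
    {
        printf '[req]\nprompt = no\ndistinguished_name = dn\n'
        if [ "$3" = CA ]; then printf 'x509_extensions = ca_ext\n'; fi
        printf '[dn]\nCN = %s\n' "$2"
        printf '[ca_ext]\nbasicConstraints = critical,CA:TRUE\n'
        printf 'keyUsage = critical,keyCertSign,cRLSign\nsubjectKeyIdentifier = hash\n'
    } > "$1"
}

# make_ca DIR: self-signed issuing CA; ca.pem is what the ca-cert argument points to.
make_ca() {
    write_req_cnf "$1/ca.cnf" LogExporter-CA CA
    openssl req -x509 -config "$1/ca.cnf" -newkey rsa:2048 -nodes -sha256 -days 3650 \
        -keyout "$1/ca.key" -out "$1/ca.pem" 2>/dev/null
}

# make_cert DIR NAME CN EKU: key + CSR, signed by the CA above. EKU is clientAuth for the
# Log Exporter side and serverAuth for the syslog server. The SAN mirrors the CN, as an
# IP entry when the CN is an address (the page recommends the device IP as CN).
make_cert() {
    dir=$1 name=$2 cn=$3 eku=$4
    case $cn in
        *[!0-9.]*) san="DNS:$cn" ;;
        *)         san="IP:$cn" ;;
    esac
    write_req_cnf "$dir/$name.cnf" "$cn"
    printf 'basicConstraints = CA:FALSE\nextendedKeyUsage = %s\nsubjectAltName = %s\n' \
        "$eku" "$san" > "$dir/$name.ext"
    openssl req -new -config "$dir/$name.cnf" -newkey rsa:2048 -nodes -sha256 \
        -keyout "$dir/$name.key" -out "$dir/$name.csr" 2>/dev/null || return 1
    openssl x509 -req -sha256 -days 825 -in "$dir/$name.csr" \
        -CA "$dir/ca.pem" -CAkey "$dir/ca.key" -CAcreateserial \
        -extfile "$dir/$name.ext" -out "$dir/$name.crt" 2>/dev/null
}

# make_p12 DIR NAME SECRET: bundle key + certificate; SECRET becomes the client-secret value.
make_p12() {
    openssl pkcs12 -export -inkey "$1/$2.key" -in "$1/$2.crt" \
        -name "$2" -password "pass:$3" -out "$1/$2.p12"
}

# verify_chain DIR NAME: the check both TLS peers make against ca.pem (0 if valid).
verify_chain() {
    openssl verify -CAfile "$1/ca.pem" "$1/$2.crt" >/dev/null 2>&1
}

# p12_opens DIR NAME SECRET: 0 only if the challenge phrase unlocks the .p12.
p12_opens() {
    openssl pkcs12 -in "$1/$2.p12" -passin "pass:$3" -noout 2>/dev/null
}

# make_all DIR LOGSERVER_CN SYSLOG_CN SECRET: the complete set. Afterwards copy ca.pem and
# logexporter.p12 to the log server and reference them with
#   encrypted true ca-cert <path>/ca.pem client-cert <path>/logexporter.p12 client-secret SECRET
# and give ca.pem, syslog.key and syslog.crt to the syslog server.
make_all() {
    make_ca "$1" &&
    make_cert "$1" logexporter "$2" clientAuth &&
    make_cert "$1" syslog "$3" serverAuth &&
    make_p12 "$1" logexporter "$4"
}
```

Because ca.pem contains only the issuing CA, it satisfies the note above that the .pem must hold the CA that signed the client and server certificates and not a parent CA.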
After deploying a new instance of log exporter, all related files to that deployment can be found under $EXPORTERDIR/targets/<deployment name>
On an MDS/MLM server, EXPORTERDIR environment variable is per domain, and its value is changed automatically when switching between domain server contexts with the mdsenv command.
Target Configuration XML
The target configuration file, located under each deployment folder: $EXPORTERDIR/targets//targetConfiguration.xml
Note: You must restart the log exporter process for the new setting to take effect.
Listed below are some of the configuration options:
<version></version> - Current Log Exporter version; used for upgrades.
<is_enabled></is_enabled> - Determines whether the process is monitored by the watchdog. Values: true / false
Destination Parameters
type - Reserved for future use.
<ip></ip> - The IP address, or DNS name (TCP only), of the target that receives the logs. Values: any IPv4 address or DNS name.
<port></port> - The port the target listens on. Values: any valid port number.
<protocol></protocol> - The transport protocol used for the connection. Values: UDP / TCP
Security Parameters
Discussed in more detail in the "TLS Configuration" section.
<security></security> - Determines whether the connection is sent in clear text or encrypted. Values: clear [default] / tls
<pem_ca_file></pem_ca_file> - The location of the CA .pem file (see the "TLS Configuration" section for which CA certificate it must contain).
<p12_certificate_file></p12_certificate_file> - The location of the client key pair in .p12 format.
(challenge phrase element; the tag name is missing on the page) - The challenge phrase that was used to create the .p12 certificate. It is hashed after the process is restarted.
Source Parameters
<folder></folder> - The path where the log files are located. Default: $FWDIR/log/
<log_files></log_files> - Determines which log files are exported and how far back. Values: read logs from [number] days back (default 1, recommended) | <specific file name> | on-line (no value = on-line)
<log_types></log_types> - Determines which log files (by extension) are exported. Values: all [default] / log / audit
<read_mode></read_mode> - Determines how the log files are read. Values: raw [default] | semi-unified (recommended for the Splunk format)
Resolver Parameters
<mappingConfiguration></mappingConfiguration> - The XML file containing the log field mapping scheme. If left empty, the default for the configured 'format' is used.
<exportAllFields>true</exportAllFields> - When set to 'true', all log fields are sent regardless of whether they appear in the mapping scheme, except fields explicitly excluded in the relevant format mapping file (<exported>false</exported>). When set to 'false', only fields listed in the relevant format mapping file with <exported>true</exported> are sent. Values: true / false
Format Parameters
<formatHeaderFile></formatHeaderFile> - The XML file containing the log header format scheme. If left empty, the default for the configured 'format' is used.
General Filter Configuration Path
<dynamicFilter></dynamicFilter> - The XML file containing the filtering configuration. If left empty, the default configuration is used. Default path: conf/FilterConfiguration.xml
SmartView links parameters
export_log_link - Add a field to the exported log that holds a link to the log card in SmartView. Values: true / false [default]
export_attachment_link - Add a field to the exported log that holds a link to the log card in SmartView which also opens the attachment automatically. Values: true / false [default]
export_link_ip - Make the two links above use a custom IP (e.g., for a NATed log server). Values: IPv4 / empty [default]
Filter out firewall connections Parameters
The Log Exporter solution supports several filtering options, as detailed in the section above. In this section, we will go over each option.
Filters logs based on blade
In the current release, we have a limited blade related filtering. This functionality will be expanded upon in future releases.
You can filter out firewall connection logs ('Firewall-1 & VPN-1', 'HTTPS Inspection' and 'Security Gateway/Management').
<filter filter_out_by_connection="false"> - Determines whether the Access (connection) logs are filtered out. When set to 'true', VPN-1 & FireWall-1 connection logs are not exported. Values: true / false
Note: No other blade filters are currently supported. This will be expanded upon in future releases.
Note: Firewall session logs will still be exported (Generated by tracking a firewall rule by per Session).
Limitation: HTTPS inspection logs, Non-rulebase generated Firewall logs & a few Firewall NAT update logs will still be exported.
Format Configuration XML
Note: Please do not edit the original xxxFormatDefinition.xml files. Copy the file to a different file name and modify the copied file while leaving the original intact. After done modifying the file, refer to it in <formatHeaderFile> element in the exporter's targetConfiguration.xml.
The escape functionality replaces the string enclosed by the 'orig' tags with the string enclosed by the 'escaped' tags. The page lists one set of rules per format; the format labels were lost when the table was flattened, and the blank 'orig' entries are characters the page does not render (presumably line breaks). The six rule sets, in the page's order:
Set 1: \ --> \\ ; " --> \" ; (unrendered character) --> ' '
Set 2: ] --> \] ; | --> ; ; = --> \= ; (unrendered character) --> ' '
Set 3: \ --> \\ ; = --> \= ; (unrendered character) --> ' '
Set 4: | --> \| ; = --> \= ; (unrendered character) --> ' '
Set 5: | --> ; ; = --> \= ; (unrendered character) --> ' '
Set 6: \ --> \\ ; " --> ' ; (unrendered character) --> ' '
Header
<header_format></header_format> - The delimiter between the header values and the number of values. Every {} is replaced with one value. Defaults: syslog: ' ' (space); Splunk: time={}|hostname={}|; CEF: |; LogRhythm: LOGV2 {}|
Field Mapping Configuration XML
Note: Please do not edit the original xxxFieldsMapping.xml files. Copy the file to a different file name and modify the copied file while leaving the original intact. After done modifying the file, refer to it in <mappingConfiguration> element in the exporter's targetConfiguration.xml.
<table> - Some fields appear inside tables, depending on the log format. This information can be found in the exporter's .elg log file, one entry for every new field. A field can appear in multiple tables; each distinct instance is treated as a new field.
<exported></exported> - [optional] Filter out specific fields with the 'exported' true/false tag in the mapping configuration file. Alternatively, if 'exportAllFields' in targetConfiguration.xml is set to false, only the fields listed in the mapping file are exported. Note: this parameter can also be set on a table field, to allow or prevent the export of the field when it is part of a table. Values: true / false
<origName></origName> - The name of the field that is mapped to <dstName>. Refer to Log Fields Mapping for Advanced Fields Configuration.
<dstName></dstName> - The new mapping scheme name for the field.
<required></required> - [optional] When set to 'true', only logs that contain this field are exported.
Filter field element (tag name missing on the page) - Declares a single field filter that participates in the filter group:
name: the name of the field to filter on.
operator: the operator between the declared operations. Values: and / or
operation: the matching logic for the declared value. Values: eq (equal) / neq (not equal) / gt (greater than) / lt (less than)
value: the specific value to filter on. Multiple values for a single operation are supported; add each value as a separate row.
Filtering Logic:
The filtering feature allows to decide which logs will be exported based on values from the various fields on the raw log.
for example, export all logs from a specific origin (Security Gateway), or export all Threat prevention logs, or export all logs that are not from a specific source.
The filtering can be declared both from cp_log_export command, or by editing the filtering configuration file manually.
Note: cp_log_export filtering flags include only the action, blade and origin fields. Manual editing allows filtering on all supported fields.
The syntax for cp_log_export usages:
cp_log_export set name <name> filter-action-in "value1,value2"
cp_log_export set name <name> filter-origin-in "value1,value2"
cp_log_export set name <name> filter-blade-in "value2"
Example of filter by raw field names of severity:"High" or "Critical" & blade/product:"IPS" or "Threat Emulation":
Example of filter by mapped field names of cp_severity: "High" or "Critical" & blade/product: "IPS" or "Threat Emulation", for CEF format (severity -> cp_severity):
* The name of the field to filter on can be either the mapped name or the original raw name, regardless of changes in the mapping XML.
* The value of the field to filter on should always be the raw field values. For instance, in order to filter logs from a certain Gateway (origin) you should provide the IP of the Gateway and not its name.
The predefined families for "product" field (filter-blade-in) are :
TP for exporting Threat Prevention logs only (Anti-Bot,Anti Malware,Threat Emulation,IPS,IPS-1,SmartDefense,Anti-Virus,New Anti Virus,Anti-Spam and Email Security,Threat Extraction,MTA).
Access for exporting Access logs only (Security Gateway/Management,VPN-1 & FireWall-1,Firewall,Application Control,URL Filtering,Content Awareness,Connectra,Mobile Access,Compliance blade,Core,DDoS Protector,Identity Awareness,Identity Logging,UA WebAccess).
Mobile for exporting Mobile logs only (WIFI Network,Mobile App,OS Exploits,Device,Network Security,Cellular Network,Network Access,iOS Profiles,Text Message,On-device Network Protection).
EndPoint for exporting Endpoint logs only (Anti-Bot,Anti Malware,Threat Emulation,IPS,IPS-1,SmartDefense,Anti-Virus,New Anti Virus,Anti-Spam and Email Security,Threat Extraction,MTA ).
The relation between the values of the same operation is only OR.
Example:
cp_log_export set name <target-name> filter-action-in "accept,drop"
Only logs with action = "accept" OR action= "drop" will be exported.
Filtering is not supported for any of the following fields : time, category, UUID,appi_name ,app_desc, app_category, matched_category, app_properties, app_rule_name, HTTPS_inspection_rule_name, cvpn_resource, cvpn_category, name, desc, properties.
Filtering a field with the condition "not equal(value1) OR not equal(value2)" is not supported (with two different values it would match every log, since a field cannot equal both). When editing the filtering XML, use at most one "neq" operation per field.
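The filter semantics described above (OR between the values of one operation, AND between fields, raw values only, and why an OR of two neq operations is pointless), run over a few constructed log lines as an added example that is not part of the original sk. The sample lines are written as key=value pairs separated by "|" and are not real Check Point output; the functions mimic the documented behaviour of filter-action-in and friends, they are not Log Exporter code.

```shell
#!/bin/sh
# Added example for sk122323: the documented filter semantics, applied with awk to
# constructed sample lines (key=value pairs separated by "|", not real Check Point logs).
SAMPLE_LOGS='time=1614556800|origin=10.1.1.1|product=VPN-1 & FireWall-1|action=accept|severity=Informational
time=1614556801|origin=10.1.1.1|product=IPS|action=drop|severity=High
time=1614556802|origin=10.1.1.2|product=Threat Emulation|action=detect|severity=Critical
time=1614556803|origin=10.1.1.2|product=VPN-1 & FireWall-1|action=reject|severity=Informational'

# filter_in FIELD "v1,v2,...": keeps lines whose FIELD equals any listed value.
# Values of one operation combine with OR, exactly like filter-action-in "accept,drop".
# Comparison is against the raw value, so an origin must be given as the gateway IP.
filter_in() {
    awk -F'|' -v field="$1" -v values="$2" '
    BEGIN { n = split(values, v, ","); for (i = 1; i <= n; i++) want[v[i]] = 1 }
    {
        for (i = 1; i <= NF; i++) {
            eq = index($i, "="); if (eq == 0) continue
            if (substr($i, 1, eq - 1) == field && (substr($i, eq + 1) in want)) { print; next }
        }
    }'
}

# filter_not_in FIELD "v1,v2,...": drops lines whose FIELD equals any listed value,
# i.e. neq(v1) AND neq(v2). The OR form the page marks as unsupported would be a
# tautology: no single value equals both v1 and v2, so "neq v1 OR neq v2" keeps every line.
filter_not_in() {
    awk -F'|' -v field="$1" -v values="$2" '
    BEGIN { n = split(values, v, ","); for (i = 1; i <= n; i++) drop[v[i]] = 1 }
    {
        keep = 1
        for (i = 1; i <= NF; i++) {
            eq = index($i, "="); if (eq == 0) continue
            if (substr($i, 1, eq - 1) == field && (substr($i, eq + 1) in drop)) keep = 0
        }
        if (keep) print
    }'
}

# count_matches FIELD VALUES [NOT]: number of sample lines selected by one filter.
count_matches() {
    if [ "$3" = NOT ]; then
        printf '%s\n' "$SAMPLE_LOGS" | filter_not_in "$1" "$2" | wc -l | tr -d ' '
    else
        printf '%s\n' "$SAMPLE_LOGS" | filter_in "$1" "$2" | wc -l | tr -d ' '
    fi
}

# Filters on different fields combine with AND, which is what chaining them gives:
# only High/Critical logs that also come from IPS or Threat Emulation.
count_tp_high() {
    printf '%s\n' "$SAMPLE_LOGS" | filter_in severity "High,Critical" |
        filter_in product "IPS,Threat Emulation" | wc -l | tr -d ' '
}
```

Running count_matches origin gw-2 returns 0 even if a gateway is named gw-2, which is the practical meaning of the rule above that filter values must be the raw field values.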
Log Fields Mapping for Advanced Fields Configuration
Check Point Infinity includes a large number of log fields, reflecting the diversity of Check Point's products. The log fields mapping helps you understand the security threats, the log vocabulary, complex queries and the SIEM integration.
For information on Check Point's Log Fields Mapping, refer to: sk144192.
SIEM Specific instruction
How to configure SIEM applications to optimally receive logs.
Rsyslog
Rsyslog is not configured to use the RFC 5424 timestamp format by default, so change the Rsyslog setting manually to make it compliant with the Log Exporter output format.
On the syslog server:
1. Open /etc/rsyslog.conf
2. If there is an uncommented line "$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat", comment it out.
3. Add the following line: $ActionFileDefaultTemplate RSYSLOG_SyslogProtocol23Format
4. Save and close the file.
5. Restart Rsyslog: service rsyslog restart
ArcSight
ArcSight recommends naming the certificate 'syslog-ng'.
1. Convert the key to p12 format: openssl pkcs12 -inkey syslogServer.key -in syslogServer.crt -export -out syslog-ng.p12 -name "syslogng-alias" -password pass:changeit
2. Make sure the environment variable ARCSIGHT_HOME points to the connector install directory:
Run the certificate manager on the Linux KDE console: $ARCSIGHT_HOME/current/bin/arcsight agent keytoolgui
From the File menu, open the keystore $ARCSIGHT_HOME/current/jre/lib/security/cacerts (password "changeit").
From the menu, select "Import Trusted Certificate".
From the file dialog, select ca.pem and save it.
Save and close the certificate manager.
Edit the agent.properties file to enable mutual authentication:
vi $ARCSIGHT_HOME/current/user/agent/agent.properties
Transition from LEA to Log exporter
1. Delete the OPSEC application object in the GUI if LEA is its only use; otherwise, remove the LEA client entity from it.
2. If this is the only OPSEC LEA client (otherwise skip this step), configure $FWDIR/conf/fwopsec.conf to not allow LEA by commenting out these lines:
From:
#
lea_server auth_port 18184
lea_server port 0
#
---->
To:
#
# lea_server auth_port 18184
# lea_server port 0
#
3. Install the log exporter according to the installation guide above.
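Step 2 above as an added example that is not part of the original sk: a function that comments out the two lea_server lines in fwopsec.conf with POSIX sed (no GNU -i, so it behaves identically on Gaia and on a test host), keeps a timestamped backup, and is safe to run twice. The file path is taken as an argument so the change can be rehearsed on a copy; the file contents used in the test are constructed from the before/after listing above.

```shell
#!/bin/sh
# Added example for sk122323: disable the LEA server in fwopsec.conf by commenting out
# the lea_server lines, as step 2 of the LEA transition describes.

# lea_enabled FILE: returns 0 if an active (uncommented) lea_server line is present.
lea_enabled() {
    grep -q '^[[:space:]]*lea_server' "$1"
}

# disable_lea FILE: idempotent; lines that are already commented are left untouched.
# Writing back with cat keeps the original file's owner and permissions.
disable_lea() {
    f=$1
    cp -p "$f" "$f.bak.$(date +%Y%m%d%H%M%S)" || return 1
    sed -e 's/^[[:space:]]*lea_server[[:space:]][[:space:]]*auth_port/# &/' \
        -e 's/^[[:space:]]*lea_server[[:space:]][[:space:]]*port/# &/' "$f" > "$f.tmp" &&
    cat "$f.tmp" > "$f" && rm -f "$f.tmp"
}

# On the management server, once no other LEA client needs the server:
#   disable_lea "$FWDIR/conf/fwopsec.conf"
```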
Transition from CPLogToSyslog to Log exporter
Recommended method to move from the existing CPLogToSyslog to the new log exporter.
Troubleshooting
Scenario: Logs are not exported after adding a filter to FilterConfiguration.xml or with the cp_log_export command.
Cause: cp_log_export writes the default field names into FilterConfiguration.xml, whereas the filter must use the exported (mapped) field name, so the filter matches no log.
Solution:
Go to the relevant XXXFieldsMapping.xml and look for the relevant mapped field.
Find the element named <dstName> and copy its value.
Open <exporter-dir>/conf/FilterConfiguration.xml and replace the field name with the copied one.
Scenario: A field is set to exported=false in the FieldsMapping file but is still exported. For example, layer_uuid is set to export=false, yet it still appears in the exported logs.
Cause: The field is part of a table in the log, and the standard per-field configuration does not apply to table fields.
Solution: To prevent these fields from being exported:
Go to $EXPORTERDIR/targets/<exporter_name>/conf/
Modify the 'Fields Mapping' file you use (the one matching the format you export) and look for the tag <tableName>match_table</tableName>.
If it does not exist, add the following lines inside the 'fields' tag:
If you want to change this environment, you must first consult with your Check Point partner or vendor. This release is built for the specific environment. Upgrades or other changes can overwrite Hotfix functionality and environment customizations.
When exporting logs from a certain domain using UDP protocol, the exported log's header will contain the MDS IP and not the CMA/CLM's IP.
loguid - Some Check Point logs are updated over time. Update logs carry the same loguid value, and the Check Point SmartLog client correlates those updates into a single unified log.
When update logs are sent to third-party (SIEM) servers in the default raw read-mode, they arrive as distinct logs. Prefer the semi-unified read-mode, which sends several instances of the log, each containing the entire event chain up to that update. Alternatively, admins can use the loguid field to correlate the update logs and reconstruct the full event chain themselves.
Note: In semi-unified mode, all related logs and log updates share the same initial time as the first log.
Examples of update logs include the total number of bytes sent and received over time, or the severity field, which is updated as more information becomes available.
hll_key - hll_key stands for High-Level Log key. This concept was introduced in R80.10: multiple connection logs can comprise one session that shares one hll_key. For example, browsing a web page can produce several connection logs that belong to the same session; connection logs that are part of the same session share the same hll_key value.
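The SIEM-side correlation the loguid note above leaves to the admin, as an added example that is not part of the original sk: raw-mode update logs are merged by loguid into one record per event, later updates overwriting earlier field values (bytes, severity) while the time of the first log is kept, which is the semi-unified behaviour the note describes. The sample lines are constructed key=value records separated by "|", not real Check Point output; the awk is this example's code.

```shell
#!/bin/sh
# Added example for sk122323: correlate raw-mode update logs by loguid on the SIEM side.
# Sample lines are constructed (key=value pairs separated by "|"), not real Check Point logs.
SAMPLE_RAW='time=1614556800|loguid={0x1,0x2,0x3,0x4}|origin=10.1.1.1|action=accept|severity=Informational|bytes=0
time=1614556801|loguid={0x9,0x9,0x9,0x9}|origin=10.1.1.1|action=drop|severity=High
time=1614556860|loguid={0x1,0x2,0x3,0x4}|origin=10.1.1.1|action=accept|bytes=4096
time=1614556920|loguid={0x1,0x2,0x3,0x4}|origin=10.1.1.1|action=accept|severity=High|bytes=81920'

# unify_by_loguid: reads raw logs on stdin and prints one line per loguid. Later updates
# overwrite earlier field values, except time, which keeps the first log's value (as the
# semi-unified note above states). Lines without a loguid stay as they are. An updates=N
# field records how many raw logs were merged into the record.
unify_by_loguid() {
    awk -F'|' '
    function setf(id, k, v) {
        if (!((id, k) in val)) { nk[id]++; korder[id, nk[id]] = k }
        else if (k == "time") return
        val[id, k] = v
    }
    {
        id = "line:" NR
        for (i = 1; i <= NF; i++) if (substr($i, 1, 7) == "loguid=") id = substr($i, 8)
        if (!(id in seen)) { seen[id] = 1; order[++n] = id }
        updates[id]++
        for (i = 1; i <= NF; i++) {
            eq = index($i, "="); if (eq == 0) continue
            setf(id, substr($i, 1, eq - 1), substr($i, eq + 1))
        }
    }
    END {
        for (j = 1; j <= n; j++) {
            id = order[j]; line = ""
            for (m = 1; m <= nk[id]; m++) {
                k = korder[id, m]
                line = line (m > 1 ? "|" : "") k "=" val[id, k]
            }
            print line "|updates=" updates[id]
        }
    }'
}

# unified_field LOGUID KEY: value of KEY in the unified record for LOGUID (from SAMPLE_RAW).
unified_field() {
    printf '%s\n' "$SAMPLE_RAW" | unify_by_loguid |
        awk -F'|' -v id="$1" -v key="$2" '
        index($0, "loguid=" id "|") {
            for (i = 1; i <= NF; i++)
                if (substr($i, 1, length(key) + 1) == (key "=")) print substr($i, length(key) + 2)
        }'
}

# unified_count: number of unified records produced from SAMPLE_RAW.
unified_count() { printf '%s\n' "$SAMPLE_RAW" | unify_by_loguid | wc -l | tr -d ' '; }
```

The four raw lines collapse to two records: the accept connection ends with severity=High and bytes=81920 but still carries the first log's time, and the drop log, which was never updated, passes through with updates=1.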
Syslog-NG Listener configuration
When configuring a source on a Syslog NG server it is recommended to use the syslog-protocol flag.
For example: source s_network { network(transport("tcp") port(514) flags(syslog-protocol) ); };
Splunk Listener configuration
It is recommended to add these time settings to your sourcetype:
The Log Exporter solution doesn't work with the OPSEC LEA connector. Instead, you must install ArcSight Syslog-NG connector.
ArcSight Common Event Format (CEF) Mapping
CEF is an extensible, text-based format designed to support multiple device types by offering the most relevant information. Message syntaxes are reduced to work with ESM normalization. Specifically, CEF defines a syntax for log records comprised of a standard header and a variable extension, formatted as key-value pairs. The CEF format can be used with on-premise devices by implementing the ArcSight Syslog SmartConnector. CEF can also be used by cloud-based service providers by implementing the SmartConnector for ArcSight Common Event Format REST.
CEF Header format
Columns: Version | Device Vendor | Device Product | Device Version | Device Event Class ID | Name | Severity
Default: CEF:0 | Check Point | Log Update | Check Point | Log | Log | 0
Values: - | - | Product Name (Blade) | - | the remaining three columns (Device Event Class ID, Name, Severity) are filled from the following log fields, listed in the page's order because the column boundaries were lost when the table was flattened: Attack Name, Protection Type, Verdict, Matched Category, DLP Data Type, Application Category, Application Properties, Protection Name, Application Name, Message Info, Service ID, Service, Application Risk, Risk, Severity
QRadar Log Event Extended Format (LEEF) Mapping
The Log Event Extended Format (LEEF) is a customized event format for IBM Security QRadar.
LEEF Header format
Columns: LEEF:Version | Vendor | Product | Version | EventID
Default: LEEF:2.0 | Check Point | Log Update | 1.0 | Check Point Log
Values: - | - | Product Name (Blade) | - | Protection Name, Application Name or Action
Note: The time format is not compliant with the official LEEF format. Until IBM adds support for the epoch time format, Log Exporter's LEEF format is only partially supported.
Note: Takes listed in the table below are related to the Log Exporter take and not the Jumbo take.
Oct 13, 2020
Updated Known Limitation section
Aug 19, 2020
Updated the Installation section
Jul 06, 2020
Edited R80.30 installation section
Jun 09, 2020
Changed note to: Audit logs exist on every Log Server
Apr 13, 2020
Updated Limitation for Filtering Configuration section
Feb 19, 2020
Updated to Check_Point_R80.20_JHF_T118_Log_Exporter_Enhancements_T5_sk122323_FULL.tgz which fixed an issue with ds.conf when installing on top of R80.20 Jumbo HF Take_118.
Jan 19, 2020
Added scenario to Troubleshooting section
Jan 1, 2020
Added LogRhythm format for R80.20 on top of JHF T118 and R80.30 on top of JHF T111.
Dec 12, 2019
Added Troubleshooting section.
Oct 2, 2019
Added SmartView links For R80.20 on top of Jumbo Hotfix Accumulator Take_103
July 8, 2019
Added "Log Fields Mapping for Advanced Fields Configuration" section
Issue ID - Description
take 51 (April 14, 2019)
SL-1822 - Installation of R80_10_JHF_LOGOUT fails because of the script updateExistingExporters.sh when there are no exporters on the server.
take 50 (March 5, 2019)
SL-2003 - Added filtering support; you can now decide which logs to export.
Take 43 (January 20, 2019)
PMTR-13842 - Added support for exporting logs to Check Point's new Splunk application.
SL-1817 - Log Exporter was getting stuck after 7 hours of uptime.
SL-1932 - Log Exporter could not be installed on top of R80.10 Jumbo HF Take_169 and above.