Log Exporter is a multi-threaded daemon service running on a Management Server / Log Server. The Log Exporter daemon reads each log, transforms it into the desired format and mapping, and sends it to the configured target. Therefore, we recommend deploying the Log Exporter on every server that contains logs to be exported.
On a Multi-Domain Security Management Server / Multi-Domain Log Server, if the Log Exporter is deployed on several Domains, each Domain Management Server has its own Log Exporter daemon. If you export the logs to several targets, each target has its own Log Exporter daemon.
The Log Exporter is implemented as the "ETL" procedure:
Extract - Reads incoming logs from the Security Gateway, stored in local files.
Transform - Changes the logs according to configuration files (both exported format and field name/values, removing irrelevant fields).
Load - Sends the logs to the configured target server over the TCP Syslog / UDP Syslog (takes into consideration the filter configuration, if it exists).
Data integrity - Log Exporter stops exporting when disconnected from the 3rd party server and remembers the last position exported. After the connection is established again, the Log Exporter automatically resumes exporting logs from the last known position.
The Log Exporter exports both online and offline (if any) logs in parallel. If the 3rd party server is slow, the Log Exporter reduces the offline exporting rate to prioritize the online logs over the offline logs.
Install this Log Exporter package on an R77.30 server - Multi-Domain Server, Multi-Domain Log Server, Security Management Server, Log Server, or SmartEvent Server.
cp_log_export add name <Name> [domain-server {mds | all}] target-server <HostName or IP address of Target Server> target-port <Port on Target Server> protocol {udp | tcp} format {syslog | splunk | cef | leef | generic | json | logrhythm | rsa} [<Optional Arguments>]
Important Notes:
The "domain-server" argument is mandatory on a Multi-Domain Security Management Server / Multi-Domain Log Server.
mds (in small letters) - Exports logs from only the MDS level.
all (in small letters) - Exports logs from all Domains.
The "target-server" argument can use either the target server IP address or its FQDN.
The above command creates a new target directory with the unique name specified in the "name" parameter in the $EXPORTERDIR/targets/ directory, and configures the target parameters with the connection details: IP Address, port, protocol, format, and read-mode.
By default, logs are exported in clear text. To export logs using encryption, see the section "Advanced Deployment - Additional Commands".
The Log Exporter daemon does not start automatically.
To start it, run:
cp_log_export restart
Advanced Deployment - Additional Commands
Advanced parameters for creating / modifying log exporters / targets
add
Deploys a new Log Exporter instance. Syntax: cp_log_export add name <Name> [domain-server {mds | all}] target-server <HostName or IP address of Target Server> target-port <Port on Target Server> protocol {udp | tcp} format {syslog | splunk | cef | leef | generic | json | logrhythm | rsa} [<Optional Arguments>]
set
Updates an existing Log Exporter instance configuration. Syntax: cp_log_export set name <Name> [<Optional Arguments>]
delete
Removes an existing Log Exporter instance. Syntax: cp_log_export delete name <Name>
show
Prints the current configurations of the existing Log Exporter instances. Syntax: cp_log_export show [<Optional Arguments>]
status
Prints the overview statuses of the existing Log Exporter instances. Syntax: cp_log_export status [<Optional Arguments>]
start
Starts the Log Exporter instance. Syntax: cp_log_export start name <Name>
stop
Stops the Log Exporter instance. Syntax: cp_log_export stop name <Name>
reconf
Applies the Log Exporter configuration to all existing Log Exporter instances, or to a specified Log Exporter instance. Syntax: cp_log_export reconf [name <Name>]
restart
Restarts the Log Exporter instance. Syntax: cp_log_export restart name <Name>
reexport
Resets the current read position and re-exports all logs per the Log Exporter instance configuration. Syntax:
cp_log_export reexport name <Name> --apply-now
cp_log_export reexport name <Name> start-position <Position of Last Exported Log> --apply-now
cp_log_export reexport name <Name> start-position <Position of Gap Start> end-position <Position of Gap End> --apply-now
Parameters

For every parameter, the last line states whether it is Mandatory, Optional or not applicable (N/A) for the "add", "set", "delete", "reconf", "show / status / start / stop / restart" and "reexport" commands.

name <Name>
Description: Specifies a unique name for the Log Exporter configuration. Allowed characters are: Latin letters, digits ("0-9"), minus ("-"), underscore ("_"), and period ("."). Must start with a letter. The minimum length is two characters.
add: Mandatory | set: Mandatory | delete: Mandatory | reconf: Optional (default is "all") | show, status, start, stop, restart: Optional (default is "all") | reexport: Mandatory

domain-server {mds | all}
Description: On a Multi-Domain Server, specifies the applicable Domain Management Server context. On a Multi-Domain Log Server, specifies the applicable Domain Log Server context.
add: Mandatory | set: Mandatory | delete: Mandatory | reconf: N/A | show, status, start, stop, restart: Optional (default is "all") | reexport: Mandatory

target-server <Target-Server>
Description: Specifies the IP address or FQDN of the target server, to which you export the logs.
add: Mandatory | set: Optional | delete: N/A | reconf: N/A | show, status, start, stop, restart: N/A | reexport: N/A

target-port <Target-Server-Port>
Description: Specifies the listening port on the target server, to which you export the logs.
add: Mandatory | set: Optional | delete: N/A | reconf: N/A | show, status, start, stop, restart: N/A | reexport: N/A

protocol {tcp | udp}
Description: Specifies the transport protocol to use (TCP or UDP).

filter-origin-in {"Origin1","Origin2",... | false}
Description: Specifies whether to export all logs that contain a specific value in the "Origin" field (the object name of the Security Gateway / Cluster Member that generated these logs). Each origin value must be surrounded by double quotes (""). Multiple values are supported and must be separated by a comma without spaces.
add: Optional | set: Optional | delete: N/A | reconf: N/A | show, status, start, stop, restart: N/A | reexport: N/A

filter-blade-in {"Blade1","Blade2",... | false}
Description: Specifies whether to export all logs that contain a specific value in the "Blade" field (the object name of the Software Blade that generated these logs). Each value must be surrounded by double quotes (""). Multiple values are supported and must be separated by a comma without spaces.
To see all valid values: in SmartConsole, go to the Logs & Monitor view and open the Logs tab. In the top query field, enter blade: and a letter.
Valid Software Blade families: Access, TP, Endpoint, Mobile.
add: Optional | set: Optional | delete: N/A | reconf: N/A | show, status, start, stop, restart: N/A | reexport: N/A

--apply-now
Description: Applies immediately any change that was done with the "add", "set", "delete", or "reexport" command.
add: Optional | set: Optional | delete: Mandatory | reconf: N/A | show, status, start, stop, restart: N/A | reexport: Mandatory

export-link {true | false}
Description: Specifies whether to add a field to the exported logs that represents a link to SmartView that shows the log card. Default: false
add: Optional | set: Optional | delete: N/A | reconf: N/A | show, status, start, stop, restart: N/A | reexport: N/A

export-attachment-link {true | false}
Description: Specifies whether to add a field to the exported logs that represents a link to SmartView that shows the log card and automatically opens the attachment. Default: false
add: Optional | set: Optional | delete: N/A | reconf: N/A | show, status, start, stop, restart: N/A | reexport: N/A

export-link-ip {true | false}
Description: Specifies whether to make the links to SmartView use a custom IP address (for example, for a Log Server behind NAT). Applicable only when the value of the "export-link" argument is "true", or the value of the "export-attachment-link" argument is "true". Default: false
add: Optional | set: Optional | delete: N/A | reconf: N/A | show, status, start, stop, restart: N/A | reexport: N/A

export-attachment-ids {true | false}
Description: Specifies whether to add a field to the exported logs that represents the ID of the log's attachment (if one exists). Default: false. Supported on Management Servers / Log Servers R81 and higher.
add: Optional | set: Optional | delete: N/A | reconf: N/A | show, status, start, stop, restart: N/A | reexport: N/A

reconnect-interval {<Number> | default}
Description: Specifies the interval (in minutes) after which the Log Exporter must connect again to the target server after the connection is lost. To disable, enter the value "default". There is no default value. Supported on Management Servers / Log Servers R81.10 and higher.
add: Optional | set: Optional | delete: N/A | reconf: N/A | show, status, start, stop, restart: N/A | reexport: N/A

export-log-position {true | false}
Description: Specifies whether to export the log's position. Default: false. Supported on Management Servers / Log Servers R81.10 and higher.
add: Optional | set: Optional | delete: N/A | reconf: N/A | show, status, start, stop, restart: N/A | reexport: N/A

time-in-milli {true | false}
Description: Specifies whether to export logs with the time resolution in milliseconds. Default: false. Supported on Management Servers / Log Servers R81 and higher.
add: Optional | set: Optional | delete: N/A | reconf: N/A | show, status, start, stop, restart: N/A | reexport: N/A
Important Note - Using 'filter-action-in' / 'filter-origin-in' / 'filter-blade-in' replaces any filter configuration that was declared earlier for these fields directly in the filtering XML. Filters on other fields are not overridden.
Advanced Configuration After the Deployment
Modifying Log Exporter instance configuration without using the deployment script
After deploying a new instance of Log Exporter, all files related to that deployment can be found in: $EXPORTERDIR/targets/<Name of Log Exporter Configuration>
On a Multi-Domain Security Management Server / Multi-Domain Log Server, the environment variable EXPORTERDIR exists in each Domain, and its value changes automatically when you switch between Domain contexts with the "mdsenv" command.
Note - You must restart the Log Exporter instance for the new settings to take effect. Run the "cp_log_export restart" command.
If you customized the configuration files of a Log Exporter instance, then after an upgrade you will not get the updated configuration of the latest version. To get the latest configuration files, do these steps:
1. Go to targetConfiguration.xml
2. Delete the path of the new configuration from the file.
3. Restart the Log Exporter instance.
Target Configuration XML
The Log Exporter configuration for the target server is saved in: $EXPORTERDIR/targets/<Name of Log Exporter Configuration>/targetConfiguration.xml
These are some configuration options:

<version></version>
Description: The current Log Exporter version - used for upgrades.

<is_enabled></is_enabled>
Description: Determines whether the process is monitored by the watchdog.
Valid / Default Values: true, false
Destination Parameters

type
Description: Reserved for future use

<ip></ip>
Description: The IP address or FQDN of the target server
Valid / Default Values: Any IPv4 address or FQDN

<port></port>
Description: The port on which the target server is listening
Valid / Default Values: Any valid port number

<protocol></protocol>
Description: The Layer 4 protocol to use
Valid / Default Values: TCP or UDP

<reconnect_interval></reconnect_interval>
Description: Determines how frequently to start the connection to the target server again after it is lost
Valid / Default Values: Number of minutes
Security Parameters
Discussed in more detail in the "TLS Configuration" section.

<security></security>
Description: Determines whether the connection data is sent in clear text or encrypted.
Valid / Default Values: clear (clear text - this is the default), tls (encrypted)

<pem_ca_file></pem_ca_file>
Description: The location of the root Certificate Authority PEM file.

<p12_certificate_file></p12_certificate_file>
Description: The location of the client key pair in the P12 format.

Challenge phrase element
Description: The challenge phrase that was used to create the P12 certificate. The value is hashed after restarting the process.
Source Parameters

<folder></folder>
Description: The path where the log files are located
Valid / Default Values: The default location is $FWDIR/log/

<log_files></log_files>
Description: Determines which log records to export or how far back to read the log records from the $FWDIR/log/fw.log file
Valid / Default Values:
<Number> - reads logs from the specified number (default=1) of days back (recommended)
<Specific File Name> - reads logs from the specified file
on-line
If no value is specified, uses 'on-line'

<log_types></log_types>
Description: Determines which logs to export based on their type
Valid / Default Values: all (default), log, audit

<read_mode></read_mode>
Description: Determines whether to export complete logs or only their delta.
Valid / Default Values: semi-unified (default since R81), raw
Resolver Parameters

<mappingConfiguration></mappingConfiguration>
Description: Configures the XML file that contains the log field mapping scheme. If left empty, uses the default settings.
Valid / Default Values: Default values are based on the 'format'.

<exportAllFields>true</exportAllFields>
Description: When this field is set to 'true', all log fields are sent regardless of whether they appear in the mapping scheme, except for specifically black-listed fields in the relevant log format mapping file (<exported>false</exported>). When this field is set to 'false', only those fields which appear in the relevant log format mapping file are sent (with the exported flag set to 'true': <exported>true</exported>).
Valid / Default Values: true, false
Format Parameters

<formatHeaderFile></formatHeaderFile>
Description: Configures the XML file that contains the log header format scheme. If left empty, uses the default settings.
Valid / Default Values: Default values are based on the 'format'.
General Filter Configuration Path

<dynamicFilter></dynamicFilter>
Description: Configures the XML file that contains the filtering configuration. If left empty, uses the default settings.
Valid / Default Values: The default path is: conf/FilterConfiguration.xml
SmartView links parameters

export_log_link
Description: Adds a field to the exported log that represents a link to SmartView that shows the log card.
Valid / Default Values: true, false (default)

export_attachment_link
Description: Adds a field to the exported log that represents a link to SmartView that shows the log card and automatically opens the attachment.
Valid / Default Values: true, false (default)

export_link_ip
Description: Makes the 'export_log_link' and the 'export_attachment_link' use a customized IP address (for example, for a Log Server behind NAT).
Valid / Default Values: empty (default), IPv4 Address
Parameters to filter out the Security Gateway connections
This configuration allows the Log Exporter instance to filter out the Security Gateway traffic logs for several Software Blades ('Firewall-1 & VPN-1', 'HTTPS Inspection' and 'Security Gateway/Management').
Note - Security Gateway session logs are still exported (generated by tracking a Security Gateway rule per session).

<filter filter_out_by_connection="false">
Description: Determines whether to filter out the access logs.
Note: No other Software Blade filters are currently supported. This is planned in future releases.
Valid / Default Values: true (filters out the connection logs), false
Limitation: HTTPS Inspection logs, Security Gateway logs that were not generated from rules, and a few NAT update logs are still exported.
Every format has its own predefined format configuration file that configures the format of the exported logs, the delimiters, fields that are part of the header, and so on.
These files are located in: $EXPORTERDIR/targets/<Name of Log Exporter Configuration>/conf/*FormatDefinition.xml
Note: Do not edit the original *FormatDefinition.xml files. Doing so causes a data loss after an upgrade. Instead, create a copy of the file and modify the copied file, while leaving the original intact. After modifying the copied file, refer to it (using a full path) in the <formatHeaderFile> element in the relevant targetConfiguration.xml file.
The escape functionality replaces the string that is encapsulated by the 'orig' tags with the one encapsulated by the 'escaped' tags (orig --> escaped):
;\ --> \\
" --> \"
--> ' '
] --> \]
| --> ;
= --> \=
--> ' '
= --> \=
--> ' '
;\ --> \\
= --> \=
--> ' '
| --> \|
= --> \=
--> ' '
| --> ;
= --> \=
--> ' '
\ --> \\
" --> '
--> ' '
Header
Parameter
Description
Default values for Syslog
Default values for Splunk
Default values for RSA
Default values for CEF
Default values for LogRhythm
<header_format></header_format>
The delimiter between the header values and the number of values. Every {} is replaced with one value.
' ' (space)
time={}|hostname={}|
<134>
| ;
LOGV2 {}|
Notes:
To add a constant string to the header, add the string to the <header_format> tag value.
To add a new field to the header, add a new header format replacement string (for example: {}) to the <header_format> and add the relevant information in the <headers> tag.
Every format has its own predefined fields configuration file that allows you to change the name / value of the exported field, filter out irrelevant fields, and so on.
These files are located under each deployment directory: $EXPORTERDIR/targets/<Name of Log Exporter Configuration>/conf/*FieldsMapping.xml
Note: Do not edit the original *FieldsMapping.xml files. Doing so causes a data loss after an upgrade. Instead, create a copy of the file and modify the copied file, while leaving the original intact. After modifying the copied file, refer to it (using a full path) in the <mappingConfiguration> element in the relevant targetConfiguration.xml file.
<table>
Description: Some fields appear in tables depending on the log format. This information can be found in the ELG log - one entry for every new field. A field can appear in multiple tables; each distinct instance is considered a new field.

<exported></exported>
Description: Optional. You can filter out specific fields by using the 'exported' tag (value: true, or false) in the mapping configuration file. Alternatively, if the 'exportAllFields' tag in the 'targetConfiguration.xml' file is set to 'false', only those fields which are listed in the mapping file are exported.
Note - This parameter can also be configured on a table field level to allow / prevent its export when the field is part of a table.
Values: true, false

<origName></origName>
Description: The name of the field to be mapped to <dstName>. Refer to Log Fields Mapping for Advanced Fields Configuration.

<dstName></dstName>
Description: The new mapping scheme name for the desired field.

<required></required>
Description: Optional. When set to 'true', only logs which contain this field are exported.
How to set up a secured connection between the Log Exporter and the Syslog server
Log Exporter can export logs over an encrypted connection using the TLS protocol.
When using TLS, it is important to know that only mutual authentication is allowed.
For mutual authentication, the Log Exporter needs these certificates:
CA certificate (in the PEM format) that signed both the client (Log Exporter side) and server (syslog server side) certificates
Client certificate (in the P12 format) on the Management Server / Log Server with Log Exporter
Notes:
The Management Server / Log Server with Log Exporter must be able to connect to the CA.
In addition to these two certificates, a third certificate should be installed on the Syslog server (based on the server requirement). It is also possible to use self-signed certificates.
The procedure below uses the openssl commands on a non-Check Point server.
You are prompted to provide information regarding the certificate. Apart from the Common Name (it is recommended to use the device IP address as the Common Name), all other fields are optional and can be skipped. If you are purchasing an SSL certificate from a certificate authority, it often requires these additional fields.
Note: Several SIEM applications require the Server certification to be in a specific format. For more information, refer to the section "SIEM Specific instructions".
The Log Exporter can filter logs based on the field values.
Because field mapping is done before the actual filtering, make sure to use the dstName / value of the fields if they are configured specifically in the *FieldsMapping.xml file (based on the format). Otherwise, use the name / value as written in the raw log file.
It is possible to configure what to export or what not to export.
The filter configuration file is located in: $EXPORTERDIR/targets/<Name of Log Exporter Configuration>/conf/FilterConfiguration.xml
<filterGroup operator=""></filterGroup>
Description: A group of fields that determine what to export. There can be only one such parameter in the FilterConfiguration.xml file. The relation between the fields is determined by the operator value. Refer to Log Fields Mapping for Advanced Fields Configuration.
Valid / Default Values: operator [and | or]

Field filter (one per filtered field, inside the filter group)
Description: Declares a single field filter that participates in the filter group.
name - The name of the field to filter on.
operator - Declares the operator (and / or) between the various declared operations.
operation - Declares the matching logic regarding the declared value.
value - The specific value to filter on. Multiple values for a single operation are supported and should be added as separate rows.
Valid / Default Values: operator [and | or]; operation [eq - equal | neq - not equal | gt - greater than | lt - less than]
These are the ways to configure the filtering feature:

Using the cp_log_export command
This command configures filtering for the Action / Blade / Origin fields only.
The syntax is (the values must NOT be separated by spaces):
cp_log_export set name <name> filter-action-in "value1,value2"
cp_log_export set name <name> filter-origin-in "value1,value2"
cp_log_export set name <name> filter-blade-in "value1,value2"
In addition, it is possible to use predefined families as the "filter-blade-in" value:
Access - For exporting Access logs only (Security Gateway/Management, VPN-1 & FireWall-1, Firewall, Application Control, URL Filtering, Content Awareness, Connectra, Mobile Access, Compliance blade, Core, DDoS Protector, Identity Awareness, Identity Logging, UA WebAccess).
TP - For exporting Threat Prevention logs only (Anti-Bot, Anti-Malware, Threat Emulation, IPS, IPS-1, SmartDefense, Anti-Virus, New Anti-Virus, Anti-Spam and Email Security, Threat Extraction, MTA).
EndPoint - For exporting Endpoint logs only (Anti-Bot, Anti Malware, Threat Emulation, IPS, IPS-1, SmartDefense, Anti-Virus, New Anti-Virus, Anti-Spam and Email Security, Threat Extraction, MTA).
Mobile - For exporting Mobile logs only (WIFI Network, Mobile App, OS Exploits, Device, Network Security, Cellular Network, Network Access, iOS Profiles, Text Message, On-device Network Protection).
Example:
cp_log_export set name <name> filter-blade-in Access,TP,EndPoint

Modifying the FilterConfiguration.xml file manually

The relation between the values of the same operation is only a logical "OR".
Example:
cp_log_export set name <target-name> filter-action-in "accept,drop"
Only logs with action = "accept" OR action = "drop" are exported.
Filtering is not supported for any of these fields:
app_category
app_desc
app_properties
app_risk
app_rule_name
appi_name
category
cvpn_category
cvpn_resource
desc
HTTPS_inspection_rule_name
matched_category
name
properties
time
UUID
Filtering a certain field with a double "NOT" condition "not equal(value1) OR not equal(value2)" is not supported. When editing the filtering XML, make sure to have a maximum of one line of "neq" operation in each field.
Log Fields Mapping for Advanced Fields Configuration
The Check Point Infinity solution includes multiple log fields, representing the diversity of Check Point's products. The log fields mapping helps you understand security threats, the logs' language, complex queries and SIEM integration.
For information on Check Point's Log Fields Mapping, refer to sk144192.
SIEM Specific instructions
How to configure SIEM applications to receive logs optimally.
By default, Rsyslog is not configured to use the RFC 5424 timestamp format. Therefore, you should manually change the Rsyslog setting for it to be compliant with the Log Exporter output format.
On the Rsyslog server:
Edit the /etc/rsyslog.conf file.
Comment out this line (add the # character in the beginning), if it is not commented out already:
Delete the OPSEC application object from SmartConsole R80.10 and higher / SmartDashboard R77.30, if you only use it for the OPSEC application. Alternatively, remove the LEA client entity from it, if you do not use it:
If this is the only OPSEC LEA client, configure the $FWDIR/conf/fwopsec.conf file (on the Check Point Management Server / Log Server) to not allow LEA (if this is not the only OPSEC LEA client, skip this step):
Change these lines:
From:
#
lea_server auth_port 18184
lea_server port 0
#
To:
#
#lea_server auth_port 18184
#lea_server port 0
#
Install the Log Exporter. See the Installation section.
Transition from CPLogToSyslog to Log Exporter
Recommended method to move from the existing CPLogToSyslog to the new log exporter.
Logs are not exported after adding a filter to the FilterConfiguration.xml file, or by using the cp_log_export command.
cp_log_export adds the default values to the FilterConfiguration.xml file, while the field names should be the same as the exported (mapped) names. Otherwise, the filter mechanism does not match any log.
In the relevant XXXFieldsMapping.xml file, look for the relevant mapped field.
Find the element named <dstName> and copy it.
Edit the <exporter-dir>/conf/FilterConfiguration.xml file.
Replace the field name to the previously copied one.
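The filter semantics from the Filtering section (a single filterGroup, and/or between fields and operations, OR between the values of one operation, at most one "neq" value per field) and the unmapped-name scenario just described, as an added Python model that is not Check Point code. The XML nesting (filterGroup > field > operation > value), the FIELDS_MAPPING table and the log records are assumptions constructed for this example.

```python
"""Model of how Log Exporter applies its filter after field mapping.

Added example, not Check Point code. The XML layout (filterGroup -> field ->
operation -> value) is an ASSUMPTION: the article names these elements and
attributes but does not show their exact nesting.
"""
import xml.etree.ElementTree as ET

# Constructed stand-in for a *FieldsMapping.xml table (origName -> dstName).
FIELDS_MAPPING = {"action": "act", "product": "product", "bytes": "bytes"}

# Constructed filter: (act is accept OR drop) AND (bytes > 0 AND bytes != 999999).
# Field names are the mapped (dstName) names, as the article requires.
SAMPLE_FILTER_XML = """<filterGroup operator="and">
  <field name="act" operator="or">
    <operation name="eq">
      <value>accept</value>
      <value>drop</value>
    </operation>
  </field>
  <field name="bytes" operator="and">
    <operation name="gt"><value>0</value></operation>
    <operation name="neq"><value>999999</value></operation>
  </field>
</filterGroup>"""


def parse_filter(xml_text):
    """Return (group_operator, [(field, field_operator, [(operation, values)])]).

    Rejects more than one neq value per field: "neq v1 OR neq v2" is always
    true, which the article lists as unsupported.
    """
    root = ET.fromstring(xml_text)
    if root.tag != "filterGroup":
        raise ValueError("expected a single <filterGroup> root element")
    fields = []
    for field in root.findall("field"):
        ops = [(op.get("name"), [v.text.strip() for v in op.findall("value")])
               for op in field.findall("operation")]
        if sum(len(vals) for name, vals in ops if name == "neq") > 1:
            raise ValueError(f"field {field.get('name')!r}: at most one neq value")
        fields.append((field.get("name"), field.get("operator", "and"), ops))
    return root.get("operator", "and"), fields


def _match(operation, actual, wanted):
    if operation == "eq":
        return actual == wanted
    if operation == "neq":
        return actual != wanted
    try:  # gt / lt compare numerically when both sides parse as numbers
        left, right = float(actual), float(wanted)
    except ValueError:
        left, right = actual, wanted
    return left > right if operation == "gt" else left < right


def _combine(operator, results):
    return all(results) if operator == "and" else any(results)


def map_fields(raw_log):
    """Rename origName keys to dstName keys; mapping runs BEFORE filtering."""
    return {FIELDS_MAPPING.get(key, key): value for key, value in raw_log.items()}


def should_export(filter_cfg, raw_log):
    group_operator, fields = filter_cfg
    log = map_fields(raw_log)
    field_results = []
    for name, field_operator, ops in fields:
        if name not in log:  # an unknown (e.g. unmapped) name never matches
            field_results.append(False)
            continue
        # Values of one operation are OR-ed; operations are joined by the field operator.
        op_results = [any(_match(op, log[name], v) for v in values) for op, values in ops]
        field_results.append(_combine(field_operator, op_results))
    return _combine(group_operator, field_results)


def unmapped_filter_fields(filter_cfg):
    """Filter field names that are origNames with a different dstName: such a
    filter silently matches nothing (the Troubleshooting scenario above)."""
    return [name for name, _, _ in filter_cfg[1] if FIELDS_MAPPING.get(name, name) != name]


if __name__ == "__main__":
    cfg = parse_filter(SAMPLE_FILTER_XML)
    print(should_export(cfg, {"action": "accept", "product": "Firewall", "bytes": "512"}))
```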
A field is set to export=false in the FieldsMapping file, but the field is still exported.
For example: the user sets "layer_uuid export=false", but keeps seeing this field as part of the log in the Log Server.
The field is part of a table in the log, and the standard configuration to filter out a field is not effective on a table field.
To prevent these fields from being exported, you need to:
Go to the $EXPORTERDIR/targets/<exporter_name>/conf/ directory.
Edit the "Fields Mapping" file you use (that corresponds to the format you export).
Look for 'match_table' tag:
<tableName>match_table</tableName>
Add the required lines:
If the 'match_table' tag does not exist, add these lines inside the 'fields' tag:
If you want to change this environment, you must first consult your Check Point partner or vendor. This release is built for the specific environment. Upgrades or other changes can overwrite Hotfix functionality and environment customizations.
On a Multi-Domain Security Management Server / Multi-Domain Log Server, when exporting logs from a certain Domain using the UDP protocol, the exported log's header contains the IP address of the Multi-Domain Server and not the IP address of the Domain Management Server / Domain Log Server.
Log Exporter is only supported for Quantum appliances and not Quantum Spark. For Quantum Spark appliances, use the WebUI to set up a syslog server to send logs to.
Some Check Point logs are updated over time. Update logs have the same loguid value. The Check Point SmartLog client correlates those updates into a single unified log.
When update logs are sent to 3rd party (SIEM) servers in raw read-mode, they arrive as distinct logs. It is best to use the semi-unified read-mode, which sends a few instances of the log, each containing the entire event chain up to that update. Administrators can alternatively use the loguid field to correlate update logs and get the full event chain themselves.
Note: All related logs and log updates share the same initial time as the 1st log (in semi-unified mode).
Examples of update logs include the total number of bytes sent and received over time, or the severity field, which is updated as more information becomes available.
hll_key
Stands for High-Level Log key. This concept was introduced in R80.10, where multiple connection logs can comprise one session with one shared hll_key.
For example, when browsing a webpage, you might have multiple connection logs that are related to the same session. Connection logs that are part of the same session share the same hll_key value.
Syslog-NG Listener configuration
When configuring a source on a Syslog NG server it is recommended to use the syslog-protocol flag.
The Log Exporter solution does not work with the OPSEC LEA connector. Instead, you must install the ArcSight Syslog-NG connector.
ArcSight Common Event Format (CEF) Mapping
CEF is an extensible, text-based format designed to support multiple device types by offering the most relevant information. Message syntaxes are reduced to work with ESM normalization. Specifically, CEF defines a syntax for log records comprised of a standard header and a variable extension, formatted as key-value pairs. The CEF format can be used with on-premise devices by implementing the ArcSight Syslog SmartConnector. CEF can also be used by cloud-based service providers by implementing the SmartConnector for ArcSight Common Event Format REST.
CEF Header format

Version
Default: CEF:0
Values: -

Device Vendor
Default: Check Point
Values: -

Device Product
Default: Log Update
Values: Product Name (Blade)

Device Version
Default: Check Point
Values: -

Device Event Class ID
Default: Log

Name
Default: Log

Values used for Device Event Class ID and Name: Attack Name, Protection Type, Verdict, Matched Category, DLP Data Type, Application Category, Application Properties, Protection Name, Application Name, Message Info, Service ID, Service

Severity
Default: 0
Values: Application Risk, Risk, Severity
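The CEF record layout described above (a pipe-separated header followed by a key=value extension), as an added Python example that is not Check Point or ArcSight code: a builder that applies the escaping each part needs and a parser that reverses it, so a pipe inside a header value or an "=" inside an extension value survives the round trip. The header and extension values are constructed samples.

```python
"""Build and parse CEF records as a SIEM must handle Log Exporter output:
header fields separated by '|' (escape '\\' and '|' inside them) and an
extension of key=value pairs (escape '\\' and '=' inside values).

Added example, not Check Point or ArcSight code; all sample values are constructed.
"""
import re

HEADER_FIELDS = ("vendor", "product", "version", "event_class_id", "name", "severity")
_KEY_RE = re.compile(r"(?:^|\s)([A-Za-z0-9_.-]+)=")  # start of a key=value pair


def _escape(value, special):
    # Backslash first, then the part-specific special character; newlines are
    # collapsed to a space so the record stays one syslog line.
    out = str(value).replace("\\", "\\\\").replace(special, "\\" + special)
    return out.replace("\r", " ").replace("\n", " ")


def build_cef(header, extension):
    head = "|".join(_escape(header[f], "|") for f in HEADER_FIELDS)
    ext = " ".join(f"{k}={_escape(v, '=')}" for k, v in extension.items())
    return f"CEF:0|{head}|{ext}"


def _unescape(text):
    out, i = [], 0
    while i < len(text):
        if text[i] == "\\" and i + 1 < len(text):
            out.append(text[i + 1]); i += 2
        else:
            out.append(text[i]); i += 1
    return "".join(out)


def _split_header(text, count):
    """Split off `count` '|'-separated header values (honouring '\\|'),
    returning them unescaped plus the untouched remainder (the extension)."""
    parts, cur, i = [], [], 0
    while i < len(text) and len(parts) < count:
        c = text[i]
        if c == "\\" and i + 1 < len(text):
            cur.append(text[i + 1]); i += 2
        elif c == "|":
            parts.append("".join(cur)); cur = []; i += 1
        else:
            cur.append(c); i += 1
    if len(parts) < count:
        raise ValueError("truncated CEF header")
    return parts, text[i:]


def _parse_extension(ext):
    keys = list(_KEY_RE.finditer(ext))
    result = {}
    for match, nxt in zip(keys, keys[1:] + [None]):
        end = nxt.start() if nxt else len(ext)   # value runs up to the next key
        result[match.group(1)] = _unescape(ext[match.end():end])
    return result


def parse_cef(line):
    prefix = "CEF:0|"
    if not line.startswith(prefix):
        raise ValueError("not a CEF version 0 record")
    values, rest = _split_header(line[len(prefix):], len(HEADER_FIELDS))
    return {"header": dict(zip(HEADER_FIELDS, values)), "extension": _parse_extension(rest)}


if __name__ == "__main__":
    sample = build_cef(
        {"vendor": "Check Point", "product": "Firewall", "version": "R81.10",
         "event_class_id": "Log", "name": "Drop | rule hit", "severity": "5"},
        {"act": "Drop", "src": "10.0.0.5", "msg": "policy=Standard\\Default"})
    print(sample)
    print(parse_cef(sample))
```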
QRadar Log Event Extended Format (LEEF) Mapping
The Log Event Extended Format (LEEF) is a customized event format for IBM Security QRadar.
LEEF Header format

LEEF:Version
Default: LEEF:2.0
Values: -

Vendor
Default: Check Point
Values: -

Product
Default: Log Update
Values: Product Name (Blade)

Version
Default: 1.0
Values: -

EventID
Default: Check Point Log
Values: Protection Name, Application Name, Action
Note: The time format is not compliant with the official LEEF format.
Until the time IBM adds support for Epoch time format, Log Exporter with LEEF format is only partially supported.
Improved the syntax description of the "reconf" sub-command
17 Oct 2022 - Improved the syntax description and article formatting
18 Nov 2021 - Known Limitations - Added Quantum Spark Appliances
26 Sep 2021 - Improved the article formatting
15 Aug 2021 - Updated that configuration in SmartConsole is available starting from R81
28 July 2021 - Added the RSA and JSON formats
13 July 2021 - Improved the article formatting
17 Mar 2021 - Updated the description of existing functionalities
13 Oct 2020 - Updated "Known Limitations" section
19 Aug 2020 - Updated the "Installation" section
06 July 2020 - Edited R80.30 installation section
09 June 2020 - Changed the note to "Audit logs exist on every Log Server"
13 Apr 2020 - Updated the "Limitations" in the "Filtering Configuration" section
19 Feb 2020 - Updated to Check_Point_R80.20_JHF_T118_Log_Exporter_Enhancements_T5_sk122323_FULL.tgz which fixed an issue with ds.conf when installing on top of R80.20 Jumbo Hotfix Accumulator Take 118.
19 Jan 2020 - Added a new scenario in the "Troubleshooting" section
01 Jan 2020 - Added the LogRhythm format on top of R80.20 JHF Take 118 and on top of R80.30 JHF Take 111
12 Dec 2019 - Added the "Troubleshooting" section
02 Oct 2019 - Added SmartView links on top of R80.20 JHF Take 103
08 July 2019 - Added the "Log Fields Mapping for Advanced Fields Configuration" section