Advanced Configuration

After you deploy a new instance of Log Exporter, all files related to that deployment are located in this directory:

$EXPORTERDIR/targets/<Name of Log Exporter Configuration>

Notes:

  • You must restart the Log Exporter instance for the new settings to take effect.

    Run the "cp_log_export restart" command.

  • On a Multi-Domain Security Management Server / Multi-Domain Log Server, the environment variable "$EXPORTERDIR" exists in each Domain, and its value changes automatically when you switch between Domain contexts with the "mdsenv" command.

Target Configuration File

The Log Exporter configuration for the target server is saved in this file:

$EXPORTERDIR/targets/<Name of Log Exporter Configuration>/targetConfiguration.xml

These are some configuration options:

| Parameter | Description | Valid / Default Values |
|---|---|---|
| <version></version> | The current Log Exporter version - used for upgrades. | |
| <is_enabled></is_enabled> | Determines whether the process is monitored by the watchdog. | true; false |

Destination Parameters

| Parameter | Description | Valid / Default Values |
|---|---|---|
| type | Reserved for future use | |
| <ip></ip> | The IP address or FQDN of the target server | Any IPv4 address or FQDN |
| <port></port> | The port on which the target server is listening | Any valid port number |
| <protocol></protocol> | The Layer 4 protocol to use | TCP or UDP |
| <reconnect_interval></reconnect_interval> | Determines how frequently to try to reconnect to the target server after the connection is lost | Number of minutes |

Security Parameters

For more information, see TLS Configuration.

| Parameter | Description | Valid / Default Values |
|---|---|---|
| <security></security> | Determines whether the connection data is sent in clear text or encrypted. | clear (clear text - this is the default); tls (encrypted) |
| <pem_ca_file></pem_ca_file> | The location of the root Certificate Authority PEM file. | |
| <p12_certificate_file></p12_certificate_file> | The location of the client key pair in the P12 format. | |
| <client_certificate_challenge_phrase></client_certificate_challenge_phrase> | The challenge phrase that was used to create the P12 certificate. The value is hashed after restarting the process. | |

Source Parameters

| Parameter | Description | Valid / Default Values |
|---|---|---|
| <folder></folder> | The path where the log files are located | The default location is $FWDIR/log/ |
| <log_files></log_files> | Determines which log records to export or how far back to read the log records from the $FWDIR/log/fw.log file | <Number>: reads logs from the specific number (default=1) of days back (recommended); <Specific File Name>: reads logs from the specified file; on-line; if no value is specified, uses 'on-line' |
| <log_types></log_types> | Determines which logs to export based on their type | all (default); log; audit |
| <read_mode></read_mode> | Determines whether to export complete logs or only their delta. | semi-unified (default in R81 and higher); raw |

Resolver Parameters

| Parameter | Description | Valid / Default Values |
|---|---|---|
| <mappingConfiguration></mappingConfiguration> | Configures the XML file that contains the log field mapping scheme. If left empty, uses the default settings. | Default values are based on the 'format'. |
| <exportAllFields>true</exportAllFields> | When this field is set to 'true', all log fields are sent regardless of whether they appear in the mapping scheme, except for specifically black-listed fields in the relevant log format mapping file (<exported>false</exported>). When this field is set to 'false', only those fields which appear in the relevant log format mapping file are sent (with exported flag set to 'true': <exported>true</exported>). | true; false |

Format Parameters

| Parameter | Description | Valid / Default Values |
|---|---|---|
| <formatHeaderFile></formatHeaderFile> | Configures the XML file that contains the log header format scheme. If left empty, uses the default settings. | Default values are based on the 'format'. |

General Filter Configuration Path

| Parameter | Description | Valid / Default Values |
|---|---|---|
| <dynamicFilter></dynamicFilter> | Configures the XML file that contains the filtering configuration. If left empty, uses the default settings. | The default path is: conf/FilterConfiguration.xml |

SmartView links parameters

| Parameter | Description | Valid / Default Values |
|---|---|---|
| export_log_link | Adds a field to the exported log that represents a link to SmartView that shows the log card. | true; false (default) |
| export_attachment_link | Adds a field to the exported log that represents a link to SmartView that shows the log card and automatically opens the attachment. | true; false (default) |
| export_link_ip | Makes the 'export_log_link' and the 'export_attachment_link' use a customized IP address (for example, for a Log Server behind NAT). | empty (default); IPv4 Address |

Parameters to filter out the Security Gateway connections

This configuration allows a Log Exporter instance to filter out the Security Gateway traffic logs for several Software Blades ('Firewall-1 & VPN-1', 'HTTPS Inspection' and 'Security Gateway/Management').

Note - Security Gateway session logs are still exported (generated by tracking a Security Gateway rule per session).

| Parameter | Description | Valid / Default Values |
|---|---|---|
| <filter filter_out_by_connection="false"> | Determines whether to filter out the access logs. Note - No other Software Blade filters are currently supported. This is planned for future releases. | true (filters out the connection logs); false |

Important - HTTPS Inspection logs, Security Gateway logs that are not generated from rules, and a few NAT update logs are still exported.
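
The settings above that affect transport protection and log visibility can be checked together. The following is an added example, not Check Point code: it parses a targetConfiguration.xml and reports clear-text export, TLS selected with empty certificate paths, an unmonitored process, and settings that reduce what reaches the target. The tag names come from the tables above; the element nesting, host name, port and file path in the sample are constructed assumptions, so the lookup matches tags anywhere in the tree.

```python
import xml.etree.ElementTree as ET

# Constructed sample. Tag names come from the parameter tables above; the
# nesting, host name, port and file path are assumptions for illustration.
SAMPLE = """<export>
  <is_enabled>true</is_enabled>
  <destination>
    <ip>siem.example.internal</ip><port>6514</port><protocol>tcp</protocol>
  </destination>
  <security>
    <security>tls</security>
    <pem_ca_file>/path/to/ca.pem</pem_ca_file>
    <p12_certificate_file></p12_certificate_file>
  </security>
  <resolver><exportAllFields>false</exportAllFields></resolver>
  <filter filter_out_by_connection="true"/>
</export>"""

def leaf(root, tag):
    """Text of the first childless element named `tag` ('' if absent/empty)."""
    for el in root.iter(tag):
        if len(el) == 0:
            return (el.text or "").strip()
    return ""

def audit(xml_text):
    """Return findings about transport protection and log visibility."""
    root = ET.fromstring(xml_text)
    findings = []
    mode = leaf(root, "security").lower() or "clear"  # 'clear' is the default
    if mode == "clear":
        findings.append("security=clear: logs are sent to the target in clear text")
    elif mode == "tls":
        for tag in ("pem_ca_file", "p12_certificate_file"):
            if not leaf(root, tag):
                findings.append(f"security=tls but <{tag}> is empty")
    else:
        findings.append(f"security={mode}: not one of clear/tls")
    if leaf(root, "is_enabled").lower() == "false":
        findings.append("is_enabled=false: process is not monitored by the watchdog")
    if leaf(root, "exportAllFields").lower() == "false":
        findings.append("exportAllFields=false: only mapped fields reach the target")
    for el in root.iter("filter"):
        if el.get("filter_out_by_connection", "").lower() == "true":
            findings.append("filter_out_by_connection=true: connection logs are not exported")
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print("-", finding)
```

To audit a deployed instance, pass the contents of $EXPORTERDIR/targets/<Name of Log Exporter Configuration>/targetConfiguration.xml to audit() instead of the sample.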

Configuration After an Upgrade

If you customized the configuration files in the Log Exporter instance, then after an upgrade you do not get the updated configuration of the latest version.

To get the latest configuration files, do these steps:

  1. Edit the targetConfiguration.xml file.

  2. Delete the path of the new configuration from the file.

  3. Restart the Log Exporter instance.