Deployment of Log Exporter in CLI

Basic Deployment of Log Exporter in CLI

Note - For basic deployment in SmartConsole, see Deployment of Log Exporter in SmartConsole.

Syntax for R77.30 and higher:

cp_log_export add name <Name> [domain-server {mds | all}] target-server <HostName or IP address of Target Server> target-port <Port on Target Server> protocol {udp | tcp} format {syslog | splunk | cef | leef | generic | json | logrhythm | rsa} [<Optional Arguments>]

Important:

  • The "domain-server" argument is mandatory on a Multi-Domain Security Management Server / Multi-Domain Log Server.

    • mds (lowercase) - Exports logs from only the MDS level.

    • all (lowercase) - Exports logs from all Domains.

  • The "target-server" argument can use either the target server IP address or its FQDN.

  • The above command creates a new target directory with the unique name specified in the "name" parameter in the $EXPORTERDIR/targets/ directory, and configures the target parameters with the connection details: IP Address, port, protocol, format, and read-mode.

  • By default, logs are exported in clear text. To export logs over an encrypted connection, see Advanced Deployment of Log Exporter in CLI.

  • The Log Exporter daemon does not start automatically.

    To start it, run:

    cp_log_export restart

Advanced Deployment of Log Exporter in CLI

CLI Syntax

cp_log_export <CLI Command> [<CLI Parameters>]

To see the built-in help, run:

cp_log_export <CLI Command> help

CLI Commands

Important - After you change the configuration of a Log Exporter instance, you must restart it:

cp_log_export restart name <Name>

Name

Description

add

Deploys a new Log Exporter instance.

Syntax:

cp_log_export add name <Name> [domain-server {mds | all}] target-server <HostName or IP address of Target Server> target-port <Port on Target Server> protocol {udp | tcp} format {syslog | splunk | cef | leef | generic | json | logrhythm | rsa} [<Optional Arguments>]

set

Updates an existing Log Exporter instance configuration.

Syntax:

cp_log_export set name <Name> [<Optional Arguments>]

delete

Removes an existing Log Exporter instance.

Syntax:

cp_log_export delete name <Name>

show

Prints the current configurations of the existing Log Exporter instances.

Syntax:

cp_log_export show [<Optional Arguments>]

status

Prints an overview of the statuses of the existing Log Exporter instances.

Syntax:

cp_log_export status [<Optional Arguments>]

start

Starts the Log Exporter instance.

Syntax:

cp_log_export start name <Name>

stop

Stops the Log Exporter instance.

Syntax:

cp_log_export stop name <Name>

reconf

Applies the Log Exporter configuration to all existing Log Exporter instances, or to a specified Log Exporter instance.

Syntax:

cp_log_export reconf [name <Name>]

restart

Restarts the Log Exporter instance.

You must run this command after you change the configuration of a Log Exporter instance.

Syntax:

cp_log_export restart name <Name>

reexport

Resets the current read position and re-exports all logs per the Log Exporter instance configuration.

Syntax to reexport immediately:

cp_log_export reexport name <Name> --apply-now

Syntax to reexport from the last exported position:

cp_log_export reexport name <Name> start-position <Position of Last Exported Log> --apply-now

Syntax to reexport from a specific position until a specific position:

cp_log_export reexport name <Name> start-position <Position of Gap Start> end-position <Position of Gap End> --apply-now

For example:

  • On a Security Management Server:

    cp_log_export reexport name <LogExporter Name> start-position 1715222525 end-position 1715243317 --apply-now

  • On a Multi-Domain Security Management Server:

    cp_log_export reexport name <LogExporter Name> domain-server <MyDomain> start-position 1715222525 end-position 1715243317 --apply-now

CLI Parameters

Each parameter below is listed with its description and its applicability to the commands add, set, delete, reconf, show / status / start / stop / restart, and reexport: Mandatory, Optional, or N / A when the command does not accept the parameter.

name <Name>

Specifies a unique name for the Log Exporter configuration.

  • Allowed characters are: Latin letters, digits ("0-9"), minus ("-"), underscore ("_"), and period (".").

  • Must start with a letter.

  • The minimum length is two characters.

Applicability: add - Mandatory; set - Mandatory; delete - Mandatory; reconf - Optional (default is "all"); show / status / start / stop / restart - Optional (default is "all"); reexport - Mandatory.

domain-server {mds | all}

  • On a Multi-Domain Server, specifies the applicable Domain Management Server context.

  • On a Multi-Domain Log Server, specifies the applicable Domain Log Server context.

Applicability: add - Mandatory; set - Mandatory; delete - Mandatory; reconf - N / A; show / status / start / stop / restart - Optional (default is "all"); reexport - Mandatory.

target-server <Target-Server>

Specifies the IP address or FQDN of the target server, to which you export the logs.

Applicability: add - Mandatory; set - Optional; all other commands - N / A.

target-port <Target-Server-Port>

Specifies the listening port on the target server, to which you export the logs.

Applicability: add - Mandatory; set - Optional; all other commands - N / A.

protocol {tcp | udp}

Specifies the transport protocol to use (TCP or UDP).

Applicability: add - Mandatory; set - Optional; all other commands - N / A.

format {generic | cef | json | leef | logrhythm | rsa | splunk | syslog}

Specifies the format, in which the logs are exported.

Default: syslog

Applicability: add - Optional; set - Optional; all other commands - N / A.

read-mode {raw | semi-unified}

Specifies the mode, in which to read the log files.

Default:

  • semi-unified - In R81 and higher

  • raw - In R80.40 and lower

Applicability: add - Optional; set - Optional; all other commands - N / A.

enabled {true | false}

Specifies whether to allow the Log Exporter to start when you run the cpstart or mdsstart command.

Default: true

Applicability: add - Optional; set - Optional; all other commands - N / A.

encrypted {true | false}

Specifies whether to use TLS (SSL) encryption to send the logs.

Default: false

Applicability: add - Optional; set - Optional; all other commands - N / A.

ca-cert <Path>

Specifies the full path to the CA certificate file *.pem.

Applicable only when the value of 'encrypted' is 'true'.

Applicability: add - Optional; set - Optional; all other commands - N / A.

client-cert <Path>

Specifies the full path to the client certificate *.p12.

Applicable only when the value of 'encrypted' is 'true'.

Applicability: add - Optional; set - Optional; all other commands - N / A.

client-secret <Phrase>

Specifies the challenge phrase used to create the client certificate *.p12.

Applicable only when the value of 'encrypted' is 'true'.

Applicability: add - Optional; set - Optional; all other commands - N / A.

filter-action-in {"Action1","Action2",... | false}

Specifies whether to export all logs that contain a specific value in the "Action" field.

  • Each value must be surrounded by double quotes ("").

  • Multiple values are supported and must be separated by a comma without spaces.

To see all valid values:

  1. In SmartConsole, go to the Logs & Monitor view and open the Logs tab.

  2. In the top query field, enter action: and a letter.

Applicability: add - Optional; set - Optional; all other commands - N / A.

filter-origin-in {"Origin1","Origin2",... | false}

Specifies whether to export all logs that contain a specific value in the "Origin" field (the object name of the Security Gateway / Cluster Member that generated these logs).

  • Each origin value must be surrounded by double quotes ("").

  • Multiple values are supported and must be separated by a comma without spaces.

Applicability: add - Optional; set - Optional; all other commands - N / A.

filter-blade-in {"Blade1","Blade2",... | false}

Specifies whether to export all logs that contain a specific value in the "Blade" field (the object name of the Software Blade that generated these logs).

  • Each value must be surrounded by double quotes ("").

  • Multiple values are supported and must be separated by a comma without spaces.

To see all valid values:

  1. In SmartConsole, go to the Logs & Monitor view and open the Logs tab.

  2. In the top query field, enter blade: and a letter.

Valid Software Blade families:

  • Access

  • TP

  • Endpoint

  • Mobile

Applicability: add - Optional; set - Optional; all other commands - N / A.

--apply-now

Applies immediately any change that was done with the "add", "set", "delete", or "reexport" command.

Applicability: add - Optional; set - Optional; delete - Mandatory; reconf - N / A; show / status / start / stop / restart - N / A; reexport - Mandatory.

export-link {true | false}

Specifies whether to add a field to the exported logs that represents a link to SmartView that shows the log card.

Default: false

Applicability: add - Optional; set - Optional; all other commands - N / A.

export-attachment-link {true | false}

Specifies whether to add a field to the exported logs that represents a link to SmartView that shows the log card and automatically opens the attachment.

Default: false

Applicability: add - Optional; set - Optional; all other commands - N / A.

export-link-ip {true | false}

Specifies whether to make the links to SmartView use a custom IP address (for example, for a Log Server behind NAT).

Applicable only when the value of the "export-link" argument is "true", or the value of the "export-attachment-link" argument is "true".

Default: false

Applicability: add - Optional; set - Optional; all other commands - N / A.

export-attachment-ids {true | false}

Specifies whether to add a field to the exported logs that represents the ID of the log's attachment (if one exists).

Default: false

Supported on Management Servers / Log Servers R81 and higher.

Applicability: add - Optional; set - Optional; all other commands - N / A.

reconnect-interval {<Number> | default}

Specifies the interval (in minutes) after which the Log Exporter reconnects to the target server when the connection is lost.

  • To disable, enter the value "default".

  • There is no default value.

Supported on Management Servers / Log Servers R81.10 and higher.

Applicability: add - Optional; set - Optional; all other commands - N / A.

export-log-position {true | false}

Specifies whether to export the log's position.

Default: false

Supported on Management Servers / Log Servers R81.10 and higher.

Applicability: add - Optional; set - Optional; all other commands - N / A.

time-in-milli {true | false}

Specifies whether to export logs with the time resolution in milliseconds.

Default: false

 

Management Servers / Log Servers / Security Gateways support this feature in these versions:

  • R81 and higher

  • R80.40 Jumbo Hotfix Accumulator, Take 53 and higher

Prerequisite on the Security Gateways:

  1. Connect to the command line on the Security Gateway / each Cluster Member / Scalable Platform Security Group.

  2. Log in.

  3. If your default shell is Gaia Clish / Gaia gClish, then go to the Expert mode:

    expert

  4. To enable this feature, run this script with the value "1":

    Note - This command restarts the FWD process (for details about this process, see sk97638).

    • On the Security Gateway / each Cluster Member:

      $FWDIR/scripts/enable_disable_time_in_milli.sh 1

    • On the Scalable Platform Security Group:

      g_all $FWDIR/scripts/enable_disable_time_in_milli.sh 1

    To disable the feature, run the script with the value "0".

Applicability: add - Optional; set - Optional; all other commands - N / A.

Important - Using the "filter-action-in", "filter-origin-in", or "filter-blade-in" replaces any other filter configuration that was declared earlier on these fields directly in the filtering XML. Other field filters are not overridden.
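The basic deployment procedure above (add, then restart) together with the TLS parameters (encrypted, ca-cert, client-cert, client-secret), as an added shell example that is not part of Check Point's documentation or tooling: it validates the instance name against the rules in the table, refuses to build an encrypted target unless all three certificate settings are present, and prints the two commands to run. The helper names and the sample host name, paths and challenge phrase are assumed and constructed for the example.

```shell
#!/bin/sh
# Added example, not Check Point's code: a dry-run helper that checks a Log
# Exporter definition against the rules on this page and prints the commands
# to run. Assumed names: valid_name, tls_args_ok, build_add_cmd, deploy_cmds.

# Name rule: Latin letters, digits, "-", "_", "."; first character a letter;
# at least two characters.
valid_name() {
  printf '%s' "$1" | grep -Eq '^[A-Za-z][A-Za-z0-9._-]+$'
}

# encrypted=true needs a *.pem CA certificate, a *.p12 client certificate and
# the challenge phrase used to create that *.p12; anything else returns 1.
tls_args_ok() {
  case "$1" in *.pem) ;; *) return 1 ;; esac
  case "$2" in *.p12) ;; *) return 1 ;; esac
  [ -n "$3" ]
}

# Prints the "add" command for a TLS-protected TCP target, or returns 1.
# Arguments: name server port format ca-cert client-cert client-secret
build_add_cmd() {
  valid_name "$1" || { echo "invalid name: $1" >&2; return 1; }
  tls_args_ok "$5" "$6" "$7" || { echo "incomplete TLS settings" >&2; return 1; }
  printf 'cp_log_export add name %s target-server %s target-port %s' "$1" "$2" "$3"
  printf ' protocol tcp format %s encrypted true' "$4"
  printf ' ca-cert %s client-cert %s client-secret %s\n' "$5" "$6" "$7"
}

# The daemon does not start on its own after "add", so the restart of this
# instance is printed as the second command.
deploy_cmds() {
  build_add_cmd "$@" || return 1
  printf 'cp_log_export restart name %s\n' "$1"
}

# Constructed sample values; the host name, paths and phrase are placeholders.
deploy_cmds siem-tls siem.example.com 6514 cef \
  /home/admin/certs/ca.pem /home/admin/certs/client.p12 'challenge-phrase'
```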