Troubleshooting

Troubleshooting Scenario 1

Symptoms

Logs are not exported after adding a filter to the FilterConfiguration.xml file, or by using the cp_log_export command.

Cause

The "cp_log_export" command adds the default field names to the FilterConfiguration.xml file, but the field names in a filter must match the exported name (the <dstName> value in the <Format>FieldsMapping.xml file).

As a result, the filter mechanism does not match any log.

Suggested Solution

  1. In the relevant <Format>FieldsMapping.xml file, look for the relevant mapped field.

  2. Find the element named <dstName> and copy it.

  3. Edit the $EXPORTERDIR/targets/<Name of Log Exporter Configuration>/conf/FilterConfiguration.xml file.

  4. Replace the field name with the previously copied one.

  5. Restart the Log Exporter to load the new settings:

    cp_log_export restart name <Name>


Troubleshooting Scenario 2

Symptoms

You configured a field in the <Format>FieldsMapping.xml file as 'export=false', but Log Exporter keeps exporting this field.

For example, you configured the field "layer_uuid" with export=false, but you keep seeing this field as part of the log on your Log Server.

Cause

The field is part of a 'table' in the log, and the standard configuration for filtering out a field is not effective on a 'table' field.

Suggested Solution

To prevent these fields from being exported, you need to:

  1. Go to the $EXPORTERDIR/targets/<exporter_name>/conf/ directory.

  2. Edit the "Fields Mapping" file you use (the one that corresponds to the format you export).

  3. Look for the tag '<tableName>match_table</tableName>'.

  4. Add the required lines:

    • If the '<tableName>match_table</tableName>' tag does not exist, add these lines inside the '<fields>' tag:

      <table>
         <tableName>match_table</tableName>
         <fields>
            <field>
               <origName>field_name</origName>
               <exported>false</exported>
            </field>
         </fields>
      </table>

    • If the '<tableName>match_table</tableName>' tag exists, add the '<field>' element inside that table's '<fields>' tag (shown here in its context):

      <table>
         <tableName>match_table</tableName>
         <fields>
            <field>
               <origName>field_name</origName>
               <exported>false</exported>
            </field>
         </fields>
      </table>

    The file should look like this:

    <fields>
    <!-- Filter out fields -->
      <field><origName>field_name1</origName><exported>false</exported></field>
      <field><origName>field_name2</origName><exported>false</exported></field>
      <field><origName>field_name3</origName><exported>false</exported></field>
      ... ...
      <table>
         <tableName>match_table</tableName>
         <fields>
            <field> ... </field>
            ... ...
            <field>
               <origName>field_name</origName>
               <exported>false</exported>
            </field>
         </fields>
      </table>
    <!-- End of filter out -->
    </fields>

  5. Save the change in the file and close it.

  6. Restart the Log Exporter to load the new settings:

    cp_log_export restart name <Name>
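The edit in steps 3 and 4 is easy to get wrong by hand (a top-level <field> entry does not suppress a table field). The following is an added example, not Check Point's own code: it places the <exported>false</exported> entry inside the match_table <table> of a mapping file, creating that table when it is absent (first bullet) or extending it when it exists (second bullet), and checks the result. The sample mapping is constructed and uses only the element names shown on this page.

```python
import xml.etree.ElementTree as ET

# Constructed sample in the shape the page shows; a real mapping file has many more fields.
SAMPLE_MAPPING = """<fields>
  <field><origName>field_name1</origName><exported>false</exported></field>
  <field><origName>layer_uuid</origName><exported>false</exported></field>
</fields>"""


def _find_table(root, table):
    """Return the <table> element whose <tableName> equals `table`, or None."""
    for t in root.iter("table"):
        if (t.findtext("tableName") or "").strip() == table:
            return t
    return None


def suppress_table_field(xml_text, table, field):
    """Mark `field` as exported=false inside `table`; create the <table> block
    (first bullet) if it is missing, otherwise add the <field> to it (second bullet).
    Calling it twice does not duplicate anything."""
    root = ET.fromstring(xml_text)
    tbl = _find_table(root, table)
    if tbl is None:
        tbl = ET.SubElement(root, "table")
        ET.SubElement(tbl, "tableName").text = table
    fields = tbl.find("fields")
    if fields is None:
        fields = ET.SubElement(tbl, "fields")
    for f in fields.findall("field"):
        if (f.findtext("origName") or "").strip() == field:
            exp = f.find("exported")
            if exp is None:
                exp = ET.SubElement(f, "exported")
            exp.text = "false"           # already listed: just force the flag
            return ET.tostring(root, encoding="unicode")
    f = ET.SubElement(fields, "field")
    ET.SubElement(f, "origName").text = field
    ET.SubElement(f, "exported").text = "false"
    return ET.tostring(root, encoding="unicode")


def table_field_suppressed(xml_text, table, field):
    """True only if `field` carries <exported>false</exported> inside `table`;
    a top-level <field> entry alone is not enough (the trap in Scenario 2)."""
    tbl = _find_table(ET.fromstring(xml_text), table)
    if tbl is None:
        return False
    for f in tbl.iter("field"):
        if (f.findtext("origName") or "").strip() == field:
            return (f.findtext("exported") or "").strip() == "false"
    return False
```

Run the check before and after editing the file under $EXPORTERDIR/targets/<exporter_name>/conf/ to confirm the field is really inside the table block, then restart the exporter as in step 6.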


Troubleshooting Scenario 3

Symptoms

A SIEM application cannot correctly parse logs in which the "Blade" field contains several Software Blades.

Cause

The <Format>FieldsMapping.xml file does not contain the required configuration (Issue PMTR-113944).

In SmartConsole / SmartView, the Logs & Monitor view > Logs tab may show logs from a Security Gateway that contain data from several Software Blades.

For such logs:

  1. On the Logs tab, the column "Blade" shows "Multiple Blades".

  2. The log card, in the "Log Info" section, field "Blade" shows the list of the relevant Software Blades.

Suggested Solution

To make sure the SIEM application that receives such logs can parse them correctly:

  1. Create a copy of the relevant <Format>FieldsMapping.xml file for your SIEM:

    • For the "CEF" format:

      $EXPORTERDIR/conf/CefFieldsMapping.xml

    • For the "LaaS" format:

      $EXPORTERDIR/conf/LaaSFieldsMapping.xml

    • For the "RSA" format:

      $EXPORTERDIR/conf/RsaFieldsMapping.xml

    • For the "Splunk" format:

      $EXPORTERDIR/conf/SplunkFieldsMapping.xml

  2. Edit the relevant <Format>FieldsMapping.xml file.

  3. Go to this section:

    ... ...
    <field>
       <origName>product</origName>
       <callback>
          <name>replace_value</name>
          <args>
             <arg ... />
          </args>
       </callback>
    </field>
    ... ...
  4. For each list of relevant Software Blades, add a new "<arg ... />" row and set its "key" attribute to the names of the relevant Software Blades, separated by the entity for the carriage return: &#10;

    Important - You must add as many "<arg ... />" rows as there are possible combinations of Software Blade names.

  5. Restart the Log Exporter to load the new settings:

    cp_log_export restart name <Name>

Example:

In a log card, in the "Log Info" section, the field "Blade" shows two rows: QoS and Firewall.

Because there are two Software Blades, it is necessary to add these two rows in the relevant <Format>FieldsMapping.xml file:

... ...
<arg key="VPN-1 &amp; FireWall-1" value="Firewall"/>
<arg key="VPN-1 &amp; FireWall-1&#10;FG" value="QoS &amp; FireWall"/>
<arg key="FG&#10;VPN-1 &amp; FireWall-1" value="QoS &amp; FireWall"/>
... ...
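Because step 4 needs one row per ordering of every blade combination, writing them by hand scales badly and a missed ordering leaves that log unmapped at the SIEM. The following is an added example, not Check Point's own code: it generates the "<arg ... />" rows for every ordering of every subset of a constructed blade list (the internal names and SIEM-facing names are assumptions), escapes them as XML attributes, and looks up a given "Blade" value against the resulting product callback to show which combinations are covered.

```python
import itertools
import xml.etree.ElementTree as ET
from xml.sax.saxutils import quoteattr

# Constructed: blade name as it appears in the log -> name the SIEM should see.
BLADES = {"VPN-1 & FireWall-1": "Firewall", "FG": "QoS"}
NEWLINE = "\n"   # the &#10; entity in the file is this character once parsed


def build_arg_rows(blades):
    """One <arg/> row per ordering of each non-empty subset of `blades`.
    The key joins blade names with &#10;; the value is the same for every
    ordering of the same set, so the SIEM sees one canonical name."""
    rows = []
    names = list(blades)
    for n in range(1, len(names) + 1):
        for perm in itertools.permutations(names, n):
            key = NEWLINE.join(perm)
            value = " & ".join(sorted(blades[b] for b in perm))
            # quoteattr escapes & as &amp; and the newline as &#10;
            rows.append("<arg key=%s value=%s/>" % (quoteattr(key), quoteattr(value)))
    return rows


def product_section(rows):
    """Wrap the rows in the <field> block of step 3 (constructed, minimal)."""
    return ("<fields><field><origName>product</origName><callback>"
            "<name>replace_value</name><args>%s</args></callback></field></fields>"
            % "".join(rows))


def lookup_value(mapping_xml, blade_field):
    """Value the product callback maps `blade_field` to, or None when no
    <arg> key matches, i.e. the log would reach the SIEM unmapped."""
    root = ET.fromstring(mapping_xml)
    for field in root.iter("field"):
        if field.findtext("origName") != "product":
            continue
        cb = field.find("callback")
        if cb is None or cb.findtext("name") != "replace_value":
            continue
        for arg in cb.iter("arg"):
            if arg.get("key") == blade_field:
                return arg.get("value")
    return None
```

Paste the generated rows into the <args> element of the copied mapping file; the lookup on a blade list that was not generated (for example one containing a blade missing from BLADES) returns None, which is the case the SIEM fails on.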


Troubleshooting Scenario 4 (R81.20 only)

Symptoms

When creating a new Log Exporter on the R81.20 Management Server, CefFieldsMapping.xml is not in the Log Exporter's "conf" directory.

Cause

In R81.20, this is the expected behavior. The XML files are located only in the primary exporter directory, $EXPORTERDIR/conf.

Suggested Solution

To edit a file, create a copy of it from the $EXPORTERDIR/conf/ directory, make the necessary changes, and then update the Log Exporter's targetConfiguration.xml to point to the copy.


Troubleshooting Scenario 5 (R81.20 only)

Symptoms

After creating a Log Exporter target in SmartConsole, the output of the "cp_log_export show" command does not show the created Log Exporter target.

Cause

There is an issue with this file:

/var/opt/CPsuite-R81.20/fw1/conf/logExporters.json

Suggested Solution

  1. Connect to the command line on the Management Server / Log Server.

  2. Log in to the Expert mode.

  3. Navigate to the configuration directory:

    cd /var/opt/CPsuite-R81.20/fw1/conf/

  4. Back up the existing logExporters.json file:

    mv -v logExporters.json{,_BKP}

  5. Go to SmartConsole and create a new Log Exporter.

  6. Publish the session.

  7. Install database (click Menu > Install database > select all objects > click Install).

  8. Verify if the new Log Exporter is visible:

    cp_log_export show