
Advanced Configuration Post Deployment

Configuring Log Exporter without using the deployment script.

After you deploy a new instance of Log Exporter, all files that belong to that deployment are located under $EXPORTERDIR/targets/<deployment name>.

On a Multi-Domain Server or Multi-Domain Log Server, the EXPORTERDIR environment variable is set per domain. Its value changes automatically when you switch between domain server contexts with the mdsenv command.

Target Configuration XML

The target configuration file is located under each deployment folder: $EXPORTERDIR/targets//targetConfiguration.xml

Note - You must restart the Log Exporter process for the new setting to take effect.

These are some of the configuration options:

Parameter

Description

Possible/Default Values

<version></version>

Current Log Exporter version - used for upgrades

 

<is_enabled></is_enabled>

Determines whether the process is monitored by the watchdog

true/false

Destination Parameters

Parameter

Description

Possible/Default Values

type

Reserved for future use

 

<ip></ip>

The IP address of the target that receives the logs

Any IPv4 address

<port></port>

The port on the target

Any valid port number

<protocol></protocol>

The protocol used in the connection

UDP/TCP

Security Parameters

These are discussed in more detail in TLS Configuration.

Parameter

Description

Possible/Default Values

<security></security>

Determines whether logs are sent in clear text or over an encrypted TLS connection

clear [default] / tls

<pem_ca_file></pem_ca_file>

The location of the root CA pem file

 

<p12_certificate_file></p12_certificate_file>

The location of the client key pair in p12 format

 

<client_certificate_challenge_phrase></client_certificate_challenge_phrase>

The challenge phrase that was used when the p12 certificate was created. It is hashed when Log Exporter is started or restarted.

 

Source Parameters

Parameter

Description

Possible/Default Values

<folder></folder>

The path where the log files are located

Default location is $FWDIR/log/

<log_files></log_files>

Determines which log files are exported

on-line | read logs from [number] days back (default 1; recommended) | a specific file name

<log_types></log_types>

Determines which log file types (by extension) are exported

All [default] / log / audit

Resolver Parameters

Parameter

Description

Possible/Default Values

<mappingConfiguration></mappingConfiguration>

The XML file that contains the log field mapping scheme. Uses the default settings if left empty.

Default values are based on the format

<exportAllFields>true</exportAllFields>

When this field is set to true, all log fields are sent, whether or not they appear in the mapping scheme. The exception is fields that are explicitly blacklisted in the relevant log format mapping file with the exported flag set to false: <exported>false</exported>

When set to false, only the fields that appear in the relevant log format mapping file with the exported flag set to true are sent: <exported>true</exported>

true/false

Format Parameters

Parameter

Description

Possible/Default Values

<formatHeaderFile></formatHeaderFile>

The XML file that contains the log header format scheme. Uses the default settings if left empty.

Default values are based on the format

Filters Parameters

Log Exporter supports a basic filter that lets you exclude firewall connection logs from the export. All other logs are still exported.

Parameter

Description

Possible/Default Values

<filter filter_out_by_connection="false">

Determines whether the Access logs are filtered out.

When set to true, VPN-1 & FireWall-1 connection logs are filtered out (HTTPS Inspection logs are still exported).

Note - This is the only blade filter currently supported.

true/false
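The destination, security, resolver and filter parameters above are the ones that decide whether exported logs can be sniffed, spoofed or silently lost in transit. The following script is an added example (not Check Point code): it parses a targetConfiguration.xml and flags the weak combinations. The tag names are those documented on this page; the way they nest inside the file, the sample file paths and the IP addresses are assumptions made for the example, so every lookup is a descendant search (".//tag") and does not depend on the nesting used in the two constructed samples.

```python
"""Audit a Log Exporter targetConfiguration.xml for weak transport settings.

Added example, not Check Point code. Tag names are the documented ones;
their nesting, the paths and the addresses below are assumptions.
"""
import xml.etree.ElementTree as ET

# Constructed sample 1: clear-text UDP syslog, the shape a quick deployment
# often leaves behind. Addresses are from the RFC 5737 documentation range.
WEAK_XML = """<?xml version="1.0" encoding="UTF-8"?>
<targetConfiguration>
  <version>1.0</version>
  <is_enabled>true</is_enabled>
  <target>
    <ip>192.0.2.10</ip>
    <port>514</port>
    <protocol>udp</protocol>
    <security>clear</security>
    <pem_ca_file></pem_ca_file>
    <p12_certificate_file></p12_certificate_file>
    <client_certificate_challenge_phrase></client_certificate_challenge_phrase>
  </target>
  <resolver><exportAllFields>true</exportAllFields></resolver>
  <filters><filter filter_out_by_connection="true"/></filters>
</targetConfiguration>
"""

# Constructed sample 2: mutual TLS over TCP with a pinned root CA.
# The file paths are placeholders chosen for this example.
HARDENED_XML = """<?xml version="1.0" encoding="UTF-8"?>
<targetConfiguration>
  <version>1.0</version>
  <is_enabled>true</is_enabled>
  <target>
    <ip>192.0.2.10</ip>
    <port>6514</port>
    <protocol>tcp</protocol>
    <security>tls</security>
    <pem_ca_file>/etc/siem/siem-root-ca.pem</pem_ca_file>
    <p12_certificate_file>/etc/siem/exporter-client.p12</p12_certificate_file>
    <client_certificate_challenge_phrase>example-phrase-change-me</client_certificate_challenge_phrase>
  </target>
  <resolver><exportAllFields>true</exportAllFields></resolver>
  <filters><filter filter_out_by_connection="false"/></filters>
</targetConfiguration>
"""


def _text(root, tag):
    """Stripped text of the first <tag> found at any depth, or '' if absent."""
    el = root.find(f".//{tag}")
    return (el.text or "").strip() if el is not None else ""


def audit(xml_text):
    """Return a list of (code, message) findings; an empty list means no concerns."""
    root = ET.fromstring(xml_text)
    findings = []
    if _text(root, "is_enabled").lower() != "true":
        findings.append(("DISABLED", "is_enabled is not true: the watchdog will not monitor this exporter"))
    proto = _text(root, "protocol").lower()
    security = _text(root, "security").lower() or "clear"  # clear is the documented default
    if proto == "udp":
        findings.append(("UDP", "protocol=udp: delivery is best-effort, dropped logs are silent"))
    if security == "clear":
        findings.append(("CLEAR_TEXT", "security=clear: logs leave the server unencrypted and the receiver is not authenticated"))
    elif security == "tls":
        if proto != "tcp":
            findings.append(("TLS_NOT_TCP", f"security=tls needs a TCP transport, protocol is {proto!r}"))
        if not _text(root, "pem_ca_file"):
            findings.append(("TLS_NO_CA", "security=tls without pem_ca_file: the receiver's certificate cannot be validated"))
        if not _text(root, "p12_certificate_file"):
            findings.append(("TLS_NO_CLIENT_CERT", "security=tls without p12_certificate_file: the receiver cannot authenticate this exporter"))
        elif not _text(root, "client_certificate_challenge_phrase"):
            findings.append(("TLS_NO_PHRASE", "p12_certificate_file set without its challenge phrase: the key pair cannot be opened"))
    else:
        findings.append(("BAD_SECURITY", f"unknown security value {security!r}, expected clear or tls"))
    flt = root.find(".//filter")
    if flt is not None and flt.get("filter_out_by_connection", "false").lower() == "true":
        findings.append(("CONNECTION_LOGS_DROPPED", "filter_out_by_connection=true: VPN-1 & FireWall-1 connection logs are not exported, confirm this is intended"))
    return findings


def audit_codes(xml_text):
    """Finding codes only, convenient for scripting a pass/fail gate."""
    return [code for code, _ in audit(xml_text)]


if __name__ == "__main__":
    for label, xml in (("weak", WEAK_XML), ("hardened", HARDENED_XML)):
        print(f"{label}:")
        for code, msg in audit(xml) or [("OK", "no findings")]:
            print(f"  [{code}] {msg}")
```

Because the challenge phrase is only hashed when the process starts, it sits in the file in clear text between the edit and the restart, so keep the permissions on $EXPORTERDIR/targets/<deployment name> tight and restart promptly after editing. The script deliberately does not check that the pem and p12 files exist, so it can run offline against a copied configuration.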

Format Configuration XML

Body

For each body parameter, the default value is listed per format (Syslog, CEF, LEEF, Generic). "(none)" means the format does not use that parameter.

<start_message_body></start_message_body>

The character that precedes the log data payload.

Syslog: [
CEF: (none)
LEEF: (none)
Generic: (none)

<end_message_body></end_message_body>

The character that follows the log data payload.

Syslog: ]
CEF: (none)
LEEF: (none)
Generic: (none)

<message_separator></message_separator>

The delimiter that separates logs.

Syslog: &#10; ('\n')
CEF: &#10; ('\n')
LEEF: &#10; ('\n')
Generic: &#10; ('\n')

<fields_separatator></fields_separatator>

The delimiter that separates log fields.

Syslog: '; ' (semicolon, space)
CEF: ' ' (space)
LEEF: &#09; (<TAB>)
Generic: ' ' (space)

<field_value_separatator></field_value_separatator>

The assignment operator between a field name and its value.

Syslog: :
CEF: =
LEEF: =
Generic: =

<value_encapsulation_start>&quot;</value_encapsulation_start>

The value encapsulation operator (start).

Syslog: "
CEF: (none)
LEEF: "
Generic: "

<value_encapsulation_end>&quot;</value_encapsulation_end>

The value encapsulation operator (end).

Syslog: "
CEF: (none)
LEEF: "
Generic: "

<escape_chars>
<char>
<orig></orig>
<escaped></escaped>
</char>
</escape_chars>

Escapes unwanted characters: every occurrence of the string inside the <orig> tags is replaced with the string inside the <escaped> tags. Without these replacements, a log value that contains a field separator, an encapsulation character or a newline would be read by the receiver as a field boundary or as the start of a new log.

Syslog:
\ --> \\
" --> \"
&#10; --> ' '
] --> \]

CEF:
\ --> \\
= --> \=
&#10; --> ' '
| --> \|

LEEF:
= --> \=
&#10; --> ' '

Generic:
\ --> \\
" --> '
&#10; --> ' '

Header

<header_format></header_format>

Defines the delimiter placed between the header values and, through the number of {} placeholders, how many header values are emitted: every {} is replaced with one value.

Default for Syslog: ' ' (space)
Default for CEF: |
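The body parameters above are easiest to understand by applying them. The following script is an added example (not Check Point code) that renders a log record as a message body for each of the four formats using the per-format defaults from the Body table: start/end markers, field and field-value separators, value encapsulation, the escape pairs and the '\n' message separator. The order in which the escape pairs are applied, the field order (the record's insertion order) and the sample records are assumptions made for this example; the second record carries attacker-chosen text in the user field to show why the escapes matter.

```python
"""Render a log record as a Log Exporter message body for each format.

Added example, not Check Point code. Defaults are taken from the Body
table; escape order, field order and the sample records are assumptions.
"""

# Per-format defaults: start_message_body, end_message_body,
# fields_separatator, field_value_separatator, value encapsulation and the
# escape_chars list as (orig, escaped) pairs.
FORMATS = {
    "syslog": {
        "start": "[", "end": "]", "fields_sep": "; ", "kv_sep": ":", "encap": '"',
        "escapes": [("\\", "\\\\"), ('"', '\\"'), ("\n", " "), ("]", "\\]")],
    },
    "cef": {
        "start": "", "end": "", "fields_sep": " ", "kv_sep": "=", "encap": "",
        "escapes": [("\\", "\\\\"), ("=", "\\="), ("\n", " "), ("|", "\\|")],
    },
    "leef": {
        "start": "", "end": "", "fields_sep": "\t", "kv_sep": "=", "encap": '"',
        "escapes": [("=", "\\="), ("\n", " ")],
    },
    "generic": {
        "start": "", "end": "", "fields_sep": " ", "kv_sep": "=", "encap": '"',
        "escapes": [("\\", "\\\\"), ('"', "'"), ("\n", " ")],
    },
}
MESSAGE_SEPARATOR = "\n"  # <message_separator> is '\n' for every format


def escape_value(value, escapes):
    """Apply each <orig> -> <escaped> replacement in list order.

    Backslash is listed first wherever it is escaped at all, so backslashes
    introduced by the later pairs are not doubled a second time.
    """
    for orig, escaped in escapes:
        value = value.replace(orig, escaped)
    return value


def format_body(record, fmt_name):
    """Serialise one record: start + fields joined by fields_sep + end."""
    fmt = FORMATS[fmt_name]
    parts = []
    for name, value in record.items():
        v = escape_value(str(value), fmt["escapes"])
        parts.append(f"{name}{fmt['kv_sep']}{fmt['encap']}{v}{fmt['encap']}")
    return fmt["start"] + fmt["fields_sep"].join(parts) + fmt["end"]


def format_messages(records, fmt_name):
    """Join several bodies with <message_separator>: exactly one line per log."""
    return MESSAGE_SEPARATOR.join(format_body(r, fmt_name) for r in records)


# Constructed records. The second carries attacker-chosen text in the user
# field: a newline plus CEF/LEEF field syntax, the classic way to forge an
# extra field or a whole extra log line in a downstream parser.
RECORDS = [
    {"src": "192.0.2.7", "user": "alice", "action": "accept"},
    {"src": "192.0.2.8", "user": "bob\nsrc=10.0.0.1|suser=admin", "action": "drop"},
]

if __name__ == "__main__":
    for name in FORMATS:
        print(f"--- {name} ---")
        print(format_messages(RECORDS, name))
```

Run it and compare the second record across formats: in CEF the injected "=" and "|" come out as "\=" and "\|" and the newline becomes a space, so the receiver still sees one log with one user field. If you edit the escape list in the format file, keep the backslash pair first; moving it after the others re-escapes the backslashes the other pairs just added.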

Field Mapping Configuration XML

Parameter

Description

Possible/Default Values

<table>

Fields are grouped into tables according to the log format. The elg log records one entry for every new field it encounters. A field can appear in more than one table, and each distinct instance is treated as a separate field.

 

<exported></exported>

Optional - You can use the exported true/false tag in the mapping configuration file to filter out specific fields.

Alternatively, if the 'exportAllFields' tag in the 'targetConfiguration.xml' file is set to false, only those fields which are listed in the mapping file are exported.

true/false

<origName></origName>

The name of the field that is mapped to <dstName>

 

<dstName></dstName>

The new mapping scheme name for the desired field.

 

<required></required>

Optional - When set to true, only logs that contain this field are exported.

true/false
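The interaction between exportAllFields in targetConfiguration.xml and the exported, origName, dstName and required tags in the mapping file decides which fields reach the SIEM and which logs are dropped entirely. The following script is an added example (not Check Point code) that models those documented semantics over a small mapping. The <mapping>/<fields>/<field> nesting in MAPPING_XML, the field names in it and the sample record are constructed for this example, and a listed field that has no <exported> tag is assumed to be exported.

```python
"""Apply a Log Exporter field mapping to a raw log record.

Added example, not Check Point code. Models <exportAllFields> together
with <exported>, <origName>, <dstName> and <required>. The XML nesting,
field names and sample record are constructed; a listed field without
an <exported> tag is assumed exported.
"""
import xml.etree.ElementTree as ET

MAPPING_XML = """<mapping>
  <fields>
    <field>
      <origName>src</origName>
      <dstName>src_ip</dstName>
      <exported>true</exported>
      <required>true</required>
    </field>
    <field>
      <origName>user</origName>
      <dstName>suser</dstName>
      <exported>true</exported>
    </field>
    <field>
      <origName>__policy_id_tag</origName>
      <dstName>__policy_id_tag</dstName>
      <exported>false</exported>
    </field>
  </fields>
</mapping>
"""


def _flag(el, tag, default):
    """Read a true/false child tag; missing tag -> default."""
    text = el.findtext(tag)
    return default if text is None else text.strip().lower() == "true"


def load_mapping(xml_text):
    """Return {origName: {"dst", "exported", "required"}} from a mapping file."""
    rules = {}
    for f in ET.fromstring(xml_text).findall(".//field"):
        orig = (f.findtext("origName") or "").strip()
        dst = (f.findtext("dstName") or "").strip() or orig
        rules[orig] = {
            "dst": dst,
            "exported": _flag(f, "exported", True),
            "required": _flag(f, "required", False),
        }
    return rules


def apply_mapping(record, rules, export_all_fields):
    """Return the exported record, or None when a <required> field is absent."""
    # <required>true</required>: the whole log is dropped if the field is missing.
    for orig, rule in rules.items():
        if rule["required"] and orig not in record:
            return None
    out = {}
    for name, value in record.items():
        rule = rules.get(name)
        if rule is None:
            # Not in the mapping file: kept only when exportAllFields is true.
            if export_all_fields:
                out[name] = value
            continue
        if not rule["exported"]:
            # <exported>false</exported> blacklists the field in both modes.
            continue
        out[rule["dst"]] = value  # renamed from origName to dstName
    return out


# Constructed sample log record.
RECORD = {"src": "192.0.2.7", "user": "alice", "__policy_id_tag": "x", "proto": "tcp"}

if __name__ == "__main__":
    rules = load_mapping(MAPPING_XML)
    print(apply_mapping(RECORD, rules, export_all_fields=True))
    print(apply_mapping(RECORD, rules, export_all_fields=False))
    print(apply_mapping({"user": "alice"}, rules, export_all_fields=True))
```

With exportAllFields set to true the unmapped proto field is still exported and only the blacklisted __policy_id_tag is dropped; with it set to false only the mapped and exported fields survive. Marking a field required silently discards every log without it, so check the elg log for the field names actually seen before relying on that setting.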