Log Exporter Advanced Configuration in CLI

Advanced method for creating and modifying Log Exporter targets.

Syntax:

cp_log_export <Command-Name> [<Command-Arguments>]

To see a built-in help for a specific command:

cp_log_export <Command-Name> help

Commands

Name

Description

add

Configures a new Check Point Log Exporter.

cp_log_export add name <Name> target-server <Target-Server> target-port <Target-Server-Port> protocol {udp | tcp} [Optional Arguments]

delete

Removes an existing Log Exporter.

cp_log_export delete name <Name>

reexport

Resets the current log position and exports all logs again based on the configuration.

cp_log_export reexport name <Name> --apply-now

cp_log_export reexport name <Name> start-position <Position of Last Exported Log> --apply-now

cp_log_export reexport name <Name> start-position <Position of Gap Start> end-position <Position of Gap End> --apply-now

restart

Restarts a Log Exporter process.

cp_log_export restart name <Name>

set

Updates an existing Log Exporter configuration.

cp_log_export set name <Name> [<Optional Arguments>]

show

Shows the current Log Exporter configuration.

cp_log_export show [<Optional Arguments>]

start

Starts an existing Log Exporter process.

cp_log_export start name <Name>

status

Shows a Log Exporter overview status.

cp_log_export status [<Optional Arguments>]

stop

Stops an existing Log Exporter process.

cp_log_export stop name <Name>

Command Arguments

Name

Description

Required

for "add"

command

Required

for "set"

command

Required

for "delete"

command

Required for

"reconf"

command

Required for

"restart",

"show", "status",

"start", "stop"

command

Required

for "reexport"

command

--apply-now

Applies immediately any change that was done with the "add", "set", "delete", or "reexport" command.

Optional

Mandatory

N / A

Mandatory

ca-cert <Path>

Specifies the full path to the CA certificate file *.pem.

Important - Applicable only when the value of the "encrypted" argument is "true".

Optional

N / A

client-cert <Path>

Specifies the full path to the client certificate *.p12.

Important - Applicable only when the value of the "encrypted" argument is "true".

Optional

N / A

client-secret <Phrase>

Specifies the challenge phrase used to create the client certificate *.p12.

Important - Applicable only when the value of the "encrypted" argument is "true".

Optional

N / A

domain-server {mds | all}

On a Multi-Domain Server Dedicated Check Point server that runs Check Point software to host virtual Security Management Servers called Domain Management Servers. Synonym: Multi-Domain Security Management Server. Acronym: MDS., specifies the applicable Domain Management Server Check Point Single-Domain Security Management Server or a Multi-Domain Security Management Server. context.

On a Multi-Domain Log Server Dedicated Check Point server that runs Check Point software to store and process logs in a Multi-Domain Security Management environment. The Multi-Domain Log Server consists of Domain Log Servers that store and process logs from Security Gateways that are managed by the corresponding Domain Management Servers. Acronym: MDLS., specifies the applicable Domain Log Server Dedicated Check Point server that runs Check Point software to store and process logs. context.

Important:

"mds" (in small letters) - Exports all logs from only the main MDS level.
"all" (in small letters) - Exports all logs from all Domains.

Mandatory

N / A

Optional

Mandatory

enabled {true | false}

Specifies whether to allow the Log Exporter to start when you run the "cpstart" or "mdsstart" command.

Default: true

Optional

N / A

encrypted {true | false}

Specifies whether to use TSL (SSL) encryption to send the logs.

Default: false

Optional

N / A

end-position <Position>

Specifies the end position, up to which to export the logs.

N / A

Optional

export-attachment-ids {true | false}

Specifies whether to add a field to the exported logs that represents the ID of log's attachment (if exists).

Default: false‎

Optional

N / A

export-attachment-link {true | false}

Specifies whether to add a field to the exported logs that represents a link to SmartView that shows the log card and automatically opens the attachment.

Default: false

Optional

N / A

export-link {true | false}

Specifies whether to add a field to the exported logs that represents a link to SmartView that shows the log card.

Default: false

Optional

N / A

export-link-ip {true | false}

Specifies whether to make the links to SmartView use a custom IP address (for example, for a Log Server behind NAT).

Important - Applicable only when the value of the "export-link" argument is "true", or the value of the "export-attachment-link" argument is "true".

Default: false

Optional

N / A

export-log-position {true | false}

Specifies whether to export the log's position.

Default: false

Optional

N / A

filter-action-in {"Action1","Action2",... | false}

Specifies whether to export all logs that contain a specific value in the "Action" field.

Each value must be surrounded by double quotes ("").

Multiple values are supported and must be separated by a comma without spaces.

To see all valid values:

In SmartConsole Check Point GUI application used to manage a Check Point environment - configure Security Policies, configure devices, monitor products and events, install updates, and so on., go to the Logs & Monitor view and open the Logs tab.
In the top query field, enter action: and a letter.

Examples of values:

Accept
Block
Bypass
Detect
Drop
HTTPS Bypass
HTTPS Inspect
Prevent
Reject

Important - This parameter replaces any other filter configuration that was declared earlier on this field directly in the filtering XML file. Other field filters are not overwritten.

Optional

N / A

filter-blade-in {"Blade1","Blade2",... | false}

Specifies whether to export all logs that contain a specific value in the "Blade" field (the object name of the Software Blade Specific security solution (module): (1) On a Security Gateway, each Software Blade inspects specific characteristics of the traffic (2) On a Management Server, each Software Blade enables different management capabilities. that generated these logs).

Each value must be surrounded by double quotes ("").

Multiple values are supported and must be separated by a comma without spaces.

To see all valid values:

In SmartConsole, go to the Logs & Monitor view and open the Logs tab.
In the top query field, enter blade: and a letter.

Examples of values:

Anti-Bot
Firewall
HTTPS Inspection
Identity Awareness
IPS

Valid Software Blade families:

Access
TP
Endpoint
Mobile

Important - This parameter replaces any other filter configuration that was declared earlier on this field directly in the filtering XML file. Other field filters are not overwritten.

‎

Optional

N / A

filter-origin-in {"Origin1","Origin2",... | false}

Specifies whether to export all logs that contain a specific value in the "Origin" field (the object name of the Security Gateway Dedicated Check Point server that runs Check Point software to inspect traffic and enforce Security Policies for connected network resources. / Cluster Member Security Gateway that is part of a cluster. that generated these logs).

Each origin value must be surrounded by double quotes ("").

Multiple values are supported and must be separated by a comma without spaces.

Important - This parameter replaces any other filter configuration that was declared earlier on this field directly in the filtering XML file. Other field filters are not overwritten.

‎

Optional

N / A

format {generic | cef | json | leef | logrhythm | rsa | splunk | syslog}

Specifies the format, in which the logs are exported.

Default: syslog

Optional

N / A

name "<Name>"

Specifies the unique name of the Log Exporter configuration.

Notes:

Allowed characters are: Latin letters, digits ("0-9"), minus ("-"), underscore ("_"), and period (".").
Must start with a letter.
The minimum length is two characters.
The "add" command creates a new target directory with the specified unique name in the $EXPORTERDIR/targets/ directory.

Mandatory

Optional.

By default, applies to all.

Optional.

By default, applies to all.

Mandatory

protocol {tcp | udp}

Specifies the Layer 4 Transport protocol to use (TCP or UDP).

There is no default value.

Mandatory

Optional

N / A

read-mode {raw | semi-unified}

Specifies the mode, in which to read the log files.

raw - Specifies to export log records without any unification.
semi-unified - Specifies to export log records with step-by-step unification. That is, for each log record, export a record that unifies this record with all previously-encountered records with the same ID.

Default: semi-unified

Default: raw

Optional

N / A

reconnect-interval {<Number> | default}

Specifies the interval (in minutes) after which the Log Exporter must connect again to the target server after the connection is lost.‎

To disable, enter the value "default".

There is no default value.

Optional

N / A

start-position <Position>

Specifies the start position, from which to export the logs.

N / A

Optional

target-port <Target-Server-Port>

Specifies the listening port on the target server, to which you export the logs.

Mandatory

Optional

N / A

target-server <Target-Server>

Specifies the IP address or FQDN of the target server, to which you export the logs.

Mandatory

Optional

N / A

time-in-milli {true | false}

Specifies whether to export logs with the time resolution in milliseconds.

Requires Security Gateways R81 and higher.

Default: false

Optional

N / A