Log Attachments API
The Log Attachments API provides an automated way to fetch log attachments. Each blade has its own type of attachments. For example, IPS logs contain packet captures, and Threat Emulation logs contain a summary report. Logs are usually exported without their attachments, to save traffic load.
Use Cases:
This feature is intended for users who:
- Use Log Exporter to get log attachments into an external syslog system and use specific scripts in their automation process.
- Use Log Exporter and do not have (or do not want to provide) SmartConsole access for end users.
- Use the API for Logs.
Log Attachments API supports all gateway versions.
There are two different modes to fetch log attachments:
- Log Exporter – provides an attachment ID.
- API for Logs – the log ID is provided in the results.
Log Exporter
Log Exporter exports logs to a third-party SIEM and adds an identifier called log-attachment-id, which holds all the attachment IDs of that log, separated by spaces. Log Exporter has a new parameter that lets you export the attachment ID.
You use this identifier to request a JSON response with the desired attachment. The JSON contains the attachment data encoded in base64; it must be decoded and written to the specified destination folder before it can be used.
To get a log attachment using Log Exporter, run these commands:
- cp_log_export set name <name> [domain-server <domain-server>] export-attachment-ids true
- cp_log_export restart name <name> [domain-server <domain-server>]
- mgmt_cli get-attachment attachment-id "<id from the exported log>"
To disable Log Exporter from exporting attachment IDs, run these commands:
- cp_log_export set name <name> [domain-server <domain-server>] export-attachment-ids false
- cp_log_export restart name <name> [domain-server <domain-server>]
API for Logs
Run a query for logs on the Management Server. In the JSON response, each log has a field "id". After you have the log ID, run the log attachments API to get all the attachments for that log.
To get an attachment for one of the log results:
- Use the management API to fetch logs. Run:
  mgmt_cli show-logs
- Run:
  mgmt_cli get-attachment id "<log id from the previous response>"
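The following is an added example, not Check Point's own code, covering both workflows above: it splits the space-separated log-attachment-id values out of an exported syslog line, wraps the mgmt_cli get-attachment call in either mode, and base64-decodes the JSON response into a destination folder, skipping any attachment name that would escape that folder. The response field names (attachments, name, base64), the constructed sample data and the --format json flag are assumptions, not taken from this page.

```python
import base64
import json
import re
import subprocess
from pathlib import Path

# Constructed sample Log Exporter syslog line carrying two attachment ids
SAMPLE_SYSLOG = 'product="IPS" log-attachment-id="aaaa-1111 bbbb-2222" action="Prevent"'
# Constructed sample get-attachment response (field names are assumed)
SAMPLE_RESPONSE = {"attachments": [
    {"name": "capture.pcap", "base64": base64.b64encode(b"\xd4\xc3\xb2\xa1pcap").decode()},
    {"name": "../evil.sh", "base64": base64.b64encode(b"#!/bin/sh").decode()},
]}

def parse_attachment_ids(syslog_line):
    """Split the space-separated log-attachment-id field into individual ids."""
    m = re.search(r'log-attachment-id="([^"]*)"', syslog_line)
    return m.group(1).split() if m else []

def fetch_attachment(value, key="attachment-id"):
    """Run mgmt_cli as the docs show: key is 'attachment-id' (Log Exporter mode)
    or 'id' (API for Logs mode). Needs a logged-in mgmt_cli session."""
    out = subprocess.run(["mgmt_cli", "get-attachment", key, value, "--format", "json"],
                         check=True, capture_output=True, text=True).stdout
    return json.loads(out)

def safe_name(name):
    """Accept only a bare file name so a hostile name cannot escape dest_dir."""
    if name in ("", ".", "..") or "\\" in name or Path(name).name != name:
        return None
    return name

def decode_attachments(response):
    """Return [(name, bytes)] for every safely named, validly encoded attachment."""
    decoded = []
    for att in response.get("attachments", []):
        name = safe_name(att.get("name", ""))
        if name is None:
            continue  # skip rather than write outside the destination folder
        decoded.append((name, base64.b64decode(att["base64"], validate=True)))
    return decoded

def save_attachments(response, dest_dir):
    """Write each decoded attachment into dest_dir; returns the paths written."""
    dest = Path(dest_dir)
    dest.mkdir(parents=True, exist_ok=True)
    paths = []
    for name, data in decode_attachments(response):
        (dest / name).write_bytes(data)
        paths.append(str(dest / name))
    return paths
```

In production, replace SAMPLE_RESPONSE with the output of fetch_attachment() and pass each id from parse_attachment_ids() to it.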