Log Exporter Advanced Configuration Parameters

After deploying a new instance of Log Exporter, all configuration files for that deployment are located in this directory:

$EXPORTERDIR/targets/<Name of Log Exporter Configuration>/

Note - On a Multi-Domain Server Dedicated Check Point server that runs Check Point software to host virtual Security Management Servers called Domain Management Servers. Synonym: Multi-Domain Security Management Server. Acronym: MDS. / Multi-Domain Log Server Dedicated Check Point server that runs Check Point software to store and process logs in a Multi-Domain Security Management environment. The Multi-Domain Log Server consists of Domain Log Servers that store and process logs from Security Gateways that are managed by the corresponding Domain Management Servers. Acronym: MDLS., the value of the environment variable EXPORTERDIR changes automatically when you switch between Domain server contexts with the mdsenv command.

Important:

You must restart the Log Exporter instance for the new settings to take effect.

Run the "cp_log_export restart" command.
For information on how to backup and restore your Log Exporter configuration, see sk127653.

You can configure specific parameters to control how Log Exporter exports the logs.

Target Server Configuration

The Log Exporter configuration for the target server is saved in this file:

$EXPORTERDIR/targets/<Name of Log Exporter Configuration>/targetConfiguration.xml

These are some of the configuration options:

Parameter	Description	Valid / Default Values
`<version></version>`	Current Log Exporter version - used for upgrades.
`<is_enabled></is_enabled>`	Determines if the Log Exporter process is monitored by the watch dog.	true false

Parameter

Description

Valid / Default Values

<version></version>

Current Log Exporter version - used for upgrades.

<is_enabled></is_enabled>

Determines if the Log Exporter process is monitored by the watch dog.

true

false

Destination Parameters

Parameter	Description	Valid / Default Values
`type`	Reserved for future use.
`<ip></ip>`	The IP address of the target server that receives the logs.	Any IPv4 address or FQDN
`<port></port>`	The port on the target.	Any valid port number
`<protocol></protocol>`	The protocol used in the connection.	TCP or UDP
`<reconnect_interval></reconnect_interval>`	Determines how frequently to start the connection to the target server after it is lost.	Number of minutes

Security Parameters

These are discussed in more detail in Log Exporter TLS Configuration.

Parameter	Description	Valid / Default Values
`<security></security>`	Determines if the connection is sent in clear text or encrypted.	`clear` - clear text (this is the default) `tls` - encrypted
`<pem_ca_file></pem_ca_file>`	The location of the root Certificate Authority certificate file in the PEM format.
`<p12_certificate_file></p12_certificate_file>`	The location of the client key pair in the P12 format.
`<client_certificate_challenge_phrase></client_certificate_challenge_phrase>`	The challenge phrase that was used to create the P12 certificate. The value is hashed when the Log Exporter is started or restarted.

Source Parameters

Parameter	Description	Valid / Default Values
`<folder></folder>`	The path where the log files are located.	Default location is `$FWDIR/log/`
`<log_files></log_files>`	Determines which log records to export or how far back to read the log records from the `$FWDIR/log/fw.log` file.	`<Number>` - reads logs from the specific number (default=1) of days back (recommended) `<Specific File Name>` - reads logs from the specified file `on-line` If no value is specified, uses '`on-line`'
`<log_types></log_types>`	Determines which logs to export.	`all` - Security and Audit (default) `log` - Security only `audit` - Audit only
`<read_mode></read_mode>`	Determines whether to export complete logs or only their delta.	`semi-unified` (default) `raw`

Resolver Parameters

Parameter	Description	Valid / Default Values
`<mappingConfiguration></mappingConfiguration>`	Configures the XML file that contains the log field mapping scheme. If left empty, uses the default settings.	Default values are based on the format
`<exportAllFields>true</exportAllFields>`	When this field is set to '`true`', all log fields are sent regardless of whether they appear in the mapping scheme, except for specifically black-listed fields in the relevant log format mapping file (`<exported>false</exported>`). When this field is set to '`false`', only those fields which appear in the relevant log format mapping file are sent (with exported flag set to '`true`': `<exported>true</exported>`)	`true` `false`

Parameter

Description

Valid / Default Values

<mappingConfiguration></mappingConfiguration>

Configures the XML file that contains the log field mapping scheme.

If left empty, uses the default settings.

Default values are based on the format

<exportAllFields>true</exportAllFields>

When this field is set to 'true', all log fields are sent regardless of whether they appear in the mapping scheme, except for specifically black-listed fields in the relevant log format mapping file (<exported>false</exported>).

When this field is set to 'false', only those fields which appear in the relevant log format mapping file are sent (with exported flag set to 'true': <exported>true</exported>)

true
false

Format Parameters

Parameter	Description	Valid / Default Values
`<formatHeaderFile></formatHeaderFile>`	Configures the XML file that contains the log header format scheme. If left empty, uses the default settings.	Default values are based on the format

Parameter

Description

Valid / Default Values

<formatHeaderFile></formatHeaderFile>

Configures the XML file that contains the log header format scheme.

If left empty, uses the default settings.

Default values are based on the format

SmartView Link Parameters

Parameter	Description	Valid / Default Values
`export_log_link`	Adds a field to the exported log that represents a link to SmartView that shows the log card.	`true` `false` (default)
`export_attachment_link`	Adds a field to the exported log that represents a link to SmartView that shows the log card and automatically opens the attachment.	`true` `false` (default)
`export_link_ip`	Makes the above two links use a customized IP address (for example, for a NATed Log Server Dedicated Check Point server that runs Check Point software to store and process logs.).	IPv4 address empty (default)

Filter Parameters

This configuration allows Log Exporter instance to filter out the Security Gateway Dedicated Check Point server that runs Check Point software to inspect traffic and enforce Security Policies for connected network resources. traffic logs for several Software Blades (VPN-1 & Firewall-1, HTTPS Inspection, and Security Gateway/Management).

Note:

Security Gateway session logs are still exported (generated by tracking a Security Gateway rule Set of traffic parameters and other conditions in a Rule Base (Security Policy) that cause specified actions to be taken for a communication session. per session).
HTTPS Inspection Feature on a Security Gateway that inspects traffic encrypted by the Secure Sockets Layer (SSL) protocol for malware or suspicious patterns. Synonym: SSL Inspection. Acronyms: HTTPSI, HTTPSi. logs, Security Gateway logs generated not from rules, and a few NAT update logs are still exported.

Parameter	Description	Valid / Default Values
`<filter filter_out_by_connection="false">`	Determines whether to filtered out the Access logs. When set to `true`, VPN-1 & Firewall-1 logs are filtered out (HTTPS Inspection logs are still exported). Note - These are the only Software Blade Specific security solution (module): (1) On a Security Gateway, each Software Blade inspects specific characteristics of the traffic (2) On a Management Server, each Software Blade enables different management capabilities. filters currently supported.	`true` `false`

Parameter

Description

Valid / Default Values

<filter filter_out_by_connection="false">

Determines whether to filtered out the Access logs.

When set to true, VPN-1 & Firewall-1 logs are filtered out (HTTPS Inspection logs are still exported).

Note - These are the only Software Blade Specific security solution (module): (1) On a Security Gateway, each Software Blade inspects specific characteristics of the traffic (2) On a Management Server, each Software Blade enables different management capabilities. filters currently supported.

true
false

Format Configuration

The Log Exporter format configuration is saved in these files:

$EXPORTERDIR/targets/<Name of Log Exporter Configuration>/conf/*FormatDefinition.xml

Important - Do not edit the original *FormatDefinition.xml files. Doing so causes a data loss after an upgrade. Instead, create a copy of the file and modify the copied file, while leaving the original intact. After modifying the copied file, refer to it (using a full path) in the <formatHeaderFile> element in the applicable targetConfiguration.xml file.

Body

Parameter	Description	Syslog	Splunk	CEF	LEEF	Generic	LogRhythm	RSA
`<start_message_body></start_message_body>`	The character that precedes the log data payload.	`[`
`<end_message_body></end_message_body>`	The character that follows the log data payload.	`]`
`<message_separator></message_separator>`	The delimeter that separates logs.	` ( =='\n')`	` ('\n')`	` ('\n')`	` ('\n')`	`('\n')`	` ('\n')`	` ('\n')`
`<fields_separatator></fields_separatator>`	The delimeter that separates log fields.	`'; '` (semi colon, space)	`\|` (pipe)	`' '` (space)	` ` (<TAB>)	`' '` (space)	`\|` (pipe)	`' '` (space)
`<field_value_separatator></field_value_separatator>`	The assignment operator.	`:`	`=`	`=`	`=`	`=`	`=`	`=`
`<value_encapsulation_start>"</value_encapsulation_start>`	The value encapsulation operator (start).	`"`			`"`	`"`
`<value_encapsulation_start>"</value_encapsulation_start>`	The value encapsulation operator (end).	`"`			`"`	`"`
`<escape_chars>` `<char>` `<orig></orig>` `<escaped></escaped>` `</char>` `</escape_chars>`	To escape unwanted characters. The escape functionality replaces the string that is encapsulated by the `orig` tags with the string encapsulated by the `escaped` tags.	`;\ --> \\` `" --> \"` ` --> ' '` `] --> \]`	`\| --> ;` `= --> \=` ` --> ' '`	`;\ --> \\` `= --> \=` ` --> ' '` `\| --> \\|`	`= --> \=` ` --> ' '`	`\ --> \\` `" --> '` ` --> ' '`	`\| --> ;` `= --> \=` ` --> ' '`	`= --> \=` ` --> ' '`

Header

Parameter	Description	Default values for sysl	Default values for CEF
`<header_format></header_format>`	The delimeter between the header values and the number of values. Every {} is replaced with one value.	' ' (space)	\|

Notes:

To add a constant string to the header, add the string to the <header_format> tag value.
To add a new field to the header, add a new header format replacement string (for example: {}) to the <header_format> tag and add the applicable information in the <headers> tag.

Field Mapping Configuration

Every format has its own predefined fields configuration file that allow to change the name / value of the exported field, filter out irrelevant fields, and so on.

The Log Exporter format configuration is saved in these files:

$EXPORTERDIR/targets/<Name of Log Exporter Configuration>/conf/*FieldsMapping.xml

Important - Do not edit the original *FieldsMapping.xml files. Doing so causes a data loss after an upgrade. Instead, create a copy of the file and modify the copied file, while leaving the original intact. After modifying the copied file, refer to it (using a full path) in the <formatHeaderFile> element in the applicable targetConfiguration.xml file.

Parameter	Description	Valid / Default Values
`<table>`	Some fields appear in the tables based on the log format. This information can be found in the `.elg` log file - one entry for every new field. A field can appear in multiple tables. Each distinct instance is considered a new field.
`<exported></exported>`	Optional You can use the exported true/false tag in the mapping configuration file to filter out specific fields. Alternatively, if the `exportAllFields` tag in the `targetConfiguration.xml` file is set to `false`, only those fields which are listed in the mapping file are exported.	`true` `false`
`<origName></origName>`	The name of the field that is mapped to <dstName>
`<dstName></dstName>`	The new mapping scheme name for the applicable field.
`<required></required>`	Optional When set to `true`, only logs that contain this field are exported.	`true` `false`