Log Exporter Basic Configuration in CLI
Common method for creating and modifying Log Exporter targets.
To configure a new target for the exported logs:
- Connect to the command line on the Management Server (a Check Point Single-Domain or Multi-Domain Security Management Server) or on the Log Server (a dedicated Check Point server that stores and processes logs).
- Log in to the Expert mode.
- Configure the Log Exporter settings:

  cp_log_export add name <Name of Log Exporter Configuration> [domain-server {mds | all}] target-server <HostName or IP address of Target Server> target-port <Port on Target Server> protocol {tcp | udp} format {cef | generic | json | leef | logrhythm | rsa | splunk | syslog} [--apply-now] [<Other Optional Arguments>]
Parameters:

name <Name of Log Exporter Configuration>
    Configures the name of the Log Exporter configuration.
    Notes:
    - Allowed characters are: Latin letters, digits ("0-9"), minus ("-"), underscore ("_"), and period (".").
    - Must start with a letter.
    - The minimum length is two characters.
    - This command creates a new target directory with the specified unique name in the $EXPORTERDIR/targets/ directory.

domain-server {mds | all}
    On a Multi-Domain Server (MDS), specifies the applicable Domain Management Server context.
    On a Multi-Domain Log Server (MDLS), specifies the applicable Domain Log Server context.
    This parameter is mandatory.
    - "mds" (in lowercase) - Exports audit logs from only the main MDS level.
    - "all" (in lowercase) - Exports audit logs from all Domains.

target-server <HostName or IP address of Target Server>
    Configures the target server, to which Log Exporter sends the exported logs.
    You can enter an IP address or an FQDN.

target-port <Port on Target Server>
    Configures the listening port on the target server, to which Log Exporter sends the exported logs.

protocol {tcp | udp}
    Configures the Layer 4 protocol for Syslog traffic - TCP or UDP.

format {...}
    Configures the format of the exported logs:
    - cef - CEF
    - generic - Generic
    - json - JSON
    - leef - LEEF
    - logrhythm - LogRhythm
    - rsa - RSA
    - splunk - Splunk
    - syslog - Syslog (default)

--apply-now
    Optional.
    Automatically starts the new Log Exporter instance with the new settings.
    If you do not use this parameter, you must start the new Log Exporter instance manually with this command:

    cp_log_export restart

<Other Optional Arguments>
    Optional.
Important - By default, Log Exporter sends the exported logs in clear text. To send the exported logs over an encrypted connection, see Log Exporter TLS Configuration.
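As an added example (not part of Check Point's documentation or tooling), the following POSIX shell wrapper checks the name, protocol, format and port rules described above before composing the cp_log_export add command; it only prints the command (a dry run) and omits the optional domain-server argument, which you would add by hand on a Multi-Domain Server.

```shell
# Added example, not Check Point code: validate inputs against the documented
# rules, then print the resulting 'cp_log_export add' command (dry run only).
# Run the printed command yourself on the Management Server / Log Server in
# Expert mode. The domain-server argument is intentionally left out.

# Name rules from the table: Latin letters, digits, '-', '_' and '.',
# must start with a letter, at least two characters long.
valid_export_name() {
  printf '%s' "$1" | grep -Eq '^[A-Za-z][A-Za-z0-9._-]+$'
}

# Usage: build_log_export_cmd NAME TARGET_SERVER TARGET_PORT PROTOCOL FORMAT
# Prints the command on success; returns 1 (with a message on stderr)
# when any argument violates the documented constraints.
build_log_export_cmd() {
  name=$1; server=$2; port=$3; proto=$4; fmt=$5

  valid_export_name "$name" || { echo "invalid name: $name" >&2; return 1; }

  case $proto in
    tcp|udp) ;;
    *) echo "protocol must be tcp or udp" >&2; return 1 ;;
  esac

  case $fmt in
    cef|generic|json|leef|logrhythm|rsa|splunk|syslog) ;;
    *) echo "unsupported format: $fmt" >&2; return 1 ;;
  esac

  # Port must be a number in the valid TCP/UDP range.
  case $port in
    ''|*[!0-9]*) echo "port must be numeric" >&2; return 1 ;;
  esac
  [ "$port" -ge 1 ] && [ "$port" -le 65535 ] || { echo "port out of range" >&2; return 1; }

  printf 'cp_log_export add name %s target-server %s target-port %s protocol %s format %s --apply-now\n' \
    "$name" "$server" "$port" "$proto" "$fmt"
}

# Constructed sample values: a SIEM collector at 10.0.0.5 listening on 514/tcp.
build_log_export_cmd siem1 10.0.0.5 514 tcp cef
```

Since the command is sent in clear text by default, pair the printed command with the TLS configuration referenced above before pointing it at a collector across an untrusted network.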