cp_log_export

Description

Exports Check Point logs over syslog.

For more information, see sk122323 and R81 Logging and Monitoring Administration Guide.

Syntax

cp_log_export

cp_log_export <command-name> help

Parameters

No parameters - Shows the built-in general help.

<command-name> help - Shows the built-in help for the specified internal command.

Internal Commands

add - Configures a new Check Point Log Exporter.

cp_log_export add name <Name> target-server <Target-Server> target-port <Target-Server-Port> protocol {udp | tcp} [Optional Arguments]

delete - Removes an existing Log Exporter.

cp_log_export delete name <Name>

reconf - Applies the Log Exporter configuration to all existing exporters.

cp_log_export reconf [name <Name>]

reexport - Resets the current log position and exports all logs again based on the configuration.

cp_log_export reexport name <Name> --apply-now

cp_log_export reexport name <Name> start-position <Position of Last Exported Log> --apply-now

cp_log_export reexport name <Name> start-position <Position of Gap Start> end-position <Position of Gap End> --apply-now

restart - Restarts a Log Exporter process.

cp_log_export restart name <Name>

set - Updates an existing Log Exporter configuration.

cp_log_export set name <Name> [<Optional Arguments>]

show - Shows the current Log Exporter configuration.

cp_log_export show [<Optional Arguments>]

start - Starts an existing Log Exporter process.

cp_log_export start name <Name>

status - Shows a Log Exporter overview status.

cp_log_export status [<Optional Arguments>]

stop - Stops an existing Log Exporter process.

cp_log_export stop name <Name>

Internal Command Arguments

For each argument, the "Required for" line states whether the argument is Mandatory, Optional, or not applicable (N / A) for the "add", "set", "delete" and "reconf" commands, for the "restart", "show", "status", "start" and "stop" commands, and for the "reexport" command.

--apply-now

Applies immediately any change that was done with the "add", "set", "delete", or "reexport" command.

Required for: add: Optional; set: Optional; delete: Mandatory; reconf: N / A; restart/show/status/start/stop: N / A; reexport: Mandatory

ca-cert <Path>

Specifies the full path to the CA certificate file *.pem.

Important - Applicable only when the value of the "encrypted" argument is "true".

Required for: add: Optional; set: Optional; delete: N / A; reconf: N / A; restart/show/status/start/stop: N / A; reexport: N / A

client-cert <Path>

Specifies the full path to the client certificate *.p12.

Important - Applicable only when the value of the "encrypted" argument is "true".

Required for: add: Optional; set: Optional; delete: N / A; reconf: N / A; restart/show/status/start/stop: N / A; reexport: N / A

client-secret <Phrase>

Specifies the challenge phrase used to create the client certificate *.p12.

Important - Applicable only when the value of the "encrypted" argument is "true".

Required for: add: Optional; set: Optional; delete: N / A; reconf: N / A; restart/show/status/start/stop: N / A; reexport: N / A

domain-server {mds | all}

On a Multi-Domain Server, specifies the applicable Domain Management Server context.

On a Multi-Domain Log Server, specifies the applicable Domain Log Server context.

Important:

  • "mds" (in small letters) - Exports audit logs from only the main MDS level.

  • "all" (in small letters) - Exports audit logs from all Domains.

Required for: add: Mandatory; set: Mandatory; delete: Mandatory; reconf: N / A; restart/show/status/start/stop: Optional; reexport: Mandatory

enabled {true | false}

Default: true

Required for: add: Optional; set: Optional; delete: N / A; reconf: N / A; restart/show/status/start/stop: N / A; reexport: N / A

encrypted {true | false}

Specifies whether to use TLS (SSL) encryption to send the logs.

Default: false

Required for: add: Optional; set: Optional; delete: N / A; reconf: N / A; restart/show/status/start/stop: N / A; reexport: N / A

export-attachment-ids {true | false}

Specifies whether to add a field to the exported logs that represents the ID of the log's attachment (if one exists).

Default: false

Required for: add: Optional; set: Optional; delete: N / A; reconf: N / A; restart/show/status/start/stop: N / A; reexport: N / A

export-attachment-link {true | false}

Specifies whether to add a field to the exported logs that represents a link to SmartView that shows the log card and automatically opens the attachment.

Default: false

Required for: add: Optional; set: Optional; delete: N / A; reconf: N / A; restart/show/status/start/stop: N / A; reexport: N / A

export-link {true | false}

Specifies whether to add a field to the exported logs that represents a link to SmartView that shows the log card.

Default: false

Required for: add: Optional; set: Optional; delete: N / A; reconf: N / A; restart/show/status/start/stop: N / A; reexport: N / A

export-link-ip {true | false}

Specifies whether to make the links to SmartView use a custom IP address (for example, for a Log Server behind NAT).

Important - Applicable only when the value of the "export-link" argument is "true", or the value of the "export-attachment-link" argument is "true".

Default: false

Required for: add: Optional; set: Optional; delete: N / A; reconf: N / A; restart/show/status/start/stop: N / A; reexport: N / A

filter-action-in {"Action1","Action2",... | false}

Specifies whether to export all logs that contain a specific value in the "Action" field.

Each value must be surrounded by double quotes ("").

Multiple values are supported and must be separated by a comma without spaces.

To see all valid values:

  1. In SmartConsole, go to the Logs & Monitor view and open the Logs tab.

  2. In the top query field, enter action: and a letter.

Examples of values:

  • Accept

  • Block

  • Bypass

  • Detect

  • Drop

  • HTTPS Bypass

  • HTTPS Inspect

  • Prevent

  • Reject

Important - This parameter replaces any other filter configuration that was declared earlier on this field directly in the filtering XML file. Other field filters are not overwritten.

Required for: add: Optional; set: Optional; delete: N / A; reconf: N / A; restart/show/status/start/stop: N / A; reexport: N / A

filter-blade-in {"Blade1","Blade2",... | false}

Specifies whether to export all logs that contain a specific value in the "Blade" field (the object name of the Software Blade that generated these logs).

Each value must be surrounded by double quotes ("").

Multiple values are supported and must be separated by a comma without spaces.

To see all valid values:

  1. In SmartConsole, go to the Logs & Monitor view and open the Logs tab.

  2. In the top query field, enter blade: and a letter.

Examples of values:

  • Anti-Bot

  • Firewall

  • HTTPS Inspection

  • Identity Awareness

  • IPS

Valid Software Blade families:

  • Access

  • TP

  • Endpoint

  • Mobile

Important - This parameter replaces any other filter configuration that was declared earlier on this field directly in the filtering XML file. Other field filters are not overwritten.

Required for: add: Optional; set: Optional; delete: N / A; reconf: N / A; restart/show/status/start/stop: N / A; reexport: N / A

filter-origin-in {"Origin1","Origin2",... | false}

Specifies whether to export all logs that contain a specific value in the "Origin" field (the object name of the Security Gateway / Cluster Member that generated these logs).

Each origin value must be surrounded by double quotes ("").

Multiple values are supported and must be separated by a comma without spaces.

Important - This parameter replaces any other filter configuration that was declared earlier on this field directly in the filtering XML file. Other field filters are not overwritten.

Required for: add: Optional; set: Optional; delete: N / A; reconf: N / A; restart/show/status/start/stop: N / A; reexport: N / A

format {generic | cef | json | leef | logrhythm | rsa | splunk | syslog}

Specifies the format in which the logs are exported.

Default: syslog

Required for: add: Optional; set: Optional; delete: N / A; reconf: N / A; restart/show/status/start/stop: N / A; reexport: N / A

name "<Name>"

Specifies the unique name of the Log Exporter configuration.

Notes:

  • Allowed characters are: Latin letters, digits ("0-9"), minus ("-"), underscore ("_"), and period (".").

  • Must start with a letter.

  • The minimum length is two characters.

  • The "add" command creates a new target directory with the specified unique name in the $EXPORTERDIR/targets/ directory.

Required for: add: Mandatory; set: Mandatory; delete: Mandatory; reconf: Optional (by default, applies to all); restart/show/status/start/stop: Optional (by default, applies to all); reexport: Mandatory

protocol {tcp | udp}

Specifies the Layer 4 Transport protocol to use (TCP or UDP).

There is no default value.

Required for: add: Mandatory; set: Optional; delete: N / A; reconf: N / A; restart/show/status/start/stop: N / A; reexport: N / A

read-mode {raw | semi-unified}

Specifies the mode in which to read the log files.

  • raw - Specifies to export log records without any unification.

  • semi-unified - Specifies to export log records with step-by-step unification. That is, for each log record, export a record that unifies this record with all previously-encountered records with the same ID.

Default: semi-unified

Required for: add: Optional; set: Optional; delete: N / A; reconf: N / A; restart/show/status/start/stop: N / A; reexport: N / A

target-port <Target-Server-Port>

Specifies the listening port on the target server to which you export the logs.

Required for: add: Mandatory; set: Optional; delete: N / A; reconf: N / A; restart/show/status/start/stop: N / A; reexport: N / A

target-server <Target-Server>

Specifies the IP address or FQDN of the target server to which you export the logs.

Required for: add: Mandatory; set: Optional; delete: N / A; reconf: N / A; restart/show/status/start/stop: N / A; reexport: N / A

time-in-milli {true | false}

Specifies whether to export logs with the time resolution in milliseconds.

Requires Security Gateways R81 and higher.

Default: false

Required for: add: Optional; set: Optional; delete: N / A; reconf: N / A; restart/show/status/start/stop: N / A; reexport: N / A
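The following POSIX shell script is an added example; it is not part of the Check Point documentation above and not Check Point code. It assembles a "cp_log_export add" command line from the rules the argument table states: the character rules for "name", the quoting and comma-separation of filter values, and the "ca-cert", "client-cert" and "client-secret" arguments that apply only when "encrypted" is "true". The helper names (validate_exporter_name, format_filter_values, build_add_command), the RUN_EXPORTER variable, and the target host, port, certificate paths and secret are assumptions constructed for the example. By default the script only prints the command so it can be reviewed; it runs the command only when RUN_EXPORTER=yes is set on a Log Server where cp_log_export exists.

```shell
#!/bin/sh
# Added example (not Check Point code): build and sanity-check a "cp_log_export add"
# command line before running it. Helper names, RUN_EXPORTER and all sample values
# (host, port, certificate paths, secret) are constructed for this example.

# "name" rules from the argument table: Latin letters, digits, "-", "_" and ".",
# must start with a letter, and at least two characters long.
validate_exporter_name() {
    printf '%s' "$1" | grep -Eq '^[A-Za-z][A-Za-z0-9._-]+$'
}

# Filter lists (filter-action-in, filter-blade-in, filter-origin-in): every value in
# double quotes, values separated by a comma with no spaces.
format_filter_values() {
    out=""
    for v in "$@"; do
        if [ -z "$out" ]; then
            out="\"$v\""
        else
            out="$out,\"$v\""
        fi
    done
    printf '%s' "$out"
}

# Arguments: $1 name  $2 target-server  $3 target-port  $4 protocol (tcp|udp)
#            $5 encrypted (true|false)  $6 ca-cert  $7 client-cert  $8 client-secret
# The TLS arguments are emitted only when encrypted is "true", and an encrypted
# exporter that is missing any of them is refused instead of being half-configured.
build_add_command() {
    name=$1; server=$2; port=$3; proto=$4; enc=$5
    ca=$6; ccert=$7; csecret=$8

    validate_exporter_name "$name" || { echo "invalid exporter name: $name" >&2; return 1; }
    case $proto in tcp|udp) ;; *) echo "protocol must be tcp or udp" >&2; return 1 ;; esac
    case $port in ''|*[!0-9]*) echo "target-port must be numeric" >&2; return 1 ;; esac
    case $enc in true|false) ;; *) echo "encrypted must be true or false" >&2; return 1 ;; esac

    cmd="cp_log_export add name $name target-server $server target-port $port protocol $proto"
    if [ "$enc" = true ]; then
        if [ -z "$ca" ] || [ -z "$ccert" ] || [ -z "$csecret" ]; then
            echo "encrypted true requires ca-cert, client-cert and client-secret" >&2
            return 1
        fi
        cmd="$cmd encrypted true ca-cert $ca client-cert $ccert client-secret $csecret"
    fi
    printf '%s' "$cmd"
}

# Constructed sample values for a dry run (placeholders, not values from the page).
ACTIONS=$(format_filter_values "Drop" "Reject" "HTTPS Bypass")
CMD=$(build_add_command siem-tls siem.example.internal 6514 tcp true \
        /home/admin/certs/ca.pem /home/admin/certs/client.p12 'CHANGE-ME-PLACEHOLDER') || exit 1
CMD="$CMD format cef filter-action-in $ACTIONS --apply-now"
echo "$CMD"

# Only execute on the Log Server when explicitly requested.
if [ "${RUN_EXPORTER:-no}" = yes ]; then
    eval "$CMD"
fi
```

The printed line is exactly what would be typed at the prompt; eval applies the same quote removal the interactive shell would, so a value with a space such as "HTTPS Bypass" still reaches cp_log_export as one value.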