Modify the log_exporter Configuration

This procedure describes how to modify the configuration of the existing log-exporter instance and covers both UDP and TCP.

From R22-2 PHF1.0.0, the TCP option requires encryption. If you are going to use encrypted TCP, start with Configuring Check Point Syslogs Over Encrypted TCP.

The procedure must be performed on your CMA/SMC device. If you have a separate CLM log server, it must also be performed there so that traffic logs are included. Make sure you define the same log ID on both.

  1. Create the log_exporter with the cp_log_export add command, as described in the Check Point Support Center: SecureKnowledge Details > Log Exporter - Check Point Log Export (Solution ID sk122323). Enter a protocol of either udp or tcp.

    cp_log_export add name <Name> [domain-server {mds | all}] target-server <HostName or IP address of Target Server> target-port <Port on Target Server> protocol udp/tcp format {syslog}

  2. If you are going to use encrypted TCP, specify your certificate details, obtained previously in Configuring Check Point Syslogs Over Encrypted TCP.

    cp_log_export set name <exporter-name> domain-server <domain-server> ca-cert <path_to_CA_pem> client-cert <path_to_p12_certificate> client-secret <challenge_phrase_for_p12>

  3. Edit the log exporter configuration file:

    edit $EXPORTERDIR/targets/<Name of Log Exporter Configuration>/conf/SyslogFormatDefinition.xml

  4. Perform the following change:

    From:

    <!-- HOSTNAME-->
    <header>
      <default_value>-</default_value>
      <assign_order>init</assign_order>
      <callback>
        <name>get_host_name_callback</name>
      </callback>
    </header>

    To:

    <!-- HOSTNAME-->
    <header>
      <default_value><Desired-Log-ID-Name></default_value>
    </header>

    Where <Desired-Log-ID-Name> is a string of your choice. You must enter the same string when configuring the device in TOS Aurora, because TOS Aurora uses the hostname field of the syslog header to identify the device.

  5. Restart the log_exporter instance:

    cp_log_export restart name <exporter-name>
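The edit in step 4 is easy to get wrong by hand (a leftover callback means the exporter keeps emitting the real hostname, and TOS Aurora will not match the device), and the log ID has to be identical on the CMA/SMC and the CLM. The script below is an added example, not Check Point or Tufin code: it applies the HOSTNAME header change to a SyslogFormatDefinition.xml document and reads the configured log ID back so the two files can be compared. It assumes the file parses as XML, that the HOSTNAME header is the `<header>` element that follows the `<!-- HOSTNAME-->` comment exactly as shown in step 4, and the `<syslog_format>` root element and sample document are constructed for the example.

```python
"""Apply and verify the HOSTNAME header change for a Check Point
log_exporter SyslogFormatDefinition.xml (added example, not vendor code).

Assumptions: the document is well-formed XML and the HOSTNAME header is
the <header> element that follows the <!-- HOSTNAME--> comment. The root
element name and the sample document are constructed for this example.
"""
import xml.etree.ElementTree as ET
from typing import Optional

# Constructed sample mirroring the "From:" fragment in step 4.
# The <syslog_format> root is assumed; the real file's root may differ.
SAMPLE_BEFORE = """<syslog_format>
  <!-- HOSTNAME-->
  <header>
    <default_value>-</default_value>
    <assign_order>init</assign_order>
    <callback>
      <name>get_host_name_callback</name>
    </callback>
  </header>
  <!-- APPNAME (constructed, must be left untouched)-->
  <header>
    <default_value>-</default_value>
    <callback>
      <name>get_app_name_callback</name>
    </callback>
  </header>
</syslog_format>
"""


def _parse(xml_text: str) -> ET.Element:
    # Keep comments in the tree: the <!-- HOSTNAME--> marker is how we
    # locate the right header, both before and after the change.
    parser = ET.XMLParser(target=ET.TreeBuilder(insert_comments=True))
    return ET.fromstring(xml_text, parser=parser)


def _hostname_header(root: ET.Element) -> ET.Element:
    """Return the <header> that directly follows the HOSTNAME comment."""
    for parent in root.iter():
        children = list(parent)
        for i, child in enumerate(children):
            if child.tag is ET.Comment and (child.text or "").strip() == "HOSTNAME":
                for sibling in children[i + 1:]:
                    if sibling.tag == "header":
                        return sibling
    raise ValueError("no <header> following a <!-- HOSTNAME--> comment")


def set_hostname_log_id(xml_text: str, log_id: str) -> str:
    """Replace the runtime hostname lookup with a fixed log ID (step 4).

    Safe to run twice: a header that has already been converted simply
    gets its default_value set again.
    """
    root = _parse(xml_text)
    header = _hostname_header(root)
    # Remove the callback and assign_order so the exporter emits the
    # fixed default_value instead of calling get_host_name_callback.
    for tag in ("assign_order", "callback"):
        for elem in header.findall(tag):
            header.remove(elem)
    default = header.find("default_value")
    if default is None:
        default = ET.SubElement(header, "default_value")
    default.text = log_id
    return ET.tostring(root, encoding="unicode")


def hostname_log_id(xml_text: str) -> Optional[str]:
    """Return the fixed log ID, or None if the header is still resolved
    at runtime (callback present) or has no default_value."""
    header = _hostname_header(_parse(xml_text))
    if header.find("callback") is not None:
        return None
    default = header.find("default_value")
    return default.text if default is not None else None


def same_log_id(smc_xml: str, clm_xml: str) -> bool:
    """True only if both files carry the same fixed, non-empty log ID,
    which is what the procedure requires for the CMA/SMC and the CLM."""
    smc, clm = hostname_log_id(smc_xml), hostname_log_id(clm_xml)
    return bool(smc) and smc == clm


if __name__ == "__main__":
    # Constructed log ID; use the value you will enter in TOS Aurora.
    smc = set_hostname_log_id(SAMPLE_BEFORE, "cp-smc-01")
    clm = set_hostname_log_id(SAMPLE_BEFORE, "cp-smc-01")
    print(smc)
    print("log ID consistent on SMC and CLM:", same_log_id(smc, clm))
```

Run it against copies of the file from each device (`$EXPORTERDIR/targets/<Name>/conf/SyslogFormatDefinition.xml`) before restarting the exporter in step 5; a `False` from `same_log_id` means one of the two headers still carries the callback or the IDs differ.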