Modify the log_exporter Configuration

This procedure describes how to modify the configuration of the existing log-exporter instance and covers both UDP and TCP.

The TCP option requires encryption. If you are going to use encrypted TCP, start with Configuring Check Point Syslogs Over Encrypted TCP.

The procedure must be performed on your CMA/SMC device and if you have a separate CLM log server it must be performed on that as well to include traffic logs. Make sure you define the same log ID on both.

  1. Create the log_exporter with the cp_log_export add command, as described in the Check Point Support Center: SecureKnowledge Details > Log Exporter - Check Point Log Export (Solution ID sk122323). Enter a protocol of either udp or tcp.

    cp_log_export add name <Name> [domain-server {mds | all}] target-server <HostName or IP address of Target Server> target-port <Port on Target Server> protocol udp/tcp format {syslog}

  2. If you are going to use encrypted TCP, specify your certificate details, obtained previously in Configuring Check Point Syslogs Over Encrypted TCP.

    cp_log_export set name <exporter-name> domain-server <domain-server> ca-cert <path_to_CA_pem> client-cert <path_to_p12_certificate> client-secret <challenge_phrase_for_p12>

  3. Edit the log exporter configuration file:

    For devices before R81.20, use this command:

    edit $EXPORTERDIR/targets/<Name of Log Exporter Configuration>/conf/SyslogFormatDefinition.xml
  4. Edit the file:

    From:

    <!-- HOSTNAME-->
      <header>
        <default_value>-</default_value>
        <assign_order>init</assign_order>
          <callback>
            <name>get_host_name_callback</name>
          </callback>
      </header>

    To:

    <!-- HOSTNAME-->
      <header>
        <default_value><Desired-Log-ID-Name></default_value>
      </header>

    where <Desired-Log-ID-Name> is a string of your choice. We recommend using sequential strings of numbers to name your log exports.

    Example: 10000, 10001, 10002

    The log name defined here will be used when adding Check Point devices to SecureTrack.

  5. Restart the log_exporter instance:

    cp_log_export restart name <exporter-name>
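The edit in step 4 can be applied and verified programmatically instead of by hand, which also makes it easy to confirm that the CMA/SMC and the CLM carry the same log ID as step 4 requires. The script below is an added example, not Tufin or Check Point code: it assumes the HOSTNAME block appears exactly as shown above and wraps it in a constructed <root> element so the sample parses stand-alone (the real file's outer structure is not shown on this page). The function names set_hostname_log_id, get_hostname_log_id and same_log_id are hypothetical.

```python
"""Pin the log_exporter HOSTNAME header to a fixed log ID in SyslogFormatDefinition.xml."""
import re
import xml.etree.ElementTree as ET

# Constructed sample: the "From" block from step 4, wrapped in an assumed <root>
# element because the real file's surrounding elements are not shown on the page.
SAMPLE_BEFORE = """<root>
<!-- HOSTNAME-->
  <header>
    <default_value>-</default_value>
    <assign_order>init</assign_order>
      <callback>
        <name>get_host_name_callback</name>
      </callback>
  </header>
</root>
"""

# Conservative character set for the log ID (the page recommends numbers such as 10000).
LOG_ID_RE = re.compile(r"^[A-Za-z0-9_.-]+$")


def _parse(xml_text):
    # insert_comments keeps the <!-- HOSTNAME--> marker so it survives re-serialisation
    parser = ET.XMLParser(target=ET.TreeBuilder(insert_comments=True))
    return ET.fromstring(xml_text, parser=parser)


def _find_hostname_header(root):
    """Return the <header> element that directly follows the HOSTNAME comment."""
    for parent in root.iter():
        children = list(parent)
        for i, child in enumerate(children):
            if child.tag is ET.Comment and "HOSTNAME" in (child.text or ""):
                if i + 1 < len(children) and children[i + 1].tag == "header":
                    return children[i + 1]
    raise ValueError("HOSTNAME header block not found")


def set_hostname_log_id(xml_text, log_id):
    """Return xml_text with the HOSTNAME header rewritten to the 'To' form of step 4.

    The assign_order and callback children are removed and default_value is set
    to log_id. ValueError is raised for an unsafe log ID or a missing block.
    """
    if not LOG_ID_RE.match(log_id):
        raise ValueError("log ID must be alphanumeric, e.g. 10000")
    root = _parse(xml_text)
    header = _find_hostname_header(root)
    for tag in ("assign_order", "callback"):
        for child in header.findall(tag):
            header.remove(child)
    dv = header.find("default_value")
    if dv is None:
        dv = ET.SubElement(header, "default_value")
    dv.text = log_id
    return ET.tostring(root, encoding="unicode")


def get_hostname_log_id(xml_text):
    """Return the pinned log ID, or None if the hostname callback is still in place."""
    header = _find_hostname_header(_parse(xml_text))
    if header.find("callback") is not None:
        return None
    return header.findtext("default_value")


def same_log_id(cma_xml, clm_xml):
    """True when both configuration files carry the same pinned log ID."""
    cma_id = get_hostname_log_id(cma_xml)
    return cma_id is not None and cma_id == get_hostname_log_id(clm_xml)


if __name__ == "__main__":
    print(set_hostname_log_id(SAMPLE_BEFORE, "10000"))
```

Run it against a copy of the file taken from $EXPORTERDIR/targets/<Name of Log Exporter Configuration>/conf/ on each device, keep the original as a backup, and compare the two results with same_log_id before restarting the exporter in step 5.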