Modify the log_exporter Configuration

This procedure describes how to modify the configuration of the existing log-exporter instance and covers both UDP and TCP.

The TCP option requires encryption. If you are going to use encryped TCP, start with Configuring Check Point Syslogs Over Encrypted TCP.

The procedure must be performed on your CMA/SMC device and if you have a separate CLM log server it must be performed on that as well to include traffic logs. Make sure you define the same log ID on both.

  1. Create the log_exporter with the cp_log_export add command, as described in the Check Point Support Center: SecureKnowledge Details > Log Exporter - Check Point Log Export (Solution ID sk122323). Enter a protocol of either udp or tcp.

    cp_log_export add name <Name> [domain-server {mds | all}] target-server <HostName or IP address of Target Server> target-port <Port on Target Server> protocol udp/tcp format {syslog}

  2. If you are going to use encrypted TCP, specify your certificate details, obtained previously in Configuring Check Point Syslogs Over Encrypted TCP. 

    cp_log_export set name <exporter-name> domain-server <domain-server> ca-cert <path_to_CA_pem> client-cert <path_to_p12_certificate> client-secret <challenge_phrase_for _p12>

  3. Edit the log exporter configuration file:

    For devices before R81.20, use this command:

    edit $EXPORTERDIR/targets/<Name of Log Exporter Configuration>/conf/SyslogFormatDefinition.xml
    edit $EXPORTERDIR/targets/<Name of Log Exporter Configuration>/conf/SyslogFormatDefinition.xml

    1. Verify the creation of the log exporter.

      cp_log_export show
      cp_log_export show

      The log exporters are listed.

    2. Access the appropriate domain environment.

      mdsstat
      mdsstat
      mdsenv CMA_R81.20_9.154_Server
      mdsenv CMA_R81.20_9.154_Server

    3. Copy the syslogFormatDefinition.xml global file and name the new file after the log exporter target name.

      cp /opt/CPrt-R81.20/log_exporter/conf/SyslogFormatDefinition.xml /opt/CPmds-R81.20/customers/CMA_R81.20_9.154_Server/CPrt-R81.20/log_exporter/targets/st_32.168_udp/conf
      cp /opt/CPrt-R81.20/log_exporter/conf/SyslogFormatDefinition.xml /opt/CPmds-R81.20/customers/CMA_R81.20_9.154_Server/CPrt-R81.20/log_exporter/targets/st_32.168_udp/conf

    4. Navigate to the new target log exporter file.

      cd /opt/CPrt-R81.20/log_exporter/conf/SyslogFormatDefinition.xml /opt/CPmds-R81.20/customers/CMA_R81.20_9.154_Server/CPrt-R81.20/log_exporter/targets/st_32.168_udp/conf
      cd /opt/CPmds-R81.20/customers/CMA_R81.20_9.154_Server/CPrt-R81.20/log_exporter/targets/st_32.168_udp/

    5. Modify the targetConfiguration.xml file.

      vi targetConfiguration.xml
      vi targetConfiguration.xml

    6. In the targetConfiguration.xml file, update the "formatHeaderFile" field under "Format header configuration" to use the path "./conf/SyslogFormatDefinition.xml"

  4. Edit the file:

    From: 

    <!-- HOSTNAME-->	
  <header>
    <default_value>-</default_value>
    <assign_order>init</assign_order>
      <callback>
        <name>get_host_name_callback</name>
      </callback>
  </header>

    To: 

    <!-- HOSTNAME-->
  <header>
    <default_value><Desired-Log-ID-Name></default_value>
  </header>

    where <Desired-Log-ID-Name> is a string of your choice. We recommend using sequential strings of numbers to name your log exports.

    Example: 10000, 10001, 10002

    The log name defined here will be used when adding Check Point devices to SecureTrack.

  5. Restart the log_exporter instance:

    cp_log_export restart name <exporter-name>