Checkpoint parser improvements #2740
Signed-off-by: Balazs Scheidler <balazs.scheidler@oneidentity.com>
Build SUCCESS
I have checked the Light test cases. At first glance I found a new test case which was the same as an old one, but after checking it again they are not the same: they differ in their timestamps.
I'm running version R80.20m2 and sending it syslog format from CP, and it does not seem to parse it correctly. Maybe related to the actual output:
Can you show your config?
On Mon, Jul 29, 2019, 20:12 Jewnix wrote:
I'm running version R80.20m2 and sending it syslog format from CP, and it does not seem to parse it correctly. Maybe related to the date-parser. Actual output:
Jul 29 13:04:13 checkpoint <134>1 2019-07-29T17:04:13Z checkpoint CheckPoint 9951 - [action:"Accept"; conn_direction:"Outgoing"; contextnum:"1"; flags:"7258112";
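As an added example (not part of this thread and not syslog-ng's own checkpoint-parser), a small Python parser for the LogExporter syslog format quoted above: it strips the relay-added BSD header, splits the RFC 5424 header, and walks the bracketed `key:"value";` list, reporting where matching stops instead of silently dropping the rest. The sample line is constructed from the field names in the quote with made-up values, and the handling of backslash escapes inside values is an assumption.

```python
import re

# Constructed sample (not from the thread): a CheckPoint LogExporter message in
# its syslog (RFC 5424-style) output format, received over TCP after a relay
# prepended a BSD-style "Mon DD HH:MM:SS host " header, as in the quoted line.
# Field names follow that quote; the values are made up.
SAMPLE = ('Jul 29 13:04:13 checkpoint <134>1 2019-07-29T17:04:13Z checkpoint '
          'CheckPoint 9951 - [action:"Accept"; conn_direction:"Outgoing"; '
          'contextnum:"1"; flags:"7258112"; src:"10.0.0.5"; dst:"192.0.2.10"; '
          'service:"443"; rule_name:"web out"]')

# Optional relay-added BSD header, then PRI, VERSION, TIMESTAMP, HOSTNAME,
# APP-NAME, PROCID, MSGID and the bracketed LogExporter field list.
HEADER = re.compile(
    r'^(?:[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d \S+ )?'
    r'<(?P<pri>\d{1,3})>(?P<ver>\d) (?P<ts>\S+) (?P<host>\S+) '
    r'(?P<app>\S+) (?P<pid>\S+) (?P<msgid>\S+) \[(?P<fields>.*)\]\s*$')

# LogExporter does not emit RFC 5424 SD-PARAMs (key="value"); it emits
# key:"value"; pairs. Matching the quoted value as one unit (assumption:
# backslash escapes inside it) keeps an embedded ';' from splitting a field.
FIELD = re.compile(r'\s*([A-Za-z0-9_.-]+):"((?:[^"\\]|\\.)*)"\s*;?')


def parse_checkpoint(line):
    """Return header fields plus the LogExporter key/value pairs, or None
    when the line does not look like a LogExporter message at all."""
    m = HEADER.match(line)
    if not m:
        return None
    pri = int(m.group('pri'))
    result = {'facility': pri >> 3, 'severity': pri & 7,
              'timestamp': m.group('ts'), 'host': m.group('host'),
              'program': m.group('app'), 'pid': m.group('pid'), 'fields': {}}
    body, pos = m.group('fields'), 0
    while pos < len(body):
        fm = FIELD.match(body, pos)
        if not fm:
            # Do not drop the rest silently: keep the pairs parsed so far and
            # record where matching stopped, so a format change is visible.
            result['unparsed'] = body[pos:]
            break
        result['fields'][fm.group(1)] = fm.group(2).replace('\\"', '"')
        pos = fm.end()
    return result


if __name__ == '__main__':
    print(parse_checkpoint(SAMPLE))
```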
I wanted to check how you apply the checkpoint parser, and it seems fine. If you start syslog-ng with debug and trace enabled (for instance with the -Fedvt command line options from a shell), you can see how the checkpoint parser attempts parsing the message and where it fails. If you have problems deciphering the output, just post it here.
On Mon, Aug 5, 2019, 16:59 Jewnix wrote:

filter f_cpdash {
    netmask("10.0.0.1/32") or host('cpdash-swg');
};

destination d_cpdash {
    file("/var/log/splunk/cp_firewall/$LOGHOST/$HOST/$R_YEAR$R_MONTH$R_DAY-$R_HOUR.log");
};

log {
    source {
        network(
            transport("tcp")
            flags(no-parse)
            port(2154)
        );
    };
    parser { checkpoint-parser(); };
    filter(f_cpdash);
    destination(d_cpdash);
    flags(final);
};
With new, current samples received from a syslog-ng user, I could improve the parser to better support the output of CheckPoint LogExporter. I also added links to the official documentation and a community topic on the matter.