KB Article | Forcepoint Support

Problem Description

NGFW Security Management Center can forward logs to external hosts in different formats. A select set of default log fields are forwarded, but these can be modified when logs are forwarded in CSV, XML or ESM format. Starting from SMC version 6.5.2 it is possible to modify custom fields in CEF and LEEF formats.
 
Note Other log export formats (Netflow v9 and IPFIX) only offer a fixed log field selection that cannot be edited.
 

Resolution

To find out more information and how to resolve this issue, see the steps below.

Customizing log fields for CSV or XML log forwarding

The parameter SYSLOG_CONF_FILE in the <installation directory>/data/LogServerConfiguration.txt file defines the template used when logs are forwarded. The template tells the Log Server what fields to include in the forwarded logs.

If the template does not exist, cannot be accessed due to incorrect file permissions, or the SYSLOG_CONF_FILE parameter is not defined, then Log Server uses the exportable field list defined in the relevant datatype XML file in <installation directory>/data/fields/datatypes to select what fields are forwarded.

There are default templates in the /data/fields/syslog_templates folder which can be used as a starting point.

Important All the default templates in the syslog_templates folder are overwritten during an SMC upgrade. It is recommended you duplicate one of the default templates and point the SYSLOG_CONF_FILE to the custom template so your changes are not lost during upgrade.

The SYSLOG_CONF_FILE parameter should be added to LogServerConfiguration.txt to point to the required template file:
  • Example for a Linux installation:
    SYSLOG_CONF_FILE=/usr/local/stonesoft/data/fields/syslog_templates/my_template.xml
  • Example for a Microsoft Windows installation, the backslashes in the path need to be escaped:
    SYSLOG_CONF_FILE=C\:\\ProgramData\\Stonesoft\\Security Management Center\\data\\fields\\syslog_templates\\my_template.xml

    Note The path in your environment may differ from the examples. Verify the correct path for your environment before applying the changes. Make sure there are no spaces or other extra characters at the end of the line; they will prevent the Log Server from accessing the file during server startup.

To modify the field selection for logs forwarded as CSV and XML, configure the exportable fields in the selected syslog template:
  1. Open a command line session on the log server.
  2. Navigate to <installation directory>/data/fields/syslog_templates.
  3. Open the file in a text editor of your choice.
  4. Locate the tag named <exportable_field_list> a few rows from the top.
  5. Under the child element <fieldreflist>, add the required log fields within <fieldref></fieldref> tags. Alternatively, to remove a log field from export, delete its entry.
     
    Important For backward compatibility reasons, you should only add new exportable fields at the end of this list.
    Note The correct name and explanation for usable log field names within tags are documented in the Appendix, Log Fields, of the Security Management Center Product Guide for your release. The available log field names are also found in the datatype files in <installation directory>/data/fields/datatypes.

    For example, if you want the Log Server to forward the Network Application log field, add the line <fieldref>IPS_APPID</fieldref> inside the <fieldreflist>.
  6. After you make your changes, save the file and restart the Log Server.
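The following Python script is an added example; it is not code from the article or from Forcepoint. It automates the checks a practitioner wants before restarting the Log Server: it flags a SYSLOG_CONF_FILE line that ends in whitespace (which the note above says prevents the file from being accessed), escapes a Windows path in the form the article shows, and appends a new <fieldref> as the last entry of the exportable field list so the backward-compatibility rule in step 5 is respected. The configuration fragment and template are constructed for the example and only reproduce the element shape the article describes (exportable_field_list > fieldreflist > fieldref); a real template from the product contains more content.

```python
import xml.etree.ElementTree as ET

# Constructed LogServerConfiguration.txt fragment (not a real file from the product).
# The SYSLOG_CONF_FILE line deliberately ends with a space, the defect the article warns about.
SAMPLE_CONFIG = (
    "LOG_SERVER_PORT=3020\n"
    "SYSLOG_CONF_FILE=/usr/local/stonesoft/data/fields/syslog_templates/my_template.xml \n"
)

# Constructed minimal template in the shape the article describes; real templates carry more.
SAMPLE_TEMPLATE = """<syslog_conf>
  <exportable_field_list>
    <fieldreflist>
      <fieldref>TIMESTAMP</fieldref>
      <fieldref>SRC</fieldref>
    </fieldreflist>
  </exportable_field_list>
</syslog_conf>
"""


def syslog_conf_file_problems(config_text):
    """Return a list of problems found with the SYSLOG_CONF_FILE line of a config file."""
    problems = []
    matches = [line for line in config_text.splitlines()
               if line.startswith("SYSLOG_CONF_FILE=")]
    if not matches:
        # Without the parameter the Log Server falls back to the datatype XML field list.
        problems.append("SYSLOG_CONF_FILE is not defined; datatype defaults will be used")
        return problems
    if len(matches) > 1:
        problems.append("SYSLOG_CONF_FILE is defined more than once")
    value = matches[0].split("=", 1)[1]
    if not value.strip():
        problems.append("empty template path")
    elif value != value.rstrip():
        # Trailing spaces become part of the path and the file cannot be opened at startup.
        problems.append("trailing whitespace after the template path")
    return problems


def windows_properties_path(path):
    """Escape a Windows path the way the article shows for LogServerConfiguration.txt:
    every backslash doubled and the drive colon escaped."""
    return path.replace("\\", "\\\\").replace(":", "\\:")


def exportable_fields(template_xml):
    """Return the exportable log field names in the order the template lists them."""
    root = ET.fromstring(template_xml)
    return [(f.text or "").strip()
            for f in root.findall(".//exportable_field_list/fieldreflist/fieldref")]


def append_exportable_field(template_xml, field_name):
    """Append field_name as the LAST <fieldref> of the exportable field list (the article
    requires new fields at the end for backward compatibility). Adding a field that is
    already present leaves the template unchanged. Returns the new template text."""
    root = ET.fromstring(template_xml)
    reflist = root.find(".//exportable_field_list/fieldreflist")
    if reflist is None:
        raise ValueError("template has no exportable_field_list/fieldreflist element")
    if field_name not in exportable_fields(template_xml):
        new = ET.SubElement(reflist, "fieldref")  # SubElement appends after existing children
        new.text = field_name
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    print("config problems:", syslog_conf_file_problems(SAMPLE_CONFIG))
    print(windows_properties_path("C:\\ProgramData\\Stonesoft\\Security Management Center"))
    updated = append_exportable_field(SAMPLE_TEMPLATE, "IPS_APPID")
    print("fields after edit:", exportable_fields(updated))
```

Run the checks against the real files by reading them from <installation directory>/data before restarting the Log Server; the script only rewrites the template text it is given, so write the result to your own copy under syslog_templates rather than over a default template.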

Customizing log fields for ESM log forwarding

To modify the field selection for logs forwarded as ESM, configure the exportable fields in the esm_syslog_conf.xml syslog template:
  1. Open a command line session on the log server.
  2. Navigate to <installation directory>/data/fields/syslog_templates.
  3. Open the esm_syslog_conf.xml in a text editor of your choice.
  4. Locate the tag named <exportable_field_list> a few rows from the top.
  5. Under the child element <fieldreflist>, add the required log fields within <fieldref></fieldref> tags. Alternatively, to remove a log field from export, delete its entry.
    Important For backward compatibility reasons, you should only add new exportable fields at the end of this list.
    Important All the default templates in the syslog_templates folder are overwritten during an SMC upgrade. Make a copy of the modified esm_syslog_conf.xml file to be able to revert to it after SMC upgrade.
  6. After you make your changes, save the file and restart the Log Server.

Modifying custom log fields for CEF and LEEF log forwarding

Both CEF and LEEF formats include a few customizable fields. With SMC version 6.5.2 and higher it is possible to change which log field is included in each customizable field.
  1. Open a command line session on the log server.
  2. Navigate to <installation directory>/data/fields/additional_fields.
  3. Make a copy of either template file and open the copy in a text editor of your choice.
     Important All the default templates are overwritten during an SMC upgrade, so edit a custom copy rather than the default file.
  4. Replace any of the custom fields with the desired log field.
     • For example, to replace the NAT Rule Tag log field with Network Application, replace the first line with the second:
     <fieldref field_name="NatRuleId">NAT_RULE_ID</fieldref>
     <fieldref field_name="Application">IPS_APPID</fieldref>
     • Save the changes.
  5. Open <installation directory>/data/LogServerConfiguration.txt for editing.
  6. Add a line that refers to the customized template file of CEF or LEEF additional fields:
     CEF_ADDITIONAL_FIELDS_CONF_FILE=<cef_conf_file>
     LEEF_ADDITIONAL_FIELDS_CONF_FILE=<leef_conf_file>
  7. After you make your changes, save the file and restart the Log Server.
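The following Python script is an added example, not code from the article or from Forcepoint. It performs the replacement described in the CEF/LEEF procedure above on a template copy: the entry identified by its field_name attribute is swapped for the new mapping, every other entry keeps its position, and the edit is refused if the old entry is missing or the new field_name would duplicate another entry. The template text is constructed for the example in the shape the article shows; the second entry is a placeholder, and a real additional-fields template contains other content.

```python
import xml.etree.ElementTree as ET

# Constructed additional-fields template. The first entry is the one the article uses as its
# example; the second is a placeholder entry, not a real custom field name from the product.
SAMPLE_ADDITIONAL_FIELDS = """<additional_fields>
  <fieldref field_name="NatRuleId">NAT_RULE_ID</fieldref>
  <fieldref field_name="PlaceholderField">PLACEHOLDER_LOG_FIELD</fieldref>
</additional_fields>
"""


def custom_field_mappings(template_xml):
    """Return the (field_name, log field) pairs in the order they appear in the template."""
    root = ET.fromstring(template_xml)
    return [(f.get("field_name"), (f.text or "").strip()) for f in root.iter("fieldref")]


def replace_custom_field(template_xml, old_field_name, new_field_name, new_log_field):
    """Replace the custom field whose field_name is old_field_name with the new mapping,
    keeping every other entry and its position. Raises ValueError when the old entry is
    absent or ambiguous, or when new_field_name would collide with another entry."""
    root = ET.fromstring(template_xml)
    refs = list(root.iter("fieldref"))
    targets = [f for f in refs if f.get("field_name") == old_field_name]
    if len(targets) != 1:
        raise ValueError(
            f"expected exactly one fieldref named {old_field_name!r}, found {len(targets)}")
    target = targets[0]
    if any(f is not target and f.get("field_name") == new_field_name for f in refs):
        raise ValueError(f"field_name {new_field_name!r} is already used by another entry")
    # Both the attribute and the element text change, as in the article's example.
    target.set("field_name", new_field_name)
    target.text = new_log_field
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    print("before:", custom_field_mappings(SAMPLE_ADDITIONAL_FIELDS))
    edited = replace_custom_field(SAMPLE_ADDITIONAL_FIELDS, "NatRuleId", "Application", "IPS_APPID")
    print("after: ", custom_field_mappings(edited))
```

Write the returned text to the custom copy referenced by CEF_ADDITIONAL_FIELDS_CONF_FILE or LEEF_ADDITIONAL_FIELDS_CONF_FILE, then restart the Log Server; comparing custom_field_mappings() of the default file and the copy after an SMC upgrade is a quick way to confirm the customization is still in place.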

Related Information

For a full list of product documents, see Documentation.



Keywords: log forwarding; syslog; log fields; csv; xml; cef; leef