KB Article | Forcepoint Support

Problem Description

SMC does not allow you to select individual log columns to export from the SMC Logs view, but you can modify column selection when you export them to CSV or XML format.

To define which columns are exported, you must modify the XML datatype file on the Log server.

Other log export formats (LEEF, CEF) only offer a fixed column selection. With SMC version 6.5.2 and higher it is possible to modify customizable fields in these formats.


Modify column selection for CSV and XML log export

To modify the column selection for CSV or XML log exports, configure the exportable fields.
  1. Open a command line session on the log server.
  2. Navigate to <Log Server Installation directory>/data/fields/datatypes/.
  3. Locate the file that corresponds to the Data Type of the log you want to export and open the file for editing.
For example:
  • NGFW FW/VPN log datatype is defined in stonegate_log_datatype.xml.
  • NGFW IPS role log datatype is defined in ips_log_datatype.xml.
  • Third Party log datatype is defined in thirdparty_datatype.xml.
Note You can view the Data Type of a log record directly in the Logs view after a Data Type column is made visible.

Not all XML files in /data/fields/datatypes have exportable fields defined. Those files are not related to exporting and should not be edited.
  1. Open the file in a text editor.
  2. Scroll down the file until you find a tag called <exportable_field_list>.
Important For backwards compatibility reasons, you should only add new exportable fields at the end of the list inside the <fieldreflist></fieldreflist> tags.
  1. Under the child element <fieldreflist>, type the required Log fields within <fieldref></fieldref> tags. Alternatively, to remove a log field from export, delete its <fieldref></fieldref> entry.
Note The correct name and explanation for usable log field names within <fieldref> tags is documented in the Product Guide for your release, in the "Log Entry Fields" section.
  1. After you make your changes, restart the Log Server and reopen the Logs view in SMC.
Log exports to CSV or XML formats will now include the fields that you added to the datatype definitions.

Note During SMC upgrades, the datatype files will be overwritten and you will lose all earlier manual changes. It is recommended that you create a copy of all the manually modified files. If more than one Log server is present, make the required changes on all Log Servers.

The following is an example of a modified stonegate_log_datatype.xml file. This example lists all exportable fields for the current data type.
<version> 1 </version>
<name> Stonegate Log exportable fields </name>
<fieldref> TIMESTAMP </fieldref>
<fieldref> LOG_ID </fieldref>
<fieldref> NODE_ID </fieldref>
<fieldref> FACILITY </fieldref>
<fieldref> TYPE </fieldref>
<fieldref> EVENT </fieldref>
<fieldref> ACTION </fieldref>
<fieldref> SRC </fieldref>
<fieldref> DST </fieldref>
<fieldref> SERVICE </fieldref>
<fieldref> PROTOCOL </fieldref>
<fieldref> Sport </fieldref>
<fieldref> Dport </fieldref>
<fieldref> RULE_ID </fieldref>
<fieldref> NAT_SRC </fieldref>
<fieldref> NAT_DST </fieldref>
<fieldref> NAT_SPORT </fieldref>
<fieldref> NAT_DPORT </fieldref>
<fieldref> FLAG </fieldref>
<fieldref> Srcif </fieldref>
<fieldref> SRVHELPER_ID </fieldref>
<fieldref> ALERT </fieldref>
<fieldref> SYSLOG_TYPE </fieldref>
<fieldref> ICMP_TYPE </fieldref>
<fieldref> ICMP_CODE </fieldref>
<fieldref> ICMP_ID </fieldref>
<fieldref> IPSEC_SSPI </fieldref>
<fieldref> RTT </fieldref>
<fieldref> ACC_ELAPSED </fieldref>
<fieldref> ACC_TX_BYTES </fieldref>
<fieldref> ACC_RX_BYTES </fieldref>
<fieldref> AUTH_NAME </fieldref>
<fieldref> SRC_VLAN </fieldref>
<fieldref> COMP_ID </fieldref>
<fieldref> INFO_MSG </fieldref>
<fieldref> NAT_RULE_ID </fieldref>
<fieldref> AUTH_RULE_ID </fieldref>
<fieldref> ACK </fieldref>
<fieldref> RECEPTION_TIME </fieldref>
<fieldref> SENDER_TYPE </fieldref>
<fieldref> SITUATION </fieldref>
<fieldref> FP_SITUATION </fieldref>
<fieldref> ALERT_SEVERITY </fieldref>
<fieldref> EVENT_ID </fieldref>
<fieldref> QOS_CLASS </fieldref>
<fieldref> DSCP_MARK </fieldref>
<fieldref> QOS_PRIORITY </fieldref>
<fieldref> IKE_COOKIE </fieldref>
<fieldref> IPSEC_SSPI </fieldref>
<fieldref> IPS_APPID </fieldref>

Modify CEF or LEEF customizable fields in log export

Both CEF and LEEF formats include few customizable fields. With SMC 6.5.2 version and higher it is possible to change log field included on customizable fields.
  1. Open a command line session on the log server.
  2. Navigate to <installation directory>/data/fields/additional_fields
  3. Make copy of either template file and open the file in text editor of your choice.
Important All the default templates are overwritten during an SMC upgrade and therefore it is suggested to edit a custom file.
  1. Replace any of custom fields by desired log field.
    • You can use exportable firewall, IPS etc. fields in the additional log fields. List of exportable fields can be found from NGFW Product Guide and Online Log Fields appendices section (e.g. NGFW 6.8 Online Help).
    • As an example replace NAT Rule Tag log field by Network Application. Replace first line by second:
<fieldref field_name="NatRuleId">NAT_RULE_ID</fieldref>
<fieldref field_name="Application">IPS_APPID</fieldref>
  • Save the changes.
  1. Open <installation directory>/data/LogServerConfiguration.txt for editing.
  2. Add a line to refer to the customized template file of CEF or LEEF additional fields. 
  1. After you make your changes, save the file and restart the Log Server.

Keywords: log forwarding; syslog; log fields; csv; xm; cef; leef

Article Feedback

Thank you for the feedback and comments.