CEF defines a syntax for log records made up of a standard header and a variable extension formatted as key-value pairs. Use this discussion as a guide to how the Check Point syslog Log Exporter maps Check Point logs to the CEF format. It is based on R80.20 GA and may change in future versions.
CEF fields have their own names such as rt, suser and fname. Check Point fields such as src and dst that already match a CEF field name do not need to be mapped from a Check Point name to a CEF name, so they are not covered in this discussion.
Note: in this discussion we refer to Check Point fields by their raw field name. Check Point may translate the raw field name into a different display name in the user interface (Tracker in R77.30, SmartConsole in R80.x).
CEF Header Mapping
The mandatory CEF header is an integral part of the CEF message. The values in the header are displayed in the ArcSight GUI, and we took this into account during our mapping. As noted above, we do not map Check Point fields that already appear in the header. Where more than one candidate field exists for a header value, the policy that selects which value is used is defined in $EXPORTERDIR/conf/CefFormatDefinition.xml: first (use the first added value; the default) | last (use the last added value) | join (join the values) | init (set the header to a formatted string once on initialization and do not regenerate it for every log).
CEF Format Header Definition (note: a space is added between the “|” delimiter to make it easier to see the values)
CEF:Version | Device Vendor | Device Product | Device Version | Signature ID | Name | Severity | Extension
- CEF Version
- Device Vendor
- Device Product
  - Initialized to Check Point, but may also be Log Update or the value of the field product or productname.
- Device Version
- Signature ID
  - The default is Log, but may also be the value of the field attack, protection_type, verdict, dlp_data_type_name, app_category or app_properties.
- Name
  - The default is Log, but may also be the value of the field protection_name, appi_name, message_info or service_id.
- Severity
  - The default is Unknown, but may also be the value of the field app_risk, risk or severity.
- Extensions
  - See the field mapping below.
Check Point CEF Header Example (note: a space is added between the “|” delimiter to make it easier to see the values)
CEF:0 | Check Point | VPN-1 & FireWall-1 | Check Point | Log | https | Unknown | <extensions omitted and shown below>
Extensions
As noted above, extensions are formatted as key-value pairs. Among the extension fields are flex fields, which can hold either numbers or strings, and custom numbers and custom strings (cnX, csX). Every CEF field has a display name; Log Exporter uses only the actual field name and ignores the display name. Fields may also be accompanied by labels (for example cs2Label in the record below). In the targetConfiguration.xml file, exportAllFields is set to true, so all fields are exported to CEF; fields without a CEF mapping keep their Check Point name, as layer_name and rule_uid do in the example below.
Extension Example, Cut from the Record Above and Composed of <field=value> Pairs (note the escape character “\” before the “=” character inside a value, as in originsicname)
act=Accept destinationTranslatedAddress=0.0.0.0 destinationTranslatedPort=0 deviceDirection=0 rt=1543270652000 sourceTranslatedAddress=192.168.103.254 sourceTranslatedPort=35398 spt=49363 dpt=443 cs2Label=Rule Name layer_name=Network layer_uuid=b406b732-2437-4848-9741-6eae1f5bf112 match_id=4 parent_rule=0 rule_action=Accept rule_uid=9e5e6e74-aa9a-4693-b9fe-53712dd27bea ifname=eth0 logid=0 loguid={0x5bfc70fc,0x1,0xfe65a8c0,0xc0000001} origin=192.168.101.254 originsicname=CN\=R80,O\=R80_M..6u6bdo sequencenum=1 version=5 dst=52.173.84.157 inzone=Internal nat_addtnl_rulenum=1 nat_rulenum=4 outzone=External product=VPN-1 & FireWall-1 proto=6 service_id=https src=192.168.101.100
The table below is the Log Exporter CEF field mapping from R80.20 GA take 101, taken from $EXPORTERDIR/conf/CefFieldsMapping.xml, where origName is the Check Point raw field name and dstName is the CEF field name; rows are sorted by dstName. Where a mapping also transforms the value, the name, key and value columns describe the transformation: replace_value substitutes the raw value listed in key with value (the default row applies when no key matches), and append_string appends value to the raw value (time and start_time gain “000”, turning epoch seconds into the milliseconds CEF expects in rt and start, as rt=1543270652000 in the example above shows).
The table mappings contained in the file are not included here.
origName | dstName | dstLabel | dstLabelVal | name | key | value |
action | act | | | | | |
protocol | app | | | | | |
ipv6_src | c6a2 | c6a2Label | Source IPv6 Address | | | |
ipv6_dst | c6a3 | c6a3Label | Destination IPv6 Address | | | |
update_version | cfp1 | cfp1Label | Update Version | | | |
elapsed | cn1 | cn1Label | Elapsed Time in Seconds | | | |
email_recipients_num | cn1 | cn1Label | Email Recipients Number | | | |
payload | cn1 | cn1Label | Payload | | | |
duration_sec | cn2 | cn2Label | Duration in Seconds | | | |
icmp_type | cn2 | cn2Label | ICMP Type | | | |
icmp_code | cn3 | cn3Label | ICMP Code | | | |
event_count | cnt | | | | | |
suppressed_logs | cnt | | | | | |
app_risk | cp_app_risk | | | replace_value | default | Unknown |
app_risk | cp_app_risk | | | replace_value | 0 | Unknown |
app_risk | cp_app_risk | | | replace_value | 1 | Low |
app_risk | cp_app_risk | | | replace_value | 2 | Low |
app_risk | cp_app_risk | | | replace_value | 3 | Medium |
app_risk | cp_app_risk | | | replace_value | 4 | High |
app_risk | cp_app_risk | | | replace_value | 5 | Very-High |
severity | cp_severity | | | replace_value | default | Unknown |
severity | cp_severity | | | replace_value | 0 | Low |
severity | cp_severity | | | replace_value | 1 | Low |
severity | cp_severity | | | replace_value | 2 | Medium |
severity | cp_severity | | | replace_value | 3 | High |
severity | cp_severity | | | replace_value | 4 | Very-High |
app_rule_name | cs1 | cs1Label | Application Rule Name | | | |
connectivity_state | cs1 | cs1Label | Connectivity State | | | |
dlp_rule_name | cs1 | cs1Label | DLP Rule Name | | | |
email_id | cs1 | cs1Label | Email ID | | | |
malware_rule_name | cs1 | cs1Label | Threat Prevention Rule Name | | | |
voip_log_type | cs1 | cs1Label | VoIP Log Type | | | |
categories | cs2 | cs2Label | Categories | | | |
category | cs2 | cs2Label | Category | | | |
email_subject | cs2 | cs2Label | Email Subject | | | |
integrity_av_invoke_type | cs2 | cs2Label | Scan Invoke Type | | | |
peer_gateway | cs2 | cs2Label | Peer Gateway | | | |
protection_id | cs2 | cs2Label | Protection ID | | | |
sensor_mode | cs2 | cs2Label | Sensor Mode | | | |
update_status | cs2 | cs2Label | Update Status | | | |
email_spool_id | cs3 | cs3Label | Email Spool ID | | | |
identity_type | cs3 | cs3Label | Identity Type | | | |
incident_extension | cs3 | cs3Label | Incident Extension | | | |
protection_type | cs3 | cs3Label | Protection Type | | | |
user_group | cs3 | cs3Label | User Group | | | |
destination_os | cs4 | cs4Label | Destination OS | | | |
email_control | cs4 | cs4Label | Email Control | | | |
frequency | cs4 | cs4Label | Frequency | | | |
malware_rule_id | cs4 | cs4Label | Threat Prevention Rule ID | | | |
protection_name | cs4 | cs4Label | Protection Name | | | |
scan_result | cs4 | cs4Label | Scan Result | | | |
spyware_status | cs4 | cs4Label | Malware Status | | | |
tcp_flags | cs4 | cs4Label | TCP Flags | | | |
user_status | cs4 | cs4Label | User Response | | | |
auth_method | cs5 | cs5Label | Authentication Method | | | |
email_session_id | cs5 | cs5Label | Email Session ID | | | |
matched_category | cs5 | cs5Label | Matched Category | | | |
vlan_id | cs5 | cs5Label | VLAN ID | | | |
appi_name | cs6 | cs6Label | Application Name | | | |
malware_family | cs6 | cs6Label | Malware Family | | | |
spyware_name | cs6 | cs6Label | Malware Name | | | |
virus_name | cs6 | cs6Label | Virus Name | | | |
destination_dns_hostname | destinationDnsDomain | | | | | |
service_name | destinationServiceName | | | | | |
xlatedst | destinationTranslatedAddress | | | | | |
xlatedport | destinationTranslatedPort | | | | | |
subs_exp | deviceCustomDate2 | deviceCustomDate2Label | Subscription Expiration | | | |
ifdir | deviceDirection | | | replace_value | default | 0 |
ifdir | deviceDirection | | | replace_value | outbound | 1 |
ifdir | deviceDirection | | | replace_value | inbound | 0 |
type | deviceExternalId | | | | | |
product_family | deviceFacility | | | | | |
client_inbound_interface | deviceInboundInterface | | | | | |
client_outbound_interface | deviceOutboundInterface | | | | | |
destination_dhcp_hostname | dhost | | | | | |
dst_machine_name | dhost | | | | | |
endpoint_addr | dhost | | | | | |
netbios_destination_hostname | dhost | | | | | |
mac_destination_address | dmac | | | | | |
service | dpt | | | | | |
usercheck_incident_uid | duid | | | | | |
d_name | duser | | | | | |
dst_user_name | duser | | | | | |
orig_to | duser | | | | | |
uname4domain | duser | | | | | |
user | duser | | | | | |
usercheck | duser | | | | | |
vpn_user | duser | | | | | |
endpoint_ip | dvc | | | | | |
dlp_rule_uid | externalId | | | | | |
uuid | externalId | | | | | |
file_md5 | fileHash | | | | | |
file_sha1 | fileHash | | | | | |
file_id | fileId | | | | | |
data_origin | filePath | | | | | |
source_path | filePath | | | | | |
file_type | fileType | | | | | |
confidence_level | flexNumber1 | flexNumber1Label | Confidence | | | |
dst_phone_number | flexNumber2 | flexNumber2Label | Destination Phone Number | | | |
performance_impact | flexNumber2 | flexNumber2Label | Performance Impact | | | |
app_sig_id | flexString1 | flexString1Label | Application Signature ID | | | |
attack_info | flexString2 | flexString2Label | Attack Information | | | |
malware_action | flexString2 | flexString2Label | Malware Action | | | |
dlp_file_name | fname | | | | | |
file_name | fname | | | | | |
file_size | fsize | | | | | |
client_inbound_bytes | in | | | | | |
received_bytes | in | | | | | |
attack | msg | | | | | |
description | msg | | | | | |
information | msg | | | | | |
message | msg | | | | | |
message_info | msg | | | | | |
client_outbound_bytes | out | | | | | |
sent_bytes | out | | | | | |
attack_assessment | outcome | | | | | |
status | outcome | | | | | |
verdict | outcome | | | | | |
termination_reason | reason | | | | | |
to | Recipient | | | | | |
redirect_url | request | | | | | |
resource | request | | | | | |
url | request | | | | | |
client_name | requestClientApplication | | | | | |
web_client_type | requestClientApplication | | | | | |
http_referer | requestContext | | | | | |
origin_sic_name | requestContext | | | | | |
cookie | requestCookies | | | | | |
method | requestMethod | | | | | |
time | rt | | | append_string | append | 000 |
mail_sender | Sender | | | | | |
src_machine_name | shost | | | | | |
industry_reference | Signature | | | | | |
mac_source_address | smac | | | | | |
domain_name | sntdom | | | | | |
source_os | sourceServiceName | | | | | |
te_verdict_determined_by | sourceServiceName | | | | | |
scope | sourceTranslatedAddress | | | | | |
vpn_internal_source_ip | sourceTranslatedAddress | | | | | |
xlatesrc | sourceTranslatedAddress | | | | | |
xlatesport | sourceTranslatedPort | | | | | |
src_user_group | spriv | | | | | |
port | spt | | | | | |
s_port | spt | | | | | |
client_ip | src | | | | | |
start_time | start | | | append_string | append | 000 |
email_address | suser | | | | | |
from | suser | | | | | |
orig_from | suser | | | | | |
src_user_name | suser | | | | | |
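The following is an added example, not Log Exporter code: it applies a hand-transcribed subset of the mapping rules above (renames, csX/cnX labels, replace_value, append_string and the header candidate lists with the default first policy) to a constructed dict of raw Check Point fields and emits the resulting CEF line, escaping “=” in extension values as the record above does. The sample record and the function names are assumptions made for the example.

```python
# Subset of the CefFieldsMapping.xml table above, transcribed by hand.
RENAME = {"action": "act", "protocol": "app", "service": "dpt", "s_port": "spt",
          "xlatesrc": "sourceTranslatedAddress", "xlatesport": "sourceTranslatedPort",
          "xlatedst": "destinationTranslatedAddress", "xlatedport": "destinationTranslatedPort"}
LABELED = {"app_rule_name": ("cs1", "Application Rule Name"), "icmp_type": ("cn2", "ICMP Type"),
           "protection_name": ("cs4", "Protection Name"), "appi_name": ("cs6", "Application Name")}
RISK = {"0": "Unknown", "1": "Low", "2": "Low", "3": "Medium", "4": "High", "5": "Very-High"}
SEVERITY = {"0": "Low", "1": "Low", "2": "Medium", "3": "High", "4": "Very-High"}
REPLACE_VALUE = {"app_risk": ("cp_app_risk", RISK, "Unknown"),
                 "severity": ("cp_severity", SEVERITY, "Unknown"),
                 "ifdir": ("deviceDirection", {"outbound": "1", "inbound": "0"}, "0")}
APPEND_STRING = {"time": ("rt", "000"), "start_time": ("start", "000")}  # epoch seconds -> ms
# Header candidates from the "CEF Header Mapping" section (policy 'first': first present wins).
SIG_ID = ("attack", "protection_type", "verdict", "dlp_data_type_name", "app_category", "app_properties")
NAME = ("protection_name", "appi_name", "message_info", "service_id")

def escape(value, special):
    # CEF escapes the backslash, plus '|' in the header and '=' in the extension (CN\=R80 above)
    return value.replace("\\", "\\\\").replace(special, "\\" + special)

def first_of(fields, candidates, default):
    return next((fields[c] for c in candidates if c in fields), default)

def to_cef(fields):
    ext = {}
    for key, value in fields.items():
        if key in REPLACE_VALUE:
            dst, table, default = REPLACE_VALUE[key]
            ext[dst] = table.get(value, default)
        elif key in APPEND_STRING:
            dst, suffix = APPEND_STRING[key]
            ext[dst] = value + suffix
        elif key in LABELED:
            dst, label = LABELED[key]
            ext[dst], ext[dst + "Label"] = value, label
        else:  # exportAllFields=true: unmapped fields keep their raw Check Point name
            ext[RENAME.get(key, key)] = value
    header = ["CEF:0", "Check Point", first_of(fields, ("product", "productname"), "Check Point"),
              "Check Point", first_of(fields, SIG_ID, "Log"), first_of(fields, NAME, "Log"),
              first_of(fields, ("app_risk", "risk", "severity"), "Unknown")]
    extension = " ".join(f"{k}={escape(v, '=')}" for k, v in ext.items())
    return "|".join(escape(h, "|") for h in header) + "|" + extension

# Constructed sample of raw fields, modelled on the example record on this page (assumption).
SAMPLE = {"action": "Accept", "time": "1543270652", "ifdir": "inbound", "service": "443",
          "s_port": "49363", "src": "192.168.101.100", "dst": "52.173.84.157",
          "originsicname": "CN=R80,O=R80_M", "product": "VPN-1 & FireWall-1", "service_id": "https"}
```

Calling to_cef(SAMPLE) reproduces the header shown above (CEF:0|Check Point|VPN-1 & FireWall-1|Check Point|Log|https|Unknown|) followed by the extension pairs.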