topic Re: Logs from Infinity Portal to Splunk in Portal

Logs from Infinity Portal to Splunk

roby198 — Fri, 22 Sep 2023 18:04:47 GMT

Hi.

I need to feed SPLUNK with logs from Infinity Portal.

I read that with Infinity Portal all logs and security events are stored in the Infinity Portal’s cloud-native as datalake in cloud.

It can forwarding events, as said in the doc, as "...an easy and secure procedure to export Infinity Portal data over the Syslog protocol. You can forward logs, events, and saved application data from your Check Point Infinity Portal account to a
SIEM (Security Information and Event Management) provider, such as Splunk, QRadar, or ArcSight".

In my case I want to send these event to a Splunk ES (SaaS cloud)

Questions:

How Can i choice the format of the log since there are different log format vendor SIEM as CEF, LEEF, maybe json for SPLUNK ?
If there is a solution for the point 1 do i need to set up a Splunk Forwarder (Splunk syslog server) to collect these logs from Infinity Portal and then send them to a Splunk Enterprise Security SAAS ?
Do the the Infinity Portal implement (transparently) the CheckPoint Log EXPORTER sw module on its components?

Thank you

Roby

Re: Logs from Infinity Portal to Splunk

PhoneBoy — Fri, 22 Sep 2023 22:58:53 GMT

Log Exporter runs on the Check Point management, not gateways.
In any case, it should be possible to set this up with Splunk, but only syslog format is supported per: https://sc1.checkpoint.com/documents/Infinity_Portal/WebAdminGuides/EN/Infinity-Portal-Admin-Guide/Content/Topics-Infinity-Portal/Event-Forwarding.htm#How
Which suggest you might need a Splunk syslog server.
Believe this can be confirmed through TAC: https://help.checkpoint.com

Re: Logs from Infinity Portal to Splunk

the_rock — Sat, 23 Sep 2023 14:54:57 GMT

My colleague and I did this for the customer couple of years back, will see if I can find the link about it here and send it over.

Andy

Re: Logs from Infinity Portal to Splunk

roby198 — Sat, 23 Sep 2023 18:29:00 GMT

Thank you Andy

Re: Logs from Infinity Portal to Splunk

the_rock — Sat, 23 Sep 2023 18:37:07 GMT

I believe this should help. Sorry for the delay, was out running, but I sure aint Haile Gebrselassie 🤣🤣

Andy

https://community.checkpoint.com/t5/Management/Log-exporter-amp-Splunk-TLS/m-p/126164#M27609

Re: Logs from Infinity Portal to Splunk

roby198 — Sat, 23 Sep 2023 18:45:28 GMT

Hi,

The point 3 question "Do the the Infinity Portal implement (transparently) the CheckPoint Log EXPORTER sw module on its components" it is : the LOG EXPORTER is implemented on management.

And , could the management be on a customer on-premise and the logs flow to Infinity Portal datalake in cloud? correct?

About point 1, I believed that the syslog protocol already transported the information in the various proprietary SIEM formats.

About point 2, I need Splunk Forwarder.

Thanks

Re: Logs from Infinity Portal to Splunk

the_rock — Sat, 23 Sep 2023 18:52:31 GMT

Point 3, correct.

Point 1, yes, that is the case.

Point 2, not 100% sure, but you may want to confirm with TAC.

Example I gave you was that my colleague and I had TAC set up cp log export so logs from S1C (smart 1 cloud) would go to SIEM.

Andy

Re: Logs from Infinity Portal to Splunk

PhoneBoy — Mon, 25 Sep 2023 16:53:27 GMT

Log Exporter runs on your Check Point management/log server.
If you're using Smart-1 Cloud or other services via Infinity Portal, this is where Log Exporter functionality is implemented.
If you want to include events from your on-prem managed services in Infinity Portal, this can be done with Horizon Events.

Re: Logs from Infinity Portal to Splunk

roby198 — Mon, 25 Sep 2023 19:26:15 GMT

Hi Andy , thank you so much, I'll follow the instructions in the link and i'll try it.

Roby

Re: Logs from Infinity Portal to Splunk

the_rock — Mon, 25 Sep 2023 19:28:55 GMT

No worries mate. I sure hope it works.

If any issues, let us know. Well, let us know the outcome either way : - )

Andy