Difference on Harmony Endpoint Log Exporter vs Event Forwarding

farisarch — Wed, 06 Aug 2025 07:53:35 GMT

Hello all,

Our team is currently building an in house SOC and utilizing events generated by Harmony Endpoint to feed the SIEM.

From what we have tested, there are two ways to send event logs from Harmony Endpoint to our SIEM which are:

1. Infinity Portal Event Forwarding

2. Harmony Endpoint Export Events or Log Exporter.

I've tried finding information on the difference of these two but there aren't many.

One that I notice is that Event Forwarding requires mTLS to be configured or you can't proceed, and there are no port restrictions during the configuration.

Log exporter has options whether to sent over port 514 or encrypted port 6514.

Other than that Event forwarding has options to create rules to forward services based on your needs.

Thank you in advance.

Re: Difference on Harmony Endpoint Log Exporter vs Event Forwarding

PhoneBoy — Mon, 11 Aug 2025 13:51:19 GMT

The main difference, at least from what I can see in the docs, is what data is forwarded (all services managed via Infinity Portal versus just the stuff for Harmony Endpoint).
Note that both of these features require a license (based on log volume).

Re: Difference on Harmony Endpoint Log Exporter vs Event Forwarding

farisarch — Wed, 13 Aug 2025 01:09:41 GMT

Yep, that is one of the main difference I noticed early on, though one thing we noticed is that there is a bit of format difference and naming convention from both but not all fields. There is also a big one we noticed where there is a long delay for forwarding logs to our syslog server for Event Forwarding. The first related log appeared on the Infinity Portal on 10:55:25 am yet Event Forwarding seems to have a delay in forwarding sometimes up to 15 minutes. Not sure if it's a region thing or intended behavior.

Top one is event forwarding, the other one is from log exporter

Aug 7 11:05:53 20.73.193.110 1 2025-08-07T03:05:04.07Z Checkpoint eventforwarding-ac9290f2-f72f-4a1d-b6af-1244619f7a23 1650 - - {"time":"2025-08-07 02:56:10","id":"a4640108-dc71-f638-6894-161300000002","orig":"164.100.1.8","sequencenum":1,"action":"Prevent","i_f_dir":"inbound","policy_date":"2025-07-22T03:18:50Z","severity_int":3,"confidence_level_int":0,"protection_type":"URL Filtering","advanced_info":"\"exclusions\":[{\"exclusion_engine_type\":\"URL Filtering exclusions\",\"exclusion_type\":\"Domain\",\"exclusion_value\":{\"default_value\":\"www.yarenhost.com\",\"md5\":\"\",\"original_name\":\"\",\"signer\":\"\",\"process\":\"\",\"protection\":\"\",\"comment\":\"\"}}]","app_id":"0","app_properties":["Phishing, Low Risk"],"app_rule_id":" ","app_rule_name":" ","appi_name":"www.yarenhost.com","client_name":"Check Point Endpoint Security Client","client_version":["89.00.0430"],"description":"To exclude: Open the Harmony Management -> POLICY -> Threat Prevention -> EXCLUSION CENTER -> Web and Files Protection -> URL Filtering exclusions -> + -> paste this: www.yarenhost.com","dst":"0.0.0.0","event_type":"URLF Info Event","host_type":["Desktop"],"installed_products":"Firewall; Compliance; Application Control; Anti-Malware; VPN; Anti-Bot; Forensics; Threat Emulation","local_time":1754564170,"machine_guid":" ","matched_category":"Phishing","os_name":["Microsoft Windows 10 Home"],"os_version":["10.0-19045-SP0.0-SP"],"policy_name":"Default Anti-Bot settings","policy_number":3,"process_exe_path":"C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe","product":"URL Filtering","product_family":"Endpoint","protection_name":"gen.urlf","reason":" ","resource":["https://www.yarenhost.com/"],"src":"192.168.237.165","src_machine_name":"DESKTOP-LDO9MC8","src_user_name":["fais"],"tenant_id":"REDACTED","user_name":" ","user_sid":"S-1-5-21-1451181116-1303984464-599200800-1001","usercheck_incident_uid":"3690ac7d","web_client_type":["Edge"],"domain":"SMC User","orig_log_server":"12c7035e-2b86-a94c-adcf-651a16d773de","orig_log_server_ip":"164.100.1.8","trimTime":"2025-08-07 02:56:00","trimHour":"2025-08-07 02:00:00","trimDate":"2025-08-07 00:00:00","hourOfDay":2,"severity":"High","confidence_level":"N/A","type":"Log","dedup_time":"2025-08-07 02:56:10.000001","__id":"2025-08-07 02:56:10_2025-08-07 02:56:10.000001"}

Aug 7 10:57:04 52.210.248.134 1 2025-08-07T02:55:25Z i-0788aba73fdeed2a7 CheckPoint 31993 - [action:"Prevent"; flags:"131072"; ifdir:"inbound"; loguid:"{0x689415eb,0x0,0x80164a4,0x3e807cf9}"; origin:"164.100.1.8"; sequencenum:"1"; time:"1754535325"; version:"5"; __policy_id_tag:" "; advanced_info:"{\"exclusions\":[{\"exclusion_engine_type\":\"URL Filtering exclusions\",\"exclusion_type\":\"Domain\",\"exclusion_value\":{\"default_value\":\"www.yarenhost.com\",\"md5\":\"\",\"original_name\":\"\",\"signer\":\"\",\"process\":\"\",\"protection\":\"\",\"comment\":\"\"}}\]}"; app_id:"0"; app_properties:"Phishing, High Risk"; app_rule_id:" "; app_rule_name:" "; appi_name:"www.yarenhost.com"; client_name:"Check Point Endpoint Security Client"; client_version:"89.00.0430"; confidence_level:"N/A"; description:"To exclude: Open the Harmony Management -> POLICY -> Threat Prevention -> EXCLUSION CENTER -> Web and Files Protection -> URL Filtering exclusions -> + -> paste this: www.yarenhost.com"; dst:"0.0.0.0"; event_type:"URLF Info Event"; host_type:"Desktop"; installed_products:"Firewall; Compliance; Application Control; Anti-Malware; VPN; Anti-Bot; Forensics; Threat Emulation"; local_time:"1754564125"; machine_guid:" "; matched_category:"Phishing,High Risk"; os_name:"Microsoft Windows 10 Home"; os_version:"10.0-19045-SP0.0-SP"; policy_date:"1753154330"; policy_name:"Default Anti-Bot settings"; policy_number:"3"; process_exe_path:"C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe"; product:"URL Filtering"; product_family:"Endpoint"; protection_name:"gen.urlf"; protection_type:"URL Filtering"; reason:" "; resource:"https://www.yarenhost.com/"; severity:"3"; src:"192.168.237.165"; src_machine_name:"DESKTOP-LDO9MC8"; src_user_name:"fais"; tenant_id:"REDACTED"; user_name:" "; user_sid:"S-1-5-21-1451181116-1303984464-599200800-1001"; usercheck_incident_uid:"b694ea32"; web_client_type:"Edge"]

Re: Difference on Harmony Endpoint Log Exporter vs Event Forwarding

PhoneBoy — Wed, 13 Aug 2025 19:40:05 GMT

If "events" are being sent, I imagine some time might be needed to ensure all data for that event is correlated, thus the delay.
It might also explain some differences in the logging.

topic Re: Difference on Harmony Endpoint Log Exporter vs Event Forwarding in Portal

Difference on Harmony Endpoint Log Exporter vs Event Forwarding

Re: Difference on Harmony Endpoint Log Exporter vs Event Forwarding

Re: Difference on Harmony Endpoint Log Exporter vs Event Forwarding

Re: Difference on Harmony Endpoint Log Exporter vs Event Forwarding