topic Re: Exporting R80.10 logs to Logstash ( ElasticSearch integration) in Firewall and Security Management

Exporting R80.10 logs to Logstash ( ElasticSearch integration)

Lukas_Nagy — Fri, 25 Aug 2017 11:09:54 GMT

Hello,

we are trying to integrate logs from Check Point Management server into Logstash. We are using opensource tool fw1-loggrabber with support of new OPSEC API (SHA-256) supported. Exporting works, however I couldn't find a proper documentation of the fields that can be found in logs. There is not really a true structure of logs, many line have different fields and those fields are not documentated.

Is there a document that show every field that can be exported? I just found an old LEA document, but it is missing a lot of fields. (http://dl3.checkpoint.com/paid/0f/LEA_Fields_2011.pdf?HashKey=1503666450_ebd2eeca265aaca0f531f781169c8948&xtn=.pdf ).

Writing rules for matching in Logstash is very difficult, without the knowledge what we can expect. We were following Check Point Firewall Logs and Logstash (ELK) Integration - /dev/random

Thank you for any insight how we can do this better.

Re: Exporting R80.10 logs to Logstash ( ElasticSearch integration)

PhoneBoy — Fri, 25 Aug 2017 15:58:51 GMT

I've added a couple of updated documents on LEA:

Re: Exporting R80.10 logs to Logstash ( ElasticSearch integration)

Haichao_Xie — Sat, 27 Apr 2019 16:27:48 GMT

perfect! I face same issue. will try this, Thanks a lot! sir.

Re: Exporting R80.10 logs to Logstash ( ElasticSearch integration)

Maarten_Sjouw — Sat, 27 Apr 2019 18:14:01 GMT

Nowadays it might be more useful to use CP log exporter instead

Re: Exporting R80.10 logs to Logstash ( ElasticSearch integration)

Haichao_Xie — Sun, 28 Apr 2019 00:52:26 GMT

thank you! sir. will check our Log Exporter work with ELK stack.

Re: Exporting R80.10 logs to Logstash ( ElasticSearch integration)

Julian_Sanchez — Tue, 31 Mar 2020 20:00:21 GMT

I believed with a SMS in R80.20 is possible send logs to logstash through syslog.