topic Re: Sending syslog from CheckPoint R81 to SIEM in Firewall and Security Management

Sending syslog from CheckPoint R81 to SIEM

Arturxr — Mon, 21 Mar 2022 09:43:54 GMT

Hi, tell me, is it possible to configure syslog so that administration data is also transmitted to SIEM (actions performed by administrators on the management server, events related to changing system objects?

Re: Sending syslog from CheckPoint R81 to SIEM

Wolfgang — Mon, 21 Mar 2022 09:51:18 GMT

@Arturxr

Log Exporter - Check Point Log Export will be the tool for your need. You can forward audit logs only .

Re: Sending syslog from CheckPoint R81 to SIEM

Arturxr — Mon, 21 Mar 2022 10:25:09 GMT

Yes, I studied this sk, only security and audit logs are sent, it turns out that they do not contain administration data and cannot be sent to siem in any way?

Re: Sending syslog from CheckPoint R81 to SIEM

Wolfgang — Mon, 21 Mar 2022 11:58:36 GMT

@Arturxr please explain "administration data", maybe with an example which information do you need to send to the SIEM.

If you change something in the rulebase or change objects, these changes are collected in the audit log.

Re: Sending syslog from CheckPoint R81 to SIEM

Arturxr — Mon, 21 Mar 2022 13:14:38 GMT

In SIEM, it is necessary to transfer information on changing objects (rules, hosts, subnets, etc.)
This information comes through OPSEC, but can it be configured through the Log Exporter?

Re: Sending syslog from CheckPoint R81 to SIEM

Wolfgang — Mon, 21 Mar 2022 13:28:01 GMT

@Arturxr as I wrote in my post, this information"changing objects (rules, hosts, subnets, etc." is logged in the audit logs of your SMS and it's possible to send them to SIEM . Have a look at the audit log view in Smartconsole, every information shown there can be send to SIEM. There is no need for the use of the OPSEC interface, LogExporter does this.

Re: Sending syslog from CheckPoint R81 to SIEM

Arturxr — Mon, 21 Mar 2022 13:28:38 GMT

I understand correctly? is it set up here?

Re: Sending syslog from CheckPoint R81 to SIEM

Wolfgang — Mon, 21 Mar 2022 13:41:59 GMT

Yes, that's correct. If you want to send audit logs only you have to do advanced configuration and change the configuration xml file. Change <log_types> all </log_types> to <log_types> audit </log_types>.

Re: Sending syslog from CheckPoint R81 to SIEM

Arturxr — Mon, 21 Mar 2022 13:59:08 GMT

Thanks, where can I find this xml file?

Re: Sending syslog from CheckPoint R81 to SIEM

Wolfgang — Mon, 21 Mar 2022 14:21:08 GMT

Everything you need is found here, please read this.

Log Exporter - Check Point Log Export

The Log Exporter configuration for the target server is saved in:
$EXPORTERDIR/targets/<Name of Log Exporter Configuration>/targetConfiguration.xml

Re: Sending syslog from CheckPoint R81 to SIEM

jimmyjose2980 — Thu, 14 Nov 2024 08:22:01 GMT

@Wolfgang,

For a company using Splunk as their SIEM solution, does selecting the format "Splunk" in the "Data Manipulation" page of the Log Exporter provide any major benefits over selecting "Syslog"?

What could be the advantages and disadvantages of selecting the format "Splunk"?

Re: Sending syslog from CheckPoint R81 to SIEM

Wolfgang — Thu, 14 Nov 2024 20:25:33 GMT

@jimmyjose2980 if you export your data directly to Splunk you have to choose Splunk, if you export to a syslog server you choose syslog. With the correct data manipulation you get the correct mapping from Check Point fields to Splunk fields in the data format. You can configure your own mapping for every data fields, but Check Point did this job and default profiles for the most common SIEM solutions are ready to use.

Re: Sending syslog from CheckPoint R81 to SIEM

jimmyjose2980 — Thu, 14 Nov 2024 22:21:22 GMT

@Wolfgang, thank you for your response!

From what I understand from the documentation is that regardless of whether I choose "Syslog" or "Splunk" as the log format in Log Exporter, I can either select TCP or UDP protocol. Is there a way I could configure HTTPS to encrypt the packets from Check Point to Syslog or Splunk?

Re: Sending syslog from CheckPoint R81 to SIEM

Wolfgang — Fri, 15 Nov 2024 07:36:38 GMT

@jimmyjose2980 see Log Exporter TLS Configuration and Log Exporter Instructions for Specific SIEM

Re: Sending syslog from CheckPoint R81 to SIEM

jimmyjose2980 — Fri, 15 Nov 2024 09:47:08 GMT

@Wolfgang, thanks! This will help me set up TLS configuration if I use the "Syslog" log format in "Data Manipulation". However, this configuration does not seem to support TLS configuration if I chose "Splunk" as the log format. What is your take on it?

Re: Sending syslog from CheckPoint R81 to SIEM

Wolfgang — Fri, 15 Nov 2024 12:24:19 GMT

The connection to splunk can be encrypted. Follow Log Exporter Instructions for Specific SIEM and a more detailed description Utilizing Mutual TLS Authentication with Log Expor... - Check Point CheckMates

Re: Sending syslog from CheckPoint R81 to SIEM

jimmyjose2980 — Wed, 20 Nov 2024 11:14:47 GMT

Great, thank you @Wolfgang!

Re: Sending syslog from CheckPoint R81 to SIEM

Matlu — Sun, 31 Aug 2025 14:18:12 GMT

Hello @Wolfgang

Is it possible to integrate a Check Point MDS against a Wazuh SIEM?

The configuration to send the logs to the SIEM (if Wazuh is supported) must be done in the main MDS or is it done in all the CMA (1x1)?

Thanks

Re: Sending syslog from CheckPoint R81 to SIEM

Wolfgang — Mon, 01 Sep 2025 08:11:00 GMT

@Matlu you can do an export from only some CMAs or for all, it depends on your needs.

But you can do it for all, see the documentation Deployment of Log Exporter in CLI

The "domain-server" argument is mandatory on a Multi-Domain Security Management Server / Multi-Domain Log Server.
- mds (in small letters) - Exports logs from only the MDS level.
- all (in small letters) - Exports logs from all Domains.

I'm not familiar with export to Wazuh but it should work. You have to play something with the fields of the export.