topic Re: Log Exporter Checkpoint R80.40 in Firewall and Security Management

Log Exporter Checkpoint R80.40

LostBoY — Tue, 28 Jul 2020 12:30:54 GMT

Hello,

I want to integrate my Checkpoint instance to DataDog.. i am wondering what is the best way to do so.. should i just configure a syslog server , forward all Checkpoint logs to that syslog and integrate that syslog server with datadog.

Additionally, i also came across "Log Exporter" feature in Checkpoint but i didnt get it completely. Does log exporter enables integration directly with SIEM tools ? do i need to install any additional plugins on the GWs for it to function.

Re: Log Exporter Checkpoint R80.40

PredragPetrovic — Tue, 28 Jul 2020 15:17:35 GMT

Hi,

There are many approaches that you can do to achieve this. So far I've used a syslog server to export logs and then ship them to the right platform (e.g. Azure Log Analytics), and in some cases I have used OPSEC integration with some vendors and systems. In essence it boils down to your preference, needs and specifications.

Cheers,

Predrag

Re: Log Exporter Checkpoint R80.40

Gomboragchaa — Tue, 28 Jul 2020 15:21:21 GMT

Hi @LostBoY ,

I would suggest to use Log Exporter. It is really easy to configure and you can use filter as well.

If you use the Log Exporter, the remote SIEM tool will be recieve logs through syslog. You don't need to install any other plugins.

Please find sk122323 .

Re: Log Exporter Checkpoint R80.40

LostBoY — Tue, 28 Jul 2020 16:59:08 GMT

Thanks for the reply.. so if i understand this correctly i need to use log exporter to send all the logs from Mgmt Server to a syslog server... i can then add that syslog server to the SIEM tool ?

Re: Log Exporter Checkpoint R80.40

LostBoY — Tue, 28 Jul 2020 17:00:28 GMT

Thanks for the reply... so it means i should export the logs to a syslog server... then add that syslog server to the SIEM Also, there is an option to create a syslog server in SmartConsole via New Object -Server and so on.. is it one and the same thing.

Re: Log Exporter Checkpoint R80.40

LostBoY — Tue, 28 Jul 2020 17:13:13 GMT

Alright so i configured a log exporter in Mgmt Server.. the syslog server is in the same vlan as that of MGMT Server. I can see the process running via commands - cp_log_export status cp_log_export server However, at the syslog server end no logs are visible it is just showing the Mgmt Firewall hostname and the process id.. am i missing something here ? Thanks

Re: Log Exporter Checkpoint R80.40

PredragPetrovic — Tue, 28 Jul 2020 17:58:27 GMT

As I have said there are multiple ways to do this. What is the most logical way its up to you... When using cp_log_export tool after adding the log export just restart the added export and it will start exporting the logs. Ensure that necessary ports are open (e.g. Azure NSG's or AWS SecurityGroups where the Syslog is located).

cp_log_export add name to_RemoteServer target-server X.X.X.X target-port 514 protocol udp format syslog

cp_log_export restart name to_RemoteServer

After what you do from the syslog its up to you and DataDog agent 🙂

Re: Log Exporter Checkpoint R80.40

LostBoY — Wed, 29 Jul 2020 05:33:54 GMT

Thanks, i have configured log exporter like this.. however, at the syslog server i can just see the process id and management server hostname displayed but no connection logs.. do i need to enable any thing else vis log exporter commands.

Thanks

Re: Log Exporter Checkpoint R80.40

gdobson — Mon, 01 Mar 2021 17:59:14 GMT

Hi,

did you ever solve this - I get exactly the same (R80.40) - my syslog server just receives Time/Log Server/PID - nothing useful!!

Thanks

Graham

Re: Log Exporter Checkpoint R80.40

Sven — Thu, 18 Mar 2021 13:52:22 GMT

Hi,

i have updated my firewall to 80.40 and as i read the log_exporter is integrated. But via ssh i can't set the command cp_log_export because of invalid command .

Can someone help me please ?

Thx.

Sven

Re: Log Exporter Checkpoint R80.40

LostBoY — Wed, 14 Apr 2021 16:13:32 GMT

no unfortunately i didnt get any resolution for this.. i end up exporting logs from individual gateways but it doest not serve the purpose..i guess it does not include any audit logs or deny logs

Re: Log Exporter Checkpoint R80.40

LostBoY — Thu, 05 Aug 2021 12:44:05 GMT

were you able to fix this ?

Re: Log Exporter Checkpoint R80.40

genisis__ — Thu, 05 Aug 2021 21:21:08 GMT

On R81 Log exporter basic settings can now be configured within the management object.

Re: Log Exporter Checkpoint R80.40

genisis__ — Thu, 05 Aug 2021 21:22:37 GMT

did you run cp_log_export from expert mode? This should work.