topic Re: LEA vs Log exporter to send to splunk in Firewall and Security Management

LEA vs Log exporter to send to splunk

dantlitz — Mon, 04 May 2020 14:31:17 GMT

We are in the process of configuring our CP environment to send logs to a managed Splunk instance. With that said we are trying to get a definitive answer on the direction to go (LEA / Log Exporter) Our partner wants to use LEA but it seems like that is old school and will limit us moving forward. So the questions are:

What is the road map for LEA support?

Is there any benefit of LEA over log exporter?

Is Log Exporter a better alternative and why?

Is there an official Check Point position on the future of these two technologies?

Has anyone else run into this issue and what was your section / Why??

Thanks in advance

Re: LEA vs Log exporter to send to splunk

Tal_Paz-Fridman — Mon, 04 May 2020 14:41:07 GMT

I refer you that the following post:

https://community.checkpoint.com/t5/Logging-and-Reporting/Log-Exporter-vs-OPSEC-LEA/td-p/65738

HTH

Re: LEA vs Log exporter to send to splunk

Tomer_Noy — Tue, 05 May 2020 06:35:32 GMT

For clarity, I want to explicitly emphasize:

Check Point's recommendation for exporting logs is to use LogExporter, not LEA.

It has better performance, stability and continues to get new features and capabilities.

Specifically for Splunk, it also has much better integration and a very cool Check Point Splunk App with views to better visualize Check Point log data.

Re: LEA vs Log exporter to send to splunk

S_E_ — Tue, 05 May 2020 07:38:31 GMT

...Has anyone else run into this issue and what was your section / Why?? ...

We are running log exporter and it really matches our requirements.

Running multiple instances to multiples destinations works fine. Performance is good. Easy implementation compared to LEA or CPlogToSyslog

Only drawback (perhaps fixed meanwhile) is that the filter origin does not work.

Best Regards

Re: LEA vs Log exporter to send to splunk

Dror_Aharony — Tue, 05 May 2020 07:50:43 GMT

Great news (S_E).
Happy to hear you like our new log-Exporter.

Origin field filter should work.

Which version/build are you using?

cpvinfo $EXPORTERDIR/log_exporter

cpvinfo $EXPORTERDIR/targets/<your_exporter_name>/log_exporter

Re: LEA vs Log exporter to send to splunk

S_E_ — Tue, 05 May 2020 08:00:54 GMT

hi,
atached is the version.
Regards

cpvinfo $EXPORTERDIR/log_exporter
** Version info attributes of '/opt/CPrt-R80.30/log_exporter/log_exporter' **

Type = executable
Name = log_indexer
Module Name = log_indexer
Build Number = 993000017
Major Release = NGX
Minor Release = heat_main
Release Number = 5.0.5
Version Name = NGX
Interface Version = 0
Implementation Version = 6
Internal Name = log_indexer
Configuration = linux50/release.static
Comments = NULL
Company Name = Check Point Software Technologies LTD.
Legal Copyright = (c) 2005-2009 Copyright Check Point Software Technologies Ltd

Re: LEA vs Log exporter to send to splunk

Dror_Aharony — Tue, 05 May 2020 08:03:19 GMT

cpinfo -y all (for JHF version) too, please.

Re: LEA vs Log exporter to send to splunk

S_E_ — Tue, 05 May 2020 08:05:51 GMT

cpinfo -y all | grep Take

This is Check Point CPinfo Build 914000191 for GAIA
Local host is not a Gateway
HOTFIX_R80_30_JUMBO_HF_MAIN Take: 50
HOTFIX_R80_30_JUMBO_HF_MAIN Take: 50

Re: LEA vs Log exporter to send to splunk

Dror_Aharony — Tue, 05 May 2020 09:26:19 GMT

new Filtering feature for log-exporter is only supported from JHF_t107 onwards on R80.30.

Please install latest R80.30-JHF (t191 currently as of 05.05.20).
https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk153152&partition=General&product=Security

from log-exporter sk (https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk122323&partition=General&product=SmartEvent😞

Filtering: choose what to export based on field values.
(Note: Filtering ability is integrated to Jumbo Hotfix Accumulator for R80.30 since Take_107, and to Jumbo Hotfix Accumulator for R80.20 since Take_103.)

Re: LEA vs Log exporter to send to splunk

John_Tomasetti — Mon, 11 May 2020 16:14:45 GMT

Log exporter works great. One caveat you have to be aware of is that the log exporter configuration seems to be blown away with version upgrades. We have a standalone log server separate from the management station. When we upgraded from R80.20 to R80.30 the log exporter configs were overwritten. Same problem occurs with your SSH configuration. If you want to change the SSH port from something other than 22, the changes you make to /etc/ssh/sshd_config are overwritten.

Re: LEA vs Log exporter to send to splunk

Wolfgang — Mon, 11 May 2020 16:44:27 GMT

It‘s possible to include log exporter config in systembackup following

How to include the configuration of Log Exporter in system backup

or simple backup the target directory following
How to backup and restore Log Exporter configuration on upgrades to

I would prefer LogExporter over LEA, less CPU usage, very good filtering options and some really nice integration for a lot of the common log systems.

Wolfgang

Re: LEA vs Log exporter to send to splunk

Dan_Zada — Mon, 18 May 2020 12:52:02 GMT

Hi,

I will be happy to understand why the origin filter is not working, it should work.

How did you configure it?

Re: LEA vs Log exporter to send to splunk

Dan_Zada — Mon, 18 May 2020 12:54:28 GMT

@dantlitz - Check Point's and also Splunk's recommendation is to use Log Exporter. We also released brand new Splunk application that works with the Log exporter format.