topic Re: Export Logs To LogRhythm using Log Exporter in Firewall and Security Management

Export Logs To LogRhythm using Log Exporter

MIchael_Hovis — Thu, 30 May 2019 19:49:01 GMT

Has anyone used Log Exporter to export logs to LogRhythm? I have a Check Point managment server that is also the log server running R80.20. I've configured Log Exporter and am sending logs to LogRhythm using the CEF format. However, LogRhythm says they cannot parse the logs. Has anyone else run into this problem and found a solution?

Thanks.

Re: Export Logs To LogRhythm using Log Exporter

Richard_Amos — Fri, 31 May 2019 14:19:49 GMT

We were told by LR support that the only supported method is via OPSEC LEA. They said they are working on Log Exporter support, though no date was given. Very disappointing.

We did successfully get this going with LEA, however the events per second are massive and we don't seem to be getting any Threat Prevention logs. We are currently working on filtering events at the LR collector and will soon be looking into where those TP logs are at. We are not in a good position at the moment with these two products working together.

Another issue to keep an eye on with Log Exporter in general is that with R80.20/30 you cannot filter what is exported. I'm keeping my fingers crossed that this is worked out by the time LR gets around to supporting it.

Re: Export Logs To LogRhythm using Log Exporter

Tommy_Forrest — Fri, 31 May 2019 14:51:03 GMT

There was a post here a bit ago about log exporter being updated to add filtering capabilities.

SK122323

https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk122323#Filter%20Configuration

Re: Export Logs To LogRhythm using Log Exporter

Richard_Amos — Fri, 31 May 2019 19:44:57 GMT

I think you are referring to the post announcing initial filtering support. If you look under the Installation section of that same KB it explicitly states filtering for R80.20 & R80.30 is not yet supported.

Re: Export Logs To LogRhythm using Log Exporter

Lari_Luoma — Sat, 11 Jan 2020 22:08:17 GMT

Does anyone know if Log Exporter support has been added by LogRhythm? If so, any example log_exporter configs for LogRhythm you could share?

Re: Export Logs To LogRhythm using Log Exporter

Shay_Hibah — Wed, 15 Jan 2020 12:08:45 GMT

Hey Lari,

LogRhythm is now supported by Log Exporter.

All you need to do is to download the hotfix package and install it using CPUSE.

The package can be found in SK122323.

Regarding the deployment command, please type:

cp_log_export add name <exporter_name> target-server <logrhythm_server_ip> target-port <port_number> protocol <tcp/udp> format logrhythm read-mode semi-unified

After that, please run:

cp_log_export start name <exporter_name>

Let me know if you have any issues with it,

Shay

Re: Export Logs To LogRhythm using Log Exporter

Lari_Luoma — Wed, 15 Jan 2020 19:10:12 GMT

Thanks Shay!

Re: Export Logs To LogRhythm using Log Exporter

Reuben_W — Thu, 06 Feb 2020 10:23:03 GMT

Hello Shayhi

We wish to do an Integration of Log Rhythm with r80.40 MGMT, is it directly supported by the new gaia without a hotfix as the is now hotfix for r80.40

Re: Export Logs To LogRhythm using Log Exporter

Shay_Hibah — Thu, 06 Feb 2020 10:34:08 GMT

Hi Reuben,

Log Exporter integration with LogRhythm is already part of R80.40 - no hotfix is required.

Shay

Re: Export Logs To LogRhythm using Log Exporter

jrolim — Fri, 22 May 2020 11:22:41 GMT

Hi @Shay_Hibah ,

And for R80.10, is there any chance of Log Exporter integration with LogRhythm?

I see there are Hotfixes available for this integration with R80.20 and R80.30, but not for R80.10 hence my question.

Thanks and regards,

Joao

Re: Export Logs To LogRhythm using Log Exporter

Shay_Hibah — Sat, 23 May 2020 11:25:53 GMT

Hi @jrolim

Unfortunately LogRhythm is not supported on R80.10.
From R80.20 our infrastructure was changed and we are able to support LogRhythm as well due to this change.

Shay