Exporting Check Point logs over syslog (LogExporter) with Log Server (CP)

Chinmaya_Naik — Wed, 18 Jul 2018 07:17:22 GMT

Requirement: Exporting Check Point logs over Syslog (LogExporter) to SIEM.

Dedicated Log server (CP) with R77.30 GAIA OS

Step 01: Check the current Hotfix install on Log server (CP)

Using CLI: installed_jumbo_take and cpinfo -y all

Using WebUI: "Status and Actions" section.

Step 02: If take_338 or above is exit then skip this step (step 02) or else follow the below process

:- Open the WebUI of Log Serer (CP) then go to the "Status and Actions" and import the HOTFIX package then verify and then install the package.

:- For Latest HotFix and installation, refer sk106162,sk92449

Hotfix take_338

Link: Jumbo_HotFix_take_338

NOTE: Verify the MD5 value

NOTE: Reboot is required

Step 03: After installation of jumbo hotfix needs to install the below HOTFIX.

Check_Point_R77.30_Log_Exporter_T25_sk122323_FULL.tgz Link: R77.30 Log Exporter T30 (R77.30)

R80.10 Log Exporter T41 sk122323 Link: R80.10 Log Exporter T41 (R80.10)

NOTE: Verify the MD5 value

NOTE: Reboot is required

:- Open the WebUI of Log Server then go to the "Status and Actions" and import the HOTFIX package then verify and then install the package.

:- Refer sk92449 for HotFix Installation using CPUSE or legacy CLI method.

Step 04: Open the CLI of Log Server (CP) server.

Below two command required to execute.

1st: cp_log_export add name <name> [domain-server <domain-server>] target-server <target-server> target-port <target-port> protocol <(udp|tcp)> format <(syslog)|(cef)> [optional arguments]

EXAMPLE : cp_log_export add name ArcSight target-server 192.168.10.6 target-port 514 protocol tcp format syslog

Name:- Any name example: ArcSight

192.168.10.5: Log server (Checkpoint)

192.168.10.6: SIEM

2nd: cp_log_export <command-name>

EXAMPLE:

cp_log_export start <stop / status / restart >

Step 05: verify by running tcpdump command.

EXAMLE:- tcpdump -nni eth0 port '514'

NOTE: Need to configure from SIEM side as well.

NOTE: Jumbo Hotfix may you take the latest one as per the new release, my case I am using take_338

Refer SK: sk122323 for more details.

NOTE: On R80.20 onwards no need to install any additional HotFix, latest jumbo take is enough.

#Chinmaya Naik

Re: Exporting Check Point logs over syslog (LogExporter) with Log Server (CP)

HeikoAnkenbrand — Wed, 18 Jul 2018 10:03:51 GMT

See this article for R80.10:

R80.10 Syslog Exporter

Regards

Heiko

Re: Exporting Check Point logs over syslog (LogExporter) with Log Server (CP)

DeletedUser — Wed, 02 Jan 2019 04:27:07 GMT

I'm curious, are you saying you used Log Exporter with the syslog format option to send Check Point logs to Alien Vault?

As far as I can tell, their documentation hasn't included this as an option yet so am curious to see if this is working for you.

https://www.alienvault.com/documentation/usm-anywhere/supported-plugins/configuring-checkpoint-fw1-generic.htm?tocpath=D…

thank you,

bob

Re: Exporting Check Point logs over syslog (LogExporter) with Log Server (CP)

Chinmaya_Naik — Wed, 02 Jan 2019 06:33:07 GMT

Sorry Bob i forget to remove "(my case Alien Vault)".

Yes you are correct also i check in lab also its not work.

topic Exporting Check Point logs over syslog (LogExporter) with Log Server (CP) in Firewall and Security Management

Exporting Check Point logs over syslog (LogExporter) with Log Server (CP)

Re: Exporting Check Point logs over syslog (LogExporter) with Log Server (CP)

Re: Exporting Check Point logs over syslog (LogExporter) with Log Server (CP)

Re: Exporting Check Point logs over syslog (LogExporter) with Log Server (CP)