topic Re: R80.10 Syslog Exporter in Firewall and Security Management

R80.10 Syslog Exporter

HeikoAnkenbrand — Wed, 20 Mar 2019 20:13:03 GMT

Via Check Point Support you get a Syslog exporter for SIEM applications for R80.10 Managment.

Which allows an easy and secure method for exporting CP logs over syslog. Exporting can be done in few standard protocols and formats.

Log Exporter supports:

Splunk
Arcsight
RSA
LogRhythm
QRadar
McAfee

Log Exporter is a multi-threaded daemon service, running on a log server. Each log that is written on the log server is read by the log exporter daemon, transformed into the desired format and mapping, and then sent to the end target.

Installation on R80.10 Jumbo Hotfix Take 56 or higher.

Syntax:

# cp_log_export add name <name> [domain-server <domain-server>] target-server <target-server> target-port <target-port> protocol <(udp|tcp)> [optional arguments]

Command Name	Command Description
add	Deploy a new Check Point logs exporter.
set	Updates an exporter's configuration.
delete	Removes an exporter.
show	Prints an exporter's current configuration.
status	Shows an exporter's overview status.
start	Starts an exporter process
stop	Stops an exporter process.
restart	Restarts an exporter process.
reexport	Resets the current position, and re-exports all logs per the configuration.

Regards,

Heiko

Re: R80.10 Syslog Exporter

Pablo_Montega — Mon, 19 Mar 2018 16:58:53 GMT

Where can I get the installation package?

Re: R80.10 Syslog Exporter

Vladimir — Mon, 19 Mar 2018 17:04:10 GMT

Heiko,

If you've had a chance to use this tool, please advise if it is possible to:

1. Create separate processes for individual gateways writing to the log server?

2. Resolve gateway names before shipping logs to the destination SIEM for the "Origin" fields?

Thank you,

Vladimir

Re: R80.10 Syslog Exporter

PhoneBoy — Mon, 19 Mar 2018 18:11:47 GMT

We are planning to release this tool more generally very VERY soon

Re: R80.10 Syslog Exporter

christian_konne — Mon, 19 Mar 2018 18:59:21 GMT

In witch hotfix?

Re: R80.10 Syslog Exporter

PhoneBoy — Tue, 20 Mar 2018 15:53:33 GMT

The official release: Logs Exporter - Check Point Logs Export

To answer your question about "which hotfix" christian konner‌, it's installed over a R77.30/R80.10 management/log server (not gateway) with a recent jumbo hotfix.

Re: R80.10 Syslog Exporter

Yonatan_Philip — Wed, 21 Mar 2018 17:16:58 GMT

Hello Vladimir,

You can install multiple instances of the log exporter but you cannot separate them by gateways.

The tool reads from the log files (such as fw.log) in your $FWDIR/log directory.
There are some filtering capabilities, but for the first release, they are mostly focused on key (field) based filters and not value based filters.

You can filter by 'action' but not by 'accept'/'drop'.

We plan to add more advanced filtering capabilities in future releases.

regards,

Yonatan

Re: R80.10 Syslog Exporter

Vladimir — Wed, 21 Mar 2018 17:20:40 GMT

Thank you for the info.

Any plans to re-introduce syslog output directly from gateways, the r77.30 style?

Re: R80.10 Syslog Exporter

Yonatan_Philip — Wed, 21 Mar 2018 17:28:48 GMT

Are you referring to the OPSEC LEA tool?
If so, I personally am not aware of any such plans to refresh it, but as far as I know, that tool still exists in R80.10.

The new log exporting tool is a direct replacement for the CPLogToSyslog tool. We will be retiring the CPLogToSyslog tool, but I don't know of any plan to retire other tools (such as the OPSEC LEA tool).

Regards,

Yonatan

Re: R80.10 Syslog Exporter

HeikoAnkenbrand — Wed, 21 Mar 2018 17:58:00 GMT

Hi,

the tool is very helpful.

We have two customers who use it.

Can you say something about how it's gonna be included in the next HFA?

Little note:
The Syslog entry contains firewall rules and thread rules in one line. So some fields have the same name, we have the problem that we cannot index the fields in LogRythm.

Re: R80.10 Syslog Exporter

Yonatan_Philip — Wed, 21 Mar 2018 18:05:31 GMT

Hello Heiko,

The plan at this point in time is to have the tool directly integrated into R80.20 (no hotfix needed).

Regarding a future R80.10 HFA integration - at this point in time we have not yet reached a decision on this subject.

As to your point on LogRhythm - it's true that there are many instances where fields will be sent more than once.
Sometimes it will be the same field (that is, both instances will have identical information) and sometimes it will be different fields, such as in the case of multiple layers (each layer will have an action field).

We plan to address the former to some degree in the next log exporter release, but the later is inherent to the way our logs are built. I don't think there is any feasible way to resolve this while still keeping all the relevant data in the log.

Those fields appear twice because they represent data which appears twice (like the above example, of one action per layer).

We have been in contact with LogRhythm, and they are aware of the new tool, and I also know that they have been working on it from their end.

However, I cannot speak for them and am not privy to the details of how/if they plan to address this.

Regards,

Yonatan

Re: R80.10 Syslog Exporter

Vladimir — Wed, 21 Mar 2018 19:00:09 GMT

No, I am talking about R77.30 add-on: How to configure R77.30 Security Gateway on Gaia OS to send FireWall logs to an external Syslog server

Re: R80.10 Syslog Exporter

HeikoAnkenbrand — Wed, 21 Mar 2018 19:03:49 GMT

Hello Yonatan,

thx for this info.

Regards,

Heiko

Re: R80.10 Syslog Exporter

ANTONIO_OPROMO1 — Thu, 22 Mar 2018 08:15:30 GMT

Hi, I've used the CPLogToSyslog package to export the check point logs (based on the cplogtostosyslog rules) to an external syslog server (Extreme Networks Management server) for automate the process for block ip address to the edge of the networks via ExtremeControl NAC.

Now seems that the new method described above is compatible only with some SIEM, but is not general as the previous one, and most important is not possible to define rules for filter was is important to export to the SIEM.

Is this true?

How is possible to know more and test the new tool for see if is still possible to integrate with the Extreme Management syslog server.

Thanks,

Antonio

Re: R80.10 Syslog Exporter

G_W_Albrecht — Thu, 22 Mar 2018 10:17:54 GMT

sk122323 Logs Exporter - Check Point Logs Export says that Log Exporter supports:

SIEM applications: Splunk\Arcsight\RSA\LogRhythm\QRadar\McAfee\rsyslog\ng-syslog and any other SIEM application that can run a syslog agent.
Protocols: syslog over TCP or UDP.
Formats: Syslog, CEF, LEEF, Generic.
Security: Mutual authentication TLS.The ability to export logs/audit or both.
Filter out (don't export) firewall connections logs.

Re: R80.10 Syslog Exporter

ANTONIO_OPROMO1 — Thu, 22 Mar 2018 14:07:35 GMT

Hi,

when will be supported the filter out of all the blades (Threat Emulation, IPS, ThreatAV, etc...)?

Regards

Re: R80.10 Syslog Exporter

Yonatan_Philip — Thu, 22 Mar 2018 17:46:34 GMT

Hello Antonio,

We plan to address this gap in a future release.

I don't have any information about what exactly the next release will contain nor when it will be released.

I've created a log exporter guide in another post that covers this and many other questions.

You can find it at Log Exporter guide.

I hope you'll find it helpful.

Regards,

Yonatan

Re: R80.10 Syslog Exporter

Hugo_vd_Kooij — Tue, 03 Apr 2018 12:08:19 GMT

It sounded too good.

On my lab R80.10 with T91 it fails towork as it seems to get in a pickle about permissions.

This showed up in /opt/CPrt-R80/log_exporter/targets/SYSLOG/log/log_indexer.elg:

[log_indexer 27834 4139846544]@fwmgmt[3 Apr 14:03:10] SyslogUDPSender::sendPacket - failed to send packet: <30>Tue Apr 3 14:03:10 CheckPoint Syslog started

[log_indexer 27834 4129356688]@fwmgmt[3 Apr 14:03:10] SyslogUDPSender::connec - failed to send initial message with handler to [loghost(-1):514]

I initiated this with:

[log_indexer 27834 4139846544]@fwmgmt[3 Apr 14:03:10] SyslogUDPSender::sendPacket - failed to send packet: <30>Tue Apr 3 14:03:10 CheckPoint Syslog started

[log_indexer 27834 4129356688]@fwmgmt[3 Apr 14:03:10] SyslogUDPSender::connec - failed to send initial message with handler to [loghost(-1):514]

The host loghost is known as object and it is present in /etc/hosts

Other syslog traffic from GAIA works without a problem. ..... (come to think of this. Might this be the issue?)

Re: R80.10 Syslog Exporter

Yonatan_Philip — Tue, 03 Apr 2018 14:21:42 GMT

Hello Hugo,

This is a known issue that stems from an attempt to improve the interface (an attempt which sadly backfired...).
The original parameter name was 'target-ip'. It was changed based on customer feedback to 'target-server', but the backend stayed the same - expecting an IP-address.

Add to this the fact that we didn't implement a verification mechanism on the input (to make sure it's a valid IP address) and we have a bug.

We already have a task for this and it will be addressed in the next release.

For now, the simple fix is to use an IP-address for the 'target-server' parameter.

Hope this helps,

Yonatan

Re: R80.10 Syslog Exporter

rmsource_dotcom — Thu, 12 Apr 2018 13:55:42 GMT

Have you also discussed this with AlienVault? You still have a partnership with them, yes?