<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Re: Syslog exports to Splunk SIEM changed from R81.10 to R81.20 in General Topics</title>
    <link>https://community.checkpoint.com/t5/General-Topics/Syslog-exports-to-Splunk-SIEM-changed-from-R81-10-to-R81-20/m-p/181024#M30212</link>
    <description>&lt;P&gt;I think that might be by default, but you can confirm for sure with TAC.&lt;/P&gt;</description>
    <pubDate>Mon, 15 May 2023 23:58:58 GMT</pubDate>
    <dc:creator>the_rock</dc:creator>
    <dc:date>2023-05-15T23:58:58Z</dc:date>
    <item>
      <title>Syslog exports to Splunk SIEM changed from R81.10 to R81.20</title>
      <link>https://community.checkpoint.com/t5/General-Topics/Syslog-exports-to-Splunk-SIEM-changed-from-R81-10-to-R81-20/m-p/180996#M30206</link>
      <description>&lt;P&gt;I have configured log exporter to send logs in syslog format to a Splunk SIEM on an R81.10 SMS, which manages 9 security gateways. The Splunk SIEM could detect the hostname of the security gateway which originated the logs in its host field and registered the 9 log sources.&lt;/P&gt;&lt;P&gt;After upgrading to R81.20, the Splunk SIEM sees all logs as originating from the SMS hostname, and can see only one log source. Its host field has the hostname of the SMS and not the hostname of the originating security gateway. The log message includes the SIC name of the originating GW, but they would need to re-parse in order to extract it.&lt;/P&gt;&lt;P&gt;Has something changed in the format of log exporter for syslog in R81.20? Or is there a configurable parameter where I can specify that the logs be identified as originating from the security gateway and not the SMS?&lt;/P&gt;</description>
      <pubDate>Mon, 15 May 2023 21:55:37 GMT</pubDate>
      <guid>https://community.checkpoint.com/t5/General-Topics/Syslog-exports-to-Splunk-SIEM-changed-from-R81-10-to-R81-20/m-p/180996#M30206</guid>
      <dc:creator>Mark_Papworth</dc:creator>
      <dc:date>2023-05-15T21:55:37Z</dc:date>
    </item>
    <item>
      <title>Re: Syslog exports to Splunk SIEM changed from R81.10 to R81.20</title>
      <link>https://community.checkpoint.com/t5/General-Topics/Syslog-exports-to-Splunk-SIEM-changed-from-R81-10-to-R81-20/m-p/181001#M30207</link>
      <description>&lt;P&gt;Funny you mentioned this, 'cause last week a customer and I were on with TAC troubleshooting something totally unrelated; the client mentioned log exporter and that they wanted to upgrade mgmt to R81.20, and the TAC guy brought this issue up, but I wish I had inquired further. Not sure if he only meant this happens if you upgrade mgmt ONLY or the gateway as well... sorry mate, I should have asked, but did not.&lt;/P&gt;
&lt;P&gt;Now, he did say a possible workaround is to simply issue the cp_log_export restart command.&lt;/P&gt;
&lt;P&gt;Not sure how long that would work for though.&lt;/P&gt;
&lt;P&gt;Andy&lt;/P&gt;</description>
      <pubDate>Mon, 15 May 2023 22:07:22 GMT</pubDate>
      <guid>https://community.checkpoint.com/t5/General-Topics/Syslog-exports-to-Splunk-SIEM-changed-from-R81-10-to-R81-20/m-p/181001#M30207</guid>
      <dc:creator>the_rock</dc:creator>
      <dc:date>2023-05-15T22:07:22Z</dc:date>
    </item>
    <item>
      <title>Re: Syslog exports to Splunk SIEM changed from R81.10 to R81.20</title>
      <link>https://community.checkpoint.com/t5/General-Topics/Syslog-exports-to-Splunk-SIEM-changed-from-R81-10-to-R81-20/m-p/181006#M30208</link>
      <description>&lt;P&gt;Thanks for your prompt reply Andy.&lt;/P&gt;&lt;P&gt;We upgraded mgmt and all gateways to R81.20 and applied the latest JHF also. I believe we tried restarting log export and it didn't help. Maybe I should reach out to TAC and see if it's a known issue.&amp;nbsp;&lt;/P&gt;</description>
      <pubDate>Mon, 15 May 2023 22:20:12 GMT</pubDate>
      <guid>https://community.checkpoint.com/t5/General-Topics/Syslog-exports-to-Splunk-SIEM-changed-from-R81-10-to-R81-20/m-p/181006#M30208</guid>
      <dc:creator>Mark_Papworth</dc:creator>
      <dc:date>2023-05-15T22:20:12Z</dc:date>
    </item>
    <item>
      <title>Re: Syslog exports to Splunk SIEM changed from R81.10 to R81.20</title>
      <link>https://community.checkpoint.com/t5/General-Topics/Syslog-exports-to-Splunk-SIEM-changed-from-R81-10-to-R81-20/m-p/181009#M30209</link>
      <description>&lt;P&gt;I recommend doing so (especially since an upgrade "broke" it):&amp;nbsp;&lt;A href="https://help.checkpoint.com" target="_blank"&gt;https://help.checkpoint.com&lt;/A&gt;&lt;/P&gt;</description>
      <pubDate>Mon, 15 May 2023 22:30:58 GMT</pubDate>
      <guid>https://community.checkpoint.com/t5/General-Topics/Syslog-exports-to-Splunk-SIEM-changed-from-R81-10-to-R81-20/m-p/181009#M30209</guid>
      <dc:creator>PhoneBoy</dc:creator>
      <dc:date>2023-05-15T22:30:58Z</dc:date>
    </item>
    <item>
      <title>Re: Syslog exports to Splunk SIEM changed from R81.10 to R81.20</title>
      <link>https://community.checkpoint.com/t5/General-Topics/Syslog-exports-to-Splunk-SIEM-changed-from-R81-10-to-R81-20/m-p/181013#M30210</link>
      <description>&lt;P&gt;I only found the below related to log exporter, but not something you would be concerned about. As&amp;nbsp;&lt;a href="https://community.checkpoint.com/t5/user/viewprofilepage/user-id/7"&gt;@PhoneBoy&lt;/a&gt;&amp;nbsp;said, open a TAC case and they can verify.&amp;nbsp;&lt;/P&gt;
&lt;P&gt;Andy&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;&lt;span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Screenshot_1.png" style="width: 400px;"&gt;&lt;img src="https://community.checkpoint.com/t5/image/serverpage/image-id/20920i49D06023780D06FF/image-size/medium?v=v2&amp;amp;px=400" role="button" title="Screenshot_1.png" alt="Screenshot_1.png" /&gt;&lt;/span&gt;&lt;/P&gt;
&lt;P&gt; &lt;/P&gt;</description>
      <pubDate>Mon, 15 May 2023 22:49:18 GMT</pubDate>
      <guid>https://community.checkpoint.com/t5/General-Topics/Syslog-exports-to-Splunk-SIEM-changed-from-R81-10-to-R81-20/m-p/181013#M30210</guid>
      <dc:creator>the_rock</dc:creator>
      <dc:date>2023-05-15T22:49:18Z</dc:date>
    </item>
    <item>
      <title>Re: Syslog exports to Splunk SIEM changed from R81.10 to R81.20</title>
      <link>https://community.checkpoint.com/t5/General-Topics/Syslog-exports-to-Splunk-SIEM-changed-from-R81-10-to-R81-20/m-p/181022#M30211</link>
      <description>&lt;P&gt;The issue seems to have been solved. We simply changed the cp_log_export format from syslog to splunk!&lt;/P&gt;&lt;P&gt;I presume in R81.20 Check Point has improved the compatibility with the splunk format, as this didn't work under R81.10.&lt;/P&gt;&lt;P&gt;At the SIEM end they were using a collector called SC4S, which received Check Point logs in syslog format and converted them to Splunk.&lt;/P&gt;&lt;P&gt;Now they are able to parse the logs sent in Splunk format without issue, although they are still going through SC4S.&lt;/P&gt;</description>
      <pubDate>Mon, 15 May 2023 23:55:54 GMT</pubDate>
      <guid>https://community.checkpoint.com/t5/General-Topics/Syslog-exports-to-Splunk-SIEM-changed-from-R81-10-to-R81-20/m-p/181022#M30211</guid>
      <dc:creator>Mark_Papworth</dc:creator>
      <dc:date>2023-05-15T23:55:54Z</dc:date>
    </item>
    <item>
      <title>Re: Syslog exports to Splunk SIEM changed from R81.10 to R81.20</title>
      <link>https://community.checkpoint.com/t5/General-Topics/Syslog-exports-to-Splunk-SIEM-changed-from-R81-10-to-R81-20/m-p/181024#M30212</link>
      <description>&lt;P&gt;I think that might be by default, but you can confirm for sure with TAC.&lt;/P&gt;</description>
      <pubDate>Mon, 15 May 2023 23:58:58 GMT</pubDate>
      <guid>https://community.checkpoint.com/t5/General-Topics/Syslog-exports-to-Splunk-SIEM-changed-from-R81-10-to-R81-20/m-p/181024#M30212</guid>
      <dc:creator>the_rock</dc:creator>
      <dc:date>2023-05-15T23:58:58Z</dc:date>
    </item>
  </channel>
</rss>