Re: Export Logs To LogRhythm using Log Exporter

MIchael_Hovis · ‎2019-05-30

Has anyone used Log Exporter to export logs to LogRhythm? I have a Check Point managment server that is also the log server running R80.20. I've configured Log Exporter and am sending logs to LogRhythm using the CEF format. However, LogRhythm says they cannot parse the logs. Has anyone else run into this problem and found a solution?

Thanks.

Richard_Amos · ‎2019-05-31

We were told by LR support that the only supported method is via OPSEC LEA. They said they are working on Log Exporter support, though no date was given. Very disappointing.

We did successfully get this going with LEA, however the events per second are massive and we don't seem to be getting any Threat Prevention logs. We are currently working on filtering events at the LR collector and will soon be looking into where those TP logs are at. We are not in a good position at the moment with these two products working together.

Another issue to keep an eye on with Log Exporter in general is that with R80.20/30 you cannot filter what is exported. I'm keeping my fingers crossed that this is worked out by the time LR gets around to supporting it.

Tommy_Forrest · ‎2019-05-31

There was a post here a bit ago about log exporter being updated to add filtering capabilities.

SK122323

https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut...

Richard_Amos · ‎2019-05-31

I think you are referring to the post announcing initial filtering support. If you look under the Installation section of that same KB it explicitly states filtering for R80.20 & R80.30 is not yet supported.

Lari_Luoma · ‎2020-01-11

Does anyone know if Log Exporter support has been added by LogRhythm? If so, any example log_exporter configs for LogRhythm you could share?

Shay_Hibah · ‎2020-01-15

Hey Lari,

LogRhythm is now supported by Log Exporter.

All you need to do is to download the hotfix package and install it using CPUSE.

The package can be found in SK122323.

Regarding the deployment command, please type:

cp_log_export add name <exporter_name> target-server <logrhythm_server_ip> target-port <port_number> protocol <tcp/udp> format logrhythm read-mode semi-unified

After that, please run:

cp_log_export start name <exporter_name>

Let me know if you have any issues with it,

Shay

Lari_Luoma · ‎2020-01-15

Thanks Shay!

Reuben_W · ‎2020-02-06

Hello Shayhi

We wish to do an Integration of Log Rhythm with r80.40 MGMT, is it directly supported by the new gaia without a hotfix as the is now hotfix for r80.40

Shay_Hibah · ‎2020-02-06

Hi Reuben,

Log Exporter integration with LogRhythm is already part of R80.40 - no hotfix is required.

Shay

jrolim · ‎2020-05-22

Hi @Shay_Hibah ,

And for R80.10, is there any chance of Log Exporter integration with LogRhythm?

I see there are Hotfixes available for this integration with R80.20 and R80.30, but not for R80.10 hence my question.

Thanks and regards,

Joao

Shay_Hibah · ‎2020-05-23

Hi @jrolim

Unfortunately LogRhythm is not supported on R80.10.
From R80.20 our infrastructure was changed and we are able to support LogRhythm as well due to this change.

Shay

Are you a member of CheckMates?

Export Logs To LogRhythm using Log Exporter