Is there any way to confirm whether syslog is running in RFC3164 or RFC5424 format?
The Admin Guide mentions that Check Point supports both, but it doesn’t explain how to verify which one is in use.
hey Jenn,
Not sure if this makes sense, but this is what MS Copilot AI came back with.
**********************
RFC5424 messages have a VERSION field immediately after the PRI. In practice, you'll see:
<PRI>1 2025-01-03T14:07:15.003Z host app 12345 MSGID - message...
Key indicators:
- After <PRI> there is 1 (the syslog protocol version; RFC5424 uses version 1) [graylog.org]
- ISO 8601 timestamp (ends in Z) [graylog.org]
- Structured data is - or [id@... ...] [graylog.org]
RFC3164 typically looks like:
<PRI>Oct 3 10:15:32 hostname tag[123]: message...
Key indicators:
- Timestamp is Mmm dd hh:mm:ss (no year/timezone) [graylog.org]
- No version field after <PRI> (it goes straight into the BSD timestamp) [graylog.org]
Looks like this link has all the info as well.
Hope it helps.
https://graylog.org/post/syslog-protocol-a-reference-guide/
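The indicators in the reply above can be turned into a check you run against what is actually on the wire, instead of guessing from the documentation. The script below is an added example for this thread, not code from Check Point or from any poster: it classifies raw syslog lines as RFC 5424 or RFC 3164 by parsing the header (PRI, the VERSION field, the timestamp shape), splits PRI into facility and severity, and strips the RFC 6587 octet-count prefix that appears when the export runs over TCP. The sample lines, hostnames and message text are constructed for illustration, not captured from a real Log Exporter.

```python
"""Tell RFC 5424 from RFC 3164 (BSD) syslog by inspecting the message header.

Added example for this thread, not code from Check Point or from any poster.
It applies the indicators quoted above: RFC 5424 puts a VERSION field (1)
right after <PRI>, then an RFC 3339 timestamp; RFC 3164 goes straight from
<PRI> into a "Mmm dd hh:mm:ss" timestamp. SAMPLE_LINES (hostnames and text
included) are constructed for illustration, not captured from a real export.
"""
import re
import sys
from collections import Counter

# RFC 6587 octet-counting framing ("<length> <PRI>...") shows up when the
# export runs over TCP; strip it so the header regexes see the real message.
OCTET_COUNT_RE = re.compile(r"^\d+ (?=<)")

# RFC 5424: <PRI>VERSION TIMESTAMP HOSTNAME APP-NAME PROCID MSGID STRUCTURED-DATA [MSG]
RFC5424_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<version>[1-9]\d{0,2}) "
    r"(?P<ts>-|\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}(?:\.\d{1,6})?(?:Z|[+-]\d{2}:\d{2})) "
    r"(?P<host>\S+) (?P<app>\S+) (?P<procid>\S+) (?P<msgid>\S+) "
    r"(?P<sd>-|(?:\[[^\]]*\])+)"  # escaped ']' inside SD-PARAM values is not handled
    r"(?: (?P<msg>.*))?$"
)

# RFC 3164: <PRI>Mmm dd hh:mm:ss HOSTNAME TAG[pid]: CONTENT (day may be space-padded)
RFC3164_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<ts>[A-Z][a-z]{2} [ \d]\d \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) (?P<msg>.*)$"
)
TAG_RE = re.compile(r"^(?P<tag>[^\[:\s]+)(?:\[(?P<pid>\d+)\])?:\s?(?P<content>.*)$")

SAMPLE_LINES = [  # constructed for this example
    # RFC 5424: VERSION 1, RFC 3339 timestamp with ms and Z, nil structured data
    "<134>1 2025-01-03T14:07:15.003Z fw-mgmt app 12345 MSGID - message one",
    # RFC 5424: numeric offset, nil PROCID/MSGID, one structured-data element
    '<165>1 2025-01-03T14:07:16+02:00 fw-mgmt exporter - - [exampleSDID@32473 iut="3"] message two',
    # RFC 3164: BSD timestamp with space-padded day, no year/zone, TAG[pid]
    "<34>Oct  3 10:15:32 hostname tag[123]: message three",
    # RFC 5424 over TCP with RFC 6587 octet-count framing
    "60 <134>1 2025-01-03T14:07:17Z fw-mgmt app - - - framed message",
    # not syslog at all
    "garbage without a PRI",
]


def classify(line: str) -> dict:
    """Return {"format": "RFC5424"|"RFC3164"|"unknown", ...header fields}.

    PRI is split into facility (PRI // 8) and severity (PRI % 8) as both
    RFCs define it; "octet_framed" records whether an RFC 6587 prefix was seen.
    """
    raw = line.rstrip("\r\n")
    body = OCTET_COUNT_RE.sub("", raw, count=1)
    result = {"format": "unknown", "raw": raw, "octet_framed": body != raw}

    m = RFC5424_RE.match(body)
    if m:
        result.update(m.groupdict(), format="RFC5424")
    else:
        m = RFC3164_RE.match(body)
        if m:
            result.update(m.groupdict(), format="RFC3164")
            t = TAG_RE.match(result["msg"])
            if t:
                result.update(t.groupdict())
    if "pri" in result:
        pri = int(result["pri"])
        result["facility"], result["severity"] = pri // 8, pri % 8
    return result


def summarize(lines) -> dict:
    """Count detected formats over a batch of lines, e.g. one capture file."""
    return dict(Counter(classify(line)["format"] for line in lines))


if __name__ == "__main__":
    # Pipe captured message payloads (one per line) on stdin, or run without
    # input to classify the constructed samples.
    lines = SAMPLE_LINES if sys.stdin.isatty() else sys.stdin.read().splitlines()
    for line in lines:
        r = classify(line)
        print(f"{r['format']:8} fac={r.get('facility')} sev={r.get('severity')} "
              f"ts={r.get('ts')} host={r.get('host')}")
    print(summarize(lines))
```

To get real input, capture the export on the Management/Log Server from expert mode with tcpdump against the IP and port of the target (for the target posted later in this thread that would be `tcpdump -nn -s0 -A udp and dst port 8002`), copy the message payloads one per line, and pipe them into the script; a mixed result (both formats counted) would itself be a finding worth raising with TAC.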
That part of the documentation refers to an external syslog server defined to send traffic logs to.
"syslog is running": in what precise context/function are you asking this question?
The syslog server is external to Check Point; the customer is using Splunk.
My question is whether Check Point is sending the logs to that external syslog server in RFC 5424 format or in RFC 3164.
I'm 99.99% sure it's RFC5424.
Depends on if you're using the method described in the documentation you linked previously (where "BSD" is RFC3164, or "Syslog" is RFC5424) or if you're using Log Exporter, where it's most assuredly RFC5424.
Agreed. Based on what I found online, that would also appear to be the case.
The cp_log_export commands were used to configure this log exporter.
This is the output of cp_log_export show, but it only shows the format. I can't see anything about the RFC.
name: <NAME> domain-server: : <NAME>
enabled: true
target-server: <IP>
target-port: <port>
protocol: udp
format: syslog
read-mode: semi-unified
export-attachment-ids: false
export-link: false
export-attachment-link: false
time-in-milli: false
export-log-position: false
skip-failed-logs: Not configured, using default
reconnect-interval: Not configured, using default
Hey Jenn,
See if below file helps:
*****************************
[Expert@CP-MANAGEMENT:0]# cd /opt/CPrt-R82/log_
log_consolidator_engine/ log_exporter/ log_indexer/ log_indexes/
[Expert@CP-MANAGEMENT:0]# cd /opt/CPrt-R82/log_exporter/
[Expert@CP-MANAGEMENT:0]# ls
conf log_exporter log_exporter_backup openssl.cnf targets upgrade
[Expert@CP-MANAGEMENT:0]# cd targets/
[Expert@CP-MANAGEMENT:0]# ls
SentinelOne-XDR test-log
[Expert@CP-MANAGEMENT:0]# cd SentinelOne-XDR/
[Expert@CP-MANAGEMENT:0]# ls
conf data fieldsMapping.xml log log_exporter log_indexer_custom_settings.conf targetConfiguration.xml tmp
[Expert@CP-MANAGEMENT:0]# more targetConfiguration.xml
<?xml version="1.0" encoding="utf-8"?>
<export id="targetObjectUID"><!--object uuid!-->
<version>9</version> <!-- Version of this file-->
<is_enabled>true</is_enabled><!--Is the process allowed to run, and start on cpstart-->
<!-- Destination section defines the properties of the export target -->
<destination type="syslog"> <!-- Target output type -->
<ip>172.16.10.108</ip><!--the ip of the syslog server-->
<port>8002</port><!--the port on which the syslog is listening to-->
<protocol>udp</protocol><!--udp/tcp-->
<local_addr_ip></local_addr_ip><!--local address ip-->
<!--the configuration of tls-->
<transport>
<security></security><!--clear/tls-->
<!-- the following section is relevant only if <security> is tls -->
<pem_ca_file></pem_ca_file>
<p12_certificate_file></p12_certificate_file>
<client_certificate_challenge_phrase></client_certificate_challenge_phrase>
</transport>
<reconnect_interval></reconnect_interval><!-- Schedule reconnection to the destination server (empty to disable [default] | number of minutes) -->
</destination>
<!-- Enrichment configuration, exporting domain server name, orig_log_server uuid and orig_log_server ip -->
<data_enrichment>
<export_domain>false</export_domain>
<export_orig_log_server>false</export_orig_log_server>
</data_enrichment>
<!-- Filter Configuration -->
<dynamicFilter>conf/FilterConfiguration.xml</dynamicFilter>
<!-- Source section defines the properties of the input stream that will be exported -->
<source>
<log_files>1</log_files><!-- <Number> - read logs on-line | read logs from [number] days back (default 1) | specific file name -->
<log_types></log_types><!--all[default]|log|audit/-->
<folder></folder><!--$FWDIR/log[default]|specific path-->
<read_mode>semi-unified</read_mode><!--raw|semi-unified[default]/-->
</source>
<export_log_position>false</export_log_position> <!-- True | False /-->
<export_log_link>false</export_log_link> <!-- True | False /-->
<export_attachment_link>false</export_attachment_link> <!-- True | False /-->
<export_link_ip></export_link_ip> <!-- empty [default] | external IP /-->
<export_attachment_ids>false</export_attachment_ids> <!-- True | False /-->
<!-- Format section determines the form (headers and mappings) of the exported logs -->
<format type="syslog"> <!--syslog | cef | rsa | leef | generic | splunk | this parameter may differ from the type of destination, for example, destination type = files/format type = CEF -->
<resolver>
<mappingConfiguration></mappingConfiguration><!--if empty the fields are sent as is without renaming-->
<exportAllFields>true</exportAllFields> <!--in case exportAllFields=true - exported element in fieldsMapping.xml is ignored and fields not from fieldsMapping.xml are exported as notMappedField field-->
</resolver>
<!-- Format header configuration (actual to CEF see ./conf directory) -->
<formatHeaderFile></formatHeaderFile>
</format>
<!-- Time In Milli Seconds -->
<time_in_milli>false</time_in_milli>
<!-- Skip logs incase of failure in sending-->
<skip_failed_logs>false</skip_failed_logs>
<!-- The following section is for future use of log filtering, please do not modify these values -->
<filter filter_out_by_connection="false">
<field name="product">
<value>VPN-1 & FireWall-1</value>
<value>HTTPS Inspection</value>
<value>VPN-1</value>
<value>Security Gateway/Management</value>
<value>Firewall</value>
<value>FG</value>
</field>
<field name="fw_subproduct">
<value>VPN-1 & FireWall-1</value>
<value>HTTPS Inspection</value>
<value>VPN-1</value>
<value>Security Gateway/Management</value>
<value>Firewall</value>
<value>FG</value>
</field>
</filter>
</export>
[Expert@CP-MANAGEMENT:0]#
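The targetConfiguration.xml posted above answers more than the format question: the same file shows the export going to an external collector over udp with an empty `<security>` element, which the file's own comment documents as clear/tls. The script below is an added example for this thread, not Check Point code. It reads those elements (`<destination>`, `<transport>/<security>`, `<format type>`) with the standard library and reports what a reviewer would check before pointing an export at an external SIEM. The two embedded XML documents are constructed, trimmed copies of the posted structure: POSTED_TARGET mirrors the posted target (udp, empty `<security>`), HARDENED_TARGET is the same target with tcp and tls; the CA path inside it is a placeholder, and treating an empty `<security>` as clear is this script's assumption.

```python
"""Audit a Log Exporter targetConfiguration.xml for the settings that decide
the exported syslog format and how well the export is protected in transit.

Added example for this thread, not Check Point code. It reads the elements
shown in the posted file (<destination>, <transport>/<security>, <format
type>) with the standard library. POSTED_TARGET and HARDENED_TARGET are
constructed, trimmed copies of that structure; the CA path is a placeholder.
"""
import sys
import xml.etree.ElementTree as ET

POSTED_TARGET = """<?xml version="1.0" encoding="utf-8"?>
<export id="targetObjectUID">
  <version>9</version>
  <is_enabled>true</is_enabled>
  <destination type="syslog">
    <ip>172.16.10.108</ip>
    <port>8002</port>
    <protocol>udp</protocol>
    <transport>
      <security></security>
      <pem_ca_file></pem_ca_file>
      <p12_certificate_file></p12_certificate_file>
    </transport>
  </destination>
  <format type="syslog">
    <resolver><exportAllFields>true</exportAllFields></resolver>
  </format>
  <skip_failed_logs>false</skip_failed_logs>
</export>
"""

# Same target with the transport hardened: TCP + TLS and a CA to validate
# the collector. The CA path is a placeholder, not a real file.
HARDENED_TARGET = (
    POSTED_TARGET
    .replace("<protocol>udp</protocol>", "<protocol>tcp</protocol>")
    .replace("<security></security>", "<security>tls</security>")
    .replace("<pem_ca_file></pem_ca_file>",
             "<pem_ca_file>/path/to/collector-ca.pem</pem_ca_file>")
)


def _text(el, path):
    """Stripped text of the first child at `path`, or "" if absent/empty."""
    if el is None:
        return ""
    return (el.findtext(path) or "").strip()


def audit_target(xml_text: str) -> dict:
    """Summarise one target definition and list transport-security findings.

    Assumption: an empty <security> means clear, matching the "clear/tls"
    comment in the file and the fact that no TLS material is configured.
    """
    root = ET.fromstring(xml_text)
    dest = root.find("destination")
    fmt = root.find("format")
    summary = {
        "enabled": _text(root, "is_enabled") == "true",
        "destination_type": dest.get("type", "") if dest is not None else "",
        "ip": _text(dest, "ip"),
        "port": _text(dest, "port"),
        "protocol": _text(dest, "protocol").lower(),
        "security": _text(dest, "transport/security").lower() or "clear",
        "ca_file": _text(dest, "transport/pem_ca_file"),
        "format_type": fmt.get("type", "") if fmt is not None else "",
    }
    # As stated in this thread: Log Exporter's "syslog" format is RFC 5424;
    # "BSD" (RFC 3164) belongs to the older syslog-server method, not here.
    summary["wire_format"] = "RFC 5424" if summary["format_type"] == "syslog" else "n/a"

    findings = []
    if summary["security"] != "tls":
        findings.append("cleartext: log data crosses the network unencrypted and "
                        "unauthenticated; set <security>tls</security>")
    if summary["protocol"] == "udp":
        findings.append("udp: no delivery guarantee, dropped datagrams are lost logs")
    if summary["security"] == "tls" and summary["protocol"] != "tcp":
        findings.append("tls is configured on a non-tcp transport")
    if summary["security"] == "tls" and not summary["ca_file"]:
        findings.append("tls without pem_ca_file: the collector's certificate "
                        "cannot be validated")
    summary["findings"] = findings
    return summary


if __name__ == "__main__":
    # Usage: python audit_target.py [/opt/CPrt-R82/log_exporter/targets/<name>/targetConfiguration.xml]
    xml_text = open(sys.argv[1]).read() if len(sys.argv) > 1 else POSTED_TARGET
    for key, value in audit_target(xml_text).items():
        print(f"{key}: {value}")
```

Run it against each directory under the targets path shown above; the `format_type`/`wire_format` line answers the original question per this thread, and the findings list is what to fix before shipping firewall logs to a SIEM across a network you do not fully control.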
I'm going to guess based on this that RFC 5424 is what is used: https://sc1.checkpoint.com/documents/Log_Exporter/EN/Content/Topics/SIEM-Instructions.htm?Highlight=...
Also, as noted in the docs you linked, we refer to the other format as "BSD" (i.e. RFC 3164).
If you want 100% confirmation, please open a TAC case.