I have configured log exporter to send logs in syslog format to a Splunk SIEM on an R81.10 SMS, which manages 9 security gateways. The Splunk SIEM could detect the hostname of the security gateway which originated the logs in its host field and registered the 9 log sources.
After upgrading to R81.20, the Splunk SIEM sees all logs as originating from the SMS hostname, and can see only one log source. Its host field has the hostname of the SMS and not the hostname of the originating security gateway. The log message includes the SICname of the originating GW, but they would need to re-parse in order to extract it.
Has something changed in the format of log exporter for syslog in R81.20? Or is there a configurable parameter where I can specify that the logs be identified as originating from the security gateway and not the SMS?
Funny you mentioned this, cause last week, customer and I were on with TAC troubleshooting something totally unrelated and client mentioned log exporter and they wanted to upgrade mgmt to R81.20 and TAC guy brought this issue up, but I wish I inquired further. Not sure if he only meant this happens if you upgrade mgmt ONLY or gateway as well...sorry mate, I should have asked, but did not.
Now, he did say possible workaround is to simply issue cp_log_export restart command.
Not sure how long that would work for though.
Andy
Thanks for your prompt reply Andy.
We upgraded mgmt and all gateways to R81.20 and applied the latest JHF also. I believe we tried restarting log export and it didn't help. Maybe I should reach out to TAC and see if it's a known issue.
I recommend doing so (especially since an upgrade "broke" it): https://help.checkpoint.com
I only found below related to log exporter, but not something you would be concerned about. As @PhoneBoy said, open TAC case and they can verify.
Andy
The issue seems to have been solved. We simply changed the cp_log_export format from syslog to splunk!
I presume in R81.20 Checkpoint has improved the compatibility with the splunk format, as this didn't work under R81.10.
At the SIEM end they were using a collector called SC4S which received Checkpoint logs in syslog format and converted them to Splunk.
Now they are able to parse the logs sent in Splunk format without issue, although they are still going through SC4S.
I think that might be by default, but you can confirm for sure with TAC.
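The re-parse mentioned in the original question (taking the originating gateway from the SIC name when the syslog header names the SMS) could look like the sketch below; it is an added example, not code from any poster in this thread or from Check Point. The field name `originsicname`, the `CN=<gateway>,O=<management>` layout, the optional `\=` escaping and the sample lines are all assumptions constructed for illustration.

```python
import re

# Assumption: the SIC name is carried as originsicname:"..." (or origin_sic_name).
SIC_FIELD = re.compile(r'\borigin_?sic_?name[:=]"((?:[^"\\]|\\.)*)"', re.I)
# RFC 5424 header: <PRI>VERSION TIMESTAMP HOSTNAME ...
HEADER = re.compile(r'^<\d{1,3}>\d\s+\S+\s+(\S+)\s')

# Constructed sample lines: every header names the management server (sms01).
SAMPLES = [
    '<134>1 2024-05-01T10:00:00Z sms01 CheckPoint 4321 - [action:"Accept"; '
    'origin:"10.1.1.1"; originsicname:"CN=gw-01,O=sms01..x7k2p9"; service:"443"]',
    '<134>1 2024-05-01T10:00:01Z sms01 CheckPoint 4321 - [action:"Drop"; '
    'origin:"10.1.1.2"; originsicname:"CN\\=gw-02,O\\=sms01..x7k2p9"; service:"22"]',
    '<134>1 2024-05-01T10:00:02Z sms01 CheckPoint 4321 - [action:"Accept"; '
    'origin:"10.1.1.9"; service:"53"]',
]

def cn_from_sic(sic):
    """Return the CN of a SIC distinguished name, or None if it has none."""
    sic = sic.replace('\\', '')  # tolerate exports that escape '=' as '\='
    for rdn in sic.split(','):
        key, _, value = rdn.strip().partition('=')
        if key.upper() == 'CN' and value:
            return value
    return None

def originating_host(line):
    """Prefer the gateway named in the SIC field; fall back to the header host."""
    header = HEADER.match(line)
    fallback = header.group(1) if header else None
    field = SIC_FIELD.search(line)
    if field:
        return cn_from_sic(field.group(1)) or fallback
    return fallback

def distinct_sources(lines):
    """Log sources a SIEM would register after the host override."""
    return sorted({h for h in map(originating_host, lines) if h})

if __name__ == '__main__':
    for sample in SAMPLES:
        print(originating_host(sample))
```

Lines that carry no SIC field keep the header hostname, so they stay attributed to the SMS and can be reviewed separately.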