This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
farisarch
Explorer
‎2025-08-06 12:53 AM

Difference on Harmony Endpoint Log Exporter vs Event Forwarding

Hello all,

Our team is currently building an in house SOC and utilizing events generated by Harmony Endpoint to feed the SIEM.

From what we have tested, there are two ways to send event logs from Harmony Endpoint to our SIEM which are:

1. Infinity Portal Event Forwarding

2. Harmony Endpoint Export Events or Log Exporter.

I've tried finding information on the difference of these two but there aren't many.

One that I notice is that Event Forwarding requires mTLS to be configured or you can't proceed, and there are no port restrictions during the configuration.

Log exporter has options whether to sent over port 514 or encrypted port 6514.

Other than that Event forwarding has options to create rules to forward services based on your needs.

Thank you in advance.

 

0 Kudos
3 Replies
PhoneBoy
Admin
Admin
‎2025-08-11 06:51 AM

The main difference, at least from what I can see in the docs, is what data is forwarded (all services managed via Infinity Portal versus just the stuff for Harmony Endpoint).
Note that both of these features require a license (based on log volume).

0 Kudos
farisarch
Explorer
a month ago
In response to PhoneBoy

Yep, that is one of the main difference I noticed early on, though one thing we noticed is that there is a bit of format difference and naming convention from both but not all fields. There is also a big one we noticed where there is a long delay for forwarding logs to our syslog server for Event Forwarding. The first related log appeared on the Infinity Portal on 10:55:25 am yet Event Forwarding seems to have a delay in forwarding sometimes up to 15 minutes. Not sure if it's a region thing or intended behavior.

Top one is event forwarding, the other one is from log exporter

Aug  7 11:05:53 20.73.193.110 1 2025-08-07T03:05:04.07Z Checkpoint eventforwarding-ac9290f2-f72f-4a1d-b6af-1244619f7a23 1650 - - {"time":"2025-08-07 02:56:10","id":"a4640108-dc71-f638-6894-161300000002","orig":"164.100.1.8","sequencenum":1,"action":"Prevent","i_f_dir":"inbound","policy_date":"2025-07-22T03:18:50Z","severity_int":3,"confidence_level_int":0,"protection_type":"URL Filtering","advanced_info":"\"exclusions\":[{\"exclusion_engine_type\":\"URL Filtering exclusions\",\"exclusion_type\":\"Domain\",\"exclusion_value\":{\"default_value\":\"www.yarenhost.com\",\"md5\":\"\",\"original_name\":\"\",\"signer\":\"\",\"process\":\"\",\"protection\":\"\",\"comment\":\"\"}}]","app_id":"0","app_properties":["Phishing, Low Risk"],"app_rule_id":" ","app_rule_name":" ","appi_name":"www.yarenhost.com","client_name":"Check Point Endpoint Security Client","client_version":["89.00.0430"],"description":"To exclude: Open the Harmony Management -> POLICY -> Threat Prevention -> EXCLUSION CENTER -> Web and Files Protection -> URL Filtering exclusions -> + -> paste this: www.yarenhost.com","dst":"0.0.0.0","event_type":"URLF Info Event","host_type":["Desktop"],"installed_products":"Firewall; Compliance; Application Control; Anti-Malware; VPN; Anti-Bot; Forensics; Threat Emulation","local_time":1754564170,"machine_guid":" ","matched_category":"Phishing","os_name":["Microsoft Windows 10 Home"],"os_version":["10.0-19045-SP0.0-SP"],"policy_name":"Default Anti-Bot settings","policy_number":3,"process_exe_path":"C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe","product":"URL Filtering","product_family":"Endpoint","protection_name":"gen.urlf","reason":" ","resource":["https://www.yarenhost.com/"],"src":"192.168.237.165","src_machine_name":"DESKTOP-LDO9MC8","src_user_name":["fais"],"tenant_id":"REDACTED","user_name":" ","user_sid":"S-1-5-21-1451181116-1303984464-599200800-1001","usercheck_incident_uid":"3690ac7d","web_client_type":["Edge"],"domain":"SMC User","orig_log_server":"12c7035e-2b86-a94c-adcf-651a16d773de","orig_log_server_ip":"164.100.1.8","trimTime":"2025-08-07 02:56:00","trimHour":"2025-08-07 02:00:00","trimDate":"2025-08-07 00:00:00","hourOfDay":2,"severity":"High","confidence_level":"N/A","type":"Log","dedup_time":"2025-08-07 02:56:10.000001","__id":"2025-08-07 02:56:10_2025-08-07 02:56:10.000001"}
Aug  7 10:57:04 52.210.248.134 1 2025-08-07T02:55:25Z i-0788aba73fdeed2a7 CheckPoint 31993 - [action:"Prevent"; flags:"131072"; ifdir:"inbound"; loguid:"{0x689415eb,0x0,0x80164a4,0x3e807cf9}"; origin:"164.100.1.8"; sequencenum:"1"; time:"1754535325"; version:"5"; __policy_id_tag:" "; advanced_info:"{\"exclusions\":[{\"exclusion_engine_type\":\"URL Filtering exclusions\",\"exclusion_type\":\"Domain\",\"exclusion_value\":{\"default_value\":\"www.yarenhost.com\",\"md5\":\"\",\"original_name\":\"\",\"signer\":\"\",\"process\":\"\",\"protection\":\"\",\"comment\":\"\"}}\]}"; app_id:"0"; app_properties:"Phishing, High Risk"; app_rule_id:" "; app_rule_name:" "; appi_name:"www.yarenhost.com"; client_name:"Check Point Endpoint Security Client"; client_version:"89.00.0430"; confidence_level:"N/A"; description:"To exclude: Open the Harmony Management -> POLICY -> Threat Prevention -> EXCLUSION CENTER -> Web and Files Protection -> URL Filtering exclusions -> + -> paste this: www.yarenhost.com"; dst:"0.0.0.0"; event_type:"URLF Info Event"; host_type:"Desktop"; installed_products:"Firewall; Compliance; Application Control; Anti-Malware; VPN; Anti-Bot; Forensics; Threat Emulation"; local_time:"1754564125"; machine_guid:" "; matched_category:"Phishing,High Risk"; os_name:"Microsoft Windows 10 Home"; os_version:"10.0-19045-SP0.0-SP"; policy_date:"1753154330"; policy_name:"Default Anti-Bot settings"; policy_number:"3"; process_exe_path:"C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe"; product:"URL Filtering"; product_family:"Endpoint"; protection_name:"gen.urlf"; protection_type:"URL Filtering"; reason:" "; resource:"https://www.yarenhost.com/"; severity:"3"; src:"192.168.237.165"; src_machine_name:"DESKTOP-LDO9MC8"; src_user_name:"fais"; tenant_id:"REDACTED"; user_name:" "; user_sid:"S-1-5-21-1451181116-1303984464-599200800-1001"; usercheck_incident_uid:"b694ea32"; web_client_type:"Edge"]​

 

0 Kudos
PhoneBoy
Admin
Admin
a month ago
In response to farisarch

If "events" are being sent, I imagine some time might be needed to ensure all data for that event is correlated, thus the delay.
It might also explain some differences in the logging.

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events