Create a Post
cancel
Showing results for 
Search instead for 
Did you mean: 
roby198
Participant

Logs from Infinity Portal to Splunk

Hi.

I need to feed SPLUNK with logs from Infinity Portal.

I read that with Infinity Portal all logs and security events are stored in the Infinity Portal’s cloud-native as datalake in cloud.

It can forwarding events, as said in the doc, as "...an easy and secure procedure to export Infinity Portal data over the Syslog protocol. You can forward logs, events, and saved application data from your Check Point Infinity Portal account to a
SIEM (Security Information and Event Management) provider, such as Splunk, QRadar, or ArcSight".

In my case I want to send these event to a Splunk ES (SaaS cloud)

Questions:

  1. How Can i choice the format of the log since there are different log format vendor SIEM as CEF, LEEF, maybe json for SPLUNK ?
  2. If there is a solution for the point 1 do i need to set up a Splunk Forwarder (Splunk syslog server) to collect these logs from Infinity Portal and then send them to a Splunk Enterprise Security SAAS ?
  3. Do the the Infinity Portal implement (transparently) the CheckPoint Log EXPORTER sw module on its components?

Thank you

Roby

 

 

 

0 Kudos
9 Replies
PhoneBoy
Admin
Admin

Log Exporter runs on the Check Point management, not gateways.
In any case, it should be possible to set this up with Splunk, but only syslog format is supported per: https://sc1.checkpoint.com/documents/Infinity_Portal/WebAdminGuides/EN/Infinity-Portal-Admin-Guide/C... 
Which suggest you might need a Splunk syslog server.
Believe this can be confirmed through TAC: https://help.checkpoint.com 

0 Kudos
roby198
Participant

Hi,

The point 3 question "Do the the Infinity Portal implement (transparently) the CheckPoint Log EXPORTER sw module on its components" it is : the LOG EXPORTER is implemented on management.

And , could the management be on a customer on-premise and the logs flow to Infinity Portal datalake in cloud? correct?

About point 1, I believed that the syslog protocol already transported the information in the various proprietary SIEM formats.

About point 2,  I need Splunk Forwarder.

Thanks

 

0 Kudos
the_rock
Legend
Legend

Point 3, correct.

Point 1, yes, that is the case.

Point 2, not 100% sure, but you may want to confirm with TAC.

Example I gave you was that my colleague and I had TAC set up cp log export so logs from S1C (smart 1 cloud) would go to SIEM.

Andy

0 Kudos
PhoneBoy
Admin
Admin

Log Exporter runs on your Check Point management/log server.
If you're using Smart-1 Cloud or other services via Infinity Portal, this is where Log Exporter functionality is implemented.
If you want to include events from your on-prem managed services in Infinity Portal, this can be done with Horizon Events.

0 Kudos
the_rock
Legend
Legend

My colleague and I did this for the customer couple of years back, will see if I can find the link about it here and send it over.

Andy

0 Kudos
roby198
Participant

Thank you Andy

0 Kudos
the_rock
Legend
Legend

I believe this should help. Sorry for the delay, was out running, but I sure aint Haile Gebrselassie 🤣🤣

Andy

https://community.checkpoint.com/t5/Management/Log-exporter-amp-Splunk-TLS/m-p/126164#M27609

0 Kudos
(1)
roby198
Participant

Hi Andy , thank you so much, I'll follow the instructions in the link and i'll try it. 

Roby

0 Kudos
the_rock
Legend
Legend

No worries mate. I sure hope it works.

If any issues, let us know. Well, let us know the outcome either way : - )

Andy

0 Kudos
(1)
Upcoming Events

    CheckMates Events