CheckMates - Products - Infinity Global Services - Infinity Portal
Logs from Infinity Portal to Splunk
Hi.
I need to feed Splunk with logs from Infinity Portal.
I read that with Infinity Portal, all logs and security events are stored in Infinity Portal's cloud-native data lake in the cloud.
It can forward events, as the doc says: "...an easy and secure procedure to export Infinity Portal data over the Syslog protocol. You can forward logs, events, and saved application data from your Check Point Infinity Portal account to a SIEM (Security Information and Event Management) provider, such as Splunk, QRadar, or ArcSight".
In my case I want to send these events to Splunk ES (SaaS cloud).
Questions:
- How can I choose the log format, since different SIEM vendors use different log formats such as CEF, LEEF, or maybe JSON for Splunk?
- If there is a solution for point 1, do I need to set up a Splunk Forwarder (Splunk syslog server) to collect these logs from Infinity Portal and then send them to Splunk Enterprise Security SaaS?
- Does Infinity Portal implement (transparently) the Check Point Log Exporter software module on its components?
Thank you
Roby
Log Exporter runs on the Check Point management, not gateways.
In any case, it should be possible to set this up with Splunk, but only syslog format is supported per: https://sc1.checkpoint.com/documents/Infinity_Portal/WebAdminGuides/EN/Infinity-Portal-Admin-Guide/C...
Which suggests you might need a Splunk syslog server.
Believe this can be confirmed through TAC: https://help.checkpoint.com
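As an added example (not from this thread, and not Check Point or Splunk code): a minimal version of the "Splunk syslog server" the reply above says you might need. It listens for RFC 5424 syslog over TCP, parses the body either as Check Point Log Exporter style key:"value" pairs or as CEF, and forwards each record to Splunk's HTTP Event Collector (HEC). The exact body layout, the host and app names, the listen port, HEC URL and token arguments, and both sample records are assumptions/constructed for the demo, not real Infinity Portal output; check them against the Infinity Portal export guide before relying on the field names.

```python
import json
import re
import socketserver
import sys
import urllib.request
from datetime import datetime

# RFC 5424 header: <PRI>1 TIMESTAMP HOSTNAME APP-NAME PROCID MSGID <body>
_HDR = re.compile(r"^<(?P<pri>\d{1,3})>1 (?P<ts>\S+) (?P<host>\S+) (?P<app>\S+) "
                  r"(?P<pid>\S+) (?P<msgid>\S+) (?P<body>.*)$", re.S)
# Log Exporter "syslog" body, assumed layout: [key:"value"; key:"value"; ...]
_CP_PAIR = re.compile(r'(\w+):"((?:[^"\\]|\\.)*)"')
# CEF extension: key=value pairs whose values may contain spaces
_CEF_EXT = re.compile(r"(\w+)=(.*?)(?=\s+\w+=|$)", re.S)


def _parse_cef(body):
    """Split 'CEF:0|Vendor|Product|Version|SigID|Name|Severity|ext' into a dict."""
    parts = re.split(r"(?<!\\)\|", body, maxsplit=7)
    if len(parts) != 8 or not parts[0].startswith("CEF:"):
        raise ValueError("not a CEF record")
    names = ["cef_version", "vendor", "product", "version", "signature_id", "name", "severity"]
    fields = dict(zip(names, (p.replace("\\|", "|") for p in parts[:7])))
    fields["cef_version"] = fields["cef_version"].split(":", 1)[1]
    fields.update((k, v.strip()) for k, v in _CEF_EXT.findall(parts[7]))
    return fields


def parse_syslog(line):
    """Parse one RFC 5424 line whose body is Check Point key:"value" pairs or CEF."""
    m = _HDR.match(line.strip())
    if not m:
        raise ValueError("not an RFC 5424 syslog line")
    pri, body = int(m["pri"]), m["body"]
    if body.startswith("CEF:"):
        fmt, fields = "cef", _parse_cef(body)
    else:
        fmt = "cp_syslog"
        fields = {k: v.replace('\\"', '"') for k, v in _CP_PAIR.findall(body)}
        if not fields:
            raise ValueError('no key:"value" pairs in body')
    ts = datetime.fromisoformat(m["ts"].replace("Z", "+00:00"))
    return {"time": ts.timestamp(), "host": m["host"], "app": m["app"],
            "facility": pri >> 3, "severity": pri & 7, "format": fmt, "fields": fields}


def to_hec_event(parsed, index="checkpoint"):
    """Shape a parsed record as one Splunk HTTP Event Collector JSON event."""
    event = dict(parsed["fields"], syslog_facility=parsed["facility"],
                 syslog_severity=parsed["severity"], log_format=parsed["format"])
    return {"time": parsed["time"], "host": parsed["host"], "index": index,
            "source": "syslog:" + parsed["app"],
            "sourcetype": "checkpoint:" + parsed["format"], "event": event}


def send_to_hec(events, hec_url, token):
    """POST newline-delimited HEC events (network call); returns the HTTP status."""
    payload = "\n".join(json.dumps(e) for e in events).encode()
    req = urllib.request.Request(hec_url, data=payload, method="POST",
                                 headers={"Authorization": "Splunk " + token,
                                          "Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.status


class SyslogTCPHandler(socketserver.StreamRequestHandler):
    """One TCP connection from the exporter; one syslog record per line."""
    def handle(self):
        for raw in self.rfile:
            try:
                ev = to_hec_event(parse_syslog(raw.decode("utf-8", "replace")))
            except ValueError as exc:
                print("dropped line from %s: %s" % (self.client_address[0], exc))
                continue
            send_to_hec([ev], self.server.hec_url, self.server.hec_token)


# Constructed sample records (not real Infinity Portal output).
SAMPLE_CP = ('<134>1 2024-05-06T10:15:30Z cp-mgmt CheckPoint 1234 - '
             '[action:"Accept"; src:"10.1.2.3"; dst:"8.8.8.8"; service:"53"; proto:"17"]')
SAMPLE_CEF = ('<134>1 2024-05-06T10:15:30Z cp-mgmt CheckPoint 1234 - '
              'CEF:0|Check Point|VPN-1 & FireWall-1|Check Point|Log|Log|Unknown|'
              'rt=1714990530000 src=10.1.2.3 dst=8.8.8.8 act=Accept proto=udp')

if __name__ == "__main__":
    # Usage: python cp_syslog_to_hec.py <listen_port> <hec_url> <hec_token>
    port, hec_url, token = int(sys.argv[1]), sys.argv[2], sys.argv[3]
    with socketserver.ThreadingTCPServer(("0.0.0.0", port), SyslogTCPHandler) as srv:
        srv.hec_url, srv.hec_token = hec_url, token
        srv.serve_forever()
```

Two practical points if you run something like this as the collector: the listener above is plain TCP and unauthenticated, so restrict it at the firewall to the exporting source addresses and terminate TLS in front of it (the Log Exporter & Splunk TLS thread linked later in this discussion covers the TLS side), and treat the HEC token as a secret. For production, Splunk's own syslog collector (Splunk Connect for Syslog) does the same job with maintained parsers; the script is here to show what the "syslog server" actually has to do with the line it receives.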
Hi,
On the point 3 question ("Does Infinity Portal implement (transparently) the Check Point Log Exporter software module on its components?"), the answer is: the Log Exporter is implemented on the management.
And could the management be on the customer's premises, with the logs flowing to the Infinity Portal data lake in the cloud? Correct?
About point 1, I believed that the syslog protocol already transported the information in the various proprietary SIEM formats.
About point 2, I need a Splunk Forwarder.
Thanks
Point 3, correct.
Point 1, yes, that is the case.
Point 2, not 100% sure, but you may want to confirm with TAC.
The example I gave you was that my colleague and I had TAC set up cp log export so that logs from S1C (Smart-1 Cloud) would go to the SIEM.
Andy
Log Exporter runs on your Check Point management/log server.
If you're using Smart-1 Cloud or other services via Infinity Portal, this is where Log Exporter functionality is implemented.
If you want to include events from your on-prem managed services in Infinity Portal, this can be done with Horizon Events.
My colleague and I did this for the customer a couple of years back; I will see if I can find the link about it here and send it over.
Andy
Thank you Andy
I believe this should help. Sorry for the delay, I was out running, but I sure ain't Haile Gebrselassie 🤣🤣
Andy
https://community.checkpoint.com/t5/Management/Log-exporter-amp-Splunk-TLS/m-p/126164#M27609
Hi Andy, thank you so much. I'll follow the instructions in the link and try it.
Roby
No worries mate. I sure hope it works.
If any issues, let us know. Well, let us know the outcome either way : - )
Andy
