roby198
Explorer

Logs from Infinity Portal to Splunk

Hi.

I need to feed SPLUNK with logs from Infinity Portal.

I read that with Infinity Portal all logs and security events are stored in the Infinity Portal's cloud-native data lake in the cloud.

It can forward events, as the doc says: "...an easy and secure procedure to export Infinity Portal data over the Syslog protocol. You can forward logs, events, and saved application data from your Check Point Infinity Portal account to a SIEM (Security Information and Event Management) provider, such as Splunk, QRadar, or ArcSight".

In my case I want to send these events to a Splunk ES (SaaS cloud).

Questions:

  1. How can I choose the log format, since there are different SIEM vendor log formats such as CEF, LEEF, and maybe JSON for Splunk?
  2. If there is a solution for point 1, do I need to set up a Splunk Forwarder (Splunk syslog server) to collect these logs from Infinity Portal and then send them to Splunk Enterprise Security SaaS?
  3. Does the Infinity Portal implement (transparently) the Check Point Log Exporter software module on its components?

Thank you

Roby


9 Replies
PhoneBoy
Admin

Log Exporter runs on the Check Point management, not gateways.
In any case, it should be possible to set this up with Splunk, but only syslog format is supported per: https://sc1.checkpoint.com/documents/Infinity_Portal/WebAdminGuides/EN/Infinity-Portal-Admin-Guide/C...
Which suggests you might need a Splunk syslog server.
Believe this can be confirmed through TAC: https://help.checkpoint.com 

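Since the reply above says the portal only speaks syslog, the piece in the middle is a "Splunk syslog server": something that listens for syslog, parses the RFC 5424 header, and hands each event to Splunk. The following is an added example of that relay, written for this thread; it is not Check Point's or Splunk's code. It assumes the Splunk HTTP Event Collector (HEC) endpoint `/services/collector/event` with a `Splunk <token>` authorization header (the real HEC API), and it assumes, purely as a constructed sample, a syslog line whose body carries `key:"value"` pairs; the host name, token, port, index and sourcetype names are placeholders.

```python
"""Minimal syslog-to-Splunk-HEC relay (added example, not from the thread)."""
import json
import re
import socket
import urllib.request
from datetime import datetime
from typing import Optional

# RFC 5424 header: <PRI>VERSION TIMESTAMP HOSTNAME APP-NAME PROCID MSGID, then SD/MSG.
_RFC5424 = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<version>\d)\s+(?P<ts>\S+)\s+(?P<host>\S+)\s+"
    r"(?P<app>\S+)\s+(?P<procid>\S+)\s+(?P<msgid>\S+)\s*(?P<rest>.*)$",
    re.S,
)

# Constructed sample in the general shape of a syslog export. The actual field
# names and values depend on what Infinity Portal emits; this is an assumption.
SAMPLE_LINE = (
    '<134>1 2024-05-01T12:00:00Z portal-export CheckPoint 4242 - '
    '[action:"Accept"; src:"10.0.0.5"; dst:"203.0.113.9"; service:"https"]'
)


def parse_syslog(line: str) -> dict:
    """Split an RFC 5424 line into header fields plus the untouched remainder."""
    m = _RFC5424.match(line.strip())
    if m is None:
        raise ValueError("not an RFC 5424 syslog line")
    pri = int(m["pri"])
    if pri > 191:  # facility 0..23, severity 0..7
        raise ValueError("PRI out of range")
    ts = m["ts"]
    epoch: Optional[float] = None
    if ts != "-":  # the NILVALUE "-" means the sender gave no timestamp
        epoch = datetime.fromisoformat(ts.replace("Z", "+00:00")).timestamp()
    return {
        "facility": pri >> 3,
        "severity": pri & 7,
        "time": epoch,
        "host": m["host"],
        "app": m["app"],
        "msg": m["rest"],
    }


def extract_kv(msg: str) -> dict:
    """Pull key:"value" pairs out of the body (assumed layout, matches SAMPLE_LINE)."""
    return {k: v for k, v in re.findall(r'(\w+):"([^"]*)"', msg)}


def build_hec_payload(event: dict, sourcetype: str, index: Optional[str] = None) -> str:
    """Shape one parsed event as a Splunk HEC /services/collector/event document."""
    body = {
        "event": event["msg"],
        "host": event["host"],
        "sourcetype": sourcetype,
        "fields": {
            "facility": event["facility"],
            "severity": event["severity"],
            "app": event["app"],
            **extract_kv(event["msg"]),
        },
    }
    if event["time"] is not None:
        body["time"] = event["time"]  # epoch seconds, so Splunk keeps the sender's timestamp
    if index:
        body["index"] = index
    return json.dumps(body)


def send_to_hec(hec_url: str, token: str, payload: str) -> int:
    """POST one payload to HEC over HTTPS and return the HTTP status code."""
    req = urllib.request.Request(
        hec_url, data=payload.encode(), method="POST",
        headers={"Authorization": f"Splunk {token}", "Content-Type": "application/json"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.status


def serve_udp(bind: str, port: int, hec_url: str, token: str, sourcetype: str) -> None:
    """Receive syslog over UDP and relay every parsable line to HEC."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind((bind, port))
    while True:
        data, _peer = sock.recvfrom(65535)
        try:
            event = parse_syslog(data.decode("utf-8", errors="replace"))
        except ValueError:
            continue  # drop malformed datagrams instead of forwarding garbage
        send_to_hec(hec_url, token, build_hec_payload(event, sourcetype))


if __name__ == "__main__":
    # Placeholders: replace with your own HEC host, token and sourcetype.
    serve_udp("0.0.0.0", 5514,
              "https://<splunk-hec-host>:8088/services/collector/event",
              "<HEC_TOKEN>", "checkpoint:syslog")
```

The UDP listener is the simplest form of the collector; the TLS syslog setup discussed later in this thread would replace the socket code, while the parsing and HEC payload shaping stay the same. Keeping the sender's timestamp in `time` and the raw body in `event` means nothing is lost if the field layout turns out to differ from the constructed sample.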
roby198
Explorer

Hi,

So the answer to the point 3 question ("Does the Infinity Portal implement (transparently) the Check Point Log Exporter software module on its components?") is: the Log Exporter is implemented on the management.

And could the management be on the customer's premises, with the logs flowing to the Infinity Portal data lake in the cloud? Correct?

About point 1, I believed that the syslog protocol already transported the information in the various proprietary SIEM formats.

About point 2, I need a Splunk Forwarder.

Thanks

the_rock
Legend

Point 3, correct.

Point 1, yes, that is the case.

Point 2, not 100% sure, but you may want to confirm with TAC.

The example I gave you was that my colleague and I had TAC set up CP log export so logs from S1C (Smart-1 Cloud) would go to the SIEM.

Andy

PhoneBoy
Admin

Log Exporter runs on your Check Point management/log server.
If you're using Smart-1 Cloud or other services via Infinity Portal, this is where Log Exporter functionality is implemented.
If you want to include events from your on-prem managed services in Infinity Portal, this can be done with Horizon Events.

the_rock
Legend

My colleague and I did this for the customer a couple of years back; I will see if I can find the link about it here and send it over.

Andy

roby198
Explorer

Thank you Andy

the_rock
Legend

I believe this should help. Sorry for the delay, was out running, but I sure ain't Haile Gebrselassie 🤣🤣

Andy

https://community.checkpoint.com/t5/Management/Log-exporter-amp-Splunk-TLS/m-p/126164#M27609

roby198
Explorer

Hi Andy, thank you so much, I'll follow the instructions in the link and I'll try it.

Roby

the_rock
Legend

No worries mate. I sure hope it works.

If any issues, let us know. Well, let us know the outcome either way : - )

Andy
