ArcSight Parser R80.10 & R80

Hi,

I have a question regarding collecting logs from Check Point to ArcSight (SIEM) for version R80 and R80.10.

The LEA connection doesn't work very well anymore; the workaround of downgrading the certificate to SHA1 and then configuring the connection doesn't always work either, because the CRL is signed with SHA2.

We now use CPLogToSyslog for R80 and R80.10. Unfortunately there is no parser that correctly interprets the log files. So we wrote a custom parser for R80, but in R80.10 the log format has changed completely again.

I can't imagine that there is no one else with this problem. Does anyone have a parser or another smart solution to tackle this problem?

Please let me know!

Best Regards,

Maarten Lutterman

18 Replies
Vladimir

Re: ArcSight Parser R80.10 & R80

I think that Check Point should designate some internal resources to creation of parsers for dominant SIEM systems.

Same situation is encountered with Alert Logic. They are parsing Windows and Cisco logs using pre-built parsers but CPlog to Syslog output is, for the moment, a raw text.

Since there was a mention of native Syslog support coming back in later releases, (it was only briefly supported in R77.30), that pretty much means that the format will change again.

This situation is causing some frustration with clients that are increasingly required to utilize SIEM services.


Re: ArcSight Parser R80.10 & R80

ArcSight also has a syslog connector (see ArcSight Connectors Check Point syslog Integration Guide). Might be worth trying. It isn't clear to me from the integration guide that they support receiving syslog from the management server via the CPLogToSyslog hotfix (sk115392), but imagine it is supported. They do mention the other option of receiving syslog from the gateways (sk87560) which currently isn't an option in R80.10.


Re: ArcSight Parser R80.10 & R80

Hi Bob,

The integration guide you mentioned is for the syslog support that https://community.checkpoint.com/people/highe19f56cc9-7e21-4ec2-8189-286599ead4d8 mentioned. This is not supported anymore in R80 and R80.10. The syslog format from CPLogToSyslog is different from the briefly supported one in R77.30. That's the problem, because the formats from R80 and R80.10 even differ from each other.

Thx anyway for the suggestion!


Re: ArcSight Parser R80.10 & R80

Hello,

Can you please describe the current issue you have with LEA?

What kind of parsers are you looking for in CPLogToSyslog?

Thanks!

Dan.


Re: ArcSight Parser R80.10 & R80

Hi Dan,

The issue we have is that the CRL used by the Check Point management is signed with SHA256. We followed the procedure to set the signing hash to SHA1 with cpca_client set_sign_hash sha1 before creating the OPSEC object, and afterwards changed it back to SHA256, but the CRL is still signed with SHA256 and the Connector software from ArcSight breaks on that.

We tried several things in order to get it working, without success.

We use ArcSight as our SIEM platform and we are looking for a FlexConnector (parser) to convert the CPLogToSyslog format to CEF (Common Event Format) so the logging is correctly interpreted by the ArcSight ESM.

Thanks!

Maarten.

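As an added example (not code from Check Point, ArcSight or anyone in this thread), the following Python script shows the conversion Maarten is asking for: it tokenises a raw key=value record of the kind a syslog forwarder on the management server emits, maps a handful of fields to CEF extension keys, and writes a CEF:0 line with the escaping the CEF format requires (backslash and pipe in the header, backslash and equals sign in extension values). A parser for the resulting CEF line is included so the round trip can be checked. The record layout of the constructed sample, the field mapping, the severities and the vendor/product strings are all assumptions for illustration; verify them against real CPLogToSyslog output before building a mapping on them.

```python
"""Raw Check Point key=value syslog -> CEF, and back (added example).

Illustrative code only: it is not the CPLogToSyslog hotfix, Log Exporter, or
an ArcSight FlexConnector. ASSUMPTIONS: the raw record is a syslog header
followed by space-separated key=value pairs (values optionally double-quoted),
and the field-to-CEF mapping and severities below are a plausible starting
point, not Check Point's or ArcSight's official mapping.
"""
import re

# key=value or key="value with spaces"; Check Point keys like i/f_dir need the slash.
_KV = re.compile(r'(?P<key>[\w./-]+)=(?:"(?P<quoted>[^"]*)"|(?P<bare>\S*))')

# CEF extension: key=value pairs where a value may contain spaces but never an
# unescaped '='; a value ends where the next " key=" begins or at end of line.
_EXT = re.compile(r'([A-Za-z0-9_]+)=((?:\\.|[^=\\])*?)(?=\s+[A-Za-z0-9_]+=|$)')
_UNESC = re.compile(r'\\(.)')

FIELD_MAP = {  # assumed Check Point field -> CEF extension key
    "src": "src", "dst": "dst", "s_port": "spt", "service": "dpt",
    "proto": "proto", "action": "act", "orig": "dvc", "i/f_name": "deviceInboundInterface",
}
SEVERITY = {"Accept": 3, "Drop": 6, "Reject": 6, "Prevent": 8}  # assumed, 0-10 scale

# Constructed sample record; not real CPLogToSyslog output.
SAMPLE = (
    "<134>Jun 13 11:24:41 cp-mgmt CPLogToSyslog: time=1497345881 action=Drop "
    "orig=10.0.0.1 i/f_dir=inbound i/f_name=eth1 src=192.168.1.50 s_port=51234 "
    'dst=8.8.8.8 service=53 proto=udp rule_name="DNS|egress=block" '
    'product="VPN-1 & FireWall-1"'
)


def parse_kv(record: str) -> dict:
    """Tokenise the key=value body of a raw record; the syslog header is
    skipped naturally because it contains no '='."""
    out = {}
    for m in _KV.finditer(record):
        out[m.group("key")] = m.group("quoted") if m.group("quoted") is not None else m.group("bare")
    return out


def _esc_header(s: str) -> str:
    """CEF header fields: backslash and pipe are the only special characters."""
    return s.replace("\\", "\\\\").replace("|", "\\|")


def _esc_ext(s: str) -> str:
    """CEF extension values: backslash, '=' and line breaks must be escaped."""
    return (s.replace("\\", "\\\\").replace("=", "\\=")
             .replace("\r", "\\r").replace("\n", "\\n"))


def to_cef(raw_line: str, version: str = "R80.10") -> str:
    """Build one CEF:0 line from a raw record."""
    f = parse_kv(raw_line)
    action = f.get("action", "Unknown")
    rule = f.get("rule_name", "")
    ext = {cef: f[cp] for cp, cef in FIELD_MAP.items() if cp in f}
    if rule:  # custom string 1 carries the rule name, with its label
        ext["cs1Label"] = "RuleName"
        ext["cs1"] = rule
    if f.get("time", "").isdigit():
        ext["rt"] = str(int(f["time"]) * 1000)  # CEF 'rt' is epoch milliseconds
    header = "|".join(_esc_header(x) for x in (
        "CEF:0", "Check Point", f.get("product", "VPN-1 & FireWall-1"), version,
        action, f"{action} by rule {rule}" if rule else action, str(SEVERITY.get(action, 1)),
    ))
    return header + "|" + " ".join(f"{k}={_esc_ext(v)}" for k, v in ext.items())


def parse_cef(line: str) -> dict:
    """Split a CEF line into its seven header fields and an extension dict,
    honouring backslash escapes (the mirror image of to_cef)."""
    parts, buf, i = [], [], 0
    while i < len(line) and len(parts) < 7:
        c = line[i]
        if c == "\\" and i + 1 < len(line):
            buf.append(line[i + 1]); i += 2
        elif c == "|":
            parts.append("".join(buf)); buf = []; i += 1
        else:
            buf.append(c); i += 1
    if len(parts) != 7:
        raise ValueError("malformed CEF header: %r" % line)
    rec = dict(zip(("cef", "vendor", "product", "version", "signature", "name", "severity"), parts))
    rec["extension"] = {
        k: _UNESC.sub(lambda m: {"n": "\n", "r": "\r"}.get(m.group(1), m.group(1)), v)
        for k, v in _EXT.findall(line[i:])
    }
    return rec


if __name__ == "__main__":
    cef = to_cef(SAMPLE)
    print(cef)
    print(parse_cef(cef)["extension"])
```

The rule name in the sample deliberately contains both a pipe and an equals sign: the pipe must be escaped when it lands in the CEF name header field but not in the cs1 extension value, while the equals sign needs escaping only in the extension. A converter that gets either of these wrong produces lines that a strict CEF consumer will mis-split, which is one of the ways a "working" custom parser still yields wrong mappings in the SIEM.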

Re: ArcSight Parser R80.10 & R80

Hey Maarten,

ArcSight published the new SmartConnector for Check Point syslog a few weeks ago.

SmartConnector for Check Point Syslog - Micro Focus SW Community 

For this update, we worked together with them to map all the fields of Threat Prevention into the ArcSight mapping (based on CEF, of course).

Is that what you are looking for?

Thanks,

Oren


Re: ArcSight Parser R80.10 & R80

Hi Oren,

That is the one mentioned earlier; this is for the R77.30 add-on syslog. In R80 you have to use CPLogToSyslog in order to send it as syslog; there is no option to create a syslog object under Servers and OPSEC Applications in R80 or R80.10. The syslog format from CPLogToSyslog is different, so this connector update is not working correctly. We already tried it.

Thx

Maarten.


Re: ArcSight Parser R80.10 & R80

Internally someone has reported success using LEA via sk109618 with ArcSight and R80. I may be missing something, but I wouldn't give up on this route in favour of the syslog options. After you've set the CA to SHA1 via "cpca_client set_sign_hash sha1" and deleted and recreated the OPSEC app, I expect you will see the cert is SHA1.

hth,

bob


Re: ArcSight Parser R80.10 & R80

True, I know that fix, but the CRL is still signed with SHA256 so we still get an error. We are now running an EA of LogExporter that sends logs via syslog in CEF format, so you don't need a parser anymore. Will keep you guys updated.


Re: ArcSight Parser R80.10 & R80

Dear All,

I am facing this issue with a Check Point management server R80.10 sending logs to ArcSight SIEM.

I have installed Hotfix for R80.10 Check_Point_CPLogToSyslog_R80.10_GA_jhf_T42_FULL.tgz in the Management server.

Now I could see the Raw firewall logs in ArcSight, but not the Event kind of format.

I could neither see any more config changes specifically for getting Common Event format (as we used to get in Older R77.30 with Syslog Object) nor mentioned anywhere that CPLogToSyslog will support Event format visibility in ArcSight.

If there are any suggestions, please let us know.

Regards, N.Prabulingam


Re: ArcSight Parser R80.10 & R80

https://community.checkpoint.com/people/prabh7cfac945-8b6e-49fd-8c77-fde691b417b1 I'm currently in discussion with R&D from Check Point; we are working on a solution. Will keep you guys posted!


Re: ArcSight Parser R80.10 & R80

Great Maarten. Thanks for quick response, will await further from your end..

Regards, N.Prabulingam


Re: ArcSight Parser R80.10 & R80

Hello,

Could you please advise whether you have made any progress on this?

Regards,

Andrés Muñoz


Re: ArcSight Parser R80.10 & R80

Dear All,

My issue solved.

Now I could get the CPLogToSyslog HF used in the R80.10 management server to send logs towards the ArcSight connector, and they upgraded their connector with a parser so that CEF format logs were received instead of raw logs.

Regards, Prabulingam.N


Re: ArcSight Parser R80.10 & R80

Hi Prabulingam N

But the mapping isn't correct, right? Next week Check Point is coming over to install an EA hotfix in order to export the CP logging in CEF format with the correct mappings.

What does your setup look like? Which version of the connector software do you use (Windows/Linux)?

Regards,

Maarten


Re: ArcSight Parser R80.10 & R80

Dear Maarten,

My customer's setup was the ArcSight connector on Windows. They said that by upgrading to the latest ArcSight SmartConnector firmware, they could use a parser to convert the raw logs into CEF.

So from the Check Point side I had installed the CPLogToSyslog HF and followed the "local.cplogtosyslog_policy.C" file to enter ArcSight's IP address. That's it.

FYI - I could see that from Checkpoint side as well we can create Parser- sk55020 - I never tried this.


Regards, Prabulingam.N


Re: ArcSight Parser R80.10 & R80

We have the LogExporter running and the logging is sent in syslog CEF format. You can adjust your mapping file in ArcSight and it works great! 10x easier than LEA or CPLogToSyslog.

Don't know when it will be GA, but I don't think it is going to take very long anymore.


Re: ArcSight Parser R80.10 & R80

Hello,

I just wanted to update this post and say that the tool is now GA and you can find all relevant details in Logs Exporter - Check Point Logs Export.


Regards,

Yonatan