I have a question regarding collecting logs from Check Point to ArcSight (SIEM) for version R80 and R80.10.
The LEA connection doesn't work very well anymore, and the workaround of degrading the certificate to SHA1 and then configuring the connection doesn't always work because the CRL is signed with SHA2.
We now use CPLogToSyslog for R80 and R80.10. Unfortunately there is no parser to correctly interpret the log files. So we wrote a custom parser for R80, but in R80.10 the log format is completely changed again.
I can't imagine that there is no one else with this problem. Does anyone have a parser or another smart solution to tackle this problem?
Please let me know!
I think that Check Point should designate some internal resources to creating parsers for the dominant SIEM systems.
Same situation is encountered with Alert Logic. They are parsing Windows and Cisco logs using pre-built parsers but CPlog to Syslog output is, for the moment, a raw text.
Since there was a mention of native Syslog support coming back in later releases, (it was only briefly supported in R77.30), that pretty much means that the format will change again.
This situation is causing some frustration with clients that are increasingly required to utilize SIEM services.
ArcSight also has a syslog connector (see ArcSight Connectors Check Point syslog Integration Guide). Might be worth trying. It isn't clear to me from the integration guide that they support receiving syslog from the management server via the CPLogToSyslog hotfix (sk115392), but I imagine it is supported. They do mention the other option of receiving syslog from the gateways (sk87560), which currently isn't an option in R80.10.
The integration guide you mentioned is for the syslog support https://community.checkpoint.com/people/highe19f56cc9-7e21-4ec2-8189-286599ead4d8 mentioned. This is not supported anymore in R80 and R80.10. The syslog format from CPLogToSyslog is different from the briefly supported one in R77.30. That's the problem, because the formats from R80 and R80.10 even differ from each other.
Thx anyway for the suggestion!
The issue we have is that the CRL certificate that is used by the Check Point is signed with SHA256. We followed the procedure to set the signing hash to SHA1 with cpca_client set_sign_hash sha1 before we create the OPSEC object and afterwards change it back to SHA256, but the CRL is still signed with a SHA256 algorithm and the Connector software from ArcSight breaks on that.
We tried several things in order to get it working without success.
We use ArcSight as our SIEM platform and we are looking for a FlexConnector (parser) to convert the CPLogToSyslog format to CEF format (Common Event Format) so the logging is correctly interpreted by the ArcSight ESM.
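As an added illustration of what such a FlexConnector has to do (this is example code, not from anyone in the thread, not from Check Point, and not ArcSight's own connector): take a raw key=value syslog line, map the fields onto CEF extension keys, and build the CEF header with the escaping the CEF specification requires. The sample line is constructed and is not the real CPLogToSyslog layout (the thread shows none); the field names, the severity table and the `R80.10` version string are assumptions for the example.

```python
import re
from typing import Dict, List

# Constructed sample in a generic key=value syslog style. It stands in for the
# "raw text" a FlexConnector receives; it is NOT the real CPLogToSyslog format.
SAMPLE_LINE = (
    'time=1523456789 action=drop origin=10.0.0.1 product="VPN-1 & FireWall-1" '
    'src=10.1.2.3 s_port=51234 dst=203.0.113.5 service=443 proto=tcp '
    'rule_name="Block outbound | pipes=escaped"'
)

# key=value tokens; values may be double-quoted (with backslash escapes) or bare.
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')

# Assumed mapping from raw field names to CEF extension keys (order is kept in
# the output so the result is deterministic).
EXT_MAP: List[tuple] = [
    ("src", "src"), ("s_port", "spt"), ("dst", "dst"), ("service", "dpt"),
    ("proto", "proto"), ("origin", "dvc"), ("action", "act"), ("rule_name", "cs1"),
]

# Assumed CEF severity (0-10) per firewall action; unknown actions get 3.
SEVERITY = {"drop": 5, "reject": 5, "accept": 2}


def parse_kv(line: str) -> Dict[str, str]:
    """Split a key=value line into a dict, removing surrounding quotes."""
    fields: Dict[str, str] = {}
    for key, raw in KV_RE.findall(line):
        if len(raw) >= 2 and raw.startswith('"') and raw.endswith('"'):
            raw = raw[1:-1]
        fields[key] = raw
    return fields


def esc_header(value: str) -> str:
    """CEF header fields: backslash and pipe must be escaped."""
    return value.replace("\\", "\\\\").replace("|", "\\|")


def esc_ext(value: str) -> str:
    """CEF extension values: backslash and '=' escaped, newlines as \\n."""
    return (value.replace("\\", "\\\\")
                 .replace("=", "\\=")
                 .replace("\r\n", "\\n").replace("\n", "\\n").replace("\r", "\\n"))


def to_cef(line: str, vendor: str = "Check Point", version: str = "R80.10") -> str:
    """Convert one raw key=value line into a CEF:0 event string."""
    f = parse_kv(line)
    action = f.get("action", "unknown")
    header = "|".join(esc_header(x) for x in [
        vendor,
        f.get("product", "unknown"),
        version,
        action,                         # signature id
        f"Firewall {action}",           # human-readable name
        str(SEVERITY.get(action, 3)),
    ])
    ext: List[str] = []
    # CEF 'rt' is epoch milliseconds; the sample carries epoch seconds (assumption).
    if f.get("time", "").isdigit():
        ext.append(f"rt={int(f['time']) * 1000}")
    for raw_key, cef_key in EXT_MAP:
        if raw_key in f:
            ext.append(f"{cef_key}={esc_ext(f[raw_key])}")
    if "rule_name" in f:
        ext.append("cs1Label=rule_name")   # custom strings carry a label in CEF
    return f"CEF:0|{header}|{' '.join(ext)}"


if __name__ == "__main__":
    print(to_cef(SAMPLE_LINE))
```

Note that a pipe inside an extension value (the rule name above) is left alone, while a pipe in a header field (the product name) must be escaped; getting those two rules the wrong way round is what makes a receiving ESM mis-split events.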
ArcSight published the new SmartConnector for Check Point syslog a few weeks ago.
For this update, we worked together with them to map all the fields of Threat Prevention into the ArcSight mapping (based on CEF of course).
Is that what you are looking for?
That is the one mentioned earlier; this is for the R77.30 add-on syslog. In R80 you have to use CPLogToSyslog in order to send it as syslog; there is no option to create a syslog object in R80 or R80.10. The syslog format from CPLogToSyslog is different, so this connector update is not working correctly. We already tried it.
Internally someone has reported success using LEA via sk109618 with ArcSight and R80. May be missing something, but wouldn't give up on this route instead of using the syslog options. After you've set the CA to sha1 via "cpca_client set_sign_hash sha1" and deleted and recreated the OPSEC app, I expect you will see the cert is SHA1.
True, I know that fix, but the CRL is still signed with SHA256 so we still got an error. We are now running an EA of LogExporter that sends logs in syslog CEF format so you don't need a parser anymore. Will keep you guys updated.
I am facing this issue with Checkpoint Mgmt server R80.10 sending Logs to ArcSight SIEM.
I have installed Hotfix for R80.10 Check_Point_CPLogToSyslog_R80.10_GA_jhf_T42_FULL.tgz in the Management server.
Now I could see the Raw firewall logs in ArcSight, but not the Event kind of format.
I could neither see any more config changes specifically for getting Common Event format (as we used to get in Older R77.30 with Syslog Object) nor mentioned anywhere that CPLogToSyslog will support Event format visibility in ArcSight.
If there are any suggestions, please let us know.
My issue solved.
Now I could get the CPLogToSyslog HF used in the R80.10 Mgmt server to send logs towards the ArcSight connector, and they upgraded their Connector with a parser so that CEF format logs were received instead of raw logs.
But the mapping isn't correct right? next week Check Point is coming over to install an EA hotfix in order to export the CP logging in CEF format with the correct mappings.
What does your setup look like? Which version of connector software do you use (Windows/Linux)?
My customer setup was ArcSight connector in Windows. They said that by upgrading latest ArcSight SmartConnector Firmware, they could use parser to convert the Raw logs into CEF.
So from the Check Point side, I had installed the CPLogToSyslog HF and followed the "local.cplogtosyslog_policy.C" file to enter ArcSight's IP address. That's it.
FYI - I could see that from Checkpoint side as well we can create Parser- sk55020 - I never tried this.
We have the LogExporter running and the logging is sent in syslog CEF format. You can adjust your mapping file in ArcSight and it works great! 10x easier than LEA or CPLogToSyslog.
Don't know when it will be GA, but I don't think it is going to take much longer.