cancel
Showing results for 
Search instead for 
Did you mean: 
Create a Post

CheckPoint R80.20 Management- Qradar Integration- Unknown Events (LEEF)

Hello  folks

 

I am using R80.20 Management server to manage gateways and sending logs to QRADAR using syslog via leef format. QRADAR throws connections from gateways as unknown event /unkown firewall event. 

I am specifically looking for source,destination and destination port on QRADAR for the logs which were sent from management server. 

Does anyone face similar issue ? What format is the best practice to use so that QRADAR recognizes events from logs sent by checkpoint management server ? 

 

QRADAR version: v7.3.2

 

Configuration on management server using log exporter to send logs to QRADAR

name: USECHKMGMT

     enabled: true

     target-server: QRADAR IP

     target-port: 514

     protocol: tcp

     format: leef

     read-mode: raw

 

QRADAR config: 

 

Log Source Type               Check Point

Protocol Configuration 

Log Source Identifier     

Management server ip

Enabled               

Credibility           

Target Event Collector   

Coalescing Events           

Incoming Payload Encoding

 

QRADAR unable to identify the log type on leef method. I have tried syslog, cef and generic format as well but all results are same. 

Qradar log : tempsnip.png

LEEF:2.0|Check Point|VPN-1 & FireWall-1|1.0|Drop|cat=Drop	devTime=1569285537	srcPort=63030	ifdir=inbound	ifname=WAN	loguid={0x5d8966c2,0x0,0xe5141fac,0x3fffaeca}	origin=10.69.42.13	version=1	dst=239.255.255.250	inzone=External	origin_sic_name=CN\=US-FRID-FW-1,O\=usechkmgmt..g553k9	product=VPN-1 & FireWall-1	proto=17	rule=5	rule_name=Cleanup rule	rule_uid={F700F5BC-5D35-4496-A868-C42E4E080F1B}	service=1900	src=10.69.42.58	

 

0 Kudos
3 Replies
Admin
Admin

Re: CheckPoint R80.20 Management- Qradar Integration- Unknown Events (LEEF)

0 Kudos
Highlighted
Employee
Employee

Re: CheckPoint R80.20 Management- Qradar Integration- Unknown Events (LEEF)

Hi,

There currently an effort for validating log exporter's LEEF format with IBM.

The effort is being done by both Check Point and IBM developers and is very close to the end.

 

The instructions provided by IBM are the temporary changes that showed progress in Qradar parsers but are not the final changes.

Thanks.

Admin
Admin

Re: CheckPoint R80.20 Management- Qradar Integration- Unknown Events (LEEF)

Thanks for clarifying, wasn't 100% sure of the state of our integration with QRadar.
0 Kudos