Silver

CheckPoint and ArcSight integration

We implemented CheckPoint and ArcSight integration (via OPSEC server, clear connection).

What logs will be sent to ArcSight? For example, we try to log in via Endpoint Security VPN. In CheckPoint logs we see log in and log out events, but in ArcSight we see only log out events.

Why?

12 Replies
Pearl

Please specify the version of Check Point management server that the ArcSight is retrieving data from.

Additionally, please indicate if you are looking at the parsed or raw data on ArcSight and if any of the fields in the messages on ArcSight contain ***Confidential*** in them.

0 Kudos
Silver

CheckPoint management server version: R77.30.03.

We had ***Confidential*** fields, but we applied the recommendations for a clear connection between CP and ArcSight, which helped to show these fields.

0 Kudos
Pearl

Did you follow this "Arcsight LEA client shows the username field as 'Confidential'" sk to display user names?

0 Kudos
Silver

No, we used sk101570, item 3.

Highlighted

Hi Olga

Did the work on item 3 fix the issue for you? We have the same issue, where we use ArcSight clear connection (without an OPSEC object defined) on SmartEvent R80.10.

The following parameter shows as 1 after the given change, but I still get the ***Confidential***. Did you do anything else, or just change the parameters?

echo $LEA_CLEAR_DISABLE_CONFIDENTIALITY 

1

0 Kudos

Hi,

We are in a planning phase to implement Smart-1 with SIEM. Can you please provide implementation steps or a procedure on how to do it?

0 Kudos

Actually we are running an EA version of logexporter. This is a hotfix so you can send the logs already in CEF format to ArcSight. This will output all logging; you can configure yourself what logging you want to receive.

Don't know when the GA is available but think it will be soon.

best regards,

Maarten Lutterman

Admin

I believe this is part of the LogOut project (discussed here previously).

That said, if you want in on the Early Availability testing, please send me a Private Message.

0 Kudos
Silver

Dameon,

Thanks for your proposal.

I think we will wait for this logexporter to be tested by the CheckPoint team and officially released.

0 Kudos
Employee+

Hi, the Log Exporter tool is now officially GA, and more details can be found in sk122323.

Highlighted

Hi, is Log Exporter the same thing as LogOut? 

0 Kudos
Admin

Yes, LogOut was the internal name of the project that produced the Log Exporter utility.