Olga_Kuts
Silver

CheckPoint and ArcSight integration

We implemented CheckPoint and ArcSight integration (via OPSEC server, clear connection).

What logs will be sent to ArcSight? For example, we try to log in via Endpoint Security VPN. In CheckPoint logs we see log in and log out events, but in ArcSight we see only log out events.

Why?

12 Replies
Vladimir
Pearl

Re: CheckPoint and ArcSight integration

Please specify the version of Check Point management server that the ArcSight is retrieving data from.

Additionally, please indicate if you are looking at the parsed or raw data on ArcSight and if any of the fields in the messages on ArcSight contain ***Confidential*** in them.

0 Kudos
Olga_Kuts
Silver

Re: CheckPoint and ArcSight integration

CheckPoint management server version: R77.30.03.

We had ***Confidential*** fields, but we applied the recommendations for a clear connection between CP and ArcSight, which helped to show these fields.

0 Kudos
Vladimir
Pearl

Re: CheckPoint and ArcSight integration

Did you follow this sk, 'ArcSight LEA client shows the username field as "Confidential"', to display user names?

0 Kudos
Olga_Kuts
Silver

Re: CheckPoint and ArcSight integration

No, we used sk101570, item 3.

0 Kudos

Re: CheckPoint and ArcSight integration

Hi Olga,

Did the work on item 3 fix the issue for you? We have the same issue, where we use an ArcSight clear connection (without an OPSEC object defined), on SmartEvent R80.10.

The following parameter shows as 1 after the given change, but I still get ***Confidential***. Did you do anything else, or just change the parameters?

echo $LEA_CLEAR_DISABLE_CONFIDENTIALITY 

1

0 Kudos

Re: CheckPoint and ArcSight integration

Hi,

We are in a planning phase to implement Smart-1 with SIEM. Can you please provide us with implementation steps or a procedure on how to do it?

0 Kudos

Re: CheckPoint and ArcSight integration

Actually, we are running an EA version of logexporter. This is a hotfix so you can send the logs already in CEF format to ArcSight. This will output all logging; you can configure yourself what logging you want to receive.

Don't know when the GA is available, but I think it will be soon.

Best regards,

Maarten Lutterman

Admin

Re: CheckPoint and ArcSight integration

I believe this is part of the LogOut project (discussed here previously).

That said, if you want in on the Early Availability testing, please send me a Private Message.

0 Kudos
Olga_Kuts
Silver

Re: CheckPoint and ArcSight integration

Dameon,

Thanks for your proposal.

I think we will wait for this logexporter to be tested by the CheckPoint team and officially released.

0 Kudos
Employee+

Re: CheckPoint and ArcSight integration

Hi, the Log Exporter tool is now officially GA and more details can be found in sk122323.

Re: CheckPoint and ArcSight integration

Hi, is Log Exporter the same thing as LogOut? 

0 Kudos
Admin

Re: CheckPoint and ArcSight integration

Yes, LogOut was the internal name of the project that produced the Log Exporter utility.