Employee+

Log Exporter vs OPSEC LEA

Hello all,

Check Point "Log Exporter" is an easy and secured method for exporting Check Point logs in a few standard protocols and formats. It supports many SIEM vendors and it has some advanced features.

The Log Exporter main features and advantages are:

  • Very easy configuration - one command to configure export to any destination
  • Secured protocols
  • Automatic formatting to many standards - CIM, CEF, Syslog, LEEF and more
  • Ability to configure your own formats
  • Built-in support for log filtering - export just what you need
  • Export links to Forensics and Threat Emulation reports
  • High exporting rate
  • Official documentation of all exporter logs fields with explanations
  • Official support by many SIEM vendors
    • Check Point app for Splunk
    • Integration with LogRhythm
    • Integration with ArcSight
    • Integration with QRadar

The Log Exporter is our main exporting tool and all new features will be added to it.

While saying that, I know that many of you are still using the old OPSEC LEA and I would like to understand the reasons for that and if there is anything we can do to help you move forward to the Log Exporter.

Please share your thoughts.


Thanks!

Dan.

10 Replies
Silver

Very interesting that you are listing LogRhythm as officially supported, as we have a customer that has LogRhythm, and while we previously set up a Log Exporter for the third party that runs the LogRhythm, I am now having to set up an OPSEC LEA for them so that they can work with the logs.

Employee+

You are right.
Over the last few months we have been working with the LogRhythm team to have official support with the Log Exporter.
Stay tuned for more information 🙂

I am currently working to move to Log Exporter instead of OPSEC LEA. I'm hoping Log Exporter provides more usable logs within Splunk than we are currently getting with OPSEC LEA. I personally find the logs too difficult to read. I rely mostly on Smart Log.

Employee+

Thank you for sharing!
When you say "SmartLog" are you referring to the old product we had in R77.30 or the logging view in R80 platform?

We have great integration between the Log Exporter and Splunk. Just use the splunk format (see SK122323) and deploy the "Check Point app for Splunk" from Splunkbase and you are ready to go.
Employee+

Hi @HeikoAnkenbrand 

Log Exporter can export more than double the logs per second compared to LEA. It also utilizes the machine resources better.

This was tested in Check Point and also in thousands of customers environments that already deployed the Log Exporter.


I'm using R80.20. Sorry, old habits.
My point is that today OPSEC LEA logs in Splunk have too much data crammed together. I would much rather use the "Check Point Logging" than Splunk.
So does the new export feature provide better readable logs in Splunk?
Employee+

Hey Dave,

If you would rather use our Check Point Logs view (the new R80.20 SmartLog), why not simply use it instead of exporting to Splunk (with either method)?

What's missing for you?


We are sending logs to Splunk via LogExporter and we can filter out a lot of unneeded information. We saved around 20-30% on the size of each event, which makes our Splunk admins happier.

Hi @Dan_Zada 

Which of the two processes (LEA service or Log Exporter service) is more performance- and resource-intensive?

Did you test that at Check Point?

I am thinking here of companies with a lot of log traffic and MDM.

Which of the processes is multi-core compatible?

I would say that LEA consumes more resources, since it encrypts those logs, which does not happen with LogExporter; it only does mutual authentication, but logs are not sent encrypted.