OPSEC/Lea Connection to QRadar

I just need a sanity check here.  I have a customer with multiple VSs running on some 21ks.  For reasons too lengthy to go into on this thread they are moving all VSs to physical clusters.  I moved the first VS to a 6800 cluster last weekend.  

The customer has QRadar setup to the customer's CMA with an OPSEC/Lea connection.  They are telling me they are not seeing logs from the new cluster, but still see all of the old logs as they would expect.  All logs are visible in the log server including the new hardware cluster. 

I am fairly certain on this, but this customer is making me doubt myself. If you have an OPSEC/Lea connection to a log server, there is no way to filter which logs are sent, right? Or which FW logs are sent. It has to be something on the QRadar side that is filtering, I would think.

Am I mistaken here? Or is there something that I'm missing which is obvious?


Thanks,
Paul


Accepted Solution

Paul,

Hope you are doing fine. The best way to prove this is to make a packet capture via tcpdump on your management server, filtering by the QRadar sensor and the LEA port used.

By the way, I strongly recommend that you use Log Exporter from Check Point if possible. I've used it a couple of times and it works really well with QRadar.

Regards,

____________
https://www.linkedin.com/in/federicomeiners/

7 Replies
Admin
You're correct, you can't really filter logs with LEA.
This is what we are going to do. Thanks for your time.
Federico,
As the OpSec LEA connection is completely encrypted, a capture will not do him much good.

Fully agree on the Log Exporter though
Regards, Maarten
Thanks for the information Maarten 🙂
I thought the packet capture would prove that traffic is being properly sent to the SIEM, at the network level.
Maybe the SIEM is refusing connections since it's using another non-standard LEA port.
____________
https://www.linkedin.com/in/federicomeiners/
The point was: "They are telling me they are not seeing logs from the new cluster, but still see all of the old logs as they would expect."
So there is traffic accepted...
Regards, Maarten
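The capture suggested above (tcpdump on the management server, filtered on the QRadar sensor and the LEA port) and the caveat that the LEA session is encrypted, as an added example that is not part of the original thread or of any Check Point or IBM tooling: a script that reads the text output of tcpdump and reports, per QRadar connection, only what an encrypted session still reveals at the network level: whether the SYN was answered, whether it was refused with a RST, and how many bytes the log server pushed back. The host addresses, the capture lines and the interface name are constructed for the example; TCP 18184 is the default LEA port and is an assumption that must be changed if a non-standard port is configured.

```python
"""Summarize a tcpdump capture of OPSEC LEA sessions at the connection level.

Added illustration, not Check Point or IBM code. Assumes the capture was taken
on the management/log server with something like (constructed example):
    tcpdump -nn -i eth0 'host 10.0.0.50 and tcp port 18184' > lea.txt
The LEA payload is encrypted, so this reports only whether each QRadar
connection was answered, refused, and how many bytes the log server sent.
"""
import re
import sys
from collections import defaultdict

LEA_PORT = 18184  # default OPSEC LEA port (assumption; adjust to the customer's setting)

# One tcpdump -nn TCP line, e.g.
# 12:00:01.000123 IP 10.0.0.50.51234 > 10.0.0.10.18184: Flags [S], seq 1000, win 64240, length 0
LINE_RE = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): "
    r"Flags \[(?P<flags>[^\]]*)\].*?length (?P<len>\d+)"
)

# Constructed sample: one QRadar session that completes and receives data,
# one from a second sensor address that the log server refuses.
SAMPLE_CAPTURE = """\
12:00:01.000123 IP 10.0.0.50.51234 > 10.0.0.10.18184: Flags [S], seq 1000, win 64240, options [mss 1460], length 0
12:00:01.000456 IP 10.0.0.10.18184 > 10.0.0.50.51234: Flags [S.], seq 2000, ack 1001, win 65160, options [mss 1460], length 0
12:00:01.000789 IP 10.0.0.50.51234 > 10.0.0.10.18184: Flags [.], ack 1, win 502, length 0
12:00:01.002000 IP 10.0.0.50.51234 > 10.0.0.10.18184: Flags [P.], seq 1:300, ack 1, win 502, length 299
12:00:02.000000 IP 10.0.0.10.18184 > 10.0.0.50.51234: Flags [P.], seq 1:1461, ack 300, win 509, length 1460
12:00:02.000100 IP 10.0.0.10.18184 > 10.0.0.50.51234: Flags [P.], seq 1461:2001, ack 300, win 509, length 540
12:00:05.000000 IP 10.0.0.60.40001 > 10.0.0.10.18184: Flags [S], seq 5000, win 64240, options [mss 1460], length 0
12:00:05.000200 IP 10.0.0.10.18184 > 10.0.0.60.40001: Flags [R.], seq 0, ack 5001, win 0, length 0
"""


def parse_line(line):
    """Return src/dst endpoints, TCP flags and payload length, or None for non-TCP lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {
        "src": (m["src"], int(m["sport"])),
        "dst": (m["dst"], int(m["dport"])),
        "flags": m["flags"],
        "length": int(m["len"]),
    }


def summarize_lea_capture(lines, lea_port=LEA_PORT):
    """Group packets by QRadar endpoint (the side not on lea_port) and classify each session.

    Returns {(ip, port): {"state": str, "to_siem": bytes, "from_siem": bytes}}.
    Payload is never decoded: it is encrypted, so only byte counts are reported.
    """
    flows = defaultdict(lambda: {"syn": False, "synack": False, "rst": False,
                                 "to_siem": 0, "from_siem": 0})
    for line in lines:
        pkt = parse_line(line)
        if pkt is None:
            continue
        if pkt["dst"][1] == lea_port:        # QRadar -> log server
            client, from_server = pkt["src"], False
        elif pkt["src"][1] == lea_port:      # log server -> QRadar
            client, from_server = pkt["dst"], True
        else:
            continue                          # not LEA traffic, ignore
        f = flows[client]
        flags = pkt["flags"]
        if "S" in flags and not from_server:
            f["syn"] = True                   # client opened the session
        if "S" in flags and "." in flags and from_server:
            f["synack"] = True                # server accepted it
        if "R" in flags:
            f["rst"] = True
        if from_server:
            f["to_siem"] += pkt["length"]
        else:
            f["from_siem"] += pkt["length"]

    result = {}
    for client, f in flows.items():
        if f["synack"] and f["to_siem"] > 0:
            state = "established, log data flowing"
        elif f["synack"]:
            state = "established, no log data yet"
        elif f["syn"] and f["rst"]:
            state = "refused by log server (RST)"   # nothing listening on that port
        elif f["syn"]:
            state = "no answer from log server"     # blocked or dropped in transit
        else:
            state = "mid-stream (handshake not captured)"
        result[client] = {"state": state, "to_siem": f["to_siem"], "from_siem": f["from_siem"]}
    return result


if __name__ == "__main__":
    # Usage: tcpdump -nn ... | python lea_capture_summary.py   (or run with no stdin to use the sample)
    source = sys.stdin.read().splitlines() if not sys.stdin.isatty() else SAMPLE_CAPTURE.splitlines()
    for (ip, port), info in summarize_lea_capture(source).items():
        print(f"{ip}:{port}  {info['state']}  bytes to SIEM={info['to_siem']}  from SIEM={info['from_siem']}")
```

A session that shows as "established, log data flowing" for the QRadar sensor confirms the transport; if the logs from the new cluster still do not appear, the capture has nothing more to say and the filtering has to be on the QRadar side, which is where the thread ends up.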
Thanks to those that have replied.  We are going to use Log Exporter.  Not sure why QR is not seeing the new physical cluster logs, but at this point it doesn't matter.  Log Exporter is a much better solution.