cancel
Showing results for 
Search instead for 
Did you mean: 
Create a Post
Highlighted

OPSEC lea missing log information

Jump to solution

Ho all,

 

We are using opsec lea to send logs to our SIEM and it is working fine, but we are missing some valuable information in the logs sent this way. For example we don't have the log information for the reason of a block, or the rule that trigger the log. Those logs are visible on the checkpoint interface but apparently opsec lea do not forward them.

Anybody knows if we can forward those information as well ?

I know that we should now use the log exporter instead of opsec lea, but our siem do not support it yet..

 

Thanks !

 

2 Solutions

Accepted Solutions
Employee+
Employee+

Re: OPSEC lea missing log information

Jump to solution

1. Logrytm - we recently released a version of log exporter that support them 

2. w log exporter we export all logs.
Some siem tools can get only leverage limited types of logs (logrythm) but most siem get all logs.
Opsec lea is also generic api and it can integrate all logs and the implementation is dependent on connector (depending on who wrote the connector) 

3. There is no good reason to use opsec lea anymore. Ttbomk log exporter is better in every way (and still like stated above, lea is still supported) 

Re: OPSEC lea missing log information

Jump to solution

Check Point supports the Syslog exporter for SIEM applications for R80.10+ managment.

Which allows an easy and secure method for exporting CP logs over syslog. Exporting can be done in few standard protocols and formats.

Log Exporter supports:

  • Splunk
  • Arcsight
  • RSA
  • LogRhythm
  • QRadar
  • McAfee

Log Exporter is a multi-threaded daemon service, running on a log server. Each log that is written on the log server is read by the log exporter daemon, transformed into the desired format and mapping, and then sent to the end target.

Tags (1)
7 Replies
Admin
Admin

Re: OPSEC lea missing log information

Jump to solution
While I do not know for certain, it could be that the information is forwarded via LEA but your SIEM doesn't process said data.
What SIEM are you using?

While we are not eliminating support for LEA anytime soon, Log Exporter is our preferred mechanism for integrating with SIEMs going forward.
0 Kudos

Re: OPSEC lea missing log information

Jump to solution

Hello,

Thanks for the answer.

I'm using logrhythm, I think  you are right the problem is on the siem side, I found few article where it works for splunk.. I also found that those field like the web filtering are available through opsec lea.

I will continue my researche on the logrhythm side.

Thanks !

0 Kudos
Amir_Rehman
Nickel

Re: OPSEC lea missing log information

Jump to solution

Hi,

I Just wanted to know what logs(blades) are exported to SIEM via LEA opsec. 

I don't seem to get remote vpn logs . I am using FortiSIEM.

Thanks

0 Kudos
Employee+
Employee+

Re: OPSEC lea missing log information

Jump to solution

1. Logrytm - we recently released a version of log exporter that support them 

2. w log exporter we export all logs.
Some siem tools can get only leverage limited types of logs (logrythm) but most siem get all logs.
Opsec lea is also generic api and it can integrate all logs and the implementation is dependent on connector (depending on who wrote the connector) 

3. There is no good reason to use opsec lea anymore. Ttbomk log exporter is better in every way (and still like stated above, lea is still supported) 

Re: OPSEC lea missing log information

Jump to solution

Check Point supports the Syslog exporter for SIEM applications for R80.10+ managment.

Which allows an easy and secure method for exporting CP logs over syslog. Exporting can be done in few standard protocols and formats.

Log Exporter supports:

  • Splunk
  • Arcsight
  • RSA
  • LogRhythm
  • QRadar
  • McAfee

Log Exporter is a multi-threaded daemon service, running on a log server. Each log that is written on the log server is read by the log exporter daemon, transformed into the desired format and mapping, and then sent to the end target.

Tags (1)

Re: OPSEC lea missing log information

Jump to solution

More read here:

R80.10 - Syslog Exporter

Tags (1)
Amir_Rehman
Nickel

Re: OPSEC lea missing log information

Jump to solution

Thank you, however I tried log exporter but I could not get all the logs in FortiSIEM. All i see is firewall logs "deny and accepted connection".

With LEA, I see get more logs in FortSIEM .i.e Identity logging, Firewall accept/deny, policy installation and object modification, Ssh logins to management server, Ips logs etc. But Cannot see remote VPN logs.