Create a Post
cancel
Showing results for 
Search instead for 
Did you mean: 
Lucas_Planchere
Explorer
Jump to solution

OPSEC lea missing log information

Ho all,

 

We are using opsec lea to send logs to our SIEM and it is working fine, but we are missing some valuable information in the logs sent this way. For example we don't have the log information for the reason of a block, or the rule that trigger the log. Those logs are visible on the checkpoint interface but apparently opsec lea do not forward them.

Anybody knows if we can forward those information as well ?

I know that we should now use the log exporter instead of opsec lea, but our siem do not support it yet..

 

Thanks !

 

2 Solutions

Accepted Solutions
Dorit_Dor
Employee
Employee

1. Logrytm - we recently released a version of log exporter that support them 

2. w log exporter we export all logs.
Some siem tools can get only leverage limited types of logs (logrythm) but most siem get all logs.
Opsec lea is also generic api and it can integrate all logs and the implementation is dependent on connector (depending on who wrote the connector) 

3. There is no good reason to use opsec lea anymore. Ttbomk log exporter is better in every way (and still like stated above, lea is still supported) 

View solution in original post

HeikoAnkenbrand
Champion Champion
Champion

Check Point supports the Syslog exporter for SIEM applications for R80.10+ managment.

Which allows an easy and secure method for exporting CP logs over syslog. Exporting can be done in few standard protocols and formats.

Log Exporter supports:

  • Splunk
  • Arcsight
  • RSA
  • LogRhythm
  • QRadar
  • McAfee

Log Exporter is a multi-threaded daemon service, running on a log server. Each log that is written on the log server is read by the log exporter daemon, transformed into the desired format and mapping, and then sent to the end target.

➜ CCSM Elite, CCME, CCTE

View solution in original post

7 Replies
PhoneBoy
Admin
Admin
While I do not know for certain, it could be that the information is forwarded via LEA but your SIEM doesn't process said data.
What SIEM are you using?

While we are not eliminating support for LEA anytime soon, Log Exporter is our preferred mechanism for integrating with SIEMs going forward.
0 Kudos
Lucas_Planchere
Explorer

Hello,

Thanks for the answer.

I'm using logrhythm, I think  you are right the problem is on the siem side, I found few article where it works for splunk.. I also found that those field like the web filtering are available through opsec lea.

I will continue my researche on the logrhythm side.

Thanks !

0 Kudos
Amir_Rehman
Contributor

Hi,

I Just wanted to know what logs(blades) are exported to SIEM via LEA opsec. 

I don't seem to get remote vpn logs . I am using FortiSIEM.

Thanks

0 Kudos
Dorit_Dor
Employee
Employee

1. Logrytm - we recently released a version of log exporter that support them 

2. w log exporter we export all logs.
Some siem tools can get only leverage limited types of logs (logrythm) but most siem get all logs.
Opsec lea is also generic api and it can integrate all logs and the implementation is dependent on connector (depending on who wrote the connector) 

3. There is no good reason to use opsec lea anymore. Ttbomk log exporter is better in every way (and still like stated above, lea is still supported) 

HeikoAnkenbrand
Champion Champion
Champion

Check Point supports the Syslog exporter for SIEM applications for R80.10+ managment.

Which allows an easy and secure method for exporting CP logs over syslog. Exporting can be done in few standard protocols and formats.

Log Exporter supports:

  • Splunk
  • Arcsight
  • RSA
  • LogRhythm
  • QRadar
  • McAfee

Log Exporter is a multi-threaded daemon service, running on a log server. Each log that is written on the log server is read by the log exporter daemon, transformed into the desired format and mapping, and then sent to the end target.

➜ CCSM Elite, CCME, CCTE
HeikoAnkenbrand
Champion Champion
Champion

More read here:

R80.10 - Syslog Exporter

➜ CCSM Elite, CCME, CCTE
Amir_Rehman
Contributor

Thank you, however I tried log exporter but I could not get all the logs in FortiSIEM. All i see is firewall logs "deny and accepted connection".

With LEA, I see get more logs in FortSIEM .i.e Identity logging, Firewall accept/deny, policy installation and object modification, Ssh logins to management server, Ips logs etc. But Cannot see remote VPN logs.

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

Upcoming Events

    CheckMates Events