R80.10 Syslog Exporter

Via Check Point Support you can get a syslog exporter for SIEM applications for R80.10 Management.

It allows an easy and secure method for exporting Check Point logs over syslog. Exporting can be done in a few standard protocols and formats.

Log Exporter supports:

  • Splunk
  • Arcsight
  • RSA
  • LogRhythm
  • QRadar
  • McAfee

Log Exporter is a multi-threaded daemon service, running on a log server. Each log that is written on the log server is read by the log exporter daemon, transformed into the desired format and mapping, and then sent to the end target.

 

Installation on R80.10 Jumbo Hotfix Take 56 or higher.

 

Syntax:

# cp_log_export add name <name> [domain-server <domain-server>] target-server <target-server> target-port <target-port> protocol <(udp|tcp)> [optional arguments]

 

Command    Description
add        Deploy a new Check Point logs exporter.
set        Updates an exporter's configuration.
delete     Removes an exporter.
show       Prints an exporter's current configuration.
status     Shows an exporter's overview status.
start      Starts an exporter process.
stop       Stops an exporter process.
restart    Restarts an exporter process.
reexport   Resets the current position, and re-exports all logs per the configuration.

 

Regards,

Heiko

48 Replies

Re: R80.10 Syslog Exporter

Where can I get the installation package?

Vladimir

Re: R80.10 Syslog Exporter

Heiko,

If you've had a chance to use this tool, please advise if it is possible to:

1. Create separate processes for individual gateways writing to the log server?

2. Resolve gateway names before shipping logs to the destination SIEM for the "Origin" fields?

Thank you,

Vladimir

Re: R80.10 Syslog Exporter

Hello Vladimir,

You can install multiple instances of the log exporter but you cannot separate them by gateways.

The tool reads from the log files (such as fw.log) in your $FWDIR/log directory. 
There are some filtering capabilities, but for the first release, they are mostly focused on key (field) based filters and not value based filters.

You can filter by 'action' but not by 'accept'/'drop'.

We plan to add more advanced filtering capabilities in future releases.

regards,

 Yonatan 

Vladimir

Re: R80.10 Syslog Exporter

Thank you for the info.

Any plans to re-introduce syslog output directly from gateways, the R77.30 style?

Re: R80.10 Syslog Exporter

Are you referring to the OPSEC LEA tool?
If so, I personally am not aware of any such plans to refresh it, but as far as I know, that tool still exists in R80.10.

The new log exporting tool is a direct replacement for the CPLogToSyslog tool. We will be retiring the CPLogToSyslog tool, but I don't know of any plan to retire other tools (such as the OPSEC LEA tool).

Regards,

 Yonatan 

Re: R80.10 Syslog Exporter


Hi,

the tool is very helpful.

We have two customers who use it. 

Can you say something about how it's gonna be included in the next HFA?

Little note:
The syslog entry contains firewall rules and threat rules in one line, so some fields have the same name; we have the problem that we cannot index the fields in LogRhythm.

Re: R80.10 Syslog Exporter

Hello Heiko,

The plan at this point in time is to have the tool directly integrated into R80.20 (no hotfix needed).

Regarding a future R80.10 HFA integration - at this point in time we have not yet reached a decision on this subject.

As to your point on LogRhythm - it's true that there are many instances where fields will be sent more than once.
Sometimes it will be the same field (that is, both instances will have identical information) and sometimes it will be different fields, such as in the case of multiple layers (each layer will have an action field).

We plan to address the former to some degree in the next log exporter release, but the latter is inherent to the way our logs are built. I don't think there is any feasible way to resolve this while still keeping all the relevant data in the log.

Those fields appear twice because they represent data which appears twice (like the above example, of one action per layer).

We have been in contact with LogRhythm, and they are aware of the new tool, and I also know that they have been working on it from their end. 

However, I cannot speak for them and am not privy to the details of how/if they plan to address this.

Regards,

 Yonatan 
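
Since the exporter cannot drop the repeated fields without losing data, one option is to rename them on the receiving side. The following is an added example, not code from Check Point, LogRhythm or anyone in this thread: a small awk-based filter that suffixes the second and later occurrence of a key (action, action_2, action_3 ...) so a SIEM that indexes a field name only once still keeps every layer's value. The record layout and the '|' separator in the sample are assumptions made for the example; pass your exporter's actual separator as the first argument.

```sh
#!/bin/sh
# Added example (not Check Point or LogRhythm code): rename repeated field names
# in a key=value record so every value survives in a SIEM that indexes a field
# name only once. The record layout and separator below are assumptions made
# for the example; pass your exporter's separator as the first argument.

dedupe_keys() {
  # Read records from stdin, one per line. The 2nd, 3rd ... occurrence of a key
  # becomes key_2, key_3 ...; fields without '=' are passed through unchanged.
  sep=${1:-|}
  awk -v FS="[$sep]" -v OFS="$sep" '
    {
      split("", seen)                      # reset the per-record key counter
      for (i = 1; i <= NF; i++) {
        eq = index($i, "=")
        if (eq == 0) continue              # not a key=value pair
        key = substr($i, 1, eq - 1)
        val = substr($i, eq + 1)
        n = ++seen[key]
        if (n > 1) $i = key "_" n "=" val  # rebuilds $0 with OFS
      }
      print
    }'
}

# Constructed sample record: two layers each contribute an 'action' and a
# 'layer_name', which is exactly the duplication described in the thread.
SAMPLE='time=1522760590|action=Accept|layer_name=Network|action=Drop|layer_name=Application|src=10.1.1.5'

printf '%s\n' "$SAMPLE" | dedupe_keys
# prints: time=1522760590|action=Accept|layer_name=Network|action_2=Drop|layer_name_2=Application|src=10.1.1.5
```

Run it as a pre-processor in front of the SIEM's syslog listener (for example from a relay such as rsyslog or syslog-ng, both of which sk122323 lists as targets). The first value keeps its original name, so existing parsing rules keep working, and the numbered suffix tells you which layer a value came from by position.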

Re: R80.10 Syslog Exporter

Hello Yonatan,

Thanks for this info.

Regards,

Heiko

Re: R80.10 Syslog Exporter

Have you also discussed this with AlienVault? You still have a partnership with them, yes?


Re: R80.10 Syslog Exporter

I am also interested in this since I have one firewall cluster for PCI that I need to syslog only its data into a Splunk.

Admin

Re: R80.10 Syslog Exporter

We are planning to release this tool more generally very VERY soon :)

Re: R80.10 Syslog Exporter

In which hotfix?

Admin

Re: R80.10 Syslog Exporter

The official release: Logs Exporter - Check Point Logs Export 

To answer your question about "which hotfix" christian konner, it's installed over a R77.30/R80.10 management/log server (not gateway) with a recent jumbo hotfix.

Re: R80.10 Syslog Exporter

Hi, I've used the CPLogToSyslog package to export the Check Point logs (based on the CPLogToSyslog rules) to an external syslog server (Extreme Networks Management server) to automate the process of blocking IP addresses at the edge of the network via ExtremeControl NAC.

Now it seems that the new method described above is compatible only with some SIEMs, is not as general as the previous one, and, most importantly, it is not possible to define rules to filter what is important to export to the SIEM.

Is this true?

How is it possible to learn more and test the new tool to see if it is still possible to integrate with the Extreme Management syslog server?

Thanks,

Antonio


Re: R80.10 Syslog Exporter

sk122323 Logs Exporter - Check Point Logs Export  says that Log Exporter supports:

  • SIEM applications: Splunk\Arcsight\RSA\LogRhythm\QRadar\McAfee\rsyslog\ng-syslog and any other SIEM application that can run a syslog agent.

  • Protocols: syslog over TCP or UDP.

  • Formats: Syslog, CEF, LEEF, Generic.

  • Security: Mutual authentication TLS. The ability to export logs, audit, or both.

  • Filter out (don't export) firewall connections logs.

Re: R80.10 Syslog Exporter

Has anyone heard more about being able to filter out firewall connection logs (as Günther mentioned from sk122323)?

Re: R80.10 Syslog Exporter

Hi,

When will filtering out all the blades (Threat Emulation, IPS, ThreatAV, etc.) be supported?

Regards


Re: R80.10 Syslog Exporter

Hello Antonio,

We plan to address this gap in a future release.

I don't have any information about what exactly the next release will contain nor when it will be released.

I've created a log exporter guide in another post that covers this and many other questions.

You can find it at Log Exporter guide.

I hope you'll find it helpful.

Regards,

 Yonatan 

Re: R80.10 Syslog Exporter

Would it be possible to get sample sanitized logs for each blade type for development use please? 

Admin

Re: R80.10 Syslog Exporter

You should be able to stand up a test gateway with an evaluation license and generate whatever logs you need.

https://www.checkpoint.com/try-our-products/

Re: R80.10 Syslog Exporter

It sounded too good.

On my lab R80.10 with T91 it fails to work, as it seems to get in a pickle about permissions.

This showed up in /opt/CPrt-R80/log_exporter/targets/SYSLOG/log/log_indexer.elg:

[log_indexer 27834 4139846544]@fwmgmt[3 Apr 14:03:10] SyslogUDPSender::sendPacket - failed to send packet: <30>Tue Apr 3 14:03:10 CheckPoint Syslog started

[log_indexer 27834 4129356688]@fwmgmt[3 Apr 14:03:10] SyslogUDPSender::connec - failed to send initial message with handler to [loghost(-1):514]

I initiated this with:


The host loghost is known as object and it is present in /etc/hosts

Other syslog traffic from GAIA works without a problem. ..... (come to think of this. Might this be the issue?)

Re: R80.10 Syslog Exporter

Hello Hugo,

This is a known issue that stems from an attempt to improve the interface (an attempt which sadly backfired...).
The original parameter name was 'target-ip'. It was changed based on customer feedback to 'target-server', but the backend stayed the same - expecting an IP-address. 

Add to this the fact that we didn't implement a verification mechanism on the input (to make sure it's a valid IP address) and we have a bug.

We already have a task for this and it will be addressed in the next release.

For now, the simple fix is to use an IP-address for the 'target-server' parameter.

Hope this helps,

Yonatan 

Re: R80.10 Syslog Exporter

Check! That fixed my issue.

(No stroopwafels for who ever made that half way change.)

phlrnnr

Re: R80.10 Syslog Exporter

Hugo van der Kooij -  Any comment that refers to stroopwafels gets a thumbs up in my book ;-)

Biju_Nair

Re: R80.10 Syslog Exporter

I was able to configure it successfully in an MDS environment, and cp_log_export status also showed me the correct information.

But on an SMS 1-210 appliance running the latest take (103) of R80.10, when I installed and configured the log exporter I got this warning (Failed to find the env variables...), but it continued to send the logs to the syslog server.

Just later, when I tried to see the status of the same, I got this error:

It seems it somehow used the log_indexer directory instead of EXPORTERDIR, not sure why.

Any advice?


Re: R80.10 Syslog Exporter

Hello Biju,

When you install the log exporter hotfix it adds the $EXPORTERDIR environment variable.

Since the hotfix doesn't require a reboot, you need to manually reset the ssh connection for the new variable to be added to your environment.

Since you didn't log out the variable didn't exist when you tried to deploy it, and so it generated an error and used the $INDEXDIR variable instead (in the status output you can see the location is under 'log_indexer' instead of 'log_exporter').

This is not an optimal solution. I would recommend deleting the existing deployment (using the delete flag) and redeploying it so that it's deployed in the correct location. If the delete flag doesn't work you might have to manually delete the exporter (cpstop; delete the folder; cpstart).

If you want to verify whether the $EXPORTERDIR variable exists, you can just start typing it in expert mode and use auto-complete (tab) to see whether the OS environment recognizes the variable or not.

(I actually remembered this as being blocked because of those errors, but I guess I'm misremembering...)

P.S. just to clarify, this deployment should still work as expected, but as the 'show' flag error shows, it's not seamless, which is why I recommended to remove/redeploy.

Regards,

 Yonatan 

Biju_Nair

Re: R80.10 Syslog Exporter

Please see this snapshot.

Also, when I try to delete it, it doesn't allow me to. Should I try to delete the EXPORTERDIR manually?

After deleting the EXPORTERDIR manually, will it be created again automatically (after cpstart)?


Re: R80.10 Syslog Exporter

Hello,

Since the $EXPORTERDIR wasn't defined at the time of deployment, the exporter was deployed to /opt/CPrt-R80/log_indexer/targets/ (you can see the location in the show status output).

Now that the $EXPORTERDIR variable is defined it's looking for it (and trying to delete it) in the 'correct' location.

That's why I said you might have to manually delete it and then redeploy it.

I would use 'rm -r /opt/CPrt-R80/log_indexer/targets/*'  (as with any other time that you use rm with a wild card, I would advise to exercise caution and make sure you are deleting the right location/content and nothing else).

I think we could have and should have handled this scenario better. This sort of mixup and confusion is why this should have been blocked in my opinion (I already have an open RFE to block deployment in case the $EXPORTERDIR variable is not defined).

Edit: Just noticed that the command should be: cp_log_export delete name XXXX  (you're missing the name parameter)

HTH 

 Yonatan
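
Two of the problems in this thread, the 'target-server' parameter that only accepts an IP address (Hugo's loghost failure and Yonatan's explanation) and a deployment made from a shell where $EXPORTERDIR was not yet defined (Biju's case, and the RFE Yonatan mentions), can both be caught before cp_log_export runs. The following pre-flight wrapper is an added example, not part of the original thread and not Check Point's tool: it validates the arguments from the syntax line in the first post, resolves a hostname to an IPv4 address before passing it as target-server, and refuses to deploy when $EXPORTERDIR is unset. Only the argument names shown in the first post's syntax are used; the use of getent for name resolution and the sample values are assumptions.

```sh
#!/bin/sh
# Pre-flight wrapper for 'cp_log_export add' (added example, not Check Point code).
# It guards against two pitfalls discussed in this thread:
#   1. target-server is parsed as an IP address in this release, so a hostname
#      such as 'loghost' fails with "failed to send initial message" in log_indexer.elg;
#   2. $EXPORTERDIR exists only in shells opened after the hotfix install, and a
#      deployment without it lands under the log_indexer tree ($INDEXDIR) instead.
# Assumptions: getent is available for name lookups, and every value is validated
# before the command line is assembled and eval'd.

is_ipv4() {
  # Accept only a dotted quad with four octets in 0-255.
  case $1 in
    *[!0-9.]*|.*|*.|*..*) return 1 ;;
  esac
  old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
  [ $# -eq 4 ] || return 1
  for octet in "$@"; do
    [ "${#octet}" -le 3 ] && [ "$octet" -le 255 ] || return 1
  done
  return 0
}

resolve_target() {
  # Print an IPv4 address for $1: an address passes through unchanged, a hostname
  # is looked up via getent (the same /etc/hosts + DNS path the OS uses).
  if is_ipv4 "$1"; then
    printf '%s\n' "$1"
    return 0
  fi
  addr=$(getent ahostsv4 "$1" 2>/dev/null | awk 'NR == 1 { print $1 }')
  if ! is_ipv4 "$addr"; then
    echo "cannot resolve '$1' to an IPv4 address; pass the address itself" >&2
    return 1
  fi
  printf '%s\n' "$addr"
}

preflight() {
  # Refuse to deploy from a shell that predates the hotfix (no $EXPORTERDIR).
  if [ -z "${EXPORTERDIR:-}" ]; then
    echo "EXPORTERDIR is not set: log out and back in before deploying" >&2
    return 1
  fi
  if [ ! -d "$EXPORTERDIR" ]; then
    echo "EXPORTERDIR=$EXPORTERDIR is not a directory" >&2
    return 1
  fi
  return 0
}

build_add_cmd() {
  # Usage: build_add_cmd <name> <target-server> <target-port> <udp|tcp>
  # Prints the validated command line instead of running it.
  name=$1; target=$2; port=$3; proto=$4
  case $name in
    ''|*[!A-Za-z0-9_-]*) echo "name must match [A-Za-z0-9_-]+, got '$name'" >&2; return 1 ;;
  esac
  case $proto in
    udp|tcp) ;;
    *) echo "protocol must be udp or tcp, got '$proto'" >&2; return 1 ;;
  esac
  case $port in
    ''|*[!0-9]*|?????*) echo "target-port must be 1-65535, got '$port'" >&2; return 1 ;;
  esac
  if [ "$port" -lt 1 ] || [ "$port" -gt 65535 ]; then
    echo "target-port out of range: $port" >&2
    return 1
  fi
  ip=$(resolve_target "$target") || return 1
  printf 'cp_log_export add name %s target-server %s target-port %s protocol %s\n' \
    "$name" "$ip" "$port" "$proto"
}

# Dry run by default (prints the command it would issue); --run executes it
# after the preflight check. The default values below are constructed samples.
if [ "${1:-}" = "--run" ]; then
  shift
  preflight && cmd=$(build_add_cmd "$@") && eval "$cmd"
else
  [ $# -eq 0 ] && set -- siem1 192.0.2.10 514 udp
  build_add_cmd "$@"
fi
```

Typical use is 'sh cp_log_export_add.sh siem1 loghost 514 udp' first, to see the resolved command line, then the same arguments with --run from a fresh expert-mode shell once the output looks right. The name, port and protocol checks exist because the assembled line is eval'd; keeping the accepted character set narrow is what makes that safe.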