ThomasD
Ivory

Sending Check Point logs via LogExporter to SkyBox

Hello,

I am curious if anyone has successfully sent Check Point logs to SkyBox via the LogExporter tool.  I was able to send the syslogs to the SkyBox server, but apparently SkyBox cannot interpret it correctly due to a date/time format issue.

According to SkyBox, they are expecting the format below from Check Point CMA (Provider-1):

2013-01-06 16:07:55 Local4.Info 10.1.1.1 cma1: 16Sep2012 15:53:54 accept 10.2.2.2 >eth0 rule: 1; rule_uid: {42B0B1D4-73B6-4FEC-97D0-9BBE0AF18742}; service_id: ssh_version_2; src: 192.168.1.1; dst: 10.2.2.2; proto: tcp; product: VPN-1 & FireWall-1; service: 22; s_port: 53753; product_family: Network;

But, this is what SkyBox is receiving from the Provider-1 instead:

Jun  5 04:00:01 XXXXXXXXXX 2019-06-05T07:59:58Z XXXXXXXXXX CheckPoint 9066 - [action:"XXXXXXXXXX"; flags:"XXXXXXXXXX"; ifdir:"XXXXXXXXXX"; ifname:"XXXXXXXXXX"; loguid:"XXXXXXXXXX"; origin:"XXXXXXXXXX"; time:"XXXXXXXXXX"; version:"XXXXXXXXXX"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={XXXXXXXXXX};mgmt=XXXXXXXXXX;date=XXXXXXXXXX;policy_name=XXXXXXXXXX]"; dst:"XXXXXXXXXX"; origin_sic_name:"XXXXXXXXXX,O=XXXXXXXXXX"; product:"XXXXXXXXXX"; proto:"XXXXXXXXXX"; rule:"XXXXXXXXXX"; rule_name:"XXXXXXXXXX"; rule_uid:"{XXXXXXXXXX"; s_port:"XXXXXXXXXX"; service:"XXXXXXXXXX"; src:"XXXXXXXXXX"; ]

Thank you in advance for your help/suggestions.

Thomas
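
An added illustration (mine, not from the thread, Check Point or Skybox) of the two layouts quoted in the post written as parsers: the Log Exporter line carries an ISO 8601 UTC timestamp and quoted key:"value"; pairs, while the fw-log style line carries a DDMonYYYY timestamp with no zone designator and unquoted key: value; pairs, so a consumer written for one layout rejects the other outright. Hostnames and field values in the sample lines are constructed placeholders.

```python
import re
from datetime import datetime, timezone

# Constructed sample lines (placeholder hosts/values) modelled on the two layouts in the post.
LOG_EXPORTER_LINE = (
    'Jun  5 04:00:01 relay01 2019-06-05T07:59:58Z mgmt01 CheckPoint 9066 - '
    '[action:"accept"; ifdir:"inbound"; ifname:"eth0"; origin:"10.2.2.2"; '
    '__policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={TAG};mgmt=mgmt01]"; dst:"10.2.2.2"; '
    'proto:"tcp"; rule:"1"; rule_uid:"{42B0B1D4-73B6-4FEC-97D0-9BBE0AF18742}"; s_port:"53753"; '
    'service:"22"; src:"192.168.1.1"; product:"VPN-1 & FireWall-1"; ]')
LEA_STYLE_LINE = (
    '2013-01-06 16:07:55 Local4.Info 10.1.1.1 cma1: 16Sep2012 15:53:54 accept 10.2.2.2 >eth0 '
    'rule: 1; rule_uid: {42B0B1D4-73B6-4FEC-97D0-9BBE0AF18742}; src: 192.168.1.1; dst: 10.2.2.2; '
    'proto: tcp; product: VPN-1 & FireWall-1; service: 22; s_port: 53753;')

# Log Exporter syslog: relay header, ISO 8601 UTC timestamp, "CheckPoint <n> -", then [key:"value"; ...]
_LX_HEADER = re.compile(
    r'^[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d \S+ (?P<ts>\d{4}-\d\d-\d\dT\d\d:\d\d:\d\dZ) '
    r'\S+ CheckPoint \d+ - \[(?P<body>.*)\]$')
_LX_PAIR = re.compile(r'(\w+):"([^"]*)"')  # quoted values: ';' or ']' inside a value is harmless

# fw-log style (what Skybox expects): relay header, "DDMonYYYY HH:MM:SS action origin <dir>ifname",
# then unquoted "key: value;" pairs where ';' is the only delimiter
_LEA_HEADER = re.compile(
    r'^\d{4}-\d\d-\d\d \d\d:\d\d:\d\d \S+ \S+ \S+: (?P<ts>\d{1,2}[A-Z][a-z]{2}\d{4} \d\d:\d\d:\d\d) '
    r'(?P<action>\S+) (?P<origin>\S+) (?P<dir>[<>])(?P<ifname>\S+) (?P<body>.*)$')
_LEA_PAIR = re.compile(r'(\w+): ([^;]*);')

def parse_log_exporter(line):
    m = _LX_HEADER.match(line)
    if not m:
        return None
    ts = datetime.strptime(m['ts'], '%Y-%m-%dT%H:%M:%SZ').replace(tzinfo=timezone.utc)
    return {'format': 'log_exporter', 'event_time': ts, 'fields': dict(_LX_PAIR.findall(m['body']))}

def parse_lea_style(line):
    m = _LEA_HEADER.match(line)
    if not m:
        return None
    fields = dict(_LEA_PAIR.findall(m['body']))
    # positional header fields folded in; the direction marker is kept raw, not interpreted
    fields.update(action=m['action'], origin=m['origin'], ifname=m['ifname'], ifdir_marker=m['dir'])
    ts = datetime.strptime(m['ts'], '%d%b%Y %H:%M:%S')  # no zone designator: naive local time
    return {'format': 'lea_style', 'event_time': ts, 'fields': fields}

def parse_any(line):
    """Try both layouts; a consumer that knows only one of them returns None for the other."""
    return parse_log_exporter(line) or parse_lea_style(line)
```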

Accepted Solutions

Re: Sending Check Point logs via LogExporter to SkyBox

Hi Thomas, I apologize for the mixed messaging.

Check Point's Log Exporter is 100% standard output format. If we hadn't gone with the standards, we wouldn't have been accepted as verified partners of Splunk, ArcSight and AlienVault.

I reached out to Skybox. The reason why Log Exporter is not officially supported by Skybox is that it is technologically different from LEA. So at the moment, in order to use Skybox, LEA must be accepted.

Check Point is working with Skybox and the rest of our technology partners in order to increase adoption of Log Exporter. LEA is still supported in all versions; however, we encourage everyone to move to Log Exporter for efficiency, standardized formats, and TLS support.

3 Replies

Re: Sending Check Point logs via LogExporter to SkyBox

Not sure it will matter, but which log exporter format did you choose? Does Skybox have a preference?
ThomasD
Ivory

Re: Sending Check Point logs via LogExporter to SkyBox

I was told by the SkyBox team that SkyBox expects "structured syslog format".
