Showing results for 
Search instead for 
Did you mean: 
Create a Post
inside Logging and Reporting 6 hours ago
views 2195 1 3

Log Exporter LEEF Field Mappings

Please use this discussion as a guide to understand how Check Point syslog Log Exporter maps Check Point logs to the LEEF format. This discussion is based upon R80.30 and may change in future versions. LEEF fields have their own names such as cat, devTime, url, etc. Check Point fields such as src and dst that already match a LEEF field name do not need to be mapped from a Check Point to a LEEF name so are not covered in this discussion. Note: in this discussion we refer to the raw Check Point field value. Check Point may translate the raw field name to show a different display name in the user interface like Tracker in R77.30 or SmartConsole in R80.x. LEEF Event Components, IBM Knowledge Center The Log Event Extended Format (LEEF) is a customized event format for IBM Security QRadar. The LEEF format consists of the following components. LEEF Header Mapping The LEEF header is a required field and is composed of a pipe delimited (|) set of values that identifies Check Point events to QRadar. Check Point fields are added to the header as specified in assign_order in the file $EXPORTERDIR/conf/LeefFormatDefinition.xml: first (use first added value - default) last (use last added value) join (join between values) init (set value once to header formatted string on init and do not generate per every log) LEEF Format Header Definition Examples (note: a space is added between the “|” delimiter to make it easier to see the values). LEEF:Version | Vendor | Product | Version | Event ID | LEEF: 2.0 | Check Point | Log Update | 1.0 | Check Point Log | LEEF Version: assign_order is set to init LEEF: 2.0 Vendor: the assign_order is set to init Check Point Product: the assign_order is set to first This default is Log Update, but may also be the value from the fields; product or productname. Version: the assign_order is set to init 1.0 Event ID, the assign_order is set to init The default is Check Point Log, but may also be the value from the fields protection_name, appi_name, action. Event Attributes The event attributes identify the payload information of the event in a set of key value pairs that provide detailed information about the security event. Each event attribute is separated by the tab delimiter character. Examples key=value<tab>key=value<tab>key=value<tab>key=value<tab> src= dst= sev=5 cat=accept srcPort=81 dstPort=21 Predefined LEEF Event Attributes, IBM Knowledge Center The LEEF format contains a number of predefined name=value pairs event attributes, which allow QRadar to categorize and display the event. Log Exporter uses these keys when possible. Custom Event Keys, IBM Knowledge Center Vendors and partners have the option to define their own custom event keys and include them in the payload of the LEEF format. Check Point events that do not fall into one of the pre-defined LEEF event attributes are non-normalized, which means they are not displayed by default on the Log Activity tab of QRadar. To view custom attributes and non-normalized events on the Log Activity tab of QRadar, you must create a custom event property. Non-normalized event data is still part of your LEEF event, is searchable in QRadar, and is viewable in the event payload. Mapping of Check Point Fields to Pre-defined LEEF Event Attributes The below is the Log Exporter LEEF Field Mapping from R80.30 from $EXPORTERDIR/conf/LeefFieldsMapping.xml where origName is the Check Point raw field name and dstName is the LEEF attribute sorted by the LEEF dstName field name. Callback Functions In the name column are example uses of the callback functions where the value is replace_value. This function swaps values based on a key:value chart. We use this to map the Check Point severity (and other fields) to known LEEF values. origName dstName name key value tableName attack_information attackInformation attack_name attackName status attackStatus business_impact businessImpact action cat industry_reference cve resource destinationDnsDomain resource_table time devTime client_dst dst ipv6_dst dst received_bytes dstBytes server_inbound_bytes dstBytes client_inbound_bytes dstBytes mac_destination_address dstMAC d_port dstPort destination_port dstPort xlatedst dstPostNAT xlatedport dstPostNATPort recipient-recipients emailRecipient from emailSender sender emailSender subject emailSubject supress_logs eventsCoalesced extracted_files extractedFiles extracted_file_types extractedFileTypes extracted_hash extractedHash file_MD5 fileHash file_id fileID file_id fileId file_table file_name filename file_size fileSize filetype fileType file_name fname aggregated_file_table file_name fname file_table file_size fsize file_table OU_group identGrpName source_machine_name identHostName malware_family malware malware_activity malwareActivity packet_capture pcap performance_impact performanceImpact phone_number phoneNumber policy_name policy policy policyName profile profileName protocol proto remediated_files remediatedFiles app_risk sev replace_value default 0 app_risk sev replace_value 0 0 app_risk sev replace_value 1 2 app_risk sev replace_value 2 4 app_risk sev replace_value 3 6 app_risk sev replace_value 4 8 app_risk sev replace_value 5 10 severity sev replace_value default 0 severity sev replace_value 0 0 severity sev replace_value 1 2 severity sev replace_value 2 5 severity sev replace_value 3 8 severity sev replace_value 4 10 app_risk sev replace_value default Unknown match_table app_risk sev replace_value 0 Unknown match_table app_risk sev replace_value 1 Low match_table app_risk sev replace_value 2 Low match_table app_risk sev replace_value 3 Medium match_table app_risk sev replace_value 4 High match_table app_risk sev replace_value 5 Very-High match_table app_risk sev replace_value default Unknown primary_application app_risk sev replace_value 0 Unknown primary_application app_risk sev replace_value 1 Low primary_application app_risk sev replace_value 2 Low primary_application app_risk sev replace_value 3 Medium primary_application app_risk sev replace_value 4 High primary_application app_risk sev replace_value 5 Very-High primary_application sha1 sha1 sha256 sha256 protection_name signature client_ip src ipv6_src src sent_bytes srcBytes server_outbound_bytes srcBytes client_outbound_bytes srcBytes imsi srcMAC mac_source_address srcMAC s_port srcPort xlatesrc srcPostNAT xlatesport srcPostNATPort proxy_source_ip srcProxyIP suspicious_events suspiciousEvents destination_dns_hostname url resource url orig_from usrName user usrName
Kaloyan_Kirchev inside Logging and Reporting yesterday
views 50 1

SmartEvent not showing accurate info

Hello Guys,My Company has old CP 4800 with R77.30 which we are using for Security Checkups.I have been doing this like 3,4 times but this it get....."stuck".First I want to mention that I went through almost all articles last couple of days and did many troubleshooting steps but without any success.So, last time when appliance was at client site 'gathering' network info it get very hot. This is because it was with 4GB of ram, so CPU was all the time like 98% utilization and same for the RAM.Now, since yesterday(I was waiting weeks for delivery) it has 8GB of RAM.So, my problem is that I had 8gb of log files but SmartEvent is showing 256MB for the last 2 weeks.This is very strange. Bellow you can find some screenshots from:1. #cpstat cpsead - seems ok but the number of analyzed logs still growing2. Number of logs:3. Lately SmartEvent crashes but report is empty - 0 in size4. SmartReported DB - no logs/sec, status - processingEVERY help will be highly appreciated!I want to thank in advance for those who ever make an effort to read 🙂P.S.: I do not want to update at that moment - just want to keep raw data logs which are VERY IMPORTANT.If you have suggestion to how to do a clean/fresh/good install or refresh of the appliance saving the logs - will be perfect.P.S.2: I have logs through WinSCP at my PC.Have a nice day!Greetings K.Kirchev!
christophe inside Logging and Reporting yesterday
views 35

SNMP MIB Files for R80.30?

Hello everyone,Will there be new MIB Files for R80.30 or are there no changes to R80.20?SK: sk90470 Greetings,Chris
CHINMAYA_NAIK inside Logging and Reporting Monday
views 2348 7 5

CP Firewall Health Checkup Tool (Tools name added)

Dear Team,I need to know is there any alternative tool for checking the Firewall Health for both R77.30 or R80.1. CPSizeme (sk88160)2. (sk121447)3. CPView Utility (sk101878)4. Common Check Point Commands (ccc)(Link:-Common Check Point Commands (ccc))5. Indeni (Link:-Check Point Solution | Indeni )Please suggest me if you know any alternate tool.Based on the comments I update that tool name on the list.Thank you #Chinmaya Naik

How to restore logs and logging questions ...

Just as a disclaimer i have only been working with checkpoint products for a few months and have been somewhat thrown in at the deep end! I'm not complaining as it seems to be a good product and its the best way to learn. What is the difference between Log correlation and IndexingHow can i see what has and has not been correlated / indexed? Can i monitor the current process of correlation / indexing?In the scenario i describe below do I also need to import the policy to get the best results? #In the scenario i describe below can we be doing anything better?The situation I am in is we have been contacted by someone who needs to see the logs from around 3 months ago. We currently run a task overnight to take files that are in $FWDIR/log/ and over 10 days old zip them up and put them onto a remove server. To restore these logs i have...spun up a temporary management serverrun cpstopcopied the zipped log files into a tmp directory and then unzipped them back into $FWDIR/log/we have edited vi $INDEXERDIR/log_indexer_custom_settings.conf to include " :days_to_index (365)" run cpstart Configured the management server to run the "SmartEvent Server" and "SmartEvent Correlation Unit" and published the change.Confirmed the management server object is configured for "Enable Log Indexing" under the logs section. Confirmed the management server object is has "Delete index files older than" unticked under the Logs->Storage section. When i then go into Logs and Monitor and search for stuff in these logs i cant see anything, suggesting the log files have not been indexed? What i can do is go File -> Open Log File..., select a specific log file and then search for what i need. What i need to do is work with the full 24 hours worth of logs in one go though (we generate about a log and hour)?! If i configure a report to run on the data am i only able to run it on one log file at a time? This all seems very in-efficient for a production well known for its logging capabilities so I'm pretty sure this is PICNIC/Layer8!

All online jobs-The Correlation Unit can't connect to one of its Log Servers

Had to shutdown over the weekend for some power installation. Got in this morning, booted up the management station (R80.10) and had this errorWarning (All online jobs-The Correlation Unit can't connect to one of its Log Servers. Please make sure connectivity between the Correlation Unit and Log Server isn't blocked. There is no need to stop the job.)Would appreciate all the helpThank You

Wrong mostly weird value show ed in log

Hey check mates does anyone encountered the same issue?Logged traffic are showed with incorrect value , security gateway is 80.20 with thake 47 same as management station env is multidomain
et_splunker inside Logging and Reporting Sunday
views 47 1

Need Help in How to Ingest Checkpoint Firewall Health Status Logs into Splunk.

We are currently using the Splunk App for Checkpoint to ingest traffic logs into Splunk. We want to start ingesting firewalls health check logs (CPU, disk space, Memory utilization...) into Splunk. The logs that are being sent to the syslog server from the management server don't include these health check logs. Can we configure the management server (OPSEC LEA) to do polling on the firewalls and ingest the logs from OPSEC LEA server? Or, is there any other way to do it?
Gareth_Kik inside Logging and Reporting Friday
views 106 5

Does Check Point support Web Browser Agent Logging?

We want to find Web Browser User Agent details in to the logging. I mean this info, picture below:In the Application/URL Filtering logging events, I can see only "Web browser" name eg Chrome, but not the full Web Browser User Agent info.Can we somehow log this in the rules or it is not supported feature?
NAMKYUN_KIM inside Logging and Reporting Friday
views 84 1

Log Exporter - Log Field description

Hello All,This is Tim. I'm using Checkpoint 4600 and Log Exporter to get Syslog from device into my log server.Actually, It is pretty good well. but I don't know that when i explore the syslog which comes from checkpoint, I couldn't understand what each fields mean. link, there are lots of filed of syslog. but they don't tell us what each fields mean. So, Where can I get information of syslog field?
Michael_Horne inside Logging and Reporting Thursday
views 3559 10 1

R80.20: Administrators cannot log into Web Smartview GUI

Hello,I have a management server running R80.20.Some administrators can log into the Smartview Web GUI, while some of them can. The affected administrators can log into the Smart Console. The can access the Log and Monitoring section and can query and view logs using SmartConsole. The same user is not able to connect to the SmartView Web GUI. The message "Invalid username and password"When you look at the active sessions in the SmartConsole you can see the user has a "SmartView" session.I have recreated the affected administrators.I have restarted the management server.Does anyone have any ideas?
TheRealDiZ inside Logging and Reporting Thursday
views 1480 5

Not able to access SmartView R80.20

Hi Guys! I'm not able to access SmartView on R80.20 with error "Authentication to server failed".I'm using the same "admin" user with which I'm able to access SmartConsole, SSH, Gaia Portal. Anyone is experiencing the same?I have to configure something in specific? @RealD!Z
Michael_Goessma inside Logging and Reporting Thursday
views 351 2

SmartEvent: No Log Indexing after changing IP Address

Hi Mates,at one of my customers I have a R80.20 SmartCenter and a dedicated Logserver/SmartEvent machine running. Today I changed IP addresses of management server and log server. I did a SIC reset on the log server afterwards because it didn't come up properly.Currently, there are still no logs in SmartConsole. I can see logs in Smartview Tracker, so the firewalls are sending logs and the log server is processing them.To me it seems like the SmartEvent instance messed up its database or parts of it. The Doctor Log Script shows 2 errors:ERROR : [27 Jun 10:28:45] - Failed to find myself sic name in the registryERROR : [27 Jun 10:24:22] - Could not read from remote log server:Failed to connect to log server <Mgmt Server IP>:18184 Install Database didn't help.Any ideas, anyone?Cheers,Michael
Matt_Dunn inside Logging and Reporting a week ago
views 2854 7 2

User last login

Hi all,One thing I was really hoping R80 would provide is a simple way of reporting on user last login date/time.I can't find a way to get this info.Does anyone know how to get this? I simply want an easy way to report user login, so I can easily see which user accounts haven't been used in the last x weeks/months and target those accounts for deletion. Anyone got any ideas? This should be the easiest thing for Check Point to add, and in all these years it still hasn't happened so far as I can tell Thanks,Matt
rajesh_s inside Logging and Reporting a week ago
views 7337 10 1

Disable CBC mode cipher encryption and enable CTR or GCM cipher mode

In R77.30 i need enable the CTR or GCM cipher mode encryption instead of CBC cipher encryption, Please some one help me to fix this issue.