Hi Team,
We are facing issues in getting audit logs from Check Point R80.10. We have MicroFocus ArcSight in our environment.
We are receiving the traffic logs without any issues and they are getting parsed properly. But the audit logs which we receive in "SmartConsole" are parsed as "Log" and not much is captured in the raw event. At the same time, from other firewalls which are on R80.20 we are receiving "Log In", "Log Out", "Modify Rule" etc. events, and the username and other details are captured.
The targetconfiguration.xml settings file is set as "all"
<log_types></log_types><!--all[default]|log|audit/-->
Also, the output of cp_log_export show command on the management server is:
name: ArcSightLog
enabled: true
target-server: Agent Server IP
target-port: 514
protocol: udp
format: cef
read-mode: semi-unified
In one of the threads I saw that the domain-server argument needs to be provided while configuring the log export destination. Can someone please check the above config and tell if it was added or not?
Please help in rectifying the issue. What configuration do we need to use in order to receive audit logs from R80.10 using the Log Exporter solution?
TIA
Regards,
Mitesh Agrawal
Hi,
Please try the one below:
Mgmt_Server# cp_log_export status
name: SIEM_NAME
status: Running (88778)
last log read at: N/A
debug file: some locations would be there.
Please check the above; if it's not showing as running, then apply the command:
Mgmt_Server# cp_log_export start
Hi,
Log exporter in R80.10 and in R80.20 is working the same in terms of CEF format, in other words, the format is not changed between those versions.
So my guess is that there is a configuration problem or a network issue.
1. Are you sending both traffic logs and audit logs from the same exporter?
2. Are you running it on an MDS environment?
3. Did you check the raw event in ArcSight to see what was exported? (maybe the event is received but not parsed correctly)
Sounds to me that you need to open a support ticket and include both the answers to the above questions and attach the whole exporter directory:
$EXPORTERDIR/targets/<target-name>
Thanks for posting this.
Kobi Ohayon
SmartEvent Core team leader
Hi @Yaakov_Ohayon ,
Thanks for your reply.
How can I check whether I am sending both traffic logs and audit logs from the same exporter? I have the target configuration provided in the post which shows that "all" logs are forwarded.
Did you check the raw event in ArcSight to see what was exported? (maybe the event is received but not parsed correctly)
- Yes I have checked the raw log but the audit logs aren't there at all.
Please help.
Regards,
Mitesh Agrawal
In general, the default is to send all logs, including audit logs.
So if you say the logs are not arriving at Qradar at all, we need to investigate it either by reviewing the configuration or by running tcpdump and inspecting the traffic.
Either way, the right platform is a support ticket.
Thanks,
Kobi Ohayon
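
As a way to do the traffic inspection suggested above before opening the ticket, this added example (not from the thread or from Check Point) tallies the CEF headers of captured syslog payloads and flags audit events that carry only the generic name "Log". The sample lines are constructed, and it is an assumption that audit events show "SmartConsole" as the CEF device product and the action in the CEF Name field.

```python
from collections import Counter

# CEF header: CEF:Version|Vendor|Product|DeviceVersion|SignatureID|Name|Severity|Extension
FIELDS = ("version", "vendor", "product", "device_version",
          "signature_id", "name", "severity")

def parse_cef(line):
    """Return the CEF header fields of one syslog payload, or None if not CEF."""
    start = line.find("CEF:")
    if start < 0:
        return None
    body, fields, cur, i = line[start + 4:], [], [], 0
    while i < len(body) and len(fields) < len(FIELDS):
        ch = body[i]
        if ch == "\\" and body[i + 1:i + 2] in ("|", "\\"):
            cur.append(body[i + 1])   # \| and \\ are escaped literals in the header
            i += 2
            continue
        if ch == "|":                 # an unescaped pipe ends the current field
            fields.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
        i += 1
    if len(fields) != len(FIELDS):
        return None                   # truncated header
    return dict(zip(FIELDS, fields), extension=body[i:])

def summarize(lines, audit_product="SmartConsole"):
    """Tally (product, name) pairs and collect audit events named only 'Log'."""
    counts, generic, unparsed = Counter(), [], 0
    for line in lines:
        ev = parse_cef(line)
        if ev is None:
            unparsed += 1
            continue
        counts[(ev["product"], ev["name"])] += 1
        if ev["product"] == audit_product and ev["name"] == "Log":
            generic.append(ev)
    return counts, generic, unparsed

# Constructed sample payloads (not captured from a real exporter).
SAMPLES = [
    "<134>Dec 16 10:00:01 mgmt CEF:0|Check Point|Firewall|Check Point|Log|https|Unknown|act=Accept",
    "<134>Dec 16 10:00:02 mgmt CEF:0|Check Point|SmartConsole|Check Point|Log|Log In|Unknown|suser=admin",
    "<134>Dec 16 10:00:03 mgmt CEF:0|Check Point|SmartConsole|Check Point|Log|Modify Rule|Unknown|suser=admin",
    "<134>Dec 16 10:00:04 mgmt CEF:0|Check Point|SmartConsole|Check Point|Log|Log|Unknown|",
    "<134>Dec 16 10:00:05 mgmt plain syslog text",
]
```

If the capture contains no SmartConsole rows at all, the audit events are not leaving the exporter; if they arrive but are all named "Log" with an empty extension, the detail is missing at the source rather than lost by the SIEM parser.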