This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Nathaniel_Horsc
Explorer
‎2018-11-23 03:07 AM

CEF field values of Log exporter

Im using Log exporter to forward CEF formated logs to third party SIEM tool where i want to know the default CEF field values for mapping to SIEM.

5 Replies
PhoneBoy
Admin
Admin
‎2018-11-23 10:04 AM

Not sure there are any default values as that will depend on the logs being sent.

Can you elaborate on your question a bit?

What SIEM are you trying to integrate with?

0 Kudos
DeletedUser
Not applicable
‎2018-11-23 10:45 AM

If you don't mind reading XML, check out $EXPORTERDIR/conf/CefFieldsMapping.xml. Attaching for your convenience and examples below. This is from R80.20 GA take 101.

......
<field>
<origName>action</origName>
<dstName>act</dstName>
</field>
......
<field>
<origName>severity</origName>
<dstName>cp_severity</dstName>
<callback>
<name>replace_value</name>
<args>
<arg key="default" value="Unknown"/>
<arg key="0" value="Low"/>
<arg key="1" value="Low"/>
<arg key="2" value="Medium"/>
<arg key="3" value="High"/>
<arg key="4" value="Very-High"/>
</args>
</callback>
</field>
CefFieldsMapping.xml.zip
DeletedUser
Not applicable
‎2018-11-27 11:46 AM

Also see this discussion Log Exporter CEF Field Mappings

Nathaniel_Horsc
Explorer
‎2018-12-07 03:51 AM
In response to DeletedUser

Thanks Bob, It helped. Do we have similar field mapping for Syslog format?

DeletedUser
Not applicable
‎2018-12-15 10:49 AM
In response to Nathaniel_Horsc

Sorry for the delay in answering. The syslog format essentially doesn't map to another format so, aside from the header, you'll get the Check Point field names unmapped.  

# pwd
/opt/CPrt-R80.20/log_exporter/targets/MySyslog

# grep mapping *
.....
targetConfiguration.xml: <!-- Format section determines the form (headers and mappings) of the exported logs -->
targetConfiguration.xml: <mappingConfiguration></mappingConfiguration><!--if empty the fields are sent as is without renaming-->

On a related note there is a project to better define the Check Point field names and to normalize them across products. Bit hidden right now, but you can see in R80.20 the 100+ Threat Prevention field definitions for ALL of SandBlast products (mobile, endpoint, gateway) at the bottom of sk134634: SmartView Cyber Attack View in the Field Documentation section. In the future am sure we'll do a better job of documenting these so they're not buried in an SK like this. For now check out Threat Prevention Log Field Documentation

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events