This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Olga_Kuts
Advisor
‎2018-01-22 03:04 AM

CheckPoint and ArcSight integration

We implemented CheckPoint and ArcSight integration (via OPSEC server, clear connection).

What logs will be sent to ArcSight? For example, we try to log in via Endpoint Security VPN. In CheckPoint logs we see log in and log out events, but in ArcSight we see only log out events.

Why?

Labels
12 Replies
Vladimir
Champion
Champion
‎2018-01-22 05:58 AM

Please specify the version of Check Point management server that the ArcSight is retrieving data from.

Additionally, please indicate if you are looking at the parsed or raw data on ArcSight and if any of the fields in the messages on ArcSight contain ***Confidential*** in them.

0 Kudos
Olga_Kuts
Advisor
‎2018-01-22 07:28 AM
In response to Vladimir

CheckPoint management server version: R77.30.03.

We had ***Confidential*** fields, but we apply recommendations for clear connection between CP and ArcSight, which help to show these fields.

0 Kudos
Vladimir
Champion
Champion
‎2018-01-22 07:57 AM
In response to Olga_Kuts

Did you follow this Arcsight LEA client shows the username field as "Confidential" sk to display user names?

0 Kudos
Olga_Kuts
Advisor
‎2018-01-22 08:01 AM
In response to Vladimir

No, we used sk101570, item 3.

Demith_Samaraw2
Contributor
‎2018-06-06 06:16 PM
In response to Olga_Kuts

Hi Olga

Did the work on item 3 fixed the issue for you, we have the same issue, where we use ArcSight clear connection (without OPSEC object defined), on SmartEvent R80.10

Following parameter shows as 1 after the given chage, but still I get the ***Confidential***, anything else did you do or just changing the parameters

echo $LEA_CLEAR_DISABLE_CONFIDENTIALITY 

1

0 Kudos
koushik_jalakam
Explorer
‎2018-04-10 11:03 PM
In response to Olga_Kuts

Hi,

We are in a planning phase to implement smart-1 with SIEM, can you pls provide with implementation steps or procedure on how to do it?

0 Kudos
Maarten_Lutterm
Contributor
‎2018-01-31 11:35 PM

Actually we are running an EA version of logexporter. This is a hotfix so you can send the logs already in CEF format to Arcsight. this wil output all logging you can configure yourself what logging you want to receive.

Don't know when the GA is available but think it will be soon.

best regards,

Maarten Lutterman

PhoneBoy
Admin
Admin
‎2018-02-01 04:04 PM
In response to Maarten_Lutterm

I believe this is part of the LogOut project (discussed here previously).

That said, if you want in on the Early Availability testing, please send me a Private Message.

0 Kudos
Olga_Kuts
Advisor
‎2018-02-12 12:21 AM
In response to PhoneBoy

Dameon,

Thanks for your proposal.

I think we will wait for this logexporter to be tested by the CheckPoint team and officially released.

0 Kudos
MartijnElzenaar
Employee
Employee
‎2018-03-20 06:27 AM
In response to Olga_Kuts

Hi, the Log Exporter tool is now official GA and more details can be found in sk122323

Reza_Neshat
Explorer
Explorer
‎2018-03-23 03:31 AM
In response to MartijnElzenaar

Hi, is Log Exporter the same thing as LogOut? 

0 Kudos
PhoneBoy
Admin
Admin
‎2018-03-23 04:28 AM
In response to Reza_Neshat

Yes, LogOut was the Internal name of the project that produced the Log Exporter utility.

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events