Olga_Kuts
Advisor

CheckPoint and ArcSight integration

We implemented CheckPoint and ArcSight integration (via OPSEC server, clear connection).

What logs will be sent to ArcSight? For example, we try to log in via Endpoint Security VPN. In CheckPoint logs we see log in and log out events, but in ArcSight we see only log out events.

Why?

12 Replies
Vladimir
Champion

Please specify the version of Check Point management server that the ArcSight is retrieving data from.

Additionally, please indicate if you are looking at the parsed or raw data on ArcSight and if any of the fields in the messages on ArcSight contain ***Confidential*** in them.

0 Kudos
Olga_Kuts
Advisor

CheckPoint management server version: R77.30.03.

We had ***Confidential*** fields, but we applied the recommendations for a clear connection between CP and ArcSight, which help to show these fields.

0 Kudos
Vladimir
Champion

Did you follow this sk, "Arcsight LEA client shows the username field as 'Confidential'", to display user names?

0 Kudos
Olga_Kuts
Advisor

No, we used sk101570, item 3.

Demith_Samaraw2
Contributor

Hi Olga

Did the work on item 3 fix the issue for you? We have the same issue, where we use an ArcSight clear connection (without an OPSEC object defined) on SmartEvent R80.10.

The following parameter shows as 1 after the given change, but I still get ***Confidential***. Did you do anything else, or just change the parameters?

echo $LEA_CLEAR_DISABLE_CONFIDENTIALITY 

1

0 Kudos
koushik_jalakam
Explorer

Hi,

We are in a planning phase to implement Smart-1 with SIEM. Can you please provide the implementation steps or procedure on how to do it?

0 Kudos
Maarten_Lutterm
Contributor

Actually, we are running an EA version of logexporter. This is a hotfix so you can send the logs already in CEF format to ArcSight. This will output all logging; you can configure yourself what logging you want to receive.

Don't know when the GA is available, but I think it will be soon.

Best regards,

Maarten Lutterman

PhoneBoy
Admin

I believe this is part of the LogOut project (discussed here previously).

That said, if you want in on the Early Availability testing, please send me a Private Message.

0 Kudos
Olga_Kuts
Advisor

Dameon,

Thanks for your proposal.

I think we will wait for this logexporter to be tested by the CheckPoint team and officially released.

0 Kudos
MartijnElzenaar
Employee

Hi, the Log Exporter tool is now officially GA, and more details can be found in sk122323.

Reza_Neshat
Explorer

Hi, is Log Exporter the same thing as LogOut? 

0 Kudos
PhoneBoy
Admin

Yes, LogOut was the internal name of the project that produced the Log Exporter utility.
