Checkpoint OPSEC LEA with LogRhythm SIEM
Hi Everyone,
I have a Smart-1 5150 device that manages 90 Check Point gateways. I want to integrate it with LogRhythm SIEM.
I created a host object for LogRhythm SIEM with its IP.
I created an OPSEC Application for it and also pulled certificates from the Check Point Smart-1 device.
Now I need to provide the information below on LogRhythm SIEM:
- opsec_sic_name "OPSEC_APP_SIC_DN"
- lea_server ip IP_ADDRESS
- lea_server auth_port 18184
- lea_server auth_type sslca
- lea_server opsec_entity_sic_name "LOG_SERVER_DN"
- opsec_sslca_file "C:\checkpoint_config\opsec.p12"
"OPSEC_APP_SIC_DN" is the DN name in the OPSEC Application, which is "CN=LogRhythm-XM,O=CP-Smart1..ksmkv" in my picture. Is this correct?
"lea_server auth_type" is sslca. Is sslca the only type, or are there other types?
"LOG_SERVER_DN": I am not sure where to collect this info. I went to the web portal of the Smart-1 device and saw the DN in the Certificate Authority tab, as below:
Is this the right DN for "LOG_SERVER_DN"? Since the Smart-1 device manages all the other firewalls, the "LOG_SERVER_DN" is the DN of the Smart01 device, right?
Because after configuring, I still can't receive any logs on LogRhythm SIEM about Check Point OPSEC. Please help me solve this issue. Thanks!
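A pre-flight check for the six settings listed in the post above, added here as an example; it is not code from the thread, from Check Point or from LogRhythm. It assumes the file uses the `name value` layout quoted in the post and that both DNs carry the same `O=` because they are issued by the same internal CA; the sample DN and IP are constructed.

```python
import re
# Constructed sample in the layout quoted in the post; DN and IP values are made up.
SAMPLE = r'''
opsec_sic_name "CN=LogRhythm-XM,O=mgmt..abc123"
lea_server ip 192.0.2.10
lea_server auth_port 18184
lea_server auth_type sslca
lea_server opsec_entity_sic_name "LOG_SERVER_DN"
opsec_sslca_file "C:\checkpoint_config\opsec.p12"
'''
PLACEHOLDERS = {"OPSEC_APP_SIC_DN", "IP_ADDRESS", "LOG_SERVER_DN"}
REQUIRED = ("opsec_sic_name", "lea_server ip", "lea_server auth_port",
            "lea_server auth_type", "lea_server opsec_entity_sic_name",
            "opsec_sslca_file")
LINE = re.compile(r'^(lea_server\s+\S+|\S+)\s+(.+)$')

def parse(text):
    """Map each setting name (two words for lea_server lines) to its unquoted value."""
    conf = {}
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if m:
            conf[" ".join(m.group(1).split())] = m.group(2).strip().strip('"')
    return conf

def dn_fields(dn):
    """Split 'CN=x,O=y' into {'cn': 'x', 'o': 'y'} (keys lower-cased)."""
    pairs = (p.split("=", 1) for p in dn.split(",") if "=" in p)
    return {k.strip().lower(): v.strip() for k, v in pairs}

def check(conf):
    """Return a list of human-readable problems; an empty list means no finding."""
    problems = [f"missing: {k}" for k in REQUIRED if k not in conf]
    problems += [f"placeholder left in: {k}" for k, v in conf.items() if v in PLACEHOLDERS]
    app = dn_fields(conf.get("opsec_sic_name", ""))
    srv = dn_fields(conf.get("lea_server opsec_entity_sic_name", ""))
    for name, dn in (("opsec_sic_name", app), ("opsec_entity_sic_name", srv)):
        if not {"cn", "o"} <= dn.keys():
            problems.append(f"{name} is not a CN=...,O=... DN")
    if app and srv:
        if app == srv:
            problems.append("application DN and log server DN are identical")
        elif app.get("o", "").lower() != srv.get("o", "").lower():
            # Assumption: both certificates come from the same internal CA.
            problems.append("O= differs between the two DNs")
    port = conf.get("lea_server auth_port", "")
    if not (port.isdigit() and 0 < int(port) < 65536):
        problems.append(f"auth_port is not a valid TCP port: {port!r}")
    return problems
```

Running `check(parse(SAMPLE))` reports the unreplaced `LOG_SERVER_DN` placeholder twice over: once as a leftover placeholder and once as a value that is not a DN.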
Thanks for your response, but I don't really understand what you are trying to say. The Smart-1 server manages all my gateways, and by default the gateways send logs to the Smart-1 server, right? I haven't configured any other external log server. All I have done is add the gateways to Smart-1 and install policy from Smart-1 to the gateways. Then I log in to Smart-1 with SmartConsole and see logs from the gateways. So Smart-1 should be my log server?
The relevant DN should show on the relevant object in SmartConsole.
In any case, Log Exporter is how we are integrating with SIEMs going forward.
Nice to know we have official support in EA.
Dear Maarten_Sjouw,
Thanks for your response, I will check the sk you referred to and give it a try. Have a nice day!
Hi,
In the last few weeks we developed a new integration with LogRhythm, based on the Log Exporter.
If you want, we can add you to the EA program so you will enjoy simple and improved integration between Check Point and LR.
We will contact you personally about it.
Thanks!
Dan.
Dear Dan_Zada,
Yes, it would be great. Please add me to it. I have both Check Point and LogRhythm in my system and I really want to make them work together.
Hi @quanglnh
I added you to our EA program.
I just sent a message with more information about it - please check your CheckMates inbox.
Regards,
Shay
Thanks a lot,
I hope we can solve this issue soon!
Hi Shay
We're in the same boat - it would be great if you could also add me to the EA to provide me with some additional information.
Thank you.
Roland
Hi @startoff
I will ask the relevant people from my group to contact you.
Could I get access to the EA as well? We have a dedicated CP log server, with our management server as fallback. Our efforts to get LEA set up to LogRhythm for this deployment have not gotten anywhere, and we would like to see about exporting via Log Exporter if Checkpoint and LogRhythm have a supported solution now.
Thanks in advance 🙂
My name is Shay and I am in charge of the LogRhythm EA program.
I sent you a private message - please check your inbox.
Regards,
Shay
We have the same issue - please also add me to the EA program to provide me with some additional information.
Thank you.
Enrique
Dear Dan
Kindly add me also; I have a similar setup.
Hello Dan_Zada,
Kindly add me to EA program.
Regards
Titus
Dear Dan
Kindly add me to the EA program
Hi Dan
Please can you add us to this EA program?
Many thanks
Stuart
Is this EA program the OPSEC LEA for 7.4.1+ Log Processing Policy or something different/new/improved? We'd like to hear more about this program.
Also, I've been searching the help site and cannot find whether the Checkpoint OPSEC application for collection supports Server Core 2019 for the Agent collector server OS?
Thank you
Eric
We have worked with and are continuing to work with a number of SIEM vendors to ensure they can properly parse the logs from Log Exporter.
See: https://community.checkpoint.com/t5/Logging-and-Reporting/Log-Exporter-guide/m-p/9035#M968
LEA in general isn't going away, but we are focusing our efforts on improving Log Exporter.
All future integrations should not use LEA and use Log Exporter instead.
With regards to LogRhythm, I'm not exactly sure where this is in the process.
Hey Dan,
Any way I can get in on this EA program as well?
Chris