This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
lucasfn
Explorer
‎2025-07-02 08:21 AM

Duplicate events for the SIEM server via Smart Event

Hello community, I have an environment where the export logs in Smart Event are configured for a server in Syslog format.

However, the SIEM team informed me that the collection server is receiving 2 formats, CEF and Syslog. The CEF event is sending the same information as the other event that is in syslog format, but with a messed up header, whereas the correct information should be in each column within the SIEM tool.

I would like to understand why the collection server is receiving in CEF format if the export is configured to be in Syslog format.

The SIEM team performed a traffic capture and is only receiving traffic from Smart Event.

I consulted management and it is also exporting to the same SIEM server and in Syslog format. Does anyone have any idea why this CEF log is being sent? Is this normal behavior?

Labels
Preview file
20 KB
Preview file
194 KB
Preview file
313 KB
Preview file
239 KB
Preview file
391 KB
Preview file
686 KB
0 Kudos
7 Replies
the_rock
MVP Gold
MVP Gold
‎2025-07-02 12:21 PM

Can you send output of cp_log_export show?

Also, check out below file to make sure there is nothing unusual there.

From my lab, but you get an idea.

Andy

[Expert@CP-MANAGEMENT:0]# pwd
/opt/CPrt-R82/log_exporter/targets/test-log
[Expert@CP-MANAGEMENT:0]# ls
CPMICache fieldsMapping.xml log_indexer_custom_settings.conf
conf log targetConfiguration.xml
data log_exporter tmp
[Expert@CP-MANAGEMENT:0]# more targetConfiguration.xml

the_rock
MVP Gold
MVP Gold
‎2025-07-02 12:23 PM
In response to the_rock

@lucasfn 

I meant below lines specifically.

Andy

<format type="splunk"> <!--syslog | cef | rsa | leef | generic | splunk | this parameter may differ from the type of destination, for example, destination type = files/format type = CEF -->

0 Kudos
lucasfn
Explorer
‎2025-07-02 01:23 PM
In response to the_rock

I got the following feedback. I see that there is another configuration in the CEF format within Smart Event. However, the only server that is configured is this LogExporter_Test_1.

cplog_export_show.png

0 Kudos
the_rock
MVP Gold
MVP Gold
‎2025-07-02 01:24 PM
In response to lucasfn

That would most likely explain the issue.

0 Kudos
the_rock
MVP Gold
MVP Gold
‎2025-07-02 01:24 PM
In response to lucasfn

Can you delete the first entry and try?

Andy

0 Kudos
lucasfn
Explorer
‎2025-07-02 01:38 PM
In response to the_rock

I will delete it and validate it with the SIEM team. I will be back soon to tell you the result. In the meantime, I appreciate your support.

0 Kudos
the_rock
MVP Gold
MVP Gold
‎2025-07-02 04:43 PM
In response to lucasfn

Im positive that will work.

Andy

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events