Chinmaya_Naik
Advisor

Exporting Check Point logs over syslog (LogExporter) with Log Server (CP)

Requirement: Exporting Check Point logs over Syslog (LogExporter) to SIEM.
Dedicated Log server (CP) with R77.30 GAIA OS
Step 01: Check the current Hotfix installed on the Log server (CP)
Using CLI: installed_jumbo_take and cpinfo -y all
Using WebUI: "Status and Actions" section.
Step 02: If take_338 or above already exists, skip this step (step 02); otherwise follow the process below
:- Open the WebUI of the Log Server (CP), then go to "Status and Actions", import the HOTFIX package, verify it and then install the package.
:- For the latest HotFix and installation, refer to sk106162, sk92449
Hotfix take_338 
NOTE: Verify the MD5 value
NOTE: Reboot is required
Step 03: After installation of the jumbo hotfix, the below HOTFIX needs to be installed.
Check_Point_R77.30_Log_Exporter_T25_sk122323_FULL.tgz     Link: R77.30 Log Exporter T30 (R77.30) 
R80.10 Log Exporter T41 sk122323     Link: R80.10 Log Exporter T41 (R80.10)
NOTE: Verify the MD5 value 
NOTE: Reboot is required
:- Open the WebUI of the Log Server, then go to "Status and Actions", import the HOTFIX package, verify it and then install the package.
:- Refer to sk92449 for HotFix installation using CPUSE or the legacy CLI method.

Step 04: Open the CLI of the Log Server (CP).

The below two commands need to be executed.
 
1st:   cp_log_export add name <name> [domain-server <domain-server>] target-server <target-server> target-port <target-port> protocol <(udp|tcp)> format <(syslog)|(cef)> [optional arguments] 
 
EXAMPLE : cp_log_export add name ArcSight target-server 192.168.10.6 target-port 514 protocol tcp format syslog 
 
Name:- Any name, example: ArcSight
192.168.10.5: Log server (Check Point)
 
 
2nd: cp_log_export <command-name>
EXAMPLE:
cp_log_export start (or stop / status / restart)
Step 05: Verify by running the tcpdump command.
EXAMPLE:- tcpdump -nni eth0 port 514
NOTE: Need to configure from the SIEM side as well.
NOTE: For the Jumbo Hotfix you may take the latest one as per the new release; in my case I am using take_338.
Refer to SK: sk122323 for more details.
NOTE: On R80.20 onwards there is no need to install any additional HotFix; the latest jumbo take is enough.
#Chinmaya Naik
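Once step 05 shows packets leaving on port 514, the next thing to confirm is that the SIEM side actually parses what arrives. The following is an added example, not code from the original post or from Check Point: a small Python parser for the kind of line Log Exporter emits in syslog format, an RFC 5424 header followed by a bracketed list of key:"value" fields. The sample lines are constructed, and the exact field names (action, origin, src, dst, rule_name, ...) are an assumption about the format; adjust REQUIRED to whatever your SIEM plugin expects. It checks that each line parses, that the fields a SIEM correlation rule needs are present, and counts actions so a sudden jump in unparsable or incomplete records (for example after a new take) is visible.

```python
import re
from collections import Counter

# Constructed sample lines (assumption: RFC 5424 header, then
# [key:"value"; key:"value"; ...] as Log Exporter's syslog format does).
# These are not real traffic captures.
SAMPLE_LINES = [
    '<134>1 2018-03-21T17:25:25Z gw-lab CheckPoint 13752 - [action:"Accept"; '
    'ifdir:"inbound"; ifname:"eth0"; origin:"192.168.10.5"; product:"VPN-1 & FireWall-1"; '
    'proto:"6"; src:"10.0.0.7"; dst:"192.168.10.6"; service:"514"; rule_name:"SIEM-export"]',
    '<134>1 2018-03-21T17:25:26Z gw-lab CheckPoint 13752 - [action:"Drop"; '
    'ifdir:"inbound"; ifname:"eth0"; origin:"192.168.10.5"; product:"VPN-1 & FireWall-1"; '
    'proto:"17"; src:"10.0.0.9"; dst:"192.168.10.6"; service:"23"; rule_name:"Cleanup"]',
    'garbage line that is not syslog at all',
]

# RFC 5424 header: <PRI>VERSION TIMESTAMP HOSTNAME APP-NAME PROCID MSGID [fields]
HEADER_RE = re.compile(
    r'^<(?P<pri>\d{1,3})>(?P<version>\d) (?P<ts>\S+) (?P<host>\S+) '
    r'(?P<app>\S+) (?P<pid>\S+) (?P<msgid>\S+) \[(?P<fields>.*)\]\s*$'
)
# One key:"value" pair; the value may contain backslash-escaped quotes.
FIELD_RE = re.compile(r'(\w+):"((?:[^"\\]|\\.)*)"')

# Fields a typical SIEM correlation rule needs (assumed set, tune per plugin).
REQUIRED = ("action", "origin", "src", "dst")


def parse_line(line):
    """Return a dict of header and structured fields, or None if the line
    does not have the expected shape."""
    m = HEADER_RE.match(line)
    if not m:
        return None
    rec = {k: m.group(k) for k in ("pri", "ts", "host", "app")}
    pri = int(rec["pri"])
    # PRI = facility * 8 + severity
    rec["facility"], rec["severity"] = pri >> 3, pri & 7
    rec.update(dict(FIELD_RE.findall(m.group("fields"))))
    return rec


def summarize(lines):
    """Parse every line; return (action counts, list of (line no, problem))."""
    actions = Counter()
    problems = []
    for n, line in enumerate(lines, 1):
        rec = parse_line(line)
        if rec is None:
            problems.append((n, "unparsable"))
            continue
        missing = [f for f in REQUIRED if f not in rec]
        if missing:
            problems.append((n, "missing " + ",".join(missing)))
            continue
        actions[rec["action"]] += 1
    return actions, problems


if __name__ == "__main__":
    acts, bad = summarize(SAMPLE_LINES)
    print(dict(acts))
    for n, why in bad:
        print(f"line {n}: {why}")
```

Feed it the raw lines captured on the SIEM (for example from the syslog receiver's spool file) rather than the tcpdump output; a steady stream of "unparsable" entries after a hotfix change usually means the exporter format setting or the SIEM plugin version no longer match.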
3 Replies
HeikoAnkenbrand
Champion

See this article for R80.10:

R80.10 Syslog Exporter 

Regards

Heiko

Bob_Bent
Mod

I'm curious, are you saying you used Log Exporter with the syslog format option to send Check Point logs to Alien Vault?

As far as I can tell, their documentation hasn't included this as an option yet, so I am curious to see if this is working for you.

https://www.alienvault.com/documentation/usm-anywhere/supported-plugins/configuring-checkpoint-fw1-g... 

thank you,

bob

Chinmaya_Naik
Advisor

Sorry Bob, I forgot to remove "(my case Alien Vault)".

Yes, you are correct. I also checked in the lab and it does not work. :)
