This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Chinmaya_Naik
Advisor
‎2018-07-18 12:17 AM

Exporting Check Point logs over syslog (LogExporter) with Log Server (CP)

Requirement: Exporting Check Point logs over Syslog (LogExporter) to SIEM.
Dedicated Log server (CP) with R77.30 GAIA OS
Step 01: Check the current Hotfix install on Log server (CP)
Using CLI: installed_jumbo_take and cpinfo -y all 
Using WebUI: "Status and Actions"  section.
Step 02: If take_338 or above is exit then skip this step (step 02) or else follow the below process
:- Open the WebUI of Log Serer (CP) then go to the "Status and Actions"  and import the HOTFIX package then verify and then install the package.
:- For Latest HotFix and installation, refer sk106162,sk92449
Hotfix take_338 
NOTE: Verify the MD5 value
 
NOTE: Reboot is required 
Step 03: After installation of jumbo hotfix needs to install the below HOTFIX.
Check_Point_R77.30_Log_Exporter_T25_sk122323_FULL.tgz     Link: R77.30 Log Exporter T30 (R77.30) 
R80.10 Log Exporter T41 sk122323     Link: R80.10 Log Exporter T41 (R80.10)
NOTE: Verify the MD5 value 
NOTE: Reboot is required
:- Open the WebUI of Log Server then go to the "Status and Actions"  and import the HOTFIX package then verify and then install the package.
:- Refer sk92449 for HotFix Installation using CPUSE or legacy CLI method.
 
Step 04: Open the CLI of Log Server (CP) server.
 
Below two command required to execute. 
 
1st:   cp_log_export add name <name> [domain-server <domain-server>] target-server <target-server> target-port <target-port> protocol <(udp|tcp)> format <(syslog)|(cef)> [optional arguments] 
 
EXAMPLE : cp_log_export add name ArcSight target-server 192.168.10.6 target-port 514 protocol tcp format syslog 
 
Name:- Any name example: ArcSight
192.168.10.5: Log server (Checkpoint)
 
 
2nd: cp_log_export  <command-name>
EXAMPLE: 
cp_log_export start      <stop / status  / restart >
Step 05:  verify by running tcpdump command.
EXAMLE:-  tcpdump -nni eth0 port '514'
NOTE: Need to configure from SIEM side as well.
NOTE: Jumbo Hotfix may you take the latest one as per the new release, my case I am using take_338
Refer SK: sk122323 for more details.
NOTE: On R80.20  onwards no need to install any additional HotFix, latest jumbo take is enough.
#Chinmaya Naik
3 Replies
HeikoAnkenbrand
Champion Champion
Champion
‎2018-07-18 03:03 AM

See this article for R80.10:

R80.10 Syslog Exporter 

Regards

Heiko

➜ CCSM Elite, CCME, CCTE ➜ www.checkpoint.tips
DeletedUser
Not applicable
‎2019-01-01 08:27 PM

I'm curious, are you saying you used Log Exporter with the syslog format option to send Check Point logs to Alien Vault?

As far as I can tell, their documentation hasn't included this as an option yet so am curious to see if this is working for you. 

https://www.alienvault.com/documentation/usm-anywhere/supported-plugins/configuring-checkpoint-fw1-g... 

thank you,

bob

0 Kudos
Chinmaya_Naik
Advisor
‎2019-01-01 10:33 PM

Sorry Bob i forget to remove  "(my case Alien Vault)".

Yes you are correct also i check in lab also its not work.Smiley Happy

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events