Chinmaya_Naik
Advisor

Exporting Check Point logs over syslog (LogExporter) with Log Server (CP)

Requirement: Exporting Check Point logs over Syslog (LogExporter) to SIEM.
Dedicated Log server (CP) with R77.30 GAIA OS
Step 01: Check the current Hotfix installed on the Log Server (CP)
Using CLI: installed_jumbo_take and cpinfo -y all
Using WebUI: "Status and Actions" section.
Step 02: If take_338 or above exists, skip this step (step 02); otherwise follow the process below
:- Open the WebUI of the Log Server (CP), go to "Status and Actions", import the HOTFIX package, verify it and then install the package.
:- For the latest HotFix and installation, refer to sk106162, sk92449
Hotfix take_338 
NOTE: Verify the MD5 value
 
NOTE: Reboot is required 
Step 03: After installation of the jumbo hotfix, the below HOTFIX needs to be installed.
Check_Point_R77.30_Log_Exporter_T25_sk122323_FULL.tgz     Link: R77.30 Log Exporter T30 (R77.30) 
R80.10 Log Exporter T41 sk122323     Link: R80.10 Log Exporter T41 (R80.10)
NOTE: Verify the MD5 value 
NOTE: Reboot is required
:- Open the WebUI of the Log Server, go to "Status and Actions", import the HOTFIX package, verify it and then install the package.
:- Refer to sk92449 for HotFix installation using CPUSE or the legacy CLI method.
 
Step 04: Open the CLI of the Log Server (CP).
 
The following two commands need to be executed.
 
1st:   cp_log_export add name <name> [domain-server <domain-server>] target-server <target-server> target-port <target-port> protocol <(udp|tcp)> format <(syslog)|(cef)> [optional arguments] 
 
EXAMPLE : cp_log_export add name ArcSight target-server 192.168.10.6 target-port 514 protocol tcp format syslog 
 
Name:- Any name, example: ArcSight
192.168.10.5: Log server (Checkpoint)
 
 
2nd: cp_log_export  <command-name>
EXAMPLE: 
cp_log_export start      <stop / status  / restart >
Step 05: Verify by running the tcpdump command.
EXAMPLE:- tcpdump -nni eth0 port '514'
NOTE: Need to configure from SIEM side as well.
NOTE: For the Jumbo Hotfix you may take the latest one as per the new release; in my case I am using take_338.
Refer SK: sk122323 for more details.
NOTE: On R80.20 onwards there is no need to install any additional HotFix; the latest jumbo take is enough.
#Chinmaya Naik
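Step 05 only proves that packets leave the Log Server; it does not show whether the SIEM side can frame and parse what arrives. The following is an added example (not Check Point's code and not part of the original post): a small TCP syslog receiver you can run on the target-server host, on the configured target-port, before the real SIEM collector is in place. It handles both RFC 6587 TCP framings (octet counting and newline termination) and parses each record. The record layout it assumes (an RFC 5424 header with app-name "CheckPoint", followed by one bracketed block of key:"value"; pairs) is how Log Exporter's syslog format is commonly described; it is an assumption here, as is the constructed SAMPLE record, so compare it against your own tcpdump capture.

```python
#!/usr/bin/env python3
"""Minimal TCP syslog receiver/parser for checking a Log Exporter target.

Added example, not Check Point's code. Run `python3 this.py serve 514`
on the SIEM host (port 514 needs root) and watch the parsed records, or
run it without arguments to parse the constructed SAMPLE record.
"""
import re
import socketserver
import sys
from typing import Dict, List, Tuple

# RFC 5424 header: <PRI>VERSION TIMESTAMP HOSTNAME APP-NAME PROCID MSGID BODY
HEADER_RE = re.compile(
    r'^<(?P<pri>\d{1,3})>(?P<version>\d) (?P<ts>\S+) (?P<host>\S+) '
    r'(?P<app>\S+) (?P<procid>\S+) (?P<msgid>\S+) (?P<body>.*)$', re.S)
# Assumed Check Point body layout: [key:"value"; key:"value"; ...]
FIELD_RE = re.compile(r'(\w+):"((?:[^"\\]|\\.)*)"')

# Constructed sample record in the assumed Log Exporter syslog layout.
SAMPLE = (b'<134>1 2018-03-22T15:01:19Z cp-logsrv CheckPoint 1234 - '
          b'[action:"Accept"; src:"192.168.1.10"; dst:"10.0.0.5"; '
          b'service:"443"; product:"VPN-1 & FireWall-1"]')


def split_frames(buf: bytes) -> Tuple[List[bytes], bytes]:
    """Split a TCP byte stream into complete syslog messages.

    Supports both RFC 6587 framings: octet counting ("123 <pri>...") and
    non-transparent framing (newline terminated). Returns the complete
    messages plus the unconsumed tail to keep for the next recv().
    """
    frames: List[bytes] = []
    while buf:
        m = re.match(rb'(\d+) ', buf)
        if m:  # octet-counted frame: a real syslog record starts with '<'
            length = int(m.group(1))
            start = m.end()
            if len(buf) < start + length:
                break  # frame not complete yet
            frames.append(buf[start:start + length])
            buf = buf[start + length:]
        else:  # newline-terminated frame
            nl = buf.find(b'\n')
            if nl < 0:
                break
            frames.append(buf[:nl].rstrip(b'\r'))
            buf = buf[nl + 1:]
    return frames, buf


def parse_checkpoint_syslog(raw: bytes) -> Dict[str, object]:
    """Parse one record (assumed layout) into header fields plus a dict of
    the Check Point key/value pairs; raises ValueError on a bad header."""
    text = raw.decode('utf-8', errors='replace')
    m = HEADER_RE.match(text)
    if not m:
        raise ValueError(f'not an RFC 5424 record: {text[:60]!r}')
    pri = int(m.group('pri'))
    body = m.group('body').strip()
    if body.startswith('[') and body.endswith(']'):
        body = body[1:-1]
    return {
        'facility': pri >> 3,      # PRI = facility * 8 + severity
        'severity': pri & 7,
        'timestamp': m.group('ts'),
        'host': m.group('host'),
        'app': m.group('app'),
        'fields': dict(FIELD_RE.findall(body)),
    }


class SyslogHandler(socketserver.StreamRequestHandler):
    """One TCP connection from the Log Server; prints a summary per record."""

    def handle(self) -> None:
        pending = b''
        while True:
            chunk = self.request.recv(65536)
            if not chunk:
                break
            frames, pending = split_frames(pending + chunk)
            for frame in frames:
                try:
                    rec = parse_checkpoint_syslog(frame)
                except ValueError as exc:
                    print(f'unparsed: {exc}')
                    continue
                f = rec['fields']
                print(f"{rec['timestamp']} {rec['host']} sev={rec['severity']} "
                      f"action={f.get('action')} src={f.get('src')} dst={f.get('dst')}")


class ReusableServer(socketserver.ThreadingTCPServer):
    allow_reuse_address = True  # allow quick restarts during testing


def serve(bind: str = '0.0.0.0', port: int = 514) -> None:
    """Listen like the SIEM would on the configured target-port."""
    with ReusableServer((bind, port), SyslogHandler) as srv:
        srv.serve_forever()


if __name__ == '__main__':
    if len(sys.argv) > 1 and sys.argv[1] == 'serve':
        serve(port=int(sys.argv[2]) if len(sys.argv) > 2 else 514)
    else:
        print(parse_checkpoint_syslog(SAMPLE))
```

If records arrive but fail to parse, the layout differs from the assumption above; print the raw frame and adjust HEADER_RE or FIELD_RE accordingly. Run with protocol tcp on the cp_log_export side, since the receiver above is TCP only.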
3 Replies
HeikoAnkenbrand
Champion

See this article for R80.10:

R80.10 Syslog Exporter 

Regards

Heiko

➜ CCSM Elite, CCME, CCTE
DeletedUser
Not applicable

I'm curious, are you saying you used Log Exporter with the syslog format option to send Check Point logs to Alien Vault?

As far as I can tell, their documentation hasn't included this as an option yet, so I am curious to see if this is working for you.

https://www.alienvault.com/documentation/usm-anywhere/supported-plugins/configuring-checkpoint-fw1-g... 

thank you,

bob

Chinmaya_Naik
Advisor

Sorry Bob, I forgot to remove "(my case Alien Vault)".

Yes, you are correct. I also checked in the lab, and it does not work. :)
