Create a Post
cancel
Showing results for 
Search instead for 
Did you mean: 
Chinmaya_Naik
Advisor

Exporting Check Point logs over syslog (LogExporter) with Log Server (CP)

Requirement: Exporting Check Point logs over Syslog (LogExporter) to SIEM.
Dedicated Log server (CP) with R77.30 GAIA OS
Step 01: Check the current Hotfix install on Log server (CP)
Using CLI: installed_jumbo_take and cpinfo -y all 
Using WebUI: "Status and Actions"  section.
Step 02: If take_338 or above is exit then skip this step (step 02) or else follow the below process
:- Open the WebUI of Log Serer (CP) then go to the "Status and Actions"  and import the HOTFIX package then verify and then install the package.
:- For Latest HotFix and installation, refer sk106162,sk92449
Hotfix take_338 
NOTE: Verify the MD5 value
 
NOTE: Reboot is required 
Step 03: After installation of jumbo hotfix needs to install the below HOTFIX.
Check_Point_R77.30_Log_Exporter_T25_sk122323_FULL.tgz     Link: R77.30 Log Exporter T30 (R77.30) 
R80.10 Log Exporter T41 sk122323     Link: R80.10 Log Exporter T41 (R80.10)
NOTE: Verify the MD5 value 
NOTE: Reboot is required
:- Open the WebUI of Log Server then go to the "Status and Actions"  and import the HOTFIX package then verify and then install the package.
:- Refer sk92449 for HotFix Installation using CPUSE or legacy CLI method.
 
Step 04: Open the CLI of Log Server (CP) server.
 
Below two command required to execute. 
 
1st:   cp_log_export add name <name> [domain-server <domain-server>] target-server <target-server> target-port <target-port> protocol <(udp|tcp)> format <(syslog)|(cef)> [optional arguments] 
 
EXAMPLE : cp_log_export add name ArcSight target-server 192.168.10.6 target-port 514 protocol tcp format syslog 
 
Name:- Any name example: ArcSight
192.168.10.5: Log server (Checkpoint)
 
 
2nd: cp_log_export  <command-name>
EXAMPLE: 
cp_log_export start      <stop / status  / restart >
Step 05:  verify by running tcpdump command.
EXAMLE:-  tcpdump -nni eth0 port '514'
NOTE: Need to configure from SIEM side as well.
NOTE: Jumbo Hotfix may you take the latest one as per the new release, my case I am using take_338
Refer SK: sk122323 for more details.
NOTE: On R80.20  onwards no need to install any additional HotFix, latest jumbo take is enough.
#Chinmaya Naik
3 Replies
This widget could not be displayed.

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

Upcoming Events

    CheckMates Events