This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject
ABOUT CHECKMATES & FAQ
Create a Post
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Help
dantlitz
Explorer
‎2020-05-04 07:31 AM

LEA vs Log exporter to send to splunk

We are in the process of configuring our CP environment to send logs to a managed Splunk instance.  With that said we are trying to get a definitive answer on the direction to go (LEA / Log Exporter)  Our partner wants to use LEA but it seems like that is old school and will limit us moving forward.  So the questions are:

What is the road map for LEA support?

Is there any benefit of LEA over log exporter?

Is Log Exporter a better alternative and why?

Is there an official Check Point position on the future of these two technologies?

Has anyone else run into this issue and what was your section / Why?? 

 

Thanks in advance

0 Kudos
12 Replies
Tal_Paz-Fridman
Employee
Employee
‎2020-05-04 07:41 AM

I refer you that the following post:

https://community.checkpoint.com/t5/Logging-and-Reporting/Log-Exporter-vs-OPSEC-LEA/td-p/65738

 

HTH

 

0 Kudos
Tomer_Noy
Employee
Employee
‎2020-05-04 11:34 PM

For clarity, I want to explicitly emphasize:

Check Point's recommendation for exporting logs is to use LogExporter, not LEA. 

It has better performance, stability and continues to get new features and capabilities.

Specifically for Splunk, it also has much better integration and a very cool Check Point Splunk App with views to better visualize Check Point log data.

0 Kudos
S_E_
Advisor
‎2020-05-05 12:38 AM

hi

...Has anyone else run into this issue and what was your section / Why?? ...

 

We are running log exporter and it really matches our requirements. 

Running multiple instances to multiples destinations works fine. Performance is good. Easy implementation compared to LEA or CPlogToSyslog

Only drawback (perhaps fixed meanwhile) is that the filter origin does not work.

 

Best Regards

0 Kudos
Dror_Aharony
Employee
Employee
‎2020-05-05 12:50 AM
In response to S_E_

Great news (S_E).
Happy to hear you like our new log-Exporter.

 

Origin field filter should work.

Which version/build are you using?

cpvinfo $EXPORTERDIR/log_exporter

cpvinfo $EXPORTERDIR/targets/<your_exporter_name>/log_exporter

 

 

0 Kudos
S_E_
Advisor
‎2020-05-05 01:00 AM
In response to Dror_Aharony

hi,
atached is the version.
Regards

cpvinfo $EXPORTERDIR/log_exporter
** Version info attributes of '/opt/CPrt-R80.30/log_exporter/log_exporter' **

Type = executable
Name = log_indexer
Module Name = log_indexer
Build Number = 993000017
Major Release = NGX
Minor Release = heat_main
Release Number = 5.0.5
Version Name = NGX
Interface Version = 0
Implementation Version = 6
Internal Name = log_indexer
Configuration = linux50/release.static
Comments = NULL
Company Name = Check Point Software Technologies LTD.
Legal Copyright = (c) 2005-2009 Copyright Check Point Software Technologies Ltd

0 Kudos
Dror_Aharony
Employee
Employee
‎2020-05-05 01:03 AM
In response to S_E_

cpinfo -y all (for JHF version) too, please.

 

0 Kudos
S_E_
Advisor
‎2020-05-05 01:05 AM
In response to Dror_Aharony

cpinfo -y all | grep Take

This is Check Point CPinfo Build 914000191 for GAIA
Local host is not a Gateway
HOTFIX_R80_30_JUMBO_HF_MAIN Take: 50
HOTFIX_R80_30_JUMBO_HF_MAIN Take: 50
0 Kudos
Dror_Aharony
Employee
Employee
‎2020-05-05 02:25 AM
In response to S_E_

new Filtering feature for log-exporter is only supported from JHF_t107 onwards on R80.30.

Please install latest R80.30-JHF (t191 currently as of 05.05.20).
https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut...

 

 

 

from log-exporter sk (https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut...😞

Filtering: choose what to export based on field values.
(Note: Filtering ability is integrated to Jumbo Hotfix Accumulator for R80.30 since Take_107, and to Jumbo Hotfix Accumulator for R80.20 since Take_103.)

0 Kudos
John_Tomasetti
Participant
‎2020-05-11 09:14 AM
In response to Dror_Aharony

Log exporter works great. One caveat you have to be aware of is that the log exporter configuration seems to be blown away with version upgrades. We have a standalone log server separate from the management station. When we upgraded from R80.20 to R80.30 the log exporter configs were overwritten. Same problem occurs with your SSH configuration. If you want to change the SSH port from something other than 22, the changes you make to /etc/ssh/sshd_config are overwritten.

0 Kudos
Wolfgang
Mentor
Mentor
‎2020-05-11 09:44 AM
In response to John_Tomasetti

It‘s possible to include log exporter config in systembackup following

How to include the configuration of Log Exporter in system backup 

or simple backup the target directory following
How to backup and restore Log Exporter configuration on upgrades to  

I would prefer LogExporter over LEA, less CPU usage, very good filtering options and some really nice integration for a lot of the common log systems.

Wolfgang

0 Kudos
Dan_Zada
Employee Alumnus
Employee Alumnus
‎2020-05-18 05:52 AM
In response to S_E_

Hi,

I will be happy to understand why the origin filter is not working, it should work.

How did you configure it? 

0 Kudos
Dan_Zada
Employee Alumnus
Employee Alumnus
‎2020-05-18 05:54 AM

@dantlitz - Check Point's and also Splunk's recommendation is to use Log Exporter. We also released brand new Splunk application that works with the Log exporter format.
0 Kudos