We are in the process of configuring our CP environment to send logs to a managed Splunk instance. With that said, we are trying to get a definitive answer on the direction to go (LEA / Log Exporter). Our partner wants to use LEA, but it seems like that is old school and will limit us moving forward. So the questions are:
What is the road map for LEA support?
Is there any benefit of LEA over Log Exporter?
Is Log Exporter a better alternative, and why?
Is there an official Check Point position on the future of these two technologies?
Has anyone else run into this issue, and what was your selection / why?
Thanks in advance
I refer you to the following post:
https://community.checkpoint.com/t5/Logging-and-Reporting/Log-Exporter-vs-OPSEC-LEA/td-p/65738
HTH
For clarity, I want to explicitly emphasize:
Check Point's recommendation for exporting logs is to use LogExporter, not LEA.
It has better performance, stability and continues to get new features and capabilities.
Specifically for Splunk, it also has much better integration and a very cool Check Point Splunk App with views to better visualize Check Point log data.
Hi,
...Has anyone else run into this issue, and what was your selection / why? ...
We are running Log Exporter and it really matches our requirements.
Running multiple instances to multiple destinations works fine. Performance is good. Easy implementation compared to LEA or CPlogToSyslog.
Only drawback (perhaps fixed meanwhile) is that the filter on origin does not work.
Best Regards
Great news (S_E).
Happy to hear you like our new Log Exporter.
The origin field filter should work.
Which version/build are you using? Please run:
cpvinfo $EXPORTERDIR/log_exporter
cpvinfo $EXPORTERDIR/targets/<your_exporter_name>/log_exporter
cpinfo -y all (for the JHF version) too, please.
The new filtering feature for Log Exporter is only supported from JHF Take_107 onwards on R80.30.
Please install the latest R80.30 JHF (Take_191 currently, as of 05.05.20).
https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut...
From the Log Exporter sk (https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut...):
Filtering: choose what to export based on field values.
(Note: Filtering ability is integrated to Jumbo Hotfix Accumulator for R80.30 since Take_107, and to Jumbo Hotfix Accumulator for R80.20 since Take_103.)
Log Exporter works great. One caveat you have to be aware of is that the Log Exporter configuration seems to be blown away by version upgrades. We have a standalone log server separate from the management station. When we upgraded from R80.20 to R80.30, the Log Exporter configs were overwritten. The same problem occurs with your SSH configuration: if you want to change the SSH port to something other than 22, the changes you make to /etc/ssh/sshd_config are overwritten.
It's possible to include the Log Exporter config in the system backup, following
How to include the configuration of Log Exporter in system backup
or simply back up the target directory, following
How to backup and restore Log Exporter configuration on upgrades to
I would prefer LogExporter over LEA: less CPU usage, very good filtering options and some really nice integrations for a lot of the common log systems.
Wolfgang
Hi,
I would be happy to understand why the origin filter is not working; it should work.
How did you configure it?