Re: Log Exporter Checkpoint R80.40

LostBoY · ‎2020-07-28

Hello,

I want to integrate my Checkpoint instance to DataDog.. i am wondering what is the best way to do so.. should i just configure a syslog server , forward all Checkpoint logs to that syslog and integrate that syslog server with datadog.

Additionally, i also came across "Log Exporter" feature in Checkpoint but i didnt get it completely. Does log exporter enables integration directly with SIEM tools ? do i need to install any additional plugins on the GWs for it to function.

PredragPetrovic · ‎2020-07-28

Hi,

There are many approaches that you can do to achieve this. So far I've used a syslog server to export logs and then ship them to the right platform (e.g. Azure Log Analytics), and in some cases I have used OPSEC integration with some vendors and systems. In essence it boils down to your preference, needs and specifications.

Cheers,

Predrag

LostBoY · ‎2020-07-28

Thanks for the reply... so it means i should export the logs to a syslog server... then add that syslog server to the SIEM Also, there is an option to create a syslog server in SmartConsole via New Object -Server and so on.. is it one and the same thing.

PredragPetrovic · ‎2020-07-28

As I have said there are multiple ways to do this. What is the most logical way its up to you... When using cp_log_export tool after adding the log export just restart the added export and it will start exporting the logs. Ensure that necessary ports are open (e.g. Azure NSG's or AWS SecurityGroups where the Syslog is located).

cp_log_export add name to_RemoteServer target-server X.X.X.X target-port 514 protocol udp format syslog

cp_log_export restart name to_RemoteServer

After what you do from the syslog its up to you and DataDog agent 🙂

LostBoY · ‎2020-07-28

Thanks, i have configured log exporter like this.. however, at the syslog server i can just see the process id and management server hostname displayed but no connection logs.. do i need to enable any thing else vis log exporter commands.

Thanks

Gomboragchaa · ‎2020-07-28

Hi @LostBoY ,

I would suggest to use Log Exporter. It is really easy to configure and you can use filter as well.

If you use the Log Exporter, the remote SIEM tool will be recieve logs through syslog. You don't need to install any other plugins.

Please find sk122323 .

LostBoY · ‎2020-07-28

Thanks for the reply.. so if i understand this correctly i need to use log exporter to send all the logs from Mgmt Server to a syslog server... i can then add that syslog server to the SIEM tool ?

LostBoY · ‎2020-07-28

Alright so i configured a log exporter in Mgmt Server.. the syslog server is in the same vlan as that of MGMT Server. I can see the process running via commands - cp_log_export status cp_log_export server However, at the syslog server end no logs are visible it is just showing the Mgmt Firewall hostname and the process id.. am i missing something here ? Thanks

gdobson · ‎2021-03-01

Hi,

did you ever solve this - I get exactly the same (R80.40) - my syslog server just receives Time/Log Server/PID - nothing useful!!

Thanks

Graham

Sven · ‎2021-03-18

Hi,

i have updated my firewall to 80.40 and as i read the log_exporter is integrated. But via ssh i can't set the command cp_log_export because of invalid command .

Can someone help me please ?

Thx.

Sven

genisis__ · ‎2021-08-05

did you run cp_log_export from expert mode? This should work.

LostBoY · ‎2021-04-14

no unfortunately i didnt get any resolution for this.. i end up exporting logs from individual gateways but it doest not serve the purpose..i guess it does not include any audit logs or deny logs

LostBoY · ‎2021-08-05

were you able to fix this ?

genisis__ · ‎2021-08-05

On R81 Log exporter basic settings can now be configured within the management object.

Are you a member of CheckMates?

Log Exporter Checkpoint R80.40