Create a Post
cancel
Showing results for 
Search instead for 
Did you mean: 
Tiago_Marques
Participant

Log Exporter Integration with GrayLog

Hi Masters,

 

    please, I have one customer requesting the integration between R80.20 Security Mangement and Smart Event Server with his GrayLog (https://www.graylog.org/) , actually it is working with GELF format.

    Reading the CP LogExporter Guide, I did not find the support to GrayLog or GELF (http://docs.graylog.org/en/2.5/pages/gelf.html)  log file format.

    Please, does someone integrated CP Security Management/SmartEvent with Graylog with CP LogExporter or other tool ?

 

Sincerely.

Tiago Marques.

0 Kudos
4 Replies
PhoneBoy
Admin
Admin

I have not heard about GrayLog previously. Does it only support GELF format or does it support other formats?

0 Kudos
Tiago_Marques
Participant

Hi PhoneBoy!!!

   The customer's GrayLog version support other formats too.

   Talking with him, he will execute a lab with a CEF, for it, he will install the GrayLog Plugin to support CEF from (https://marketplace.graylog.org/addons/b2c55194-a76e-4fd7-89fd-5421188bf33f) and follow up me.

    Please, do you know some url that describes all fields of the log file ?

 

Sincerely.

Tiago Marques.

0 Kudos

Not all of the fields have been defined. Here’s a list of the raw Check Point threat prevention fields from sk134634.

https://community.checkpoint.com/t5/Logging-and-Reporting/Threat-Prevention-Log-Field-Documentation/...

 

Remember one of the benefits of Log Exporter is that it maps Check Point fields to different formats so if the SIEM consumes CEF, LEEF or CIM then you may want to use one of these Log Exporter formats. For instance.

https://community.checkpoint.com/t5/Logging-and-Reporting/Log-Exporter-CEF-Field-Mappings/m-p/41060

 

You can ask to add GELF support as an RFE. 

https://www.checkpoint.com/rfe/rfe.htm 

MK9
Contributor

If it is still relevant, you can exports log with a Splunk format to graylog and configure pipeline:

Pipeline Stages:

Stage 0:


########################
#
# extract fields (format: Splunk)
#
rule "cp_extract_fields"
when
has_field("message")
then
let msg = to_string($message.message);
set_fields(key_value(
value: msg,
delimiters: "|",
kv_delimiters: "="
));

end

 

Stage 1 (optional):

########################
#
# dns lookup field(src) for local addresses and set_field src_dns_ptr
#
rule "cp_dns_lookup_src"
when
has_field("src") AND
is_ip(to_ip($message.src)) == true AND
(cidr_match("10.0.0.0/8", to_ip($message.src)) OR cidr_match("192.168.0.0/16", to_ip($message.src)) OR cidr_match("172.16.0.0/12", to_ip($message.src)))
//has_field("src")
then
let src_dns_ptr = lookup_value("cp-dns-ptr", $message.src, "debug");
set_field("src_dns_ptr", src_dns_ptr);
end

########################
#
# dns lookup field(dst) for local addresses and set_field dst_dns_ptr
#
rule "cp_dns_lookup_dst"
when
has_field("dst") AND
is_ip(to_ip($message.dst)) == true AND
(cidr_match("10.0.0.0/8", to_ip($message.dst)) OR cidr_match("192.168.0.0/16", to_ip($message.dst)) OR cidr_match("172.16.0.0/12", to_ip($message.dst)))
//has_field("dst")
then
let dst_dns_ptr = lookup_value("cp-dns-ptr", $message.dst, "debug");
set_field("dst_dns_ptr", dst_dns_ptr);
end

########################
#
# set_field direction="external_conns" if src ip not local
#
rule "cp_check_external_conns"
when
has_field("src") AND
is_ip(to_ip($message.src)) == true AND NOT
(cidr_match("10.0.0.0/8", to_ip($message.src)) OR cidr_match("192.168.0.0/16", to_ip($message.src)) OR cidr_match("172.16.0.0/12", to_ip($message.src)) OR cidr_match("0.0.0.0/32", to_ip($message.src)))
//has_field("src")
then
//let src_dns_ptr = lookup_value("cp-dns-ptr", $message.src, "debug");
set_field("direction", "external_conns");
end

########################
#
# convert time and set_field time_converted
#
rule "cp_convert_field_time"
when
has_field("time")
then
let time_converted = parse_unix_milliseconds(to_long(concat(to_string($message.time), "000")), "Europe/Moscow")
;
set_field("time_converted", time_converted);
end

########################
#
# set_field rule_name="not_defined" if missed rule_name
#
rule "cp_blank_rule_name"
when
has_field("rule") AND NOT has_field("rule_name")
//has_field("src")
then
set_field("rule_name", "not_defined");
end

0 Kudos