Log Exporter to SIEM via CEF forwarder
Hi,
Please can someone enlighten me in the following?
Do the Check Point exported logs (via log exporter) specify which Facility (e.g. Local 7 or else) when going via a CEF forwarder into a SIEM please?
Thanks.
Hi, just to make sure, did you already review sk122323, specifically its CEF section?
If yes, and you still have questions, please elaborate.
I also encourage you to search this community for other CEF related discussions, there are quite a few.
OK, maybe I am asking the wrong question.
Has anyone any experience in setting up the Azure Monitor DCR to work with AMA (on a CEF forwarder) to ingest CP logs into a SIEM?
Due to how the AMA and DCR work, it would be great to confirm whether the log exporter logs go into a particular syslog facility on the CEF forwarder Linux servers.
I don't think they do from reading the sk, and searches, hence the question.
So, the question to the community is whether someone already deployed a Log Exporter with Azure Monitor DCR?
He's specifically asking what "facility" we use when we send logs in syslog format via Log Exporter.
The answer to that is local use 0 (local0).
Should you wish to change it, see: https://support.checkpoint.com/results/sk/sk125253
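Because a DCR syslog data source selects messages by facility, the practical check on the CEF forwarder host is to look at the PRI value in the syslog header of what actually arrives (for example from a raw capture of the inbound syslog stream) and decode it: facility is PRI // 8 and severity is PRI % 8, so local0 shows up as PRI 128 to 135. The script below, an added example that is not from the thread or from Check Point, decodes the PRI of each line, keeps only lines carrying a CEF header, and reports any CEF lines that are not on the expected facility. The sample lines are constructed; the vendor and product strings in them are placeholders, not Log Exporter's real CEF header.

```python
import re
from collections import Counter

# Standard syslog facility and severity tables (RFC 5424, section 6.2.1).
# PRI = facility * 8 + severity, so facility = PRI // 8 and severity = PRI % 8.
FACILITIES = [
    "kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
    "uucp", "cron", "authpriv", "ftp", "ntp", "security", "console", "solaris-cron",
    "local0", "local1", "local2", "local3", "local4", "local5", "local6", "local7",
]
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

PRI_RE = re.compile(r"^<(\d{1,3})>")


def decode_pri(line: str) -> tuple:
    """Return (facility, severity) names from the leading <PRI> of a syslog line."""
    m = PRI_RE.match(line)
    if not m:
        raise ValueError("no <PRI> header: %r" % line[:40])
    pri = int(m.group(1))
    if pri > 191:  # 23 * 8 + 7 is the largest valid PRI
        raise ValueError("PRI out of range: %d" % pri)
    return FACILITIES[pri // 8], SEVERITIES[pri % 8]


def is_cef(line: str) -> bool:
    """True if the syslog MSG part carries a CEF header (CEF:<version>|...)."""
    return re.search(r"CEF:\d+\|", line) is not None


def facility_report(lines, expected="local0"):
    """Tally the facility of every CEF line and collect lines not on the expected one.

    Returns (Counter of facility -> CEF line count, list of offending lines).
    Non-CEF lines (the forwarder's own local syslog traffic) are ignored.
    """
    counts = Counter()
    stray = []
    for line in lines:
        if not is_cef(line):
            continue
        facility, _ = decode_pri(line)
        counts[facility] += 1
        if facility != expected:
            stray.append(line)
    return counts, stray


# Constructed sample lines (not real Log Exporter output).
# PRI 134 = local0/info, PRI 190 = local7/info, PRI 13 = user/notice.
SAMPLE_LINES = [
    "<134>1 2024-01-01T10:00:00Z gw1 LogExporter - - - CEF:0|ExampleVendor|ExampleProduct|1.0|Accept|Accept|1|src=10.0.0.5 dst=10.0.0.9",
    "<134>1 2024-01-01T10:00:01Z gw1 LogExporter - - - CEF:0|ExampleVendor|ExampleProduct|1.0|Drop|Drop|5|src=10.0.0.7 dst=10.0.0.9",
    "<190>1 2024-01-01T10:00:02Z gw2 LogExporter - - - CEF:0|ExampleVendor|ExampleProduct|1.0|Accept|Accept|1|src=10.0.0.8 dst=10.0.0.9",
    "<13>Jan  1 10:00:03 fwd1 sshd[1234]: Accepted publickey for admin from 10.0.0.2",
]

if __name__ == "__main__":
    counts, stray = facility_report(SAMPLE_LINES)
    print("CEF lines per facility:", dict(counts))
    for line in stray:
        print("not on local0:", line[:70])
```

If the report shows CEF lines on a facility other than the one the DCR selects, the fix is on one side or the other: either adjust the facility Log Exporter sends (per sk125253 above) or widen the DCR's facility selection, rather than guessing from the sk alone.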
