Log Exporter vs OPSEC LEA
Hello all,
Check Point "Log Exporter" is an easy and secure method for exporting Check Point logs in several standard protocols and formats. It supports many SIEM vendors and has some advanced features.
The Log Exporter's main features and advantages are:
- Very easy configuration - one command to configure export to any destination
- Secure protocols
- Automatic formatting to many standards - CIM, CEF, Syslog, LEEF and more
- Ability to configure your own formats
- Built-in support for log filtering - export just what you need
- Export links to Forensics and Threat Emulation reports
- High export rate
- Official documentation of all exported log fields with explanations
- Official support by many SIEM vendors
- Check Point app for Splunk
- Integration with LogRhythm
- Integration with ArcSight
- Integration with QRadar
The Log Exporter is our main exporting tool, and all new features will be added to it.
That said, I know that many of you are still using the old OPSEC LEA, and I would like to understand the reasons for that and whether there is anything we can do to help you move forward to the Log Exporter.
Please share your thoughts.
Thanks!
Dan.
Very interesting that you are listing LogRhythm as officially supported, as we have a customer that has LogRhythm, and whilst I previously set up a Log Exporter for the third party that does the LogRhythm, I am now having to set up an OPSEC LEA for them so that they can work with the logs.
During the last months we have been working with the LogRhythm team to have official support for the Log Exporter.
Stay tuned for more information 🙂
I am currently working to move to Log Exporter instead of OPSEC LEA. I'm hoping Log Exporter provides more usable logs in Splunk than we are currently getting with OPSEC LEA. I personally find the logs too difficult to read. I rely mostly on SmartLog.
When you say "SmartLog" are you referring to the old product we had in R77.30 or the logging view in R80 platform?
We have great integration between the Log Exporter and Splunk. Just use the splunk format (see SK122323) and deploy the "Check Point app for Splunk" from Splunkbase and you are ready to go.
Log Exporter can export more than double the logs per second that LEA can. It also utilizes the machine resources better.
This was tested at Check Point and also in thousands of customer environments that have already deployed the Log Exporter.
My point is that today the OPSEC LEA logs in Splunk have too much data crammed together. I would much rather use the "Check Point Logging" than Splunk.
So does the new export feature provide more readable logs in Splunk?
Hey Dave,
If you'd rather use our Check Point Logs view (the new R80.20 SmartLog), why not simply use it instead of exporting to Splunk (by either method)?
What's missing for you?
Hi @Dan_Zada
Which of the two processes (LEA service or Log Exporter service) is more performance- and resource-intensive?
Did you test that at Check Point?
I am thinking here of companies with a lot of log traffic and MDM.
Which of the processes is multi-core capable?
Hello,
I have a question regarding the Log Exporter feature. As I understand it, it is a FORWARDING model rather than a PULL model like the legacy OPSEC LEA.
We have an MDS/MLM setup.
From time to time our gateways log locally (a different issue we have been looking at for a long time already), and we configured them in SmartConsole to send these local log files to the logging servers on a specified schedule. These files are prefixed with the gateway hostname. It seems that the Splunk setup with legacy OPSEC LEA (unless some scripting is employed) is unable to pull/parse files other than the actual log file on the logging server, so we are missing logs there.
My question is: when such a log file is received from the gateway on the logging server and re-indexing is completed (or even before), will it also be automatically forwarded by Log Exporter to Splunk?
Thank you.
Hi,
I started using the LEEF format over LEA for QRadar, and I find the push-based approach to be more reliable. However, I cannot see complete logs, especially in the IPS "Exploits" logs. I can only see the source IP, but not the destination IP, destination port or source port in the logs in my QRadar. Is there something I need to fix somewhere to get complete logs? I am using version R81.
In case anyone is interested, set the read mode to semi-unified in expert mode with the command below:
cp_log_export set name <name> read-mode semi-unified
Command to view the log exporters:
cp_log_export show
If the log exporter was created using the SmartConsole UI:
1. In Objects > Servers > Log Exporter/SIEM, select the object.
2. Right-click the object and select Edit.
3. In the left pane, select Data Manipulation.
4. Check "Aggregate log updates before export".
5. Publish and install policy.
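The following is an added example, not code from Check Point or from any poster in this thread. It illustrates why the fix above works: in raw read mode the Log Exporter forwards the initial log record and every later update record as separate events, so a SIEM that indexes them as unrelated events may show only the fields of the first one (source IP but no destination or ports, as in the IPS case described earlier). The script parses LEEF lines and merges records that share a log identifier, which is what "semi-unified" / "Aggregate log updates before export" does on the exporter side. Assumptions: the join key is the `loguid` attribute, the LEEF header uses the 2.0 layout with a hex-encoded delimiter, and the sample lines (vendor/product strings included) are constructed for the example.

```python
"""Merge split Check Point log records the way a semi-unified export would.

Added example (not Check Point code).  Raw read-mode exports the initial
record and each update as separate LEEF events; semi-unified mode merges
the updates into one record before export.  Here we do the merge ourselves
to show which fields a SIEM would miss if it only indexed the first event.
Assumption: records belonging to one log share the 'loguid' attribute.
"""
from collections import OrderedDict

# Constructed sample: one IPS event exported in raw mode as three records
# (the first carries only the source; later updates add destination, ports
# and the protection name), plus one ordinary accept log for contrast.
# Vendor/product strings are placeholders, not exact Log Exporter output.
RAW_EVENTS = [
    "LEEF:2.0|Check Point|Firewall|1.0|Detect|x09|loguid={0x1}\tsrc=10.1.1.5\tproduct=IPS",
    "LEEF:2.0|Check Point|Firewall|1.0|Detect|x09|loguid={0x1}\tdst=192.0.2.10\tdstPort=443\tsrcPort=51000",
    "LEEF:2.0|Check Point|Firewall|1.0|Detect|x09|loguid={0x1}\tprotection_name=Example Signature\tseverity=High",
    "LEEF:2.0|Check Point|Firewall|1.0|Accept|x09|loguid={0x2}\tsrc=10.1.1.6\tdst=192.0.2.11\tdstPort=80",
]

# Fields the QRadar user above expected to see in every connection-style event.
REQUIRED = ("src", "dst", "srcPort", "dstPort")


def parse_leef(line):
    """Parse one LEEF 2.0 line into a dict with the header and an attribute map."""
    parts = line.split("|", 6)  # header has 6 fields, attributes may contain '|'
    if len(parts) != 7 or not parts[0].startswith("LEEF:"):
        raise ValueError("not a LEEF 2.0 record: %r" % line[:40])
    version, vendor, product, prod_version, event_id, delim, attrs = parts
    # LEEF 2.0 allows the attribute delimiter as a literal char or as hex, e.g. x09.
    if len(delim) > 1 and delim[0] in "xX":
        delim = chr(int(delim[1:], 16))
    fields = OrderedDict()
    for kv in attrs.split(delim):
        if not kv:
            continue
        key, _, value = kv.partition("=")
        fields[key] = value
    return {"event_id": event_id, "vendor": vendor, "product": product,
            "fields": fields}


def merge_by_loguid(records):
    """Collapse initial record + updates into one record per loguid.

    Later records add fields and override earlier values, which is the
    behaviour a consumer sees from a semi-unified (aggregated) export.
    Records without a loguid are kept as-is under a unique key.
    """
    merged = OrderedDict()
    for rec in records:
        key = rec["fields"].get("loguid") or ("no-loguid-%d" % len(merged))
        if key not in merged:
            merged[key] = {"event_id": rec["event_id"], "fields": OrderedDict()}
        merged[key]["fields"].update(rec["fields"])
    return merged


def missing_fields(fields, required=REQUIRED):
    """Return the required attribute names absent from one record."""
    return [name for name in required if name not in fields]


def compare_raw_vs_merged(lines):
    """For each loguid, report missing fields in the first raw event vs the merged one."""
    records = [parse_leef(l) for l in lines]
    first_seen = OrderedDict()
    for rec in records:
        first_seen.setdefault(rec["fields"].get("loguid"), rec)
    merged = merge_by_loguid(records)
    return {key: {"raw_first_missing": missing_fields(first_seen[key]["fields"]),
                  "merged_missing": missing_fields(merged[key]["fields"])}
            for key in merged}


if __name__ == "__main__":
    for loguid, report in compare_raw_vs_merged(RAW_EVENTS).items():
        print(loguid, report)
```

Run it and the `{0x1}` IPS log shows `dst`, `srcPort` and `dstPort` missing from the first raw event but present once the updates are merged; the `{0x2}` log still lacks `srcPort` after merging, because no record ever carried it. That second case is the check worth keeping: after switching to semi-unified, fields that are still absent are not being logged at the source, and no read-mode setting will produce them.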
