This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Rodrigo_Castell
Contributor
‎2019-10-30 02:36 PM

LogExporter IPS logs to ArcSight CEF

Hello,

 

Is anyone sending logs to ArcSight and is using the IPS blade? 

Im having an issue where these specific logs are not sending the destination address.

This only happens with IPS events, the rest of the blades do send the fields I need.

 

This is on R80.10 latest JHF smartevent and gateways.

 

0 Kudos
5 Replies
Juhyung_Lee
Explorer
‎2019-10-30 09:38 PM

We have same issue.

I opened a SR, but TAC just said to use LEA.

0 Kudos
PhoneBoy
Admin
Admin
‎2019-10-31 10:09 AM
In response to Juhyung_Lee

Log Exporter is the preferred solution for exporting to a SIEM going forward. If TAC is telling you otherwise, please escalate the ticket.

In this specific case, it sounds like a bug and ensure a Task is filed with R&D. @Dan_Zada 

0 Kudos
Dan_Zada
Employee Alumnus
Employee Alumnus
‎2019-11-03 11:21 PM
In response to PhoneBoy

Hi,

Which reading mode are you using (see SK122323).

If you are using "raw", it might be that you get 2 log fragments, but if you will change it to semi-unified, each time a log fragment will be received to the log server, it will export the full log (all data it had until that point).

 

You can read more about reading-modes in SK122323.

 

Thanks!

Dan.

0 Kudos
Rodrigo_Castell
Contributor
‎2019-11-05 01:25 PM
In response to Dan_Zada

Its all on default settings.

It would seem weird that it doesnt have destination on these particular IPS events. All others work correctly.
0 Kudos
Rodrigo_Castell
Contributor
‎2019-11-05 01:20 PM
In response to PhoneBoy

I should do this as part of the SR?

I did open an SR and escalating team just asked for tcpdumps when I see IPS events, to basically confirm 1 of 2 outcomes:

 

1- ArcSight is doing something and dropping the mapping, which I know it doesnt since raw events are not showing this.

2- Log Exporter on anything below R80.30 doesnt have great support sending/mapping this info easily. Support doesnt really recommend upgrading to R80.30 in critical production environments.

 

 

 

 

 

 

 

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events