This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Marius_Iversen
Explorer
‎2018-06-12 10:07 AM

Long term plan for Log Exporter SIEM integration

So with Log Exporter now supporting formats for Splunk, ArcSight and so on, i just wondered if these formats have any formal agreement with vendors that these will be kept up to date.

Taking ArcSight(MicroFocus) as an example, there is several patterns seen with other vendor integration that they kind of get "lost over time". Checkpoints long term roadmap might offer new blades, or changes to their log format, and the Log Exporter might not always be kept up to date.

I am not looking for any official confirmation that i can quote on, it's just out of curiosity and it is good to keep in the back off my head, as our ArcSight integration with CP will grow larger and larger over time.

Do you feel that it is up to the vendor then to keep this up to date, or the SIEM vendor itself?

Labels
2 Replies
PhoneBoy
Admin
Admin
‎2018-06-12 11:25 AM

My personal take is that it requires support on both ends:

  • Check Point exporting the needed data
  • SIEM vendor properly parsing the data sent

Moving away from LEA to industry-standard syslog simplifies things, particularly for the SIEM vendor.

Marius_Iversen
Explorer
‎2018-06-12 01:49 PM
In response to PhoneBoy

Yeah but in this case, as many others, it is actually the vendor that exports in the format supported by ArcSight. So if new solutions is not added to this export, or keeps the export in the correct format, it will be harder to support.

The other way around was if/when Checkpoints sends in pure syslog, then it is the SIEM's responsibility to keep the parsers up to date.

I feel that when Checkpoint decides to support the SIEM format from the start of the export chain, then it should still be MF's job to pick up that it has stopped working. Smiley Happy

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events