This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Lucas_Planchere
Explorer
‎2019-07-02 04:58 AM
Jump to solution

OPSEC lea missing log information

Ho all,

 

We are using opsec lea to send logs to our SIEM and it is working fine, but we are missing some valuable information in the logs sent this way. For example we don't have the log information for the reason of a block, or the rule that trigger the log. Those logs are visible on the checkpoint interface but apparently opsec lea do not forward them.

Anybody knows if we can forward those information as well ?

I know that we should now use the log exporter instead of opsec lea, but our siem do not support it yet..

 

Thanks !

 

2 Solutions

Accepted Solutions
Dorit_Dor
Employee
Employee
‎2019-10-11 06:11 AM
In response to Amir_Rehman
Jump to solution

1. Logrytm - we recently released a version of log exporter that support them 

2. w log exporter we export all logs.
Some siem tools can get only leverage limited types of logs (logrythm) but most siem get all logs.
Opsec lea is also generic api and it can integrate all logs and the implementation is dependent on connector (depending on who wrote the connector) 

3. There is no good reason to use opsec lea anymore. Ttbomk log exporter is better in every way (and still like stated above, lea is still supported) 

View solution in original post

HeikoAnkenbrand
MVP Diamond
MVP Diamond
‎2019-10-11 06:15 AM
Jump to solution

Check Point supports the Syslog exporter for SIEM applications for R80.10+ managment.

Which allows an easy and secure method for exporting CP logs over syslog. Exporting can be done in few standard protocols and formats.

Log Exporter supports:

  • Splunk
  • Arcsight
  • RSA
  • LogRhythm
  • QRadar
  • McAfee

Log Exporter is a multi-threaded daemon service, running on a log server. Each log that is written on the log server is read by the log exporter daemon, transformed into the desired format and mapping, and then sent to the end target.

➜ CCSM Elite, CCME, CCTE ➜ www.checkpoint.tips

View solution in original post

7 Replies
PhoneBoy
Admin
Admin
‎2019-07-02 05:13 PM
Jump to solution

While I do not know for certain, it could be that the information is forwarded via LEA but your SIEM doesn't process said data.
What SIEM are you using?

While we are not eliminating support for LEA anytime soon, Log Exporter is our preferred mechanism for integrating with SIEMs going forward.
0 Kudos
Lucas_Planchere
Explorer
‎2019-07-02 10:42 PM
In response to PhoneBoy
Jump to solution

Hello,

Thanks for the answer.

I'm using logrhythm, I think  you are right the problem is on the siem side, I found few article where it works for splunk.. I also found that those field like the web filtering are available through opsec lea.

I will continue my researche on the logrhythm side.

Thanks !

0 Kudos
Amir_Rehman
Contributor
‎2019-10-11 05:39 AM
In response to Lucas_Planchere
Jump to solution

Hi,

I Just wanted to know what logs(blades) are exported to SIEM via LEA opsec. 

I don't seem to get remote vpn logs . I am using FortiSIEM.

Thanks

0 Kudos
Dorit_Dor
Employee
Employee
‎2019-10-11 06:11 AM
In response to Amir_Rehman
Jump to solution

1. Logrytm - we recently released a version of log exporter that support them 

2. w log exporter we export all logs.
Some siem tools can get only leverage limited types of logs (logrythm) but most siem get all logs.
Opsec lea is also generic api and it can integrate all logs and the implementation is dependent on connector (depending on who wrote the connector) 

3. There is no good reason to use opsec lea anymore. Ttbomk log exporter is better in every way (and still like stated above, lea is still supported) 

HeikoAnkenbrand
MVP Diamond
MVP Diamond
‎2019-10-11 06:15 AM
Jump to solution

Check Point supports the Syslog exporter for SIEM applications for R80.10+ managment.

Which allows an easy and secure method for exporting CP logs over syslog. Exporting can be done in few standard protocols and formats.

Log Exporter supports:

  • Splunk
  • Arcsight
  • RSA
  • LogRhythm
  • QRadar
  • McAfee

Log Exporter is a multi-threaded daemon service, running on a log server. Each log that is written on the log server is read by the log exporter daemon, transformed into the desired format and mapping, and then sent to the end target.

➜ CCSM Elite, CCME, CCTE ➜ www.checkpoint.tips
HeikoAnkenbrand
MVP Diamond
MVP Diamond
‎2019-10-11 06:17 AM
In response to HeikoAnkenbrand
Jump to solution

More read here:

R80.10 - Syslog Exporter

➜ CCSM Elite, CCME, CCTE ➜ www.checkpoint.tips
Amir_Rehman
Contributor
‎2019-10-11 06:25 AM
In response to HeikoAnkenbrand
Jump to solution

Thank you, however I tried log exporter but I could not get all the logs in FortiSIEM. All i see is firewall logs "deny and accepted connection".

With LEA, I see get more logs in FortSIEM .i.e Identity logging, Firewall accept/deny, policy installation and object modification, Ssh logins to management server, Ips logs etc. But Cannot see remote VPN logs.

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events