This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject
ABOUT CHECKMATES & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Yair_Herling
Employee
Employee
‎2018-07-17 12:40 AM

R80.20 Log Exporter Feature

This video elaborate on Check Point's R80.20 log exporter feature, introducing an easy and secure method for exporting Check Point logs to 3rd party SIEM applications, using various protocols (like TCP or UDP) and formats (like syslog, CEF, or LEEF)

10 Replies
Daniel_
Collaborator
‎2018-08-16 02:14 AM

Splunk also has a Opsec Connection (LEA) to receive the logs. Is there an advantage to use this export feature?

0 Kudos
PhoneBoy
Admin
Admin
‎2018-08-16 07:06 PM

While we will continue to support LEA for the time being, Log Exporter is going to be the recommended method for exporting logs to third party SIEMs going forward.

Don_Paterson
Advisor
‎2018-12-14 07:57 AM

Thanks. Is there an SK for this? Perhaps that and a link to that or to the admin guide with the info about that would  be beneficial in this thread.

Don

0 Kudos
PhoneBoy
Admin
Admin
‎2018-12-14 08:39 AM

The official SK: Log Exporter - Check Point Log Export 

The "canonical" thread on CheckMates: Log Exporter guide

Don_Paterson
Advisor
‎2018-12-14 08:43 AM

And so the loop is closed and it's all brought together.

Nice one, thank you Dameon.

Prashant
Participant
‎2019-08-21 10:43 PM

Does log exporter on R80.20 configuration on MLM sends logs with source IP of each configured CLM.

We had this requirement for long and lately few months back R&D suggested that it will be in R80.20.

We recently upgraded to R80.20 though still see MLM ip as source on syslog for all CLM.

We want separate connection with each CLM IP itself.

Pls suggest

0 Kudos
Martin_Valenta
Advisor
‎2019-08-22 02:42 AM
In response to Prashant

It's not in place in r80.20, in our case we send traffic from each CLM via different port to our SIEM and based on port we know from which CLM logs are comming to SIEM.
0 Kudos
Prashant
Participant
‎2019-08-22 03:18 AM
In response to Martin_Valenta

Thanks Martin -

 

I got the idea, though as I checked, if I use TCP as protocol for Syslog, I can see CLM IP as desired but not the case with UDP(though need to check myself).

 

Will update final result. 

0 Kudos
Martin_Valenta
Advisor
‎2019-08-22 03:21 AM
In response to Prashant

It doesn't matter if tcp/udp it's still flows from MLM server ip.
0 Kudos
Prashant
Participant
‎2019-08-22 03:45 AM
In response to Martin_Valenta

I checked it on R80.20 MLM, I could see connection with CLM IP if used with TCP.
0 Kudos