This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
ThomasD
Explorer
‎2019-06-05 10:02 AM
Jump to solution

Sending Check Point logs via LogExporter to SkyBox

Hello,

I am curious if anyone has successfully sent Check Point logs to SkyBox via the LogExporter tool.  I was able to send the syslogs to the SkyBox server, but apparently SkyBox cannot interpret it correctly due to a date/time format issue.

According to SkyBox, they are expecting the format below from Check Point CMA (Provider-1):

2013-01-06 16:07:55 Local4.Info 10.1.1.1 cma1: 16Sep2012 15:53:54 accept 10.2.2.2 >eth0 rule: 1; rule_uid: {42B0B1D4-73B6-4FEC-97D0-9BBE0AF18742}; service_id: ssh_version_2; src: 192.168.1.1; dst: 10.2.2.2; proto: tcp; product: VPN-1 & FireWall-1; service: 22; s_port: 53753; product_family: Network;

But, this is what SkyBox is receiving from the Provider-1 instead:

Jun  5 04:00:01 XXXXXXXXXX 2019-06-05T07:59:58Z XXXXXXXXXX CheckPoint 9066 - [action:"XXXXXXXXXX"; flags:"XXXXXXXXXX"; ifdir:"XXXXXXXXXX"; ifname:"XXXXXXXXXX"; loguid:"XXXXXXXXXX"; origin:"XXXXXXXXXX"; time:"XXXXXXXXXX"; version:"XXXXXXXXXX"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={XXXXXXXXXX};mgmt=XXXXXXXXXX;date=XXXXXXXXXX;policy_name=XXXXXXXXXX]"; dst:"XXXXXXXXXX"; origin_sic_name:"XXXXXXXXXX,O=XXXXXXXXXX"; product:"XXXXXXXXXX"; proto:"XXXXXXXXXX"; rule:"XXXXXXXXXX"; rule_name:"XXXXXXXXXX"; rule_uid:"{XXXXXXXXXX"; s_port:"XXXXXXXXXX"; service:"XXXXXXXXXX"; src:"XXXXXXXXXX"; ]

 

Thank you in advance for your help/suggestions.

 

Thomas

2 Solutions

Accepted Solutions
Tomer_Sole
Mentor
Mentor
‎2019-06-20 05:10 AM
In response to ThomasD
Jump to solution

Hi Thomas, I apologize about the mixed messaging. 

Check Point’s Log Exporter is 100% standard output format. If we hadn’t went with the standards, we wouldn’t have been accepted as verified partners of Splunk, Arcsight and AlienVault. 

I reached out to Skybox. The reason why Log Exporter is not officially supported by Skybox is because it is technologically different than LEA. So at the moment, in order to use Skybox, LEA must be accepted. 

Check Point is working with Skybox and the rest of our technology partners in order to increase adoption of Log Exporter. LEA is still supported in all versions, however we encourage everyone to move to Log Exporter for efficiency, standardized formats, and TLS support. 

 

 

View solution in original post

DZ_KB
Collaborator
‎2020-07-29 12:34 AM
In response to DZ_KB
Jump to solution

Hi @All,

For informartion, we have tested R80.30 logExporter with 10.1.303  skybox version and it works fine.

Regards.

n.n

View solution in original post

5 Replies
DeletedUser
Not applicable
‎2019-06-05 01:41 PM
Jump to solution

Not sure it will matter, but which log exporter format did you choose? Does Skybox have a preference?
ThomasD
Explorer
‎2019-06-05 01:44 PM
In response to DeletedUser
Jump to solution

I was told by the SkyBox team that SkyBox expects "structured syslog format".

0 Kudos
Tomer_Sole
Mentor
Mentor
‎2019-06-20 05:10 AM
In response to ThomasD
Jump to solution

Hi Thomas, I apologize about the mixed messaging. 

Check Point’s Log Exporter is 100% standard output format. If we hadn’t went with the standards, we wouldn’t have been accepted as verified partners of Splunk, Arcsight and AlienVault. 

I reached out to Skybox. The reason why Log Exporter is not officially supported by Skybox is because it is technologically different than LEA. So at the moment, in order to use Skybox, LEA must be accepted. 

Check Point is working with Skybox and the rest of our technology partners in order to increase adoption of Log Exporter. LEA is still supported in all versions, however we encourage everyone to move to Log Exporter for efficiency, standardized formats, and TLS support. 

 

 

DZ_KB
Collaborator
‎2020-06-11 09:18 AM
In response to Tomer_Sole
Jump to solution

Hi @Tomer_Sole

We have just open a case to skybox support because LEA opsec doesn't work correctly with huge logs. They recommand us to configure log exporter on our R80.30 MDS.
Our skybox version is 10.1.303.

What do you think about this ?
0 Kudos
DZ_KB
Collaborator
‎2020-07-29 12:34 AM
In response to DZ_KB
Jump to solution

Hi @All,

For informartion, we have tested R80.30 logExporter with 10.1.303  skybox version and it works fine.

Regards.

n.n

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events