ThomasD
Explorer

Sending Check Point logs via LogExporter to SkyBox

Jump to solution

Hello,

I am curious if anyone has successfully sent Check Point logs to SkyBox via the LogExporter tool.  I was able to send the syslogs to the SkyBox server, but apparently SkyBox cannot interpret it correctly due to a date/time format issue.

According to SkyBox, they are expecting the format below from Check Point CMA (Provider-1):

2013-01-06 16:07:55 Local4.Info 10.1.1.1 cma1: 16Sep2012 15:53:54 accept 10.2.2.2 >eth0 rule: 1; rule_uid: {42B0B1D4-73B6-4FEC-97D0-9BBE0AF18742}; service_id: ssh_version_2; src: 192.168.1.1; dst: 10.2.2.2; proto: tcp; product: VPN-1 & FireWall-1; service: 22; s_port: 53753; product_family: Network;

But, this is what SkyBox is receiving from the Provider-1 instead:

Jun  5 04:00:01 XXXXXXXXXX 2019-06-05T07:59:58Z XXXXXXXXXX CheckPoint 9066 - [action:"XXXXXXXXXX"; flags:"XXXXXXXXXX"; ifdir:"XXXXXXXXXX"; ifname:"XXXXXXXXXX"; loguid:"XXXXXXXXXX"; origin:"XXXXXXXXXX"; time:"XXXXXXXXXX"; version:"XXXXXXXXXX"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={XXXXXXXXXX};mgmt=XXXXXXXXXX;date=XXXXXXXXXX;policy_name=XXXXXXXXXX]"; dst:"XXXXXXXXXX"; origin_sic_name:"XXXXXXXXXX,O=XXXXXXXXXX"; product:"XXXXXXXXXX"; proto:"XXXXXXXXXX"; rule:"XXXXXXXXXX"; rule_name:"XXXXXXXXXX"; rule_uid:"{XXXXXXXXXX"; s_port:"XXXXXXXXXX"; service:"XXXXXXXXXX"; src:"XXXXXXXXXX"; ]

Thank you in advance for your help/suggestions.

Thomas
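To make the mismatch concrete, here is an added example (not code from the thread, from Check Point or from Skybox): a small Python parser for the Log Exporter structured-syslog shape quoted above, which pulls the quoted `key:"value";` pairs apart and re-renders them in the legacy LEA-style layout Skybox says it expects. Every value in the sample line is constructed for the example (the thread's own line is redacted); the `>`/`<` prefix for `ifdir`, the `Local4.Info` label and the sender IP (which a syslog receiver knows from the connection, not from the message) are assumptions. It illustrates the field mapping and the parsing pitfalls, not a replacement for the supported LEA path the accepted answer describes.

```python
import re
from datetime import datetime, timezone

# Constructed sample in the Log Exporter "structured syslog" shape quoted in the
# question. All values are invented for this example (the thread's line was redacted).
SAMPLE_LINE = (
    'Jun  5 04:00:01 syslogrelay 2019-06-05T07:59:58Z cma1 CheckPoint 9066 - '
    '[action:"Accept"; flags:"411908"; ifdir:"inbound"; ifname:"eth0"; '
    'loguid:"{0x5cf75d7e,0x0,0xa020202,0xc0000000}"; origin:"10.2.2.2"; '
    'time:"1559721598"; version:"5"; '
    '__policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={EXAMPLE-TAG};mgmt=cma1;'
    'date=1559700000;policy_name=Standard]"; '
    'dst:"10.2.2.2"; origin_sic_name:"CN=gw1,O=cma1"; product:"VPN-1 & FireWall-1"; '
    'proto:"tcp"; rule:"1"; rule_name:"Allow SSH"; '
    'rule_uid:"{42B0B1D4-73B6-4FEC-97D0-9BBE0AF18742}"; '
    's_port:"53753"; service:"22"; src:"192.168.1.1"; ]'
)

# Syslog header: BSD timestamp, relay host, ISO timestamp, exporter host, app, procid,
# "-" and then the bracketed key/value body. Greedy ".*" tolerates "]" inside values.
HEADER_RE = re.compile(
    r'^(?P<bsd_ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<relay>\S+) '
    r'(?P<iso_ts>\S+) (?P<host>\S+) (?P<app>\S+) (?P<procid>\S+) - \[(?P<body>.*)\]\s*$'
)
# key:"value"; with backslash-escaped quotes allowed inside the value. Values may
# contain ";" and "[" (see __policy_id_tag), so a naive split on ";" would break.
PAIR_RE = re.compile(r'(\w+):"((?:[^"\\]|\\.)*)";')

# Field order of the legacy LEA-style line shown in the question (assumption: any
# extra fields are appended afterwards in sorted order).
LEGACY_ORDER = ["rule", "rule_uid", "service_id", "src", "dst", "proto",
                "product", "service", "s_port", "product_family"]
# Fields already consumed by the legacy line's fixed prefix.
HEADER_KEYS = {"action", "origin", "ifdir", "ifname", "time"}
# Assumption: ">" marks an inbound interface and "<" an outbound one.
DIR_PREFIX = {"inbound": ">", "outbound": "<"}


def parse_logexporter_line(line):
    """Split one Log Exporter structured-syslog line into header parts and a field dict."""
    m = HEADER_RE.match(line)
    if not m:
        raise ValueError("not a Log Exporter structured syslog line")
    rec = {k: m.group(k) for k in ("bsd_ts", "relay", "iso_ts", "host", "app", "procid")}
    fields = {}
    for key, value in PAIR_RE.findall(m.group("body")):
        fields[key] = value.replace('\\"', '"')
    rec["fields"] = fields
    return rec


def to_legacy_format(rec, sender_ip, facility="Local4.Info"):
    """Render a parsed record in the legacy layout quoted from Skybox (assumed mapping)."""
    f = rec["fields"]
    received = datetime.strptime(rec["iso_ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    # Log Exporter carries the event time as a Unix epoch in the "time" field.
    event = datetime.fromtimestamp(int(f["time"]), tz=timezone.utc)
    head = (
        f"{received:%Y-%m-%d %H:%M:%S} {facility} {sender_ip} {rec['host']}: "
        f"{event:%d%b%Y %H:%M:%S} {f['action'].lower()} {f['origin']} "
        f"{DIR_PREFIX.get(f.get('ifdir'), '')}{f.get('ifname', '')}"
    )
    ordered = [k for k in LEGACY_ORDER if k in f]
    ordered += sorted(k for k in f if k not in LEGACY_ORDER and k not in HEADER_KEYS)
    return head + "".join(f" {k}: {f[k]};" for k in ordered)


if __name__ == "__main__":
    record = parse_logexporter_line(SAMPLE_LINE)
    print(len(record["fields"]), "fields parsed")
    print(to_legacy_format(record, sender_ip="10.1.1.1"))
```

The point worth noticing is the `__policy_id_tag` value: it carries its own `;`-separated sub-fields and a `[...]` group, so only a quote-aware parser recovers the right field count; a consumer that tokenizes the structured format on `;` will mis-read exactly the kind of line Thomas posted.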

2 Solutions

Accepted Solutions

Hi Thomas, I apologize about the mixed messaging. 

Check Point’s Log Exporter is 100% standard output format. If we hadn’t gone with the standards, we wouldn’t have been accepted as verified partners of Splunk, Arcsight and AlienVault.

I reached out to Skybox. The reason why Log Exporter is not officially supported by Skybox is because it is technologically different than LEA. So at the moment, in order to use Skybox, LEA must be accepted. 

Check Point is working with Skybox and the rest of our technology partners in order to increase adoption of Log Exporter. LEA is still supported in all versions, however we encourage everyone to move to Log Exporter for efficiency, standardized formats, and TLS support. 


nabs_nabs
Contributor

Hi @All,

For information, we have tested R80.30 logExporter with the 10.1.303 Skybox version and it works fine.

Regards.

n.n


5 Replies
Bob_Bent
Mod
Not sure it will matter, but which log exporter format did you choose? Does Skybox have a preference?
ThomasD
Explorer

I was told by the SkyBox team that SkyBox expects "structured syslog format".



nabs_nabs
Contributor
Hi @Tomer_Sole

We have just opened a case with Skybox support because LEA OPSEC doesn't work correctly with huge logs. They recommended that we configure Log Exporter on our R80.30 MDS.
Our Skybox version is 10.1.303.

What do you think about this?