ThomasD
Explorer

Sending Check Point logs via LogExporter to SkyBox

Hello,

I am curious if anyone has successfully sent Check Point logs to SkyBox via the LogExporter tool.  I was able to send the syslogs to the SkyBox server, but apparently SkyBox cannot interpret it correctly due to a date/time format issue.

According to SkyBox, they are expecting the format below from Check Point CMA (Provider-1):

2013-01-06 16:07:55 Local4.Info 10.1.1.1 cma1: 16Sep2012 15:53:54 accept 10.2.2.2 >eth0 rule: 1; rule_uid: {42B0B1D4-73B6-4FEC-97D0-9BBE0AF18742}; service_id: ssh_version_2; src: 192.168.1.1; dst: 10.2.2.2; proto: tcp; product: VPN-1 & FireWall-1; service: 22; s_port: 53753; product_family: Network;

But, this is what SkyBox is receiving from the Provider-1 instead:

Jun  5 04:00:01 XXXXXXXXXX 2019-06-05T07:59:58Z XXXXXXXXXX CheckPoint 9066 - [action:"XXXXXXXXXX"; flags:"XXXXXXXXXX"; ifdir:"XXXXXXXXXX"; ifname:"XXXXXXXXXX"; loguid:"XXXXXXXXXX"; origin:"XXXXXXXXXX"; time:"XXXXXXXXXX"; version:"XXXXXXXXXX"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={XXXXXXXXXX};mgmt=XXXXXXXXXX;date=XXXXXXXXXX;policy_name=XXXXXXXXXX]"; dst:"XXXXXXXXXX"; origin_sic_name:"XXXXXXXXXX,O=XXXXXXXXXX"; product:"XXXXXXXXXX"; proto:"XXXXXXXXXX"; rule:"XXXXXXXXXX"; rule_name:"XXXXXXXXXX"; rule_uid:"{XXXXXXXXXX"; s_port:"XXXXXXXXXX"; service:"XXXXXXXXXX"; src:"XXXXXXXXXX"; ]

Thank you in advance for your help/suggestions.

Thomas
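The two lines quoted above differ in more than the timestamp: the CMA line is positional up to the interface and then carries "key: value;" pairs, while the Log Exporter line is an RFC 5424-like header (ISO-8601 UTC timestamp, host, app name, pid, msgid) followed by key:"value"; pairs inside brackets. The following Python, added here as an illustration and not code from the thread, Check Point or Skybox, parses both layouts into one dict and rewrites the exporter's ISO-8601 stamp in the older 16Sep2012 15:53:54 style, which is the kind of normalisation a syslog relay would do in front of a collector that only understands the legacy layout. The regexes, the field names, the reading of ">"/"<" as outbound/inbound, and the two sample lines are assumptions modelled on the anonymised samples in the post.

```python
"""Parse the two Check Point syslog layouts quoted in the thread into one dict.

Added example, not code from the thread, Check Point or Skybox. The regexes,
field names and sample lines are assumptions derived from the two anonymised
lines in the post; both samples below are constructed.
"""
import re
from datetime import datetime, timezone

# Constructed sample modelled on the LEA/CMA-style line Skybox expects.
LEGACY_LINE = (
    "2013-01-06 16:07:55 Local4.Info 10.1.1.1 cma1: 16Sep2012 15:53:54 accept "
    "10.2.2.2 >eth0 rule: 1; rule_uid: {42B0B1D4-73B6-4FEC-97D0-9BBE0AF18742}; "
    "service_id: ssh_version_2; src: 192.168.1.1; dst: 10.2.2.2; proto: tcp; "
    "product: VPN-1 & FireWall-1; service: 22; s_port: 53753; product_family: Network;"
)
# Constructed sample modelled on the Log Exporter "syslog" line Skybox received.
EXPORTER_LINE = (
    'Jun  5 04:00:01 mgmt01 2019-06-05T07:59:58Z mgmt01 CheckPoint 9066 - '
    '[action:"accept"; ifdir:"outbound"; ifname:"eth0"; origin:"10.2.2.2"; '
    'time:"1559721598"; __policy_id_tag:"product=VPN-1 & FireWall-1'
    '[db_tag={1A2B};mgmt=mgmt01;date=1559700000;policy_name=Standard]"; '
    'dst:"10.2.2.2"; product:"VPN-1 & FireWall-1"; proto:"tcp"; rule:"1"; '
    'rule_uid:"{42B0B1D4-73B6-4FEC-97D0-9BBE0AF18742}"; s_port:"53753"; '
    'service:"22"; src:"192.168.1.1"; ]'
)

# Legacy header: relay stamp, facility, relay IP, CMA name, then the Check Point
# event stamp (16Sep2012 15:53:54), action, origin, direction marker + interface.
LEGACY_HEAD = re.compile(
    r"^(?P<relay_ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) \S+ (?P<relay_ip>\S+) "
    r"(?P<cma>[^:]+): (?P<event_ts>\d{1,2}[A-Za-z]{3}\d{4} \d{2}:\d{2}:\d{2}) "
    r"(?P<action>\S+) (?P<origin>\S+) (?P<ifdir>[<>])(?P<ifname>\S+) (?P<fields>.*)$"
)
# Log Exporter header: BSD relay stamp, relay host, ISO-8601 UTC event stamp,
# host, app name, pid, msgid, then the bracketed field list.
EXPORTER_HEAD = re.compile(
    r"^(?P<relay_ts>[A-Z][a-z]{2} {1,2}\d{1,2} \d{2}:\d{2}:\d{2}) (?P<relay_host>\S+) "
    r"(?P<event_ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z) (?P<host>\S+) (?P<app>\S+) "
    r"(?P<pid>\S+) (?P<msgid>\S+) \[(?P<fields>.*)\]$"
)
# One key:"value"; pair. The value may itself contain ';', '[' or ']' (see
# __policy_id_tag), so it is matched inside the quotes rather than split on ';'.
EXPORTER_FIELD = re.compile(r'([A-Za-z_]\w*):"((?:[^"\\]|\\.)*)";')


def _legacy_fields(text):
    """Split 'key: value; key: value;' into a dict; values may contain '&' or '{}'."""
    out = {}
    for part in text.split(";"):
        key, sep, value = part.partition(":")
        if sep:
            out[key.strip()] = value.strip()
    return out


def exporter_ts_to_legacy(iso_z):
    """Render the exporter's ISO-8601 UTC stamp in the legacy 16Sep2012 15:53:54 style.

    Assumption: the legacy stamp carries no zone, so the UTC wall clock is kept
    as-is; a relay in a non-UTC site would convert to local time here.
    """
    dt = datetime.strptime(iso_z, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return f"{dt.day}{dt:%b%Y %H:%M:%S}"  # legacy sample shows no zero-padded day


def parse_legacy(line):
    m = LEGACY_HEAD.match(line)
    if not m:
        raise ValueError("not a legacy CMA line")
    rec = {k: v for k, v in m.groupdict().items() if k != "fields"}
    # Assumption: '>' is outbound and '<' inbound, the usual FW-1 log convention.
    rec["ifdir"] = "outbound" if rec["ifdir"] == ">" else "inbound"
    rec.update(_legacy_fields(m["fields"]))
    rec["format"] = "legacy"
    return rec


def parse_exporter(line):
    m = EXPORTER_HEAD.match(line)
    if not m:
        raise ValueError("not a Log Exporter syslog line")
    rec = {k: v for k, v in m.groupdict().items() if k != "fields"}
    rec.update(dict(EXPORTER_FIELD.findall(m["fields"])))
    rec["legacy_ts"] = exporter_ts_to_legacy(rec["event_ts"])
    rec["format"] = "exporter"
    return rec


def parse_any(line):
    """Dispatch on the header shape; both layouts end up with the same core keys."""
    if EXPORTER_HEAD.match(line):
        return parse_exporter(line)
    return parse_legacy(line)


if __name__ == "__main__":
    for sample in (LEGACY_LINE, EXPORTER_LINE):
        rec = parse_any(sample)
        print(rec["format"], rec.get("legacy_ts", rec["event_ts"]),
              rec["action"], rec["src"], "->", rec["dst"], rec["proto"], rec["service"])
```

Both parsers fail loudly on an unrecognised header instead of guessing, which is the behaviour you want in a relay: a silently mis-parsed line is exactly what produced the "cannot interpret it" symptom in the question. Compare the core keys (action, src, dst, proto, service, s_port, rule, rule_uid, ifname) across the two records to confirm the layouts really carry the same information and only the framing differs.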

2 Solutions

Accepted Solutions
Tomer_Sole
Mentor

Hi Thomas, I apologize about the mixed messaging.

Check Point’s Log Exporter is 100% standard output format. If we hadn’t gone with the standards, we wouldn’t have been accepted as verified partners of Splunk, Arcsight and AlienVault.

I reached out to Skybox. The reason why Log Exporter is not officially supported by Skybox is because it is technologically different than LEA. So at the moment, in order to use Skybox, LEA must be accepted.

Check Point is working with Skybox and the rest of our technology partners in order to increase adoption of Log Exporter. LEA is still supported in all versions, however we encourage everyone to move to Log Exporter for efficiency, standardized formats, and TLS support.

DZ_KB
Collaborator

Hi @All,

For information, we have tested R80.30 logExporter with 10.1.303 skybox version and it works fine.

Regards.

n.n

5 Replies
DeletedUser
Not applicable
Not sure it will matter, but which log exporter format did you choose? Does Skybox have a preference?
ThomasD
Explorer

I was told by the SkyBox team that SkyBox expects "structured syslog format".

DZ_KB
Collaborator
Hi @Tomer_Sole

We have just opened a case with skybox support because LEA opsec doesn't work correctly with huge logs. They recommend that we configure log exporter on our R80.30 MDS.
Our skybox version is 10.1.303.

What do you think about this?