Yes, I studied this sk, only security and audit logs are sent, it turns out that they do not contain administration data and cannot be sent to siem in any way?

@Arturxr please explain "administration data", maybe with an example which information do you need to send to the SIEM.

If you change something in the rulebase or change objects, these changes are collected in the audit log.

In SIEM, it is necessary to transfer information on changing objects (rules, hosts, subnets, etc.)
This information comes through OPSEC, but can it be configured through the Log Exporter?

@Arturxr as I wrote in my post, this information"changing objects (rules, hosts, subnets, etc." is logged in the audit logs of  your SMS and it's possible to send them to SIEM . Have a look at the audit log view in Smartconsole, every information shown there can be send to SIEM. There is no need for the use of the OPSEC interface, LogExporter does this. 

I understand correctly? is it set up here?

Yes, that's correct. If you want to send audit logs only you have to do advanced configuration and change the configuration xml file. Change <log_types> all </log_types> to  <log_types> audit </log_types>.

Thanks, where can I find this xml file?

Everything you need is found here, please read this.

 Log Exporter - Check Point Log Export 

The Log Exporter configuration for the target server is saved in:
$EXPORTERDIR/targets/<Name of Log Exporter Configuration>/targetConfiguration.xml

Hello @Wolfgang

Is it possible to integrate a Check Point MDS against a Wazuh SIEM?

The configuration to send the logs to the SIEM (if Wazuh is supported) must be done in the main MDS or is it done in all the CMA (1x1)?

Thanks

@Matlu you can do an export from only some CMAs or for all, it depends on your needs. 

But you can do it for all, see the documentation Deployment of Log Exporter in CLI

• The "domain-server" argument is mandatory on a Multi-Domain Security Management Server / Multi-Domain Log Server.

  • mds (in small letters) - Exports logs from only the MDS level.

  • all (in small letters) - Exports logs from all Domains.

I'm not familiar with export to Wazuh but it should work. You have to play something with the fields of the export.

@Wolfgang,

For a company using Splunk as their SIEM solution, does selecting the format "Splunk" in the "Data Manipulation" page of the Log Exporter provide any major benefits over selecting "Syslog"?

What could be the advantages and disadvantages of selecting the format "Splunk"?

@jimmyjose2980  if you export your data directly to Splunk you have to choose Splunk, if you export to a syslog server you choose syslog. With the correct data manipulation you get the correct mapping from Check Point fields to Splunk fields  in the data format. You can configure your own mapping for every data fields, but Check Point did this job and default profiles for the most common SIEM solutions are ready to use.

@Wolfgang, thank you for your response!

From what I understand from the documentation is that regardless of whether I choose "Syslog" or "Splunk" as the log format in Log Exporter, I can either select TCP or UDP protocol. Is there a way I could configure HTTPS to encrypt the packets from Check Point to Syslog or Splunk?

@jimmyjose2980 see Log Exporter TLS Configuration and Log Exporter Instructions for Specific SIEM

@Wolfgang, thanks! This will help me set up TLS configuration if I use the "Syslog" log format in "Data Manipulation". However, this configuration does not seem to support TLS configuration if I chose "Splunk" as the log format. What is your take on it?

Great, thank you @Wolfgang!