Unable to connect to McAfee SIEM via LEA after upgrade to R80.20

Hi Folks,

I just migrated a Smart-1 appliance from R77.30 to R80.20; however, after the migration I observed that the SIEM servers could not pick up the logs via LEA. Any help is greatly appreciated.


6 Replies

It is possible you'll need to destroy and recreate the connection on the SIEM side.  We've had to do that in the past.

You're on 80.20 so you've got the log exporter stuff built in now.  So why not just Syslog everything?  Check out sk122323.

Here's the cheat sheet (you'd need to run this command on every CMA):

cp_log_export add name McAfee-SIEM domain-server <domainX> target-server target-port 514 protocol udp format syslog

You'll be prompted to restart the exporter and BAM.  Syslog.

We've been very successful with this method on 80.10.




This is probably related to the deprecation of the SHA1 algorithm that was used with older ICA certificates.  As Tommy said recreating the LEA integration will generate a new certificate using SHA256, hopefully your SIEM servers have updated their OPSEC SDK libraries to support it.  You might wind up needing to upgrade your SIEM to obtain this support if you are running older code.


"Max Capture: Know Your Packets" Video Series
now available at
0 Kudos
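To check the SHA-1 point raised above before opening a vendor case, here is an added example (not from this thread, not Check Point or McAfee code): a standard-library-only DER walker that reports the signature algorithm an X.509 certificate was signed with, so you can see whether the OPSEC/LEA certificate you exported is still sha1WithRSAEncryption. The sample bytes are a constructed, truncated tbsCertificate; on a real certificate pass its DER bytes (or PEM text through pem_to_der).

```python
import base64
import re

# RSA signature algorithm OIDs of interest (RFC 3279 / RFC 4055).
SIG_OIDS = {
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
    "1.2.840.113549.1.1.11": "sha256WithRSAEncryption",
}

def _read_tlv(buf, pos):
    """Return (tag, value_start, value_end) of the DER element at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, pos, pos + length

def _decode_oid(raw):
    """Decode OBJECT IDENTIFIER contents into dotted notation."""
    arcs, value = [str(raw[0] // 40), str(raw[0] % 40)], 0
    for b in raw[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(str(value))
            value = 0
    return ".".join(arcs)

def signature_algorithm(der):
    """Name (or dotted OID) of tbsCertificate.signature in a DER cert."""
    _, tbs_pos, _ = _read_tlv(der, 0)                 # Certificate SEQUENCE
    _, pos, _ = _read_tlv(der, tbs_pos)               # tbsCertificate SEQUENCE
    tag, _, end = _read_tlv(der, pos)
    if tag == 0xA0:                                   # optional [0] version
        tag, _, end = _read_tlv(der, end)             # serialNumber INTEGER
    _, alg_pos, _ = _read_tlv(der, end)               # AlgorithmIdentifier
    _, oid_start, oid_end = _read_tlv(der, alg_pos)   # OBJECT IDENTIFIER
    return SIG_OIDS.get(_decode_oid(der[oid_start:oid_end]),
                        _decode_oid(der[oid_start:oid_end]))

def pem_to_der(pem_text):
    """Extract the first CERTIFICATE block from PEM text as DER bytes."""
    body = re.search(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----",
                     pem_text, re.S).group(1)
    return base64.b64decode("".join(body.split()))

# Constructed sample: truncated tbsCertificate with only version, serialNumber
# and the signature AlgorithmIdentifier (enough for the parser above).
_SAMPLE_PREFIX = "30193017" "a003020102" "020101" "300d06092a864886f70d0101"
SAMPLE_SHA1_DER = bytes.fromhex(_SAMPLE_PREFIX + "050500")
SAMPLE_SHA256_DER = bytes.fromhex(_SAMPLE_PREFIX + "0b0500")
```

If the result is sha1WithRSAEncryption, recreating the OPSEC object as described in this thread is the expected fix; the SIEM side must then accept a SHA-256 signed certificate.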

This is ESM 10.5 McAfee; I don't think this is using a SHA1 cert.

Anyway, I will ask the vendor about that as well.

0 Kudos

There's a reason we flag OPSEC objects in the R80.x pre-upgrade verifier.

Hi @Blason_R,

As @PhoneBoy described it. You should have received a warning when upgrading to R80.20.

I had the same problem with other products.


1) Remove the OPSEC object from the policy
2) Delete the OPSEC LEA object
3) Install the database on the management server
4) Create a new OPSEC LEA object (this object now uses SHA256 :-)
5) Add the new OPSEC object to the policy
6) Create the SIC between the SIEM and the management server
7) Install the database on the management server


I would use the Log Exporter as @Tommy_Forrest described it. I often use it with RSA Envision or LogRhythm.

Log Exporter supports:

  • Splunk
  • Arcsight
  • RSA
  • LogRhythm
  • QRadar
  • McAfee

More read here "R80.10 Syslog Exporter" or see sk122323: Log Exporter - Check Point Log Export

0 Kudos

Yep, I am completely aware of the log_export feature and this is what I suggested to the McAfee vendor, but I feel he is not aware of how to set up a listener for CheckPoint in McAfee, nor am I an SME in McAfee ESM.



0 Kudos