Create a Post
cancel
Showing results for 
Search instead for 
Did you mean: 
dehaasm
Collaborator

smartevent server log exporter is not sending severity field to Qradar

We have configured the smartevent server with the log exporter object and is sending the data to Qradar. The format is LEEF as expected and inside the default LeefFieldsMapping.xml we see <field><origName><severity</origname> which would replace the value to 0-10 however inside the data capture we dont find any severity field.

Is this not being send by default and how can we include this for the LEEF log exporter to Qradar?

note:in smartconsole we do see the correlated event with proper severity and we also located the event (without severity) in packet capture send to Qradar

0 Kudos
9 Replies
G_W_Albrecht
Legend
Legend

I would suggest to contact TAC to get this working !

CCSE CCTE CCSM SMB Specialist
0 Kudos
PhoneBoy
Admin
Admin

<field><origName><severity</origname> looks like a typo?
Maybe add in a > at the end of severity?

0 Kudos
dehaasm
Collaborator

The default xml includes this so I would assume that it would include severity but we cannot locate that inside the pcap data. Also in general smartevents correlated events are being send in LEEF but nothing it actually being "received" at Qradar side which is under review by this vendor. The SMS is already working fine out of the box. At this moment i am focussing on this severity field which needs to be included and yes of course I could engage TAC case for this.

I also left a note here

https://community.checkpoint.com/t5/Management/Log-Exporter-LEEF-Field-Mappings/td-p/48905

<field><origName>severity</origName><dstName>sev</dstName>
<callback>
<name>replace_value</name>
<args>
<arg key="default" value="0"/>
<arg key="0" value="0"/>
<arg key="1" value="2"/>
<arg key="2" value="5"/>
<arg key="3" value="8"/>
<arg key="4" value="10"/>
</args>
</callback>
</field>

0 Kudos
dehaasm
Collaborator

that was probably my typo sorry I mean in this article see below for correct XML content which is not working

0 Kudos
PhoneBoy
Admin
Admin

Suggest a TAC case: https://help.checkpoint.com 

0 Kudos
dehaasm
Collaborator

We got answer from supplier Qradar and they say that the correlated events are send to Qradar with Product Name VPN-1 Power/UTM whereas they would expect it to be VPN-1 Firewall-1 (which does work). Gonna share these details with TAC and probably some fix is needed in the code for it to integrate correctly.

0 Kudos
dehaasm
Collaborator

in dump i see it is formatted like this LEEF:2.0|Check Point|VPN-1 & FireWall-1| and this is not parsed at Qradar side

0 Kudos
PhoneBoy
Admin
Admin

I suggest contacting Qradar to resolve this issue as we are providing the data to them in the correct format.

0 Kudos
dehaasm
Collaborator

Yes you are right events are filtered at their side also to prevent it from overloading, what we want is to only send the Smartevent correlated events to syslog server and now looking into a way to implement automatic reactions with external script. Will open another question about that to define this script with logger action.

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

Upcoming Events

    Tue 23 Apr 2024 @ 11:00 AM (EDT)

    East US: What's New in R82

    Thu 25 Apr 2024 @ 11:00 AM (SGT)

    APAC: CPX 2024 Recap

    Tue 30 Apr 2024 @ 03:00 PM (CDT)

    EMEA: CPX 2024 Recap

    Thu 02 May 2024 @ 11:00 AM (SGT)

    APAC: What's new in R82

    Tue 23 Apr 2024 @ 11:00 AM (EDT)

    East US: What's New in R82

    Thu 25 Apr 2024 @ 11:00 AM (SGT)

    APAC: CPX 2024 Recap

    Tue 30 Apr 2024 @ 03:00 PM (CDT)

    EMEA: CPX 2024 Recap

    Thu 02 May 2024 @ 11:00 AM (SGT)

    APAC: What's new in R82
    CheckMates Events