so our management servers are not exporting logs t...

kb1 · ‎2020-03-05

so how do i go about troubleshooting the process?

PhoneBoy · ‎2020-03-05

There are two completely different methods for doing that: one using LEA and one using Log Exporter.

For LEA, refer to: https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut...
For Log Exporter, refer to the Troubleshooting section of this SK: https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut...

kb1 · ‎2020-03-05

Thank you, ours uses Lea so I'll go through the document above, I'm not too well versed in Integrating siem devices with the checkpoint but I will go through the troubleshooting guide and try my best to find out the issue.

kb1 · ‎2020-03-06

[Expert@FW-MGMT01:0]# tcpdump -neei any port 18184 and host 10.7.x.x tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on any, link-type LINUX_SLL (Linux cooked), capture size 262144 bytes
^C
0 packets captured
0 packets received by filter
0 packets dropped by kernel
[Expert@FW-MGMT01:0]# tracert 10.7.x.x
traceroute to 10.7.x.x (10.7.x.x), 30 hops max, 40 byte packets
1 10.7.x.x (10.7.x.x) 0.631 ms 0.759 ms 0.897 ms
2 secopslogrhyp01.flyfrontier.com (10.7.x.x) 0.412 ms 0.420 ms 0.457 ms

[Expert@FW-MGMT01:0]# cpca_client lscert -kind SIC -stat Pending | grep -A 3 LogRhythym

[Expert@FW-MGMT01:0]# grep Spawn_LEA $CPDIR/registry/HKLM_registry.data
:Spawn_LEA ("[4]1")

As you can see from the above outputs, it seems tcpdump shows no traffic no idea what to do next now, tracert shows nothing blocking traffic on the way (only 1 device in between which is not a firewall, probably a router), for certificate pending i ran the command as shown and shows no output (no idea what that means) and as you can see for the grep spawn command it seems lea_spawning is already enabled, now what to do next? do i log into the logrhythym server and restart it or something? (logrhythym server is running on a windows 2016 machine with more than enough storage space(has about 24tb of space) but when i look at the relevant drive which is named as Log which im assuming is the drive used to store the logs it shows 0.98tb free of 0.99tb that means nothing is being logged right? also other drives have most of the space free as well).

PhoneBoy · ‎2020-03-06

What does netstat show in terms of processes with open connections?
What troubleshooting have you done on the LogRhythm side?

Note that you really should use Log Exporter for this.
This is our preferred mechanism for sending logs to a SIEM.
LEA is still supported, but it's considered Legacy.

kb1 · ‎2020-03-06

Hello,

Netstat shows no connections to the logrhythym server, i only see established, close_wait, time_wait, fin_wait2, and then listen states, all listen states are to dest address 0.0.0.0:* and none of those above mentioned connections are to the logrhythym server(ran the command on the primary mgmt server btw), so you asked if i did any troubleshooting on the server side, what sort of troubleshooting should i do?

PhoneBoy · ‎2020-03-06

I believe with LEA it's the SIEM that has to initiate the connection.
So if you see no connection on port 18184 from LogRhythm, you need to troubleshoot on their side.
You will have to contact them for the exact steps as it's their client.

Lari_Luoma · ‎2020-03-06

Log Exporter is the recommended method to export logs. See below.

https://community.checkpoint.com/t5/Logging-and-Reporting/Export-Logs-To-LogRhythm-using-Log-Exporte...

Pre-R80.40 versions need a special hotfix installation in order to support LogRhythm.

kb1 · ‎2020-03-06

That's great, I will look into configuring log exporter later, so is the configuration complicated? Is there a guide for configuring log exporter with LogRhythym? For now I want to fix this issue we are having.

kb1 · ‎2020-03-06

And the hotfix that you mentioned is that for integration with log exporter or is that for the issue I'm having right now?

PhoneBoy · ‎2020-03-06

The hotfix would be required to use Log Exporter with LogRhythm.

Rather than troubleshoot this issue with LEA, you really should take the opportunity to move to Log Exporter.
Log Exporter sends the logs using syslog as opposed to LEA.
Refer to the Log Exporter SK for details: https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut...

kb1 · ‎2020-03-06

ok i did open up a tac case and even he wasnt able to figure out the issue, so sent a bunch of log files and cpinfo so they can look into it, meanwhile i will definitely look into setting up the log ex[porter, just dont know if setting it up will be too complpicated or something, hopefully its doable for me.

PhoneBoy · ‎2020-03-06

It should be easier than configuring LEA.
As I said, you will probably need to contact LogRhythm to help troubleshoot their end as they have to initiate a connect to us in a LEA configuration.

Shay_Hibah · ‎2020-03-10

Hi @kb1

I would be happy to assist you with Log Exporter configuration and integration with LogRhythm.

Can you please send me email to shayhi@checkpoint.com and we will take it offline together?

I would like to understand what step were already taken in Log Exporter aspect.

Regards,

Shay

kb1 · ‎2020-03-10

yes that would be great!!

Are you a member of CheckMates?

so our management servers are not exporting logs to the logrhythym servers