Create a Post
cancel
Showing results for 
Search instead for 
Did you mean: 
bkchng
Explorer

R80.30 - Sending logs via BOTH OPSEC LEA and to Splunk (via log exporter)?

Does Check Point R80.30 support sending firewall traffic logs out via BOTH OPSEC LEA (to another 3rd party server) and to Splunk (via log exporter)?

I'm working on a setup (single CP R80.30) where the user is currently sending traffic logs to Splunk, but also wants the 3rd party server to be able to pull these same traffic logs. But we can't seem to see these traffic logs in the external server, even though:

- the FW rules have logging enabled

- OPSEC certificate setup successfully, with trust established

- local logging enabled

 

So just wanted to confirm that what I mentioned in my initial question was technically possible first - perhaps I might have missed something in the configuration.

 

Thank you!

0 Kudos
4 Replies
PhoneBoy
Admin
Admin

Why are you using OPSEC LEA and not Log Exporter for the other SIEM?
While we haven’t formally deprecated LEA, our focus for third party integrations with SIEMs is Log Exporter.
In LEA the message to send logs actually comes from the LEA client.
Which means you will need to work with the SIEM vendor to understand if you’ve configured things correctly and to troubleshoot why logs aren’t flowing.

As to whether both will work at the same time: not sure.
However I have not heard of it being a specific limitation.

0 Kudos
bkchng
Explorer

Thank you so much for your quick reply. The reason why I'm using OPSEC LEA (in addition to exporting to Splunk) is to accommodate the limitations of that 3rd party solution, which is only able to take in logs via OPSEC LEA.

I do have one question - I do understand that the LEA client is the one that initiates the LEA connection via TCP/18184. However, once that connection is established, isn't CP the one that actually initiates the sending of things like change events, traffic logs, as they happen? If I'm wrong about this, happy to be corrected so that I have the correct understanding.

 

Thanks.

0 Kudos
abihsot__
Advisor

no, LEA method is to pull, log exporter is to push.

I have been running both methods at the same time during migration (LEA -> log exporter) and it worked fine.

0 Kudos
PhoneBoy
Admin
Admin

Ultimately, what happens is the client opens the OPSEC session and processes requests that come from the server.
The client ultimately controls the flow, though, as it can say to stop sending logs.
From the OPSEC SDK documentation:

Screen Shot 2021-02-04 at 9.27.55 AM.png

0 Kudos