This website uses cookies. By clicking OK, you consent to the use of cookies. Click Here to learn more about how we use cookies.
OK
ABOUT CHECKMATES & FAQ
Create a Post
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Help
Lucas_Planchere
Explorer
‎2019-07-02 04:58 AM

OPSEC lea missing log information

Jump to solution

Ho all,

 

We are using opsec lea to send logs to our SIEM and it is working fine, but we are missing some valuable information in the logs sent this way. For example we don't have the log information for the reason of a block, or the rule that trigger the log. Those logs are visible on the checkpoint interface but apparently opsec lea do not forward them.

Anybody knows if we can forward those information as well ?

I know that we should now use the log exporter instead of opsec lea, but our siem do not support it yet..

 

Thanks !

 

Reply
2 Solutions

Accepted Solutions
Dorit_Dor
Employee++
Employee++
‎2019-10-11 06:11 AM
In response to Amir_Rehman

Jump to solution

1. Logrytm - we recently released a version of log exporter that support them 

2. w log exporter we export all logs.
Some siem tools can get only leverage limited types of logs (logrythm) but most siem get all logs.
Opsec lea is also generic api and it can integrate all logs and the implementation is dependent on connector (depending on who wrote the connector) 

3. There is no good reason to use opsec lea anymore. Ttbomk log exporter is better in every way (and still like stated above, lea is still supported) 

View solution in original post

Reply
HeikoAnkenbrand
Champion
Champion
‎2019-10-11 06:15 AM

Jump to solution

Check Point supports the Syslog exporter for SIEM applications for R80.10+ managment.

Which allows an easy and secure method for exporting CP logs over syslog. Exporting can be done in few standard protocols and formats.

Log Exporter supports:

  • Splunk
  • Arcsight
  • RSA
  • LogRhythm
  • QRadar
  • McAfee

Log Exporter is a multi-threaded daemon service, running on a log server. Each log that is written on the log server is read by the log exporter daemon, transformed into the desired format and mapping, and then sent to the end target.

View solution in original post

Reply
7 Replies
PhoneBoy
Admin
Admin
‎2019-07-02 05:13 PM

Jump to solution
While I do not know for certain, it could be that the information is forwarded via LEA but your SIEM doesn't process said data.
What SIEM are you using?

While we are not eliminating support for LEA anytime soon, Log Exporter is our preferred mechanism for integrating with SIEMs going forward.
0 Kudos
Reply
Lucas_Planchere
Explorer
‎2019-07-02 10:42 PM
In response to PhoneBoy

Jump to solution

Hello,

Thanks for the answer.

I'm using logrhythm, I think  you are right the problem is on the siem side, I found few article where it works for splunk.. I also found that those field like the web filtering are available through opsec lea.

I will continue my researche on the logrhythm side.

Thanks !

0 Kudos
Reply
Amir_Rehman
Contributor
‎2019-10-11 05:39 AM
In response to Lucas_Planchere

Jump to solution

Hi,

I Just wanted to know what logs(blades) are exported to SIEM via LEA opsec. 

I don't seem to get remote vpn logs . I am using FortiSIEM.

Thanks

0 Kudos
Reply
Dorit_Dor
Employee++
Employee++
‎2019-10-11 06:11 AM
In response to Amir_Rehman

Jump to solution

1. Logrytm - we recently released a version of log exporter that support them 

2. w log exporter we export all logs.
Some siem tools can get only leverage limited types of logs (logrythm) but most siem get all logs.
Opsec lea is also generic api and it can integrate all logs and the implementation is dependent on connector (depending on who wrote the connector) 

3. There is no good reason to use opsec lea anymore. Ttbomk log exporter is better in every way (and still like stated above, lea is still supported) 

View solution in original post

Reply
HeikoAnkenbrand
Champion
Champion
‎2019-10-11 06:15 AM

Jump to solution

Check Point supports the Syslog exporter for SIEM applications for R80.10+ managment.

Which allows an easy and secure method for exporting CP logs over syslog. Exporting can be done in few standard protocols and formats.

Log Exporter supports:

  • Splunk
  • Arcsight
  • RSA
  • LogRhythm
  • QRadar
  • McAfee

Log Exporter is a multi-threaded daemon service, running on a log server. Each log that is written on the log server is read by the log exporter daemon, transformed into the desired format and mapping, and then sent to the end target.

View solution in original post

Reply
HeikoAnkenbrand
Champion
Champion
‎2019-10-11 06:17 AM
In response to HeikoAnkenbrand

Jump to solution

More read here:

R80.10 - Syslog Exporter

Reply
Amir_Rehman
Contributor
‎2019-10-11 06:25 AM
In response to HeikoAnkenbrand

Jump to solution

Thank you, however I tried log exporter but I could not get all the logs in FortiSIEM. All i see is firewall logs "deny and accepted connection".

With LEA, I see get more logs in FortSIEM .i.e Identity logging, Firewall accept/deny, policy installation and object modification, Ssh logins to management server, Ips logs etc. But Cannot see remote VPN logs.

Reply