
Exporting R80.10 logs to Logstash ( ElasticSearch integration)

Question asked by Lukas Nagy on Aug 25, 2017
Latest reply on Aug 25, 2017 by Dameon Welch Abernathy

Hello,

we are trying to integrate logs from the Check Point Management server into Logstash. We are using the open-source tool fw1-loggrabber with support for the new OPSEC API (SHA-256). Exporting works; however, I couldn't find proper documentation of the fields that can be found in the logs. There is not really a true structure to the logs: many lines have different fields, and those fields are not documented.

Is there a document that shows every field that can be exported? I only found an old LEA document, but it is missing a lot of fields (http://dl3.checkpoint.com/paid/0f/LEA_Fields_2011.pdf?HashKey=1503666450_ebd2eeca265aaca0f531f781169c8948&xtn=.pdf).

Writing rules for matching in Logstash is very difficult without knowing what we can expect. We were following "Check Point Firewall Logs and Logstash (ELK) Integration" (/dev/random).

Thank you for any insight into how we can do this better.
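When no field reference exists, the practical move is to let the exported logs tell you which fields occur, and for which product, before writing any Logstash matching rules. The script below is an added example, not code from the post above or from fw1-loggrabber: it parses loggrabber-style records and builds a field inventory, split per `product`, so that product-specific fields (the ones a single generic pattern will miss) stand out. It assumes each record is one line of `key=value` pairs joined by `|`, which is the record separator I am assuming for fw1-loggrabber's output; the sample records, their values and the product mix are constructed for illustration and are not real logs.

```python
"""Inventory the fields that actually appear in fw1-loggrabber output.

Added example, not code from the original post or from fw1-loggrabber.
Assumptions: each record is one line of key=value pairs joined by '|'
(the record separator assumed for fw1-loggrabber output), and the sample
records below are constructed for illustration, not real logs.
"""
from collections import Counter
from typing import Dict, FrozenSet, Iterable, List, Tuple

RECORD_SEPARATOR = "|"

# Constructed sample output; field names follow LEA naming, but the values
# and the mix of products are invented for this example.
SAMPLE_OUTPUT = """\
loc=1|time=25Aug2017 14:03:11|action=accept|orig=192.0.2.10|i/f_dir=inbound|i/f_name=eth0|product=VPN-1 & FireWall-1|src=198.51.100.7|s_port=51234|dst=192.0.2.25|service=443|proto=tcp|rule=12
loc=2|time=25Aug2017 14:03:12|action=drop|orig=192.0.2.10|i/f_dir=inbound|i/f_name=eth1|product=VPN-1 & FireWall-1|src=203.0.113.9|dst=192.0.2.25|service=22|proto=tcp|rule=0|reason=Rulebase match
loc=3|time=25Aug2017 14:03:13|action=accept|orig=192.0.2.10|product=SmartDefense|attack=Port Scan|src=203.0.113.9|dst=192.0.2.25|severity=3
"""


def parse_record(line: str) -> Dict[str, str]:
    """Split one record into a field -> value dict.

    Only the first '=' in a token separates key from value, so free-text
    values containing '=' survive.  A value containing the separator itself
    cannot be recovered from this format; such a token shows up as a bogus
    key with an empty value, which field_coverage() then exposes.
    """
    fields: Dict[str, str] = {}
    for token in line.rstrip("\r\n").split(RECORD_SEPARATOR):
        if not token:
            continue
        key, has_eq, value = token.partition("=")
        fields[key.strip()] = value.strip() if has_eq else ""
    return fields


def parse_output(text: str) -> List[Dict[str, str]]:
    """Parse every non-empty line of loggrabber output."""
    return [parse_record(line) for line in text.splitlines() if line.strip()]


def field_coverage(records: Iterable[Dict[str, str]]) -> List[Tuple[str, int]]:
    """(field, number of records carrying it), most common first."""
    counts: Counter = Counter()
    for rec in records:
        counts.update(rec.keys())
    return counts.most_common()


def fields_by_product(records: Iterable[Dict[str, str]],
                      product_key: str = "product") -> Dict[str, FrozenSet[str]]:
    """Union of field names seen per product: the schema varies by product."""
    seen: Dict[str, set] = {}
    for rec in records:
        seen.setdefault(rec.get(product_key, "<none>"), set()).update(rec.keys())
    return {product: frozenset(names) for product, names in seen.items()}


def product_specific_fields(records: Iterable[Dict[str, str]]) -> Dict[str, FrozenSet[str]]:
    """Fields that occur for exactly one product; a single Logstash pattern
    written against one product's lines will silently miss these."""
    per_product = fields_by_product(records)
    products_with_field: Counter = Counter()
    for names in per_product.values():
        products_with_field.update(names)
    return {
        product: frozenset(n for n in names if products_with_field[n] == 1)
        for product, names in per_product.items()
    }


if __name__ == "__main__":
    recs = parse_output(SAMPLE_OUTPUT)
    print(f"{len(recs)} records")
    for name, count in field_coverage(recs):
        print(f"{count:3d}  {name}")
    for product, names in product_specific_fields(recs).items():
        print(f"only in {product}: {sorted(names)}")
```

The split this does is the same one Logstash's kv filter performs with `field_split => "|"`; running the inventory over a day of real exported output first tells you which fields to expect, and that the set is keyed on `product`, which is exactly what the old LEA field list leaves out.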
