Hi,
I have a question regarding collecting logs from Check Point to ArcSight (SIEM) for version R80 and R80.10.
The LEA connection doesn't work very well anymore, and the workaround of degrading the certificate to SHA1 and then configuring the connection doesn't always work because the CRL is signed with SHA2.
We now use CPlogtoSyslog for R80 and R80.10. Unfortunately there is no parser to correctly interpret the log files. So we wrote a custom parser for R80, but in R80.10 the log format has completely changed again.
I can't imagine that there is no one else with this problem. Does anyone have a parser or another smart solution to tackle this problem?
Please let me know!
Best Regards,
Maarten Lutterman
I think that Check Point should designate some internal resources to the creation of parsers for dominant SIEM systems.
Same situation is encountered with Alert Logic. They are parsing Windows and Cisco logs using pre-built parsers but CPlog to Syslog output is, for the moment, a raw text.
Since there was a mention of native Syslog support coming back in later releases (it was only briefly supported in R77.30), that pretty much means that the format will change again.
This situation is causing some frustration with clients that are increasingly required to utilize SIEM services.