AnsweredAssumed Answered

ArcSight Parser R80.10 & R80

Question asked by Maarten Lutterman on Nov 10, 2017
Latest reply on Mar 21, 2018 by Yonatan Philip

Like • Show 0 Likes0
Comment • 18

Hi,

I have a question regarding collecting logs from Check Point to ArcSight (SIEM) for version R80 and R80.10.

The LEA connection doesn't work very well anymore, also the workaround to degrade the certificate to SHA1 and than configure the connection doesn't always work because the CRL is signed with SHA2.

We now use CPlogtoSyslog for R80 and R80.10. unfortunately there is no parser to correct interpret the log files. So we wrote a custom parser for R80 but in R80.10 the log format is completely changed again.

I can't imagine that there is no one else with this problem. Does anyone have a parser or a other smart solution to tackle this problem?

Please let me know!

Best Regards,

Maarten Lutterman

3 people also have this question

Outcomes

18 Replies

Vladimir Yakovlev Nov 10, 2017 9:44 AM
Mark Correct
Correct Answer
I think that Check Point should designate some internal resources to creation of parsers for dominant SIEM systems.
Same situation is encountered with Alert Logic. They are parsing Windows and Cisco logs using pre-built parsers but CPlog to Syslog output is, for the moment, a raw text.

Since there was a mention of native Syslog support coming back in later releases, (it was only briefly supported in R77.30), that pretty much means that the format will change again.

This situation is causing some frustration with clients that are increasingly required to utilize SIEM services.
Like • Show 0 Likes0
Actions
Bob Bent Nov 10, 2017 10:57 AM
Mark Correct
Correct Answer
ArcSight also has a syslog connector (see ArcSight Connectors Check Point syslog Integration Guide). Might be worth trying. It isn't clear to me from the integration guide that they support receiving syslog from the management server via the CPLogToSyslog hotfix (sk115392), but imagine it is supported. They do mention the other option of receiving syslog from the gateways (sk87560) which currently isn't an option in R80.10.
Like • Show 0 Likes0
Actions
- Maarten Lutterman @ Bob Bent on Nov 13, 2017 2:04 AM
  Mark Correct
  Correct Answer
  Hi Bob,
  
  The integration guide you mentioned is for the syslog support Vladimir Yakovlev mentioned. This is not supported anymore in R80 and R80.10. The syslog format from CPLogToSyslog is different from the briefly supported one in R77.30. That's the problem because the format from R80 and R80.10 even differ.
  Thx anyway for the suggestion!
  Like • Show 0 Likes0
  Actions
Dan Zada Nov 13, 2017 12:54 AM
Mark Correct
Correct Answer
Hello,
Can you please describe what the current issue you have with LEA?
What kind of parsers are you looking for in CPLogToSyslog?

Thanks!
Dan.
Like • Show 0 Likes0
Actions
- Maarten Lutterman @ Dan Zada on Nov 13, 2017 2:11 AM
  Mark Correct
  Correct Answer
  Hi Dan,
  
  The issue we have is that the CRL certificate that is used by the Check Point is signed with SHA256. We followed the procedure to set the signing hash to SHA1 with cpca_client set_sign_hash sha1 before we create the opsec object and afterwords change it back to SHA256 but the CRL is still signed with a SHA256 algorithm and the Connector software from ArcSight breaks on that.
  We tried several things in order to get it working without succes.
  
  We use ArcSight as our SIEM platform and we are looking for a FlexConnector (parser) to convert the CPLogToSyslog format to CEF format (Commen Event Format) so the logging is correctly interpret by the ArcSight ESM.
  
  Thanks!
  Maarten.
  Like • Show 0 Likes0
  Actions
  - Oren Koren @ Maarten Lutterman on Nov 13, 2017 8:17 AM
    Mark Correct
    Correct Answer
    Hey Maarten,
    Arcsight published the new smart connector for checkpoint syslog few weeks ago.
    SmartConnector for Check Point Syslog - Micro Focus SW Community
    
    for this update, we worked together with them to map all the fields of Threat Prevention into Arcsight mapping (based on CEF ofcorse).
    
    is that what you are looking for?
    Thanks,
    Oren
    Like • Show 0 Likes0
    Actions
    - Maarten Lutterman @ Oren Koren on Nov 13, 2017 10:07 AM
      Mark Correct
      Correct Answer
      HI Oren,
      
      That is the one mentioned earlier, this is for the R77.30 add-on syslog. In R80 you have to use CPLogToSyslog in order to sent it as syslog, there is no option to create a syslog object under Servers and OPSEC Applications in R80 or R80.10. The Syslog format from CPLogToSyslog is different so this connector update is not working correctly. We already tried it.
      
      Thx
      Maarten.
      Like • Show 0 Likes0
      Actions
  - Bob Bent @ Maarten Lutterman on Nov 16, 2017 10:39 AM
    Mark Correct
    Correct Answer
    Internally someone has reported success using LEA via sk109618 with ArcSite and R80. May be missing something, but wouldn't give up on this route instead of using the sylog options. After you've set the CA to sha1 via "cpca_client set_sign_hash sha1" and deleted and recreated the OPSEC app expect you will see the cert is SHA1.
    hth,
    bob
    Like • Show 0 Likes0
    Actions
    - Maarten Lutterman @ Bob Bent on Jan 31, 2018 11:39 PM
      Mark Correct
      Correct Answer
      True I know that fix but the CRL is still signed with Sha256 so we still got an error. We are now running a EA of LogExporter that sends logs on syslog CEF format so you don't need a parser anymore. will keep you guys updated.
      Like • Show 0 Likes0
      Actions
Prabulingam N Nov 21, 2017 10:17 PM
Mark Correct
Correct Answer
Dear All,

I am facing this issue with Checkpoint Mgmt server R80.10 sending Logs to ArcSight SIEM.
I have installed Hotfix for R80.10 Check_Point_CPLogToSyslog_R80.10_GA_jhf_T42_FULL.tgz in the Management server.
Now I could see the Raw firewall logs in ArcSight, but not the Event kind of format.

I could neither see any more config changes specifically for getting Common Event format (as we used to get in Older R77.30 with Syslog Object) nor mentioned anywhere that CPLogToSyslog will support Event format visibility in ArcSight.

Is there any suggestions please let us know.

Regards, N.Prabulingam
Like • Show 0 Likes0
Actions
- Maarten Lutterman @ Prabulingam N on Nov 22, 2017 12:08 AM
  Mark Correct
  Correct Answer
  Prabulingam N I'm currently in discussion with R&D from Check Point we are working on a solution. Will keep you guys posted!
  Like • Show 0 Likes0
  Actions
  - Prabulingam N @ Maarten Lutterman on Nov 22, 2017 2:14 AM
    Mark Correct
    Correct Answer
    Great Maarten. Thanks for quick response, will await further from your end..
    
    Regards, N.Prabulingam
    Like • Show 0 Likes0
    Actions
  - Ricardo Andres Munoz @ Maarten Lutterman on Nov 24, 2017 10:28 AM
    Mark Correct
    Correct Answer
    Hello,
    Please could you advice if you have any advance in this?
    
    Regards,
    Andrés Muñoz
    Like • Show 0 Likes0
    Actions
Prabulingam N Jan 4, 2018 8:41 PM
Mark Correct
Correct Answer
Dear All,

My issue solved.

Now I could get CPToSyslog HF used in R80.10 Mgmt server to send logs towards ArcSight connector and they upgraded their Connector with Parser so that CEF format logs were received. instead of Raw Logs.

Regards, Prabulingam.N
Like • Show 0 Likes0
Actions
- Maarten Lutterman @ Prabulingam N on Jan 8, 2018 5:30 AM
  Mark Correct
  Correct Answer
  Hi Prabulingam N
  But the mapping isn't correct right? next week Check Point is coming over to install an EA hotfix in order to export the CP logging in CEF format with the correct mappings.
  How does your setup look like? which version of connector software do you use(windows/linux)?
  
  Regards,
  
  Maarten
  Like • Show 0 Likes0
  Actions
  - Prabulingam N @ Maarten Lutterman on Jan 8, 2018 7:42 AM
    Mark Correct
    Correct Answer
    Dear Maarten,
    
    My customer setup was ArcSight connector in Windows. They said that by upgrading latest ArcSight SmartConnector Firmware, they could use parser to convert the Raw logs into CEF.
    
    So from CheckPoint side - I had installed CPLogToSyslog HF and followed the "local.cplogtosyslog_policy.C" file to enter ArcSight's IP address. Thats it.
    
    FYI - I could see that from Checkpoint side as well we can create Parser- sk55020 - I never tried this.
    
    Regards, Prabulingam.N
    Like • Show 0 Likes0
    Actions
    - Maarten Lutterman @ Prabulingam N on Jan 31, 2018 11:41 PM
      Mark Correct
      Correct Answer
      we have running the LogExporter and the logging is send in Syslog CEF format. you can adjust your mapping file in Arcsight and it works great! 10x times easier than LEA or CPlogToSyslog.
      
      Don't know when it will be GA but don't think is going to take very long any more
      Like • Show 0 Likes0
      Actions
Yonatan Philip Mar 21, 2018 10:39 AM
Mark Correct
Correct Answer
Hello,

I just wanted to update this post and say that the tool is now GA and you can find all relevant details in Logs Exporter - Check Point Logs Export.

Regards,
Yonatan
1 person found this helpful
Like • Show 1 Like1
Actions

ArcSight Parser R80.10 & R80

Outcomes

Related Content

Recommended Content