Mark_Papworth
Participant

Syslog exports to Splunk SIEM changed from R81.10 to R81.20

I have configured log exporter to send logs in syslog format to a Splunk SIEM on an R81.10 SMS, which manages 9 security gateways. The Splunk SIEM could detect the hostname of the security gateway which originated the logs in its host field and registered the 9 log sources.

After upgrading to R81.20, the Splunk SIEM sees all logs as originating from the SMS hostname, and can see only one log source. Its host field has the hostname of the SMS and not the hostname of the originating security gateway. The log message includes the SICname of the originating GW, but they would need to re-parse in order to extract it.

Has something changed in the format of log exporter for syslog in R81.20? Or is there a configurable parameter where I can specify that the logs be identified as originating from the security gateway and not the SMS?

0 Kudos
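As an added illustration of the re-parsing the question mentions (this is example code, not from the thread or from Check Point), the snippet below pulls the originating gateway out of the key/value body of a Log Exporter syslog line and uses it in place of the SMS hostname carried in the syslog header. The sample line is constructed, and the field names `origin` and `originsicname` are assumptions about the exported format.

```python
import re

# Constructed sample of an RFC 5424 syslog line as a Log Exporter might emit it.
# Header hostname is the SMS; the body carries the originating gateway's SIC name.
# Field names "origin" and "originsicname" are assumptions, not taken from the thread.
SAMPLE = ('<134>1 2024-01-15T10:00:00Z sms-host CheckPoint 1234 - '
          '[action:"Accept"; origin:"192.0.2.10"; '
          'originsicname:"CN=gw-branch-01,O=sms-host.example.com.abc123"; '
          'src:"10.1.2.3"; dst:"10.9.8.7"; service:"443"]')

# key:"value" pairs; values may contain backslash-escaped characters
FIELD_RE = re.compile(r'(\w+):"((?:[^"\\]|\\.)*)"')


def parse_fields(line):
    """Return the [key:"value"; ...] body of a line as a dict (empty if no body)."""
    start, end = line.find('['), line.rfind(']')
    if start == -1 or end == -1 or end < start:
        return {}
    return dict(FIELD_RE.findall(line[start + 1:end]))


def syslog_host(line):
    """HOSTNAME from the RFC 5424 header: PRI+VERSION TIMESTAMP HOSTNAME APP-NAME ..."""
    parts = line.split(' ', 4)
    return parts[2] if len(parts) >= 4 else None


def gateway_from_sicname(sicname):
    """Extract the CN (the gateway object name) from a SIC name such as CN=gw1,O=sms..."""
    m = re.match(r'CN=([^,]+)', sicname)
    return m.group(1) if m else None


def effective_host(line):
    """Prefer the originating gateway from the body; fall back to the header hostname."""
    fields = parse_fields(line)
    gw = gateway_from_sicname(fields.get('originsicname', ''))
    if gw:
        return gw
    if fields.get('origin'):
        return fields['origin']
    return syslog_host(line)


def rewrite_host(line):
    """Return the line with the header HOSTNAME replaced by the originating gateway."""
    parts = line.split(' ', 4)
    host = effective_host(line)
    if len(parts) < 4 or not host:
        return line
    parts[2] = host
    return ' '.join(parts)
```

Run `rewrite_host` on each line before it reaches the indexer and the SIEM's host field will again show nine sources instead of one.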
1 Solution

Accepted Solutions
Mark_Papworth
Participant

The issue seems to have been solved. We simply changed the cp_log_export format from syslog to splunk!

I presume in R81.20 Checkpoint has improved the compatibility with the splunk format, as this didn't work under R81.10.

At the SIEM end they were using a collector called SC4S which received Checkpoint logs in syslog format and converted them to Splunk.

Now they are able to parse the logs sent in Splunk format without issue, although they are still going through SC4S.


6 Replies
the_rock
Legend

Funny you mentioned this, cause last week, customer and I were on with TAC troubleshooting something totally unrelated and client mentioned log exporter and they wanted to upgrade mgmt to R81.20 and TAC guy brought this issue up, but I wish I inquired further. Not sure if he only meant this happens if you upgrade mgmt ONLY or gateway as well...sorry mate, I should have asked, but did not.

Now, he did say possible workaround is to simply issue cp_log_export restart command

Not sure how long that would work for though.

Andy

0 Kudos
Mark_Papworth
Participant

Thanks for your prompt reply Andy.

We upgraded mgmt and all gateways to R81.20 and applied the latest JHF also. I believe we tried restarting log export and it didn't help. Maybe I should reach out to TAC and see if it's a known issue.

0 Kudos
PhoneBoy
Admin

I recommend doing so (especially since an upgrade "broke" it): https://help.checkpoint.com

0 Kudos
the_rock
Legend

I only found below related to log exporter, but not something you would be concerned about. As @PhoneBoy said, open TAC case and they can verify. 

Andy


the_rock
Legend

I think that might be by default, but you can confirm for sure with TAC.
