Itzel_Gtz26
Participant

Logs sent to a SIEM

If I use a log exporter, what is the relationship between the logs that I see in my console and the logs that are sent to the configured SIEM?

That is, for each log that I see in my console, how many logs are sent to the SIEM?

Is the same amount always sent? or what does it depend on?

0 Kudos
5 Replies
BikeMan
Contributor

Hi,

I do not understand the question.

Log Exporter sends the received logs to the SIEM. You can filter the logs sent to the SIEM, but without a filter all logs received by the log server are sent to the SIEM.

0 Kudos
Itzel_Gtz26
Participant

Example:

If I search for a communication from SmartView, it shows me 2 logs. However, if I perform the same search in the SIEM, it gives me up to 6 logs. That is why I want to know whether there is a relationship, or why the SIEM receives many more logs than the ones I see in SmartView.

0 Kudos
the_rock
Legend

That definitely does not sound right to me. Is this for every filter you do or just something random?

Regards,

Andy

0 Kudos
Lloyd_Braun
Collaborator

Check Point has multi-part logs that update with more information as time goes by. These can result in multiple log messages at the SIEM for the same event.

There is a pretty good recent thread discussing it here: https://community.checkpoint.com/t5/Management/Aggregate-log-updates-before-export-Log-Exporter-opti...

You want to set your read-mode to semi-unified in your cp_log_export config or turn on "Aggregate log updates before export" if you are using a Log Exporter/SIEM object in the GUI.

I like this description from r81.10 log exporter docs: https://sc1.checkpoint.com/documents/R81.10/WebAdminGuides/EN/CP_R81.10_LoggingAndMonitoring_AdminGu...


field:loguid
Log Unification ID.
Some Check Point logs are updated over time.
Updated logs have the same Log UID value.
Check Point SmartLog client correlates those updates into a single unified log.

When the update logs are sent to 3rd party servers, they arrive as distinct logs.

Administrators can use the "loguid" field to correlate updated logs and get the full event chain.

Note - Log Exporter's new semi-unified mode correlates all previous logs into one, so the latest log always shows the complete data.

Examples of updated logs:

- The total amount of bytes sent and received over time.
- The severity field, which is updated over time as more information becomes available.

0 Kudos
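To see what correlating on loguid looks like in practice, here is an added example that is not from the thread or from Check Point's own tooling: it groups exported lines by their loguid and merges the updates in time order, so the three raw lines for one connection collapse into the single record SmartView would show. The key=value layout of the sample lines is a constructed simplification, not the real Log Exporter output format.

```python
import re
from collections import OrderedDict

# Constructed sample of five exported lines: connection {0x1} produced three
# update logs (open, 10-minute accounting update, close) and {0x2} produced
# two.  The fourth line arrives out of order, as syslog delivery can.
SAMPLE_LINES = [
    "time=1700000000 loguid={0x1} src=10.1.1.5 dst=203.0.113.9 action=Accept severity=Low",
    "time=1700000000 loguid={0x2} src=10.1.1.6 dst=203.0.113.9 action=Drop",
    "time=1700001200 loguid={0x1} bytes=98304 severity=High",
    "time=1700000600 loguid={0x1} bytes=4096",
    "time=1700000010 loguid={0x2} bytes=0",
]

# key=value pairs; a braced value such as {0x1} is captured whole.
KV_RE = re.compile(r"(\w+)=(\{[^}]*\}|\S+)")


def parse_line(line):
    """Split one simplified key=value export line into a dict."""
    return dict(KV_RE.findall(line))


def unify(lines):
    """Collapse update logs that share a loguid into one record per event.

    Records are applied in time order so the newest value of each field
    wins, which is what the semi-unified read mode reports in its final log.
    Returns (unified_events, raw_line_count_per_loguid).
    """
    records = sorted((parse_line(line) for line in lines),
                     key=lambda r: int(r.get("time", "0")))
    events, counts = OrderedDict(), {}
    for n, rec in enumerate(records):
        # A log without a loguid is never updated, so it stands alone.
        uid = rec.get("loguid", f"standalone-{n}")
        counts[uid] = counts.get(uid, 0) + 1
        events.setdefault(uid, {}).update(rec)
    return events, counts


if __name__ == "__main__":
    events, counts = unify(SAMPLE_LINES)
    print(f"{len(SAMPLE_LINES)} raw lines -> {len(events)} unified events")
    for uid, rec in events.items():
        print(uid, counts[uid], "raw logs ->", rec)
```

The per-loguid counts are the ratio the original question asks about; it varies per connection with the logging level and accounting settings rather than being a fixed number.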
PhoneBoy
Admin

You can expect to receive multiple logs for the same session if any one of the following is true:

  • Logging is Detailed or Extended
  • Accounting is enabled

In this case, you can generally expect to receive a log for:

  • The initial session is opened
  • A log entry every 10 minutes thereafter with updated data about bytes sent/received
  • A final log after the connection has been closed/expired
0 Kudos
