Configure Check Point Log Exporter
This topic explains how to use the LogRhythm System Monitor Agent (Windows or Linux) to collect log data from Check Point firewalls, log servers, and firewall audit logs through the Check Point Log Exporter syslog interface. The Log Exporter syslog interface is simpler, more robust, and faster (20,000-40,000 messages per second versus 4,000-7,000) than the OPSEC Log Export API (LEA) based collection method. This syslog-based interface can be used with R77.30, R80.10, R80.20, R80.30, and R80.40; see the Device Details table for the full list of supported versions.
LogRhythm deprecated Check Point collection via OPSEC LEA in favor of the newer Check Point Log Exporter. Support for OPSEC LEA was removed in LogRhythm System Monitor Collector version 7.7.0.8004; an Agent at that version or later that is still configured for OPSEC LEA collection writes an error to the scsm.log file. Customers who need to keep using OPSEC LEA should not upgrade Agents past the System Monitor 7.7.0.8002 release.
Users can install the Check Point Log Exporter on their Check Point gear and configure it to send logs to the LogRhythm System Monitor Agent’s syslog server in the LogRhythm format (see below for installation and configuration details). On the LogRhythm side, the Check Point logs appear as a new syslog source and are assigned to the log source type Syslog – Check Point Log Exporter. For more information on the Check Point Log Exporter, see Check Point Solution ID sk122323.
Device Details
Field | Value |
Vendor | Check Point |
Device Type | NG-Firewall |
Supported Model Name/Number | R77.30, R80.10, R80.20, R80.30, R80.40, R81, R81.10 |
Supported Software Version(s) | R77.30, R80.10, R80.20, R80.30, R80.40, R81, R81.10 |
Collection Method | Syslog (supports Secure Syslog) |
Configurable Log Output? | Yes |
Log Source Type | Syslog – Check Point Log Exporter |
Log Processing Policy | LogRhythm Default |
Exceptions | The Log Exporter is supported on Check Point versions R77.30, R80.10, R80.20, R80.30, and R80.40. LogRhythm deprecated Check Point collection via OPSEC LEA in favor of the newer Check Point Log Exporter. Support for OPSEC LEA was removed in LogRhythm System Monitor Collector version 7.7.0.8004; an Agent at that version or later that still uses OPSEC LEA writes an error to the scsm.log file. Customers who need to keep using OPSEC LEA should not upgrade Agents past the System Monitor 7.7.0.8002 release. |
Additional Information | None. |
Prerequisites
- LogRhythm Enterprise 7.5.x or higher.
- LogRhythm Knowledge Base 7.1.634.0 or higher.
- Check Point R80.30: To get the LogRhythm format on systems that already have Jumbo Hotfix Accumulator for R80.30 Take_111 installed, also install the hotfix file Check_Point_R80.30_JHF_T111_Log_Exporter_Enhancements_T4_sk122323_FULL.tgz. The hotfix file can be downloaded from the Installation section of Check Point Solution ID sk122323. R80.30 Jumbo Hotfix takes above Take_111 can be downloaded from Check Point Solution ID sk153152.
- Check Point R80.20: To get the LogRhythm format on systems that already have Jumbo Hotfix Accumulator for R80.20 Take_118 installed, also install the hotfix file Check_Point_R80.20_JHF_T118_Log_Exporter_Enhancements_T5_sk122323_FULL.tgz. The hotfix file can be downloaded from the Installation section of Check Point Solution ID sk122323.
- Check Point R80.10: Install the Check Point Log Exporter package (T51) on an R80.10 Multi-Domain Server, Multi-Domain Log Server, Security Management Server, Log Server, or SmartEvent Server. Log Exporter can be installed on top of R80.10 Jumbo Hotfix Take 272 and above. This hotfix must be installed after the Jumbo; to move to a higher Jumbo take, uninstall the hotfix first and reinstall it after the newer Jumbo is in place.
- Check Point R77.30: Install the Check Point Log Exporter package (T36) on an R77.30 Multi-Domain Server, Multi-Domain Log Server, Security Management Server, Log Server, or SmartEvent Server. Log Exporter can be installed on top of R77.30 Jumbo Hotfix Take 292 and above. This hotfix must be installed after the Jumbo; to move to a higher Jumbo take, uninstall the hotfix first and reinstall it after the newer Jumbo is in place.
- Check Point Upgrade Service Engine (CPUSE) version 1848 or higher. Download it from Check Point Solution ID sk92449.
If you experience log parsing issues, LogRhythm recommends applying the following patches for Check Point versions R80.30 and R80.20:
- R80.30 Jumbo Hotfix Accumulator for R80.30 Take_237 (posted 11 July 2021)
- R80.20 Jumbo Hotfix Accumulator for R80.20 Take_202 (posted 07 July 2021)
LogRhythm supports these takes for R80.30 and R80.20. For details on the resolved issues, see the following Check Point issue IDs:
- PRJ-24892, PRJ-24893
- PRJ-6639, SL-2819
Configure Check Point Log Exporter Targets
Information associated with third party products is subject to change. If you experience issues when attempting to configure the device as outlined below, please contact LogRhythm Support.
Run all commands in Expert mode: at the Gaia CLI, enter expert, then enter the Expert password.
To add a new target, run the following command on the log server:
cp_log_export add name <name> [domain-server <domain-server>] target-server <target-server> target-port <target-port> protocol <(udp|tcp)> format <(syslog)|(cef)|(logrhythm)> [optional arguments]
Example
cp_log_export add name <LocalConfigurationName> target-server <AgentIP> target-port 514 protocol <udp|tcp> format logrhythm read-mode semi-unified
On a Check Point MDS/MLM deployment:
- The domain-server argument is mandatory. Use mds as the value for domain-server to export MDS-level audit logs.
- You can use either the CMA/CLM name or its IP address.
This creates a new target directory, named after the name parameter, under $EXPORTERDIR/targets/<name> and records the connection details in the target configuration: IP address, port, protocol, format, and read-mode.
A target created this way exports the logs in clear text, whether over UDP or TCP. To protect the log stream in transit, use protocol tcp and complete the TLS configuration described in the (Optional) Configure TLS for Secure Syslog section below.
To modify an existing target, run the following command on the log server:
cp_log_export set name <name> format logrhythm read-mode <raw | semi-unified>
Example
cp_log_export set name my_exporter format logrhythm read-mode semi-unified
The recommended read-mode for LogRhythm format is semi-unified, which ensures you get complete data.
To start the new log exporter, run the following command:
cp_log_export restart
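The following is an added example for this guide, not LogRhythm or Check Point code. It assembles the cp_log_export add command from its parts and checks it against the rules stated in this section (domain-server is mandatory on an MDS/MLM deployment, format logrhythm, read-mode semi-unified recommended) before anything is typed into Expert mode, and it reports the clear-text caveat as a warning. The restriction on the target name is an assumption drawn from the fact that the name becomes a directory under $EXPORTERDIR/targets; the IP addresses and names in the demo are constructed.

```python
"""Build and sanity-check a cp_log_export add command before running it in Expert mode.

Added example for this guide (not LogRhythm or Check Point code). It only builds and
prints the command; nothing here executes cp_log_export.
"""
import ipaddress
import re

# Assumption: the target name becomes a directory under $EXPORTERDIR/targets/<name>,
# so restrict it to characters that cannot be read as a path component or shell syntax.
_SAFE_NAME = re.compile(r"^[A-Za-z0-9][A-Za-z0-9_-]{0,63}$")
_HOSTNAME = re.compile(r"^[A-Za-z0-9]([A-Za-z0-9.-]*[A-Za-z0-9])?$")


def build_add_command(name, target_server, target_port=514, protocol="tcp",
                      read_mode="semi-unified", domain_server=None, on_mds=False):
    """Return (command, warnings) for a LogRhythm-format Log Exporter target.

    Raises ValueError for combinations the guide says are invalid.
    """
    if not _SAFE_NAME.match(name):
        raise ValueError("target name must be alphanumeric with - or _ only")
    if protocol not in ("udp", "tcp"):
        raise ValueError("protocol must be udp or tcp")
    if not 1 <= int(target_port) <= 65535:
        raise ValueError("target-port out of range")
    if read_mode not in ("raw", "semi-unified"):
        raise ValueError("read-mode must be raw or semi-unified")
    if on_mds and not domain_server:
        raise ValueError("domain-server is mandatory on an MDS/MLM deployment")
    # The Agent may be given as an IP address or a hostname.
    try:
        ipaddress.ip_address(target_server)
    except ValueError:
        if not _HOSTNAME.match(target_server):
            raise ValueError("target-server must be an IP address or hostname") from None

    parts = ["cp_log_export", "add", "name", name]
    if domain_server:
        parts += ["domain-server", domain_server]
    parts += ["target-server", target_server, "target-port", str(target_port),
              "protocol", protocol, "format", "logrhythm", "read-mode", read_mode]

    warnings = []
    if read_mode != "semi-unified":
        warnings.append("read-mode raw may omit data; semi-unified is recommended for the LogRhythm format")
    # A freshly added target sends in clear text until the TLS configuration from sk122323 is applied.
    warnings.append("logs are sent in clear text until TLS is configured on the target")
    if protocol == "udp":
        warnings.append("udp cannot carry TLS and gives no delivery guarantee; use tcp for secure syslog")
    return " ".join(parts), warnings


if __name__ == "__main__":
    # Constructed demo values: a log server target and an MDS-level audit target.
    for kwargs in ({"name": "lr_agent", "target_server": "10.0.0.5"},
                   {"name": "mds_audit", "target_server": "10.0.0.5",
                    "domain_server": "mds", "on_mds": True}):
        cmd, warns = build_add_command(**kwargs)
        print(cmd)
        for w in warns:
            print("  warning:", w)
```

Review the printed warnings before pasting the command: a target that passes every check here still exports in clear text until the TLS steps below are completed.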
Configure the LogRhythm Log Source
After the Check Point Log Exporter is sending syslog to the System Monitor Agent, configure the syslog log source for that Agent according to the instructions on the overview page of this guide. Only Global Admins or Restricted Admins with elevated View and Manage privileges can take this action. Use the Client Console to accept the pending syslog source.
When configuring the log source:
- Resolve the log source host. This should be the Check Point server that runs the Log Exporter (the log server or management server that sends the syslog).
- The log source type is Syslog – Check Point Log Exporter.
- For Log Message Processing Mode, select MPE Processing Enabled, Event Forwarding Enabled.
- For Log Message Processing Engine (MPE) Policy, select LogRhythm Default.
(Optional) Configure TLS for Secure Syslog
To send the logs over an encrypted connection from the Check Point side, see the TLS Configuration section in Check Point Solution ID sk122323. TLS requires a TCP target; a UDP target cannot be encrypted.
On the LogRhythm side:
- Import the LogRhythm Agent's server certificate, together with its private key, into the computer certificate store on the machine where the Agent is installed; on Windows this is Certificates (Local Computer), Personal, Certificates. The Subject of every certificate involved (client, server, and CA) must be unique. If the subjects are not unique, the certificate chain fails to validate in Windows and a "Call to SSPI failed" error appears in scsm.log.
- In the Client Console, click Deployment Manager on the main toolbar.
- Click the System Monitors tab.
- Double-click the System Monitor that will collect the syslog.
- Click the Syslog and Flow Settings tab, and select Enable Syslog Server.
- At the bottom, click Advanced, then set the following parameters:
  - Select the check box of the UseSecureSyslogServerCert parameter.
  - Change the value of the SecureSyslogServerCertSubject parameter to the subject of the certificate you imported. This value is case sensitive.
  - Change the value of the SecureSyslogServerCertLocation parameter to LocalMachine.
  - Change the value of the SecureSyslogServerCertStore parameter to MY.
  - Enter the SecureSyslogPort. The default is 6514.
  - Select the check box of the RequireSecureSyslogClientCert parameter. This enforces mutual TLS: the Log Exporter target must present a client certificate that the Agent machine trusts, configured as described in the TLS Configuration section of sk122323.
  - Click OK.
- Click OK again to return to the System Monitors tab.
- Restart the Agent Service.
(Optional) Filter Configuration
For more information on filter configuration, see Check Point Solution ID sk122323.
The filter configuration file is located under each target folder: $EXPORTERDIR/targets/<target-name>/conf/FilterConfiguration.xml
The table below lists the filter configuration file parameters with their possible values and a brief description.
Parameter | Possible Values | Description |
<filterGroup operator=""></filterGroup> | operator: and / or | A group of fields that determines what to export. The relation between the fields is determined by the operator value. For the supported fields, see the Parsed Metadata Fields table in this device configuration guide. The full list from the Check Point side is in the fields mapping file: $EXPORTERDIR/targets/<target-name>/conf/LogRhythmFieldsMapping.xml. Check Point stops exporting logs to LogRhythm if your filter configuration uses Check Point's default mapping as referenced in the Log Fields Mapping for Advanced Fields Configuration section in Check Point Solution ID sk122323. See also Check Point Solution ID sk144. |
<field name="" operator=""><value operation=""></value></field> | operator: and / or; operation: eq (equal), neq (not equal), gt (greater than), lt (less than) | Declares a single field filter that participates in the filter group. |
Declare filtering either from cp_log_export command or by manually editing the filter configuration file:
$EXPORTERDIR/targets/<target-name>/conf/FilterConfiguration.xml
The cp_log_export filtering flags include only the action, blade, and origin fields. To filter on other supported fields, you must manually edit the filter configuration file.
Example syntax for cp_log_export filtering flags:
cp_log_export set name <name> filter-action-in "value1,value2"
cp_log_export set name <name> filter-origin-in "value1,value2"
cp_log_export set name <name> filter-blade-in "value2"
Example of a filter on raw field names, matching severity High or Critical (raw severity values 3 and 4) and blade/product IPS (raw product name SmartDefense) or Threat Emulation. The empty action and origin fields have no values and do not restrict the export:
<filters>
  <filterGroup operator="and">
    <field name="action" operator="and">
    </field>
    <field name="origin" operator="and">
    </field>
    <field name="Product" operator="or">
      <value operation="eq">SmartDefense</value>
      <value operation="eq">Threat Emulation</value>
    </field>
    <field name="severity" operator="or">
      <value operation="eq">3</value>
      <value operation="eq">4</value>
    </field>
  </filterGroup>
</filters>
Example of the same filter on mapped field names for the CEF format, where severity is mapped to cp_severity:
<filters>
  <filterGroup operator="and">
    <field name="action" operator="and">
    </field>
    <field name="origin" operator="and">
    </field>
    <field name="Product" operator="or">
      <value operation="eq">SmartDefense</value>
      <value operation="eq">Threat Emulation</value>
    </field>
    <field name="cp_severity" operator="or">
      <value operation="eq">3</value>
      <value operation="eq">4</value>
    </field>
  </filterGroup>
</filters>
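The following is an added example for this guide, not Check Point's code. It re-implements the filter semantics described in the table above (filterGroup and field operators and/or, value operations eq/neq/gt/lt) so that a FilterConfiguration.xml can be generated and tried against sample records before it is deployed, and it checks the field names against a mapping list because, as noted above, a filter that references unmapped fields stops the export. The semantics marked as assumptions in the comments (an empty field element imposes no constraint, numeric comparison when both sides are numbers, multiple filterGroup elements combined with and) are this example's reading of the page, and KNOWN_FIELDS and the sample records are constructed rather than taken from a real mapping file or real logs.

```python
"""Generate and locally evaluate Log Exporter FilterConfiguration.xml filters.

Added example for this guide, not Check Point code. The matching logic mirrors the
operator/operation semantics the guide describes; assumptions are marked inline.
"""
import operator
import xml.etree.ElementTree as ET

_OPS = {"eq": operator.eq, "neq": operator.ne, "gt": operator.gt, "lt": operator.lt}

# Constructed subset of names a target's LogRhythmFieldsMapping.xml might list.
KNOWN_FIELDS = {"action", "origin", "Product", "severity", "src", "dst", "service"}

# Constructed sample records using raw field names (severity 3 = High, 4 = Critical).
SAMPLE_RECORDS = [
    {"Product": "SmartDefense", "severity": "4", "action": "Prevent", "origin": "gw-edge-1"},
    {"Product": "Threat Emulation", "severity": "2", "action": "Detect", "origin": "gw-edge-1"},
    {"Product": "VPN-1 & FireWall-1", "severity": "4", "action": "Drop", "origin": "gw-edge-2"},
    {"Product": "Threat Emulation", "severity": "3", "action": "Prevent", "origin": "gw-dmz-1"},
]


def build_filter_xml(fields, group_operator="and"):
    """Build <filters> XML from {field_name: (field_operator, [(operation, value), ...])}."""
    root = ET.Element("filters")
    group = ET.SubElement(root, "filterGroup", operator=group_operator)
    for name, (field_op, values) in fields.items():
        field = ET.SubElement(group, "field", name=name, operator=field_op)
        for operation, value in values:
            if operation not in _OPS:
                raise ValueError(f"unsupported operation {operation!r}")
            ET.SubElement(field, "value", operation=operation).text = str(value)
    return ET.tostring(root, encoding="unicode")


def unknown_fields(xml_text, known=KNOWN_FIELDS):
    """Field names used by the filter but absent from the mapping (the export would stop)."""
    root = ET.fromstring(xml_text)
    return sorted({f.get("name") for f in root.iter("field")} - set(known))


def _compare(record_value, value_el):
    op = _OPS[value_el.get("operation")]
    wanted = (value_el.text or "").strip()
    # Assumption: compare numerically when both sides parse as numbers, otherwise as strings.
    try:
        return op(float(record_value), float(wanted))
    except ValueError:
        return op(str(record_value), wanted)


def _field_matches(record, field_el):
    values = field_el.findall("value")
    if not values:
        return True  # Assumption: an empty <field> (like the action/origin placeholders) imposes no constraint.
    name = field_el.get("name")
    if name not in record:
        return False
    combine = all if field_el.get("operator", "and") == "and" else any
    return combine(_compare(record[name], v) for v in values)


def record_matches(record, xml_text):
    """True if the record passes every filterGroup (assumption: groups are combined with and)."""
    root = ET.fromstring(xml_text)
    if root.tag != "filters":
        raise ValueError("root element must be <filters>")
    for group in root.findall("filterGroup"):
        combine = all if group.get("operator", "and") == "and" else any
        if not combine(_field_matches(record, f) for f in group.findall("field")):
            return False
    return True


def apply_filter(records, xml_text):
    """Return the records the filter would let through to the target."""
    return [r for r in records if record_matches(r, xml_text)]


# The guide's first example: (Product is SmartDefense or Threat Emulation) and (severity is 3 or 4).
EXAMPLE_FILTER = build_filter_xml({
    "Product": ("or", [("eq", "SmartDefense"), ("eq", "Threat Emulation")]),
    "severity": ("or", [("eq", 3), ("eq", 4)]),
})

if __name__ == "__main__":
    print(EXAMPLE_FILTER)
    print("unmapped fields:", unknown_fields(EXAMPLE_FILTER))
    for record in apply_filter(SAMPLE_RECORDS, EXAMPLE_FILTER):
        print("exported:", record)
```

Run unknown_fields against the real field list from $EXPORTERDIR/targets/<target-name>/conf/LogRhythmFieldsMapping.xml before copying a generated filter into the target's conf directory; a filter that matches nothing locally is a cheaper failure than a target that silently stops exporting.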