Syslog - Check Point Log Exporter


LogRhythm deprecated Check Point collection via OPSEC LEA in favor of the newer Check Point Log Exporter. Support for OPSEC LEA was removed starting with LogRhythm System Monitor Collector version 7.7.0.8004; using this collection method with that version or later results in an error in the scsm.log file. Customers who need to use OPSEC LEA for collection should not upgrade agents past the System Monitor 7.7.0.8002 release. For information on how to configure Check Point Log Exporter, see Configure Check Point Log Exporter.

Check Point Log Exporter is an easy and secure method for exporting Check Point logs over syslog. Exporting can be done in a few standard protocols and formats.

Log Exporter supports:

  • SIEM applications: rsyslog, syslog-ng and any other SIEM application that can run a syslog agent.

  • Protocols: Syslog over TCP or UDP.

  • Formats: Syslog, CEF, LEEF, Generic.

  • Security: Mutual authentication TLS 1.2.

  • Log Types: The ability to export security logs, audit logs, or both. Audit logs exist on every log server.

  • Filter out (don't export) firewall connection logs.

  • Filtering: Choose what to export based on field values.

    The filtering feature was added in the following Check Point versions:
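To show how a Log Exporter message in one of the formats listed above (CEF) is taken apart and mapped onto the schema field names used in the tables on this page (sip, sport, dip, dport, action, login and so on), here is example code written for this page; it is not LogRhythm's or Check Point's parser. The sample syslog line, the RFC 3164 framing, the CEF extension keys and the CEF-key-to-schema-field mapping are all constructed assumptions. The parser goes beyond the single sample by honouring CEF backslash escapes (an escaped pipe in the header, an escaped "=" inside an extension value), which is exactly where ad hoc split()-based parsing tends to produce the kind of parsing issues mentioned later on this page.

```python
"""Parse a CEF-format syslog line (as Check Point Log Exporter can emit) and map
its fields onto LogRhythm-style schema field names.

Example code added for this page; not LogRhythm's or Check Point's parser.
The sample line, the syslog framing and the CEF-key-to-schema mapping below
are constructed assumptions, not values taken from either vendor.
"""
import re

# Constructed sample: RFC 3164-style prefix followed by a CEF payload.
# Note the escaped "=" inside the msg value, which a naive split() would break on.
SAMPLE_LINE = (
    "<134>Jan 12 10:15:32 cp-mgmt "
    "CEF:0|Check Point|VPN-1 & FireWall-1|R80.30|Log|Drop|0|"
    "act=Drop src=10.0.0.5 spt=51234 dst=203.0.113.7 dpt=443 proto=tcp "
    "suser=jdoe cs1Label=Rule cs1=Block_Outbound msg=Blocked\\=by\\=policy"
)

# Assumed mapping from CEF extension keys to the schema field names on this page.
CEF_TO_SCHEMA = {
    "act": "action", "src": "sip", "spt": "sport", "dst": "dip", "dpt": "dport",
    "proto": "protname", "suser": "login", "shost": "sname", "dhost": "dname",
    "deviceInboundInterface": "sinterface", "request": "url",
    "requestClientApplication": "useragent", "in": "bytesin", "out": "bytesout",
    "sourceTranslatedAddress": "snatip", "destinationTranslatedAddress": "dnatip",
    "reason": "reason", "msg": "subject",
}
INT_FIELDS = {"sport", "dport", "bytesin", "bytesout"}

# Syslog framing assumed here: <PRI>Mmm dd hh:mm:ss host payload
_SYSLOG_RE = re.compile(
    r"^<(\d{1,3})>([A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) (\S+) (.*)$", re.S)
# A CEF extension key is a run of key characters followed by "=", at the start
# of the extension or after whitespace; an escaped "\=" inside a value never
# qualifies because "\" is not a key character.
_EXT_KEY_RE = re.compile(r"(?:^|(?<=\s))([A-Za-z0-9_.]+)=")
_ESCAPES = {"n": "\n", "r": "\r"}


def _unescape(text: str) -> str:
    """Resolve CEF backslash escapes: \\| \\= \\\\ \\n \\r."""
    return re.sub(r"\\(.)", lambda m: _ESCAPES.get(m.group(1), m.group(1)),
                  text, flags=re.S)


def _split_unescaped(text: str, sep: str, maxsplit: int) -> list:
    """Split on `sep` while keeping escape pairs intact, at most `maxsplit` times."""
    parts, buf, i = [], [], 0
    while i < len(text):
        ch = text[i]
        if ch == "\\" and i + 1 < len(text):      # keep "\x" together
            buf.append(text[i:i + 2])
            i += 2
        elif ch == sep and len(parts) < maxsplit:
            parts.append("".join(buf))
            buf = []
            i += 1
        else:
            buf.append(ch)
            i += 1
    parts.append("".join(buf))
    return parts


def parse_cef(payload: str):
    """Return (header dict, extension dict) for a 'CEF:...' payload."""
    if not payload.startswith("CEF:"):
        raise ValueError("not a CEF payload")
    parts = _split_unescaped(payload, "|", 7)
    if len(parts) != 8:
        raise ValueError("malformed CEF header: expected 7 unescaped pipes")
    names = ["cef_version", "device_vendor", "device_product", "device_version",
             "signature_id", "name", "severity"]
    header = {n: _unescape(p) for n, p in zip(names, parts[:7])}
    header["cef_version"] = header["cef_version"][len("CEF:"):]
    ext_text = parts[7]
    ext = {}
    keys = list(_EXT_KEY_RE.finditer(ext_text))
    for idx, m in enumerate(keys):
        end = keys[idx + 1].start() if idx + 1 < len(keys) else len(ext_text)
        ext[m.group(1)] = _unescape(ext_text[m.end():end].strip())
    return header, ext


def normalize(line: str):
    """Map one syslog line to schema fields; also report CEF keys with no mapping."""
    m = _SYSLOG_RE.match(line)
    if not m:
        raise ValueError("unrecognized syslog framing")
    _pri, _timestamp, host, payload = m.groups()
    header, ext = parse_cef(payload)
    record = {
        "sender": host,                            # syslog hostname
        "vendorinfo": header["device_product"],    # assumed: product/blade name
        "severity": header["severity"],
    }
    unmapped = []
    for key, value in ext.items():
        field = CEF_TO_SCHEMA.get(key)
        if field is None:
            unmapped.append(key)
            continue
        record[field] = int(value) if field in INT_FIELDS else value
    return record, sorted(unmapped)


if __name__ == "__main__":
    rec, missing = normalize(SAMPLE_LINE)
    for k in sorted(rec):
        print(f"{k:<12}{rec[k]}")
    print("unmapped CEF keys:", missing)
```

The list of unmapped keys returned by normalize() is the practical part: keys that arrive in a message but have no schema mapping are the ones that show up as missing or wrong fields in the SIEM, so surfacing them during onboarding is cheaper than discovering them during an investigation.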


If you experience log parsing issues, LogRhythm recommends applying the following patches for Check Point versions R80.30 and R80.20:

LogRhythm supports these patches for R80.30 and R80.20. For more details on the resolved issues, see the following Check Point ID numbers:

  • PRJ-24892, PRJ-24893

  • PRJ-6639, SL-2819

Device Details

Device Name: Check Point Log Exporter
Vendor: Check Point
Device Type: N/A
Supported Model Name/Number: N/A
Supported Software Version(s): R77.30, R80.10, R80.20, R80.30, R80.40, R81, R81.10
Collection Method: Syslog
Configurable Log Output: No
Log Source Type: Syslog - Checkpoint log exporter
Log Processing Policy: LogRhythm Default
Exceptions: N/A
Additional Information: https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk122323

Supported Log Messages

Each entry gives the log Type, the Product Version and the Supported Schema Fields.

Type: Anti Malware
Product Version: N/A
Supported Schema Fields: <version>, <sender>, <action>, <tag1>, <sip>, <sport>, <dip>, <dport>, <sname>, <protname>, <sinterface>, <tag2>, <login>, <url>, <useragent>, <bytesout>, <bytesin>, <session>, <objecttype>, <amount>, <severity>, <vendorinfo>, <command>, <threatname>, <object>, <status>, <dname>, <subject>, <reason>, <vmid>

Type: Application Control
Product Version: N/A
Supported Schema Fields: <version>, <sender>, <action>, <tag1>, <sip>, <sport>, <dip>, <dport>, <protname>, <sinterface>, <tag2>, <reason>, <vendorinfo>, <snatip>, <dnatip>, <url>, <login>, <policy>, <process>, <subject>, <severity>, <useragent>, <bytesin>, <bytesout>, <sname>

Type: Application Control Url Filtering
Product Version: N/A
Supported Schema Fields: <version>, <sender>, <action>, <tag1>, <sip>, <sport>, <dip>, <dport>, <protname>, <sinterface>, <tag2>, <reason>, <vendorinfo>, <dnatip>, <login>, <url>, <sname>, <dname>, <account>

Type: Audit
Product Version: N/A
Supported Schema Fields: <version>, <sender>, <action>, <tag1>, <vendorinfo>, <status>, <login>, <dip>, <dname>, <objecttype>

Type: Catch All
Product Version: N/A
Supported Schema Fields: <severity>

Type: Connectra Logs
Product Version: N/A
Supported Schema Fields: <version>, <action>, <sip>, <dip>, <reason>, <login>, <dname>, <serialnumber>, <hash>, <sname>, <bytesin>, <useragent>

Type: Content Awareness
Product Version: N/A
Supported Schema Fields: <version>, <action>, <tag1>, <sip>, <sender>, <sname>, <dip>, <dname>, <dport>, <protname>, <sinterface>, <tag2>, <login>, <account>, <object>, <tag3>, <objecttype>, <size>, <session>, <duration>

Type: Data Loss Prevention
Product Version: N/A
Supported Schema Fields: <version>, <action>, <tag1>, <sender>, <sip>, <sport>, <dip>, <dport>, <protnum>, <sinterface>, <tag2>, <login>, <account>, <command>, <severity>, <status>, <vendorinfo>, <tag3>, <size>, <object>, <recipient>, <objecttype>, <subject>, <url>, <session>

Type: Forensics Events
Product Version: N/A
Supported Schema Fields: <version>, <action>, <sip>, <sport>, <dip>, <dport>, <protname>, <sinterface>, <tag1>, <reason>, <vendorinfo>, <snatip>, <snatport>, <dnatip>, <dnatport>, <login>, <url>, <sname>, <amount>, <severity>, <vendorinfo>, <threatname>, <object>, <subject>, <policy>, <hash>, <objectname>, <objecttype>, <bytes>, <vendorinfo>

Type: General Events Messages
Product Version: N/A
Supported Schema Fields: <version>, <action>, <tag1>, <sip>, <sport>, <dip>, <dport>, <protname>, <sinterface>, <reason>, <vendorinfo>, <snatip>, <dnatip>, <url>, <subject>, <severity>, <login>, <snatport>, <dnatport>, <status>

Type: Generic Blade Catch All
Product Version: N/A
Supported Schema Fields: <version>, <sender>, <action>, <tag1>, <sip>, <sport>, <dip>, <dport>, <protname>, <sinterface>, <tag2>, <reason>, <command>, <vendorinfo>, <snatip>, <snatport>, <dnatip>, <dnatport>, <login>, <subject>, <url>

Type: HTTPS Inspection
Product Version: N/A
Supported Schema Fields: <version>, <sender>, <sip>, <sport>, <dip>, <dport>, <sinterface>, <tag1>, <dname>, <sname>, <action>, <tag2>, <protname>, <url>, <login>, <account>, <subject>, <command>

Type: Identity Awareness
Product Version: N/A
Supported Schema Fields: <version>, <sender>, <action>, <tag1>, <sip>, <sport>, <dip>, <dport>, <protname>, <sinterface>, <tag2>, <vendorinfo>, <snatip>, <dnatip>, <login>, <domain>, <reason>, <milliseconds>, <objecttype>, <status>, <sessiontype>, <group>, <sname>, <policy>

Type: Identity Logging
Product Version: N/A
Supported Schema Fields: <version>, <sender>, <action>, <tag1>, <sinterface>, <tag2>, <login>, <sname>, <sip>, <dname>, <account>, <domainimpacted>, <reason>, <days>, <objecttype>, <dip>, <vendorinfo>

Type: Log Update
Product Version: N/A
Supported Schema Fields: <version>, <sender>, <action>, <sip>, <sport>, <dip>, <dport>, <protnum>, <protname>, <sinterface>, <tag2>, <reason>, <vendorinfo>, <dnatip>, <login>, <url>, <tag1>

Type: New Anti Virus
Product Version: N/A
Supported Schema Fields: <version>, <sender>, <action>, <tag1>, <tag2>, <sip>, <sport>, <dip>, <dport>, <protname>, <sname>, <dname>, <sinterface>, <login>, <account>, <url>, <severity>, <recipient>, <bytesout>, <bytesin>, <useragent>, <session>, <vendorinfo>, <threatname>, <subject>, <reason>, <objecttype>, <object>, <result>

Type: SmartDefense
Product Version: N/A
Supported Schema Fields: <version>, <sender>, <action>, <tag3>, <sip>, <sport>, <dip>, <dport>, <protnum>, <protname>, <sinterface>, <tag4>, <reason>, <command>, <policy>, <snatip>, <dnatip>, <login>, <account>, <recipient>, <useragent>, <url>, <dname>, <sname>, <tag2>, <threatname>, <object>, <severity>, <responsecode>, <cve>, <objecttype>, <tag1>, <vendorinfo>

Type: Syslog Message
Product Version: N/A
Supported Schema Fields: <version>, <sender>, <action>, <tag1>, <sip>, <sport>, <dip>, <dport>, <protname>, <sinterface>, <tag2>, <reason>, <command>, <vendorinfo>, <snatip>, <dnatip>, <dnatport>, <login>, <subject>, <url>, <severity>

Type: Threat Emulation
Product Version: N/A
Supported Schema Fields: <version>, <sender>, <action>, <sip>, <sport>, <dip>, <dport>, <protname>, <sinterface>, <tag2>, <url>, <severity>, <result>, <login>, <sname>, <recipient>, <subject>, <object>, <account>, <useragent>, <status>, <vendorinfo>, <objectname>, <objecttype>, <bytesin>, <bytesout>, <amount>, <hash>, <tag1>

Type: URL Filtering
Product Version: N/A
Supported Schema Fields: <version>, <sender>, <action>, <tag1>, <sip>, <sport>, <dip>, <dport>, <protname>, <sinterface>, <tag2>, <reason>, <policy>, <vendorinfo>, <snatip>, <snatport>, <dnatip>, <dnatport>, <url>, <login>, <subject>, <command>, <useragent>, <severity>, <process>, <sname>, <bytesin>, <bytesout>

Type: VPN & Firewall
Product Version: N/A
Supported Schema Fields: <version>, <sender>, <action>, <tag1>, <sip>, <sport>, <dip>, <dport>, <protnum>, <protname>, <sinterface>, <tag2>, <reason>, <command>, <vendorinfo>, <snatip>, <snatport>, <dnatip>, <dnatport>, <login>, <subject>, <policy>, <process>, <status>

Type: VPN-1 & FireWall-1 Content Awareness
Product Version: N/A
Supported Schema Fields: <version>, <sender>, <action>, <tag1>, <sip>, <sport>, <dip>, <dport>, <protname>, <sinterface>, <tag2>, <reason>, <command>, <vendorinfo>, <snatip>, <snatport>, <dnatip>, <dnatport>, <login>, <subject>, <url>, <sname>, <dname>, <account>

Revision History

KB Version: KB 7.1.596.0
Log Type: N/A
Change Type: Documentation
Details: Updated existing documentation - added log message pages.