Syslog - Check Point Log Exporter
LogRhythm deprecated Check Point collection via OPSEC LEA in favor of the newer Check Point Log Exporter. Support for OPSEC LEA was removed starting with LogRhythm System Monitor Collector version 7.7.0.8004; using this collection method on that version or later results in an error in the scsm.log file. Customers who need to use OPSEC LEA for collection should not upgrade agents past the System Monitor 7.7.0.8002 release. For information on how to configure Check Point Log Exporter, see Configure Check Point Log Exporter.
Check Point Log Exporter is an easy and secure method for exporting Check Point logs over syslog. Exporting can be done in a few standard protocols and formats.
Log Exporter supports:
- SIEM applications: rsyslog, syslog-ng, and any other SIEM application that can run a syslog agent.
- Protocols: Syslog over TCP or UDP.
- Formats: Syslog, CEF, LEEF, Generic.
- Security: Mutual authentication TLS 1.2.
- Log Types: The ability to export security logs, audit logs, or both. Audit logs exist on every log server.
- Filter out (don't export) firewall connection logs.
Filtering: Choose what to export based on field values.
The filtering feature was added in the following Check Point versions:
- R80.30 Jumbo Hotfix Accumulator for R80.30 Take_107
- R80.20 Jumbo Hotfix Accumulator for R80.20 Take_103
Export links to the relevant log card in SmartView and to the log attachment (such as a Forensics or Threat Emulation report).
The export links feature was added in the following Check Point versions:
- R80.30 Jumbo Hotfix Accumulator for R80.30 Take_107
- R80.20 Jumbo Hotfix Accumulator for R80.20 Take_127, as a hotfix on top of Jumbo Hotfix Accumulator for R80.20 Take_103, and on top of Jumbo Hotfix Accumulator for R80.30 Take_71.
For more information, see the installation instructions in the relevant Jumbo Hotfix Accumulator documentation.
If you experience log parsing issues, LogRhythm recommends applying the following patches for Check Point versions R80.30 and R80.20:
- R80.30 Jumbo Hotfix Accumulator for R80.30 Take_237 (posted 11 July 2021)
- R80.20 Jumbo Hotfix Accumulator for R80.20 Take_202 (posted 07 July 2021)
LogRhythm supports these patches for R80.30 and R80.20. For more details on the resolved issues, see the following Check Point ID numbers:
- PRJ-24892, PRJ-24893
- PRJ-6639, SL-2819
Device Details
Device Name | Check Point Log Exporter |
---|---|
Vendor | Check Point |
Device Type | N/A |
Supported Model Name/Number | N/A |
Supported Software Version(s) | R77.30, R80.10, R80.20, R80.30, R80.40, R81, R81.10 |
Collection Method | Syslog |
Configurable Log Output? | No |
Log Source Type | Syslog - Checkpoint log exporter |
Log Processing Policy | LogRhythm Default |
Exceptions | N/A |
Additional Information | |
Supported Log Messages
Type | Product Version | Supported Schema Fields |
---|---|---|
Anti Malware | N/A | <version>, <sender>, <action>, <tag1>, <sip>, <sport>, <dip>, <dport>, <sname>, <protname>, <sinterface>, <tag2>, <login>, <url>, <useragent>, <bytesout>, <bytesin>, <session>, <objecttype>, <amount>, <severity>, <vendorinfo>, <command>, <threatname>, <object>, <status>, <dname>, <subject>, <reason>, <vmid> |
Application Control | N/A | <version>, <sender>, <action>, <tag1>, <sip>, <sport>, <dip>, <dport>, <protname>, <sinterface>, <tag2>, <reason>, <vendorinfo>, <snatip>, <dnatip>, <url>, <login>, <policy>, <process>, <subject>, <severity>, <useragent>, <bytesin>, <bytesout>, <sname> |
Application Control Url Filtering | N/A | <version>, <sender>, <action>, <tag1>, <sip>, <sport>, <dip>, <dport>, <protname>, <sinterface>, <tag2>, <reason>, <vendorinfo>, <dnatip>, <login>, <url>, <sname>, <dname>, <account> |
Audit | N/A | <version>, <sender>, <action>, <tag1>, <vendorinfo>, <status>, <login>, <dip>, <dname>, <objecttype> |
Catch All | N/A | <severity> |
Connectra Logs | N/A | <version>, <action>, <sip>, <dip>, <reason>, <login>, <dname>, <serialnumber>, <hash>, <sname>, <bytesin>, <useragent> |
Content Awareness | N/A | <version>, <action>, <tag1>, <sip>, <sender>, <sname>, <dip>, <dname>, <dport>, <protname>, <sinterface>, <tag2>, <login>, <account>, <object>, <tag3>, <objecttype>, <size>, <session>, <duration> |
Data Loss Prevention | N/A | <version>, <action>, <tag1>, <sender>, <sip>, <sport>, <dip>, <dport>, <protnum>, <sinterface>, <tag2>, <login>, <account>, <command>, <severity>, <status>, <vendorinfo>, <tag3>, <size>, <object>, <recipient>, <objecttype>, <subject>, <url>, <session> |
Forensics Events | N/A | <version>, <action>, <sip>, <sport>, <dip>, <dport>, <protname>, <sinterface>, <tag1>, <reason>, <vendorinfo>, <snatip>, <snatport>, <dnatip>, <dnatport>, <login>, <url>, <sname>, <amount>, <severity>, <threatname>, <object>, <subject>, <policy>, <hash>, <objectname>, <objecttype>, <bytes> |
General Events Messages | N/A | <version>, <action>, <tag1>, <sip>, <sport>, <dip>, <dport>, <protname>, <sinterface>, <reason>, <vendorinfo>, <snatip>, <dnatip>, <url>, <subject>, <severity>, <login>, <snatport>, <dnatport>, <status> |
Generic Blade Catch All | N/A | <version>, <sender>, <action>, <tag1>, <sip>, <sport>, <dip>, <dport>, <protname>, <sinterface>, <tag2>, <reason>, <command>, <vendorinfo>, <snatip>, <snatport>, <dnatip>, <dnatport>, <login>, <subject>, <url> |
HTTPS Inspection | N/A | <version>, <sender>, <sip>, <sport>, <dip>, <dport>, <sinterface>, <tag1>, <dname>, <sname>, <action>, <tag2>, <protname>, <url>, <login>, <account>, <subject>, <command> |
Identity Awareness | N/A | <version>, <sender>, <action>, <tag1>, <sip>, <sport>, <dip>, <dport>, <protname>, <sinterface>, <tag2>, <vendorinfo>, <snatip>, <dnatip>, <login>, <domain>, <reason>, <milliseconds>, <objecttype>, <status>, <sessiontype>, <group>, <sname>, <policy> |
Identity Logging | N/A | <version>, <sender>, <action>, <tag1>, <sinterface>, <tag2>, <login>, <sname>, <sip>, <dname>, <account>, <domainimpacted>, <reason>, <days>, <objecttype>, <dip>, <vendorinfo> |
Log Update | N/A | <version>, <sender>, <action>, <sip>, <sport>, <dip>, <dport>, <protnum>, <protname>, <sinterface>, <tag2>, <reason>, <vendorinfo>, <dnatip>, <login>, <url>, <tag1> |
New Anti Virus | N/A | <version>, <sender>, <action>, <tag1>, <tag2>, <sip>, <sport>, <dip>, <dport>, <protname>, <sname>, <dname>, <sinterface>, <login>, <account>, <url>, <severity>, <recipient>, <bytesout>, <bytesin>, <useragent>, <session>, <vendorinfo>, <threatname>, <subject>, <reason>, <objecttype>, <object>, <result> |
SmartDefense | N/A | <version>, <sender>, <action>, <tag3>, <sip>, <sport>, <dip>, <dport>, <protnum>, <protname>, <sinterface>, <tag4>, <reason>, <command>, <policy>, <snatip>, <dnatip>, <login>, <account>, <recipient>, <useragent>, <url>, <dname>, <sname>, <tag2>, <threatname>, <object>, <severity>, <responsecode>, <cve>, <objecttype>, <tag1>, <vendorinfo> |
Syslog Message | N/A | <version>, <sender>, <action>, <tag1>, <sip>, <sport>, <dip>, <dport>, <protname>, <sinterface>, <tag2>, <reason>, <command>, <vendorinfo>, <snatip>, <dnatip>, <dnatport>, <login>, <subject>, <url>, <severity> |
Threat Emulation | N/A | <version>, <sender>, <action>, <sip>, <sport>, <dip>, <dport>, <protname>, <sinterface>, <tag2>, <url>, <severity>, <result>, <login>, <sname>, <recipient>, <subject>, <object>, <account>, <useragent>, <status>, <vendorinfo>, <objectname>, <objecttype>, <bytesin>, <bytesout>, <amount>, <hash>, <tag1> |
URL Filtering | N/A | <version>, <sender>, <action>, <tag1>, <sip>, <sport>, <dip>, <dport>, <protname>, <sinterface>, <tag2>, <reason>, <policy>, <vendorinfo>, <snatip>, <snatport>, <dnatip>, <dnatport>, <url>, <login>, <subject>, <command>, <useragent>, <severity>, <process>, <sname>, <bytesin>, <bytesout> |
VPN & Firewall | N/A | <version>, <sender>, <action>, <tag1>, <sip>, <sport>, <dip>, <dport>, <protnum>, <protname>, <sinterface>, <tag2>, <reason>, <command>, <vendorinfo>, <snatip>, <snatport>, <dnatip>, <dnatport>, <login>, <subject>, <policy>, <process>, <status> |
VPN-1 & FireWall-1 Content Awareness | N/A | <version>, <sender>, <action>, <tag1>, <sip>, <sport>, <dip>, <dport>, <protname>, <sinterface>, <tag2>, <reason>, <command>, <vendorinfo>, <snatip>, <snatport>, <dnatip>, <dnatport>, <login>, <subject>, <url>, <sname>, <dname>, <account> |
Revision History
KB Version | Log Type | Change Type | Details |
---|---|---|---|
KB 7.1.596.0 | N/A | Documentation | Updated existing documentation - added log message pages. |