
Syslog - Check Point Log Exporter

LogRhythm deprecated Check Point collection via OPSEC LEA in favor of the newer Check Point Log Exporter. Support for OPSEC LEA was removed starting with LogRhythm System Monitor Collector version 7.7.0.8004; using that collection method on a later agent results in an error in the scsm.log file. Customers who need to continue collecting via OPSEC LEA should not upgrade agents past the System Monitor 7.7.0.8002 release. For information on how to configure Check Point Log Exporter, see Configure Check Point Log Exporter.

Check Point Log Exporter is an easy and secure method for exporting Check Point logs over syslog. Logs can be exported using several standard protocols and formats.

Log Exporter supports:

  • SIEM applications: rsyslog, syslog-ng, and any other SIEM application that can run a syslog agent.
  • Protocols: Syslog over TCP or UDP.
  • Formats: Syslog, CEF, LEEF, Generic.
  • Security: Mutual TLS 1.2 authentication between Log Exporter and the syslog receiver.
  • Log Types: The ability to export security logs, audit logs, or both. Audit logs exist on every log server.
  • Filtering out (not exporting) firewall connection logs.
  • Filtering: Choose what to export based on field values.

    The filtering feature was added in the following Check Point versions:

If you experience log parsing issues, LogRhythm recommends applying the following patches for Check Point versions R80.30 and R80.20:

LogRhythm supports these patches for R80.30 and R80.20. For more details on the issues they resolve, see the following Check Point ID numbers:

  • PRJ-24892, PRJ-24893
  • PRJ-6639, SL-2819
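As an added example (not part of this LogRhythm page, and not Check Point's or LogRhythm's own code), the following Python parses two of the export formats listed above, CEF and Check Point's native syslog format (key:"value"; pairs in a bracketed block), and projects the parsed keys onto the schema field names used in the Supported Log Messages table below (<sip>, <dip>, <sport>, <dport>, <action>, and so on). The two sample lines are constructed to the shape of Log Exporter output, not captured from a real gateway, and the key-to-field mappings are an illustrative assumption rather than LogRhythm's actual log processing rules. The point worth seeing in code is the escaping: CEF escapes `|` inside header fields and `=` inside extension values, so a naive split on those characters silently corrupts rule names and URLs.

```python
"""Parse Check Point Log Exporter syslog payloads (CEF and native syslog format)
into the schema field names used on this page (<sip>, <dip>, <sport>, ...)."""
import re

# Constructed sample lines shaped like Log Exporter output. They are illustrative
# input for this example, not messages captured from a real gateway or log server.
SAMPLE_CEF = (
    '<134>1 2024-03-05T10:15:00Z gw-01 CheckPoint - - - '
    'CEF:0|Check Point|VPN-1 & FireWall-1|R81.10|Log|Accept|Unknown|'
    'act=Accept src=10.1.2.3 dst=93.184.216.34 spt=51512 dpt=443 proto=tcp '
    'deviceInboundInterface=eth1 suser=jdoe cs1Label=Rule Name cs1=Web\\=Access'
)
SAMPLE_NATIVE = (
    '<134>1 2024-03-05T10:15:00Z gw-01 CheckPoint 13752 - '
    '[action:"Accept"; ifdir:"inbound"; ifname:"eth1"; origin:"10.0.0.1"; '
    'product:"VPN-1 & FireWall-1"; src:"10.1.2.3"; dst:"93.184.216.34"; '
    'proto:"6"; s_port:"51512"; service:"443"; rule_name:"Web Access"; user:"jdoe"]'
)

# Source key -> schema field name. Assumed for illustration only; this is not
# LogRhythm's MPE rule mapping for the "Syslog - Checkpoint log exporter" source type.
CEF_TO_SCHEMA = {
    'src': 'sip', 'dst': 'dip', 'spt': 'sport', 'dpt': 'dport', 'act': 'action',
    'proto': 'protname', 'deviceInboundInterface': 'sinterface', 'suser': 'login',
    'cs1': 'policy', 'request': 'url',
}
NATIVE_TO_SCHEMA = {
    'src': 'sip', 'dst': 'dip', 's_port': 'sport', 'service': 'dport',
    'action': 'action', 'proto': 'protnum', 'ifname': 'sinterface', 'user': 'login',
    'rule_name': 'policy', 'origin': 'sender', 'product': 'vendorinfo',
}

# A CEF extension key is a run of key characters followed by '=' at the start of the
# extension or directly after whitespace. An escaped '\=' inside a value never matches.
_CEF_KEY = re.compile(r'(?:^|(?<=\s))([A-Za-z0-9_.]+)=')
_NATIVE_PAIR = re.compile(r'(\w+):"((?:[^"\\]|\\.)*)"')


def _unescape_ext(value):
    # CEF extension escapes: \\  \=  \n  \r ; any other escaped char is kept literally.
    return re.sub(r'\\(.)', lambda m: {'n': '\n', 'r': '\r'}.get(m.group(1), m.group(1)), value)


def parse_cef_extension(ext):
    """Split 'k1=v1 k2=v with spaces k3=a\\=b' into a dict, honouring \\= escapes."""
    keys = list(_CEF_KEY.finditer(ext))
    out = {}
    for i, m in enumerate(keys):
        end = keys[i + 1].start() if i + 1 < len(keys) else len(ext)
        out[m.group(1)] = _unescape_ext(ext[m.end():end].strip())
    return out


def parse_cef(line):
    """Parse a syslog line carrying a CEF record; header pipes may be escaped as \\|."""
    start = line.find('CEF:')
    if start < 0:
        raise ValueError('not a CEF message')
    body = line[start:]
    fields, cur, i = [], [], 0
    while i < len(body) and len(fields) < 7:  # 7 pipes close the header
        c = body[i]
        if c == '\\' and i + 1 < len(body):    # \| or \\ : take next char literally
            cur.append(body[i + 1])
            i += 2
            continue
        if c == '|':
            fields.append(''.join(cur))
            cur = []
        else:
            cur.append(c)
        i += 1
    if len(fields) < 7:
        raise ValueError('truncated CEF header')
    names = ('cef_version', 'vendor', 'product', 'version', 'signature_id', 'name', 'severity')
    rec = dict(zip(names, fields))
    rec['cef_version'] = rec['cef_version'].split(':', 1)[1]
    rec['extension'] = parse_cef_extension(body[i:])
    return rec


def parse_native(line):
    """Parse the bracketed key:"value"; block of Check Point's native syslog format."""
    lb, rb = line.find('['), line.rfind(']')
    if lb < 0 or rb < lb:
        raise ValueError('no bracketed field block found')
    return {k: v.replace('\\"', '"') for k, v in _NATIVE_PAIR.findall(line[lb + 1:rb])}


def to_schema(fields, mapping):
    """Project parsed keys onto schema field names; unmapped keys are dropped."""
    return {mapping[k]: v for k, v in fields.items() if k in mapping}


def parse_line(line):
    """Dispatch on format: CEF when a CEF header is present, otherwise native syslog."""
    if 'CEF:' in line:
        rec = parse_cef(line)
        return {**to_schema(rec['extension'], CEF_TO_SCHEMA), 'vendorinfo': rec['product']}
    return to_schema(parse_native(line), NATIVE_TO_SCHEMA)


if __name__ == '__main__':
    for sample in (SAMPLE_CEF, SAMPLE_NATIVE):
        print(parse_line(sample))
```

Feeding a file of real Log Exporter output through parse_line and comparing the resulting keys against the schema field lists in the table below is a quick way to see which fields a given format actually populates before choosing between CEF and native syslog for a deployment.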

Device Details

Device Name: Check Point Log Exporter
Vendor: Check Point
Device Type: N/A
Supported Model Name/Number: N/A
Supported Software Version(s): R77.30, R80.10, R80.20, R80.30, R80.40, R81, R81.10
Collection Method: Syslog
Configurable Log Output?: No
Log Source Type: Syslog - Checkpoint log exporter
Log Processing Policy: LogRhythm Default
Exceptions: N/A
Additional Information: https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk122323

Supported Log Messages

Type (Product Version): Supported Schema Fields

Anti Malware (N/A): <version>, <sender>, <action>, <tag1>, <sip>, <sport>, <dip>, <dport>, <sname>, <protname>, <sinterface>, <tag2>, <login>, <url>, <useragent>, <bytesout>, <bytesin>, <session>, <objecttype>, <amount>, <severity>, <vendorinfo>, <command>, <threatname>, <object>, <status>, <dname>, <subject>, <reason>, <vmid>

Application Control (N/A): <version>, <sender>, <action>, <tag1>, <sip>, <sport>, <dip>, <dport>, <protname>, <sinterface>, <tag2>, <reason>, <vendorinfo>, <snatip>, <dnatip>, <url>, <login>, <policy>, <process>, <subject>, <severity>, <useragent>, <bytesin>, <bytesout>, <sname>

Application Control Url Filtering (N/A): <version>, <sender>, <action>, <tag1>, <sip>, <sport>, <dip>, <dport>, <protname>, <sinterface>, <tag2>, <reason>, <vendorinfo>, <dnatip>, <login>, <url>, <sname>, <dname>, <account>

Audit (N/A): <version>, <sender>, <action>, <tag1>, <vendorinfo>, <status>, <login>, <dip>, <dname>, <objecttype>

Catch All (N/A): <severity>

Connectra Logs (N/A): <version>, <action>, <sip>, <dip>, <reason>, <login>, <dname>, <serialnumber>, <hash>, <sname>, <bytesin>, <useragent>

Content Awareness (N/A): <version>, <action>, <tag1>, <sip>, <sender>, <sname>, <dip>, <dname>, <dport>, <protname>, <sinterface>, <tag2>, <login>, <account>, <object>, <tag3>, <objecttype>, <size>, <session>, <duration>

Data Loss Prevention (N/A): <version>, <action>, <tag1>, <sender>, <sip>, <sport>, <dip>, <dport>, <protnum>, <sinterface>, <tag2>, <login>, <account>, <command>, <severity>, <status>, <vendorinfo>, <tag3>, <size>, <object>, <recipient>, <objecttype>, <subject>, <url>, <session>

Forensics Events (N/A): <version>, <action>, <sip>, <sport>, <dip>, <dport>, <protname>, <sinterface>, <tag1>, <reason>, <vendorinfo>, <snatip>, <snatport>, <dnatip>, <dnatport>, <login>, <url>, <sname>, <amount>, <severity>, <vendorinfo>, <threatname>, <object>, <subject>, <policy>, <hash>, <objectname>, <objecttype>, <bytes>, <vendorinfo>

General Events Messages (N/A): <version>, <action>, <tag1>, <sip>, <sport>, <dip>, <dport>, <protname>, <sinterface>, <reason>, <vendorinfo>, <snatip>, <dnatip>, <url>, <subject>, <severity>, <login>, <snatport>, <dnatport>, <status>

Generic Blade Catch All (N/A): <version>, <sender>, <action>, <tag1>, <sip>, <sport>, <dip>, <dport>, <protname>, <sinterface>, <tag2>, <reason>, <command>, <vendorinfo>, <snatip>, <snatport>, <dnatip>, <dnatport>, <login>, <subject>, <url>

HTTPS Inspection (N/A): <version>, <sender>, <sip>, <sport>, <dip>, <dport>, <sinterface>, <tag1>, <dname>, <sname>, <action>, <tag2>, <protname>, <url>, <login>, <account>, <subject>, <command>

Identity Awareness (N/A): <version>, <sender>, <action>, <tag1>, <sip>, <sport>, <dip>, <dport>, <protname>, <sinterface>, <tag2>, <vendorinfo>, <snatip>, <dnatip>, <login>, <domain>, <reason>, <milliseconds>, <objecttype>, <status>, <sessiontype>, <group>, <sname>, <policy>

Identity Logging (N/A): <version>, <sender>, <action>, <tag1>, <sinterface>, <tag2>, <login>, <sname>, <sip>, <dname>, <account>, <domainimpacted>, <reason>, <days>, <objecttype>, <dip>, <vendorinfo>

Log Update (N/A): <version>, <sender>, <action>, <sip>, <sport>, <dip>, <dport>, <protnum>, <protname>, <sinterface>, <tag2>, <reason>, <vendorinfo>, <dnatip>, <login>, <url>, <tag1>

New Anti Virus (N/A): <version>, <sender>, <action>, <tag1>, <tag2>, <sip>, <sport>, <dip>, <dport>, <protname>, <sname>, <dname>, <sinterface>, <login>, <account>, <url>, <severity>, <recipient>, <bytesout>, <bytesin>, <useragent>, <session>, <vendorinfo>, <threatname>, <subject>, <reason>, <objecttype>, <object>, <result>

SmartDefense (N/A): <version>, <sender>, <action>, <tag3>, <sip>, <sport>, <dip>, <dport>, <protnum>, <protname>, <sinterface>, <tag4>, <reason>, <command>, <policy>, <snatip>, <dnatip>, <login>, <account>, <recipient>, <useragent>, <url>, <dname>, <sname>, <tag2>, <threatname>, <object>, <severity>, <responsecode>, <cve>, <objecttype>, <tag1>, <vendorinfo>

Syslog Message (N/A): <version>, <sender>, <action>, <tag1>, <sip>, <sport>, <dip>, <dport>, <protname>, <sinterface>, <tag2>, <reason>, <command>, <vendorinfo>, <snatip>, <dnatip>, <dnatport>, <login>, <subject>, <url>, <severity>

Threat Emulation (N/A): <version>, <sender>, <action>, <sip>, <sport>, <dip>, <dport>, <protname>, <sinterface>, <tag2>, <url>, <severity>, <result>, <login>, <sname>, <recipient>, <subject>, <object>, <account>, <useragent>, <status>, <vendorinfo>, <objectname>, <objecttype>, <bytesin>, <bytesout>, <amount>, <hash>, <tag1>

URL Filtering (N/A): <version>, <sender>, <action>, <tag1>, <sip>, <sport>, <dip>, <dport>, <protname>, <sinterface>, <tag2>, <reason>, <policy>, <vendorinfo>, <snatip>, <snatport>, <dnatip>, <dnatport>, <url>, <login>, <subject>, <command>, <useragent>, <severity>, <process>, <sname>, <bytesin>, <bytesout>

VPN & Firewall (N/A): <version>, <sender>, <action>, <tag1>, <sip>, <sport>, <dip>, <dport>, <protnum>, <protname>, <sinterface>, <tag2>, <reason>, <command>, <vendorinfo>, <snatip>, <snatport>, <dnatip>, <dnatport>, <login>, <subject>, <policy>, <process>, <status>

VPN-1 & FireWall-1 Content Awareness (N/A): <version>, <sender>, <action>, <tag1>, <sip>, <sport>, <dip>, <dport>, <protname>, <sinterface>, <tag2>, <reason>, <command>, <vendorinfo>, <snatip>, <snatport>, <dnatip>, <dnatport>, <login>, <subject>, <url>, <sname>, <dname>, <account>

Revision History

KB Version: KB 7.1.596.0
Log Type: N/A
Change Type: Documentation
Details: Updated existing documentation - added log message pages.