Syslog - Check Point Log Exporter V2.0 | LogRhythm Documentation

Device Details

Device Name	Check Point Log Exporter
Vendor	Check Point
Device Type	N/A
Supported Model Name/Number	N/A
Supported Software Version(s)	R77.30, R80.10, R80.20, R80.30, R80.40, R81
Collection Method	Syslog
Configurable Log Output?	No
Log Source Type	Syslog - Check Point Log Exporter
Log Processing Policy	LogRhythm Default V2.0
Exceptions	N/A
Additional Information	https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk122323

Supported Log Messages

Type	Product Version	Supported Schema Fields
V 2.0: Anti Virus Events	N/A	<vmid>, <reason>, <severity>, <subject>, <dip>
V 2.0: Anti-Malware Events	N/A	<vmid>, <action>, <tag1>, <sip>, <sport>, <dip>, <dport>, <sname>, <protnum>, <sinterface>, <login>, <snatip>, <url>, <useragent>, <bytesin>, <bytesout>, <severity>, <vendorinfo>, <threatname>, <status>, <domainimpacted>, <reason>, <policy>
V 2.0: Application Control Events	N/A	<vmid>, <action>, <tag1>, <sip>, <sport>, <dip>, <dport>, <protnum>, <sinterface>, <reason>, <vendorinfo>, <snatip>, <snatport>, <dnatip>, <dnatport>, <url>, <severity>, <bytesout>, <bytesin>, <sname>, <login>, <policy>, <subject>, <process>
V 2.0: Application Control URL Filtering Events	N/A	<vmid>, <action>, <tag1>, <sip>, <sport>, <dip>, <dport>, <protnum>, <sinterface>, <reason>, <vendorinfo>, <snatip>, <snatport>, <dnatip>, <dnatport>, <login>, <url>, <protname>, <duration>, <version>, <bytesin>, <packetsin>, <bytesout>, <packetsout>, <quantity>, <severity> <policy>, <subject>, <process>
V 2.0: CloudGuard IaaS Events	N/A	<vmid>, <action>, <sip>, <sport>, <dip>, <dport>, <protnum>, <sinterface>, <reason>, <subject>, <login>, <url>, <severity>, <version>
V 2.0: Connectra Events	N/A	<vmid>, <action>, <tag1>, <sip>, <sport>, <dip>, <dport>, <protnum>, <reason>, <login>, <snatip>, <result>, <group>
V 2.0: Content Awareness Events	N/A	<vmid>, <action>, <tag1>, <sip>, <dip>, <dport>, <protnum>, <object>, <objecttype>, <size>, <object>, <policy>
V 2.0: Core Events	N/A	<vmid>, <action>, <sip>, <sport>, <dip>, <dport>, <protnum>, <sinterface>, <reason>, <snatip>, <snatport>, <dnatip>, <dnatport>, <sname>, <login>, <severity>, <vendorinfo>, <version>
V 2.0: Cpmidu_update_tool Events	N/A	<vmid>, <sip>, <subject>, <status>, <login>, <object>, <objecttype>, <action>, <sinterface>, <domain>, <version>, <session>
V 2.0: Device Events	N/A	<vmid>, <action>, <sip>, <sport> , <dip>, <dport> , <protnum>, <sinterface>, <reason>, <snatip>, <snatport>, <dnatip>, <dnatport>, <login>, <severity>, <status>, <version>
V 2.0: DLP Events	N/A	<vmid>, <action>, <tag1>, <sip>, <sport>, <dip>, <dport>, <protnum>, <snatip>, <login>, <account>, <sender>, <severity>, <size>, <object>, <recipient>, <objecttype>, <reason>, <subject>, <url>, <policy>, <vendorinfo>
V 2.0: Endpoint Management Event	N/A	<vmid>, <dip>, <action>, <vendorinfo>, <status>, <login>, <object>, <objecttype>, <subject>
V 2.0: Endpoint Security Mgmt Event	N/A	<vmid>, <dip>, <action>, <tag1>, <vendorinfo>, <status>, <login>, <object>, <objecttype>, <subject>, <sip>, <policy>
V 2.0: ESOD Events	N/A	<vmid>, <dip>, <action>, <status>
V 2.0: Eventia Analyzer Events	N/A	<vmid>, <action>, <sip>, <sport>, <dip>, <dport>, <protnum>, <sinterface>, <reason>, <snatip>, <snatport>, <dnatip><dnatport>, <url>, <severity>, <login>, <vendorinfo>, <domainimpacted>, <dname>
V 2.0: FG VPN-1 & FireWall-1 Events	N/A	<vmid>, <action>, <sip>, <sport>, <dip>, <dport>, <protnum>, <sinterface>, <reason>, <snatip>, <snatport>, <dnatip>, <dnatport>, <sname>, <dname>, <login>, <account>, <bytesout>, <packetsout>, <bytesin>, <packetsin>, <policy>, <command>
V 2.0: Firewall Events	N/A	<vmid>, <dip>, <reason>, <status>, <tag1>, <result>
V 2.0: Forensics Events	N/A	<vmid>, <action>, <tag1>, <sip>, <sport>, <dip>, <dport>, <protnum>, <sinterface>, <reason>, <snatip>, <snatport>, <dnatip>, <dnatport>, <url>, <sname>, <login>, <severity>, <vendorinfo>, <threatname>, <subject>, <hash>, <object>, <objecttype>, <size>, <status>
V 2.0: HTTPS Inspection Events	N/A	<vmid>, <dip>, <sip>, <sport>, <dport>, <sinterface>, <dname>, <sname>, <action>, <protnum>, <login>, <account>, <severity>, <vendorinfo>, <reason>, <status>, <tag1>, <result>
V 2.0: Identity Awareness Events	N/A	<vmid>, <action>, <sip>, <login>, <domainorigin>, <session>, <reason>, <duration>, <vendorinfo>, <status>, <group>, <sname>
V 2.0: Identity Logging Events	N/A	<vmid>, <action>, <login>, <sname>, <sip>, <domainorigin>, <reason>, <duration>, <vendorinfo>
V 2.0: iOS Profiles Events	N/A	<vmid>, <action>, <sip>, <sport>, <dip>, <dport>, <protnum>, <sinterface>, <snatip>, <snatport>, <dnatip>, <dnatport>, <url>, <login>, <severity>, <threatname>, <status>, <version>
V 2.0: IPS Events	N/A	<vmid>, <dip>, <reason>, <vendorinfo>, <status>, <tag1>
V 2.0: Log Update Events	N/A	<vmid>, <action>, <sip>, <sport>, <dip>, <dport>, <protnum>, <policy>, <bytesin>, <packetsin>, <bytesout>, <packetsout>
V 2.0: Media Encryption & Port Protection Events	N/A	<vmid>, <sip>, <action>, <sip>, <sport>, <dip>, <dport>, <protnum>, <sinterface>, <reason>, <snatip>, <snatport>, <dnatip>, <dnatport>, <sname>, <login>, <severity>, <version>, <status>, <object>, <subject>, <objecttype>, <policy>
V 2.0: Mobile App Events	N/A	<vmid>, <action>, <sip>, <sport>, <dip>, <dport>, <protnum>, <sinterface>, <snatip>, <snatport>, <dnatip>, <dnatport>, <login>, <severity>, <status>, <version>
V 2.0: MTA Events	N/A	<vmid>, <action>, <sip>, <sport>, (<dip>, <dport>, <protnum>, <sinterface>, <reason>, <snatip>, <snatport>, <dnatip>, <dnatport>, <login>, <url>, <recipient>, <sender>, <subject>, <size>, <status>, <tag1>
V 2.0: Network Security Events	N/A	<vmid>, <action>, <sip>, <sport>, <dip>, <dport>, <protnum>, <sinterface>, <snatip>, <snatport>, <dnatip>, <dnatport>, <url>, <login>, <severity>, <threatname>, <status>, <version>
V 2.0: New Anti-Virus Events	N/A	<vmid>, <action>, <sip>, <sport>, <dip>, <dport>, <protnum>, <sname>, <dname>, <sinterface>, <snatip>, <login>, <account>, <url>, <severity>, <recipient>, <sender>, <bytesin>, <bytesout>, <useragent>, <domainimpacted>, <vendorinfo>, <threatname>, <subject>, <reason>, <objecttype>, <object>, <result>, <threatid>, <policy>
V 2.0: OS Exploits Events	N/A	<vmid>, <action>, <sip>, <sport>, <dip>, <dport>, <protnum>, <sinterface>, <reason>, <snatip>, <snatport>, <dnatip>, <dnatport>, <url>, <login>, <severity>, <threatname>, <status>, <version>
V 2.0: Query-database Events	N/A	<vmid>, <sip>, <subject>, <status>, <login>, <object>, <objecttype>, <action>, <sinterface>, <version>
V 2.0: RAD Events	N/A	<vmid>, <dip>, <reason>, <vendorinfo>
V 2.0: Scheduled System Update Event	N/A	<vmid>, <dip>, <vendorinfo>, <status>, <login>, <object>, <objecttype>, <subject>, <action>, <domainorigin>, <version>, <session>
V 2.0: Security Gateway/Management Events	N/A	<vmid>, <action>, <sip>, <sport>, <dip>, <dport>, <protnum>, <sinterface>, <reason>, <snatip>, <snatport>, <dnatip>, <dnatport>, <severity>, <vendorinfo>, <status>, <result>
V 2.0: Smart Anti-Spam Events	N/A	<vmid>, <action>, <sip>, <sport>, <dip>, <dport>, <protnum>, <sinterface>, <reason>, <snatip>, <snatport>, <dnatip>, <dnatport>, <login>, <recipient>, <sender>, <url>, <sname>, <policy>
V 2.0: Smart Defense Events	N/A	<vmid>, <action>, <tag2>, <sip>, <sport>, <dip>, <dport>, <protnum>, <sinterface>, <reason>, <snatip>, <snatport>, <dnatip>, <dnatport>, <login>, <account>, <recipient>, <sender>, <url>, <dname>, <sname>, <vendorinfo>, <tag1>, <threatname>, <severity>, <cve>, <policy>
V 2.0: SmartConsole Events	N/A	<vmid>, <dip>, <dname>, <action>, <tag1>, <vendorinfo>, <login>, <sip>
V 2.0: SmartDashboard Events	N/A	<vmid>, <sip>, <subject>, <status>, <login>, <object>, <objecttype>, <action>, <sinterface>, <version>
V 2.0: SmartEvent Client Events	N/A	<vmid>, <action>, <sip>, <sport>, <dip>, <dport>, <protnum>, <sinterface>, <reason>, <snatip>, <snatport>, <dnatip>, <dnatport>, <severity>, <vendorinfo>, <status>, <tag1>, <result>
V 2.0: SmartView Events	N/A	<vmid>, <vendorinfo>, <login>, <action>, <sip>, <dip>
V 2.0: Syslog Events	N/A	<vmid>, <dip>, <vendorinfo>, <severity>
V 2.0: System Monitor Events	N/A	<vmid>, <dip>, <severity>, <vendorinfo>, <object>, <dname>, <subject>, <tag1>, <policy>
V 2.0: Threat Emulation Events	N/A	<vmid>, <action>, <sip>, <sport>, <dip>, <dport>, <protnum>, <sinterface>, <snatip>, <url>, <severity>, <result>, <login>, <sname>, <sender>, <recipient>, <subject>, <account>, <useragent>, <object>, <objecttype>, <size>, <session>, <vendorinfo>, <hash>, <threatname>, <reason>, <policy>
V 2.0: Threat Extraction Events	N/A	<vmid>, <action>, <sip>, <sport>, <dip>, <dport>, <protnum>, <sinterface>, <reason>, <snatip>, <snatport>, <dnatip>, <dnatport>, <login>, <url>, <severity>, <recipient>, <sender>, <threatname>, <subject>, <hash>, <object>, <objecttype>, <size>, <policy>
V 2.0: URL Filtering Application Control Events	N/A	<vmid>, <action>, <tag1>, <sip>, <sport>, <dip>, <dport>, <protnum>, <sinterface>, <reason>, <snatip>, <snatport>, <dnatip>, <dnatport>, <sname>, <login>, <protname>, <seconds>, <version>, <policy>, <quantity>, <subject>, <severity>, <process>
V 2.0: URL Filtering Events	N/A	<vmid>, <action>, <tag1>, <sip>, <sport>, <dip>, <dport>, <protnum>, <sinterface>, <reason>, <snatip>, <snatport>, <dnatip>, <dnatport>, <severity>, <process>, <subject>, <sname>, <login>, <bytesout>, <bytesin>, <seconds>, <policy>, <url>
V 2.0: VPN-1 & FireWall-1 Events	N/A	<vmid>, <action>, <tag1>, <sip>, <sport>, <dip>, <dport>, <protnum>, <sinterface>, <reason>, <snatip>, <snatport>, <dnatip>, <dnatport>, <login>, <policy>, <bytesin>, <packetsin>, <bytesout>, <packetsout>, <command>
V 2.0: WEB_API	N/A	<vmid>, <action>, <vendorinfo>, <status>, <login>, <sip>, <sname>, <object>, <objecttype>, <subject>
V 2.0: Web-UI Events	N/A	<vmid>, <sip>, <subject>, <status>, <login>, <object>, <objecttype>, <action>, <sinterface>, <version>
V 2.0: WIFI Network Events	N/A	<vmid>, <action>, <sip>, <sport>, <dip>, <dport>, <protnum>, <reason>, <subject>, <login>, <url>, <sname>, <severity>, <status>, <version>
V 2.0: Zero Phishing Events	N/A	<vmid>, <action>, <sip>, <sport>, <dip>, <dport>, <protnum>, <sinterface>, <url>, <sname>, <login>, <severity>, <useragent>, <vendorinfo>, <threatname>, <vendorinfo>, <policy>, <result>

Revision History

KB Version	Log Type	Change Type	Details
N/A	Syslog - Check Point Log Exporter	Documentation	New LSO Default V 2.0 document update