Checkpoint R77.30 Audit logs and Syslog Server
I have 2 questions:
1) I need to collect logs from a Checkpoint Management server.
Following the guide "SmartConnector for Check Point OPSEC NG", it seems that you can collect all logs about IPS, Firewall, Anti-Bot, etc.
I need to collect the activities of administrators that access the Management server and edit the rule base; how can I do it?
2) I have configured via the WebUI a remote syslog server for each Checkpoint node.
But it seems that these logs are not parsed, any idea?
Thanks in advance
For Checkpoint R77.30 audit logs and a syslog server you have to use Syslog instead of OPSEC NG. You can refer to this guide for the same: "https://community.softwaregrp.com/t5/ArcSight-Connectors/Check-Point-Syslog/ta-p/1647173".
We are also facing the same issue. We are collecting logs from Check Point R80.10 through syslog using a Log Exporter. Audit logs alone are not getting parsed. I've raised a case with MicroFocus and they told me that R80.10 is not a supported version for Check Point Syslog and asked us to update to R80.20.
But I found data mapped to additional fields in some cases. Check the additional mapped data for the connector and if you find anything relevant, map the additional data to the required ArcSight fields.
I am sorry, but that comment makes little sense; both R77.30 and R80.10 work with the Checkpoint Log Exporter, which outputs CEF.
Have you configured it to export as CEF according to their documentation? https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk122323
It is also worth noting that if you use MDS, you might need to remap the device IP at this point, since it uses the MDS IP instead of the GW IP; this should have been fixed by Checkpoint in a newer hotfix.
Another important note is that the newest connectors have upgraded their mapping for Checkpoint, so 7.9.2, I think it was, has a lot of new mappings.
For resource modifications, @andrea1993, that should already exist on both OPSEC and Syslog, I think? It would be weird if resource modification was not already there.
All topics and replies made are based on my personal opinion, viewpoint and experience; they do not represent the viewpoints of MicroFocus.
All replies are based on best effort and cannot be taken as official support replies.
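As an added example (not posted by anyone in this thread, and not Check Point's or Micro Focus's code): a small parser for CEF lines of the kind Log Exporter emits, which unescapes the pipe-delimited header and the key=value extension, then lists the extension keys that fall outside the standard CEF dictionary. Those are the fields a connector cannot map automatically and that show up as "additional data", which is where the second reply suggests looking when audit events arrive unparsed. The two sample lines, the product strings and the audit field names (ObjectType, Client) are constructed for illustration and are not real Log Exporter output; STANDARD_KEYS is only a subset of the CEF dictionary.

```python
"""Parse CEF lines from a syslog / Log Exporter feed and report which
extension keys are outside the standard CEF dictionary ("additional data")."""
import re

# The seven CEF header fields, in wire order, after the "CEF:" prefix.
HEADER_FIELDS = ("version", "device_vendor", "device_product", "device_version",
                 "signature_id", "name", "severity")

# Subset of the standard ArcSight CEF extension dictionary. Anything not in
# this set is treated as vendor-specific "additional data".
STANDARD_KEYS = {
    "act", "app", "cat", "dst", "dpt", "dhost", "duser", "dvc", "dvchost",
    "fname", "msg", "outcome", "proto", "rt", "src", "spt", "shost", "suser",
    "deviceProcessName",
} | {f"cs{i}" for i in range(1, 7)} | {f"cs{i}Label" for i in range(1, 7)}

_ESCAPES = {"n": "\n", "r": "\r"}


def _unescape(value):
    # CEF escapes '\', '=' and '|' with a backslash; newlines travel as \n / \r.
    return re.sub(r"\\(.)", lambda m: _ESCAPES.get(m.group(1), m.group(1)), value)


def _split_header(line):
    """Split the 7 pipe-delimited header fields, honouring \\| escapes.
    Returns (fields, extension_string)."""
    fields, buf, i, n = [], [], 0, len(line)
    while i < n and len(fields) < 7:
        ch = line[i]
        if ch == "\\" and i + 1 < n:          # escaped char: keep the next one literally
            buf.append(line[i + 1]); i += 2; continue
        if ch == "|":                          # unescaped pipe ends a header field
            fields.append("".join(buf)); buf = []; i += 1; continue
        buf.append(ch); i += 1
    if len(fields) < 7:
        raise ValueError("malformed CEF header: fewer than 7 fields")
    return fields, line[i:]


# Extension pairs are separated by whitespace followed by "key=". The lookahead
# only matches an unescaped '=', so "Standard\=Policy" inside a value does not
# start a new pair.
_PAIR_SPLIT = re.compile(r"\s+(?=[A-Za-z0-9_.\-]+=)")


def _parse_extension(ext):
    ext = ext.strip()
    if not ext:
        return {}
    pairs = {}
    for pair in _PAIR_SPLIT.split(ext):
        key, _, raw = pair.partition("=")
        pairs[key] = _unescape(raw)
    return pairs


def parse_cef(line):
    """Parse one CEF message; any syslog prefix before 'CEF:' is ignored."""
    start = line.find("CEF:")
    if start < 0:
        raise ValueError("not a CEF message")
    fields, ext = _split_header(line[start + len("CEF:"):])
    event = dict(zip(HEADER_FIELDS, fields))
    event["extension"] = _parse_extension(ext)
    return event


def unmapped_keys(event):
    """Extension keys the standard CEF dictionary does not define: the fields to
    look for under 'additional data' and map to ArcSight fields by hand."""
    return sorted(k for k in event["extension"] if k not in STANDARD_KEYS)


# Constructed sample lines (not real Check Point output): one traffic event with
# a syslog prefix, one administrator audit event. Field names are illustrative.
SAMPLE_TRAFFIC = ("<134>1 2019-05-01T10:00:00Z gw1 CEF:0|Check Point|VPN-1 & FireWall-1|R77.30|Log|Accept|1|"
                  "rt=1556704800000 src=10.1.1.5 spt=51000 dst=10.2.2.8 dpt=443 proto=TCP act=Accept")
SAMPLE_AUDIT = ("CEF:0|Check Point|SmartDashboard|R80.10|Log|Modify Object|3|"
                "rt=1556704860000 suser=admin act=Modify cs1Label=ObjectName cs1=Standard\\=Policy "
                "ObjectType=rule Client=SmartConsole msg=rule 12 changed\\|reviewed")

if __name__ == "__main__":
    for sample in (SAMPLE_TRAFFIC, SAMPLE_AUDIT):
        ev = parse_cef(sample)
        print(ev["device_product"], "/", ev["name"], "-> unmapped:", unmapped_keys(ev))
```

Run it against a capture of your own exporter output instead of the constructed samples; the keys reported by unmapped_keys are the candidates for a custom field mapping, while an empty list for audit events means the problem is on the connector side rather than in the CEF payload.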