Absent Member.

Checkpoint R77.30 Audit logs and Syslog Server

Hi,

I have 2 questions:

1) I need to collect logs from a Check Point Management server.

Following the guide "SmartConnector for Check Point OPSEC NG", it seems that you can collect all logs about IPS, Firewall, Anti-Bot, etc.

I need to collect the activities of administrators that have access to the Management server and edit the rule base. How can I do it?

2) I have configured via the WebUI a remote syslog server for each node of Check Point.

But it seems that these logs are not parsed. Any idea?

Thanks in advance

Andrea

Commander

Dear Andrea,

For Checkpoint R77.30 audit logs and syslog server you have to use Syslog instead of OPSEC NG. You can refer to this guide for the same: "https://community.softwaregrp.com/t5/ArcSight-Connectors/Check-Point-Syslog/ta-p/1647173"

Thanks

Ranjan

Captain

Hi Andrea,

We are also facing the same issue. We are collecting logs from Check Point R80.10 through syslog using a Log Exporter. Audit logs alone are not getting parsed. I've raised a case with MicroFocus and they said that R80.10 is not a supported version for Check Point Syslog and asked us to update to R80.20.

But I found data mapped to additional fields in some cases. Check the additional mapped data for the connector and if you find anything relevant, map the additional data to the required ArcSight fields.

Regards,

Sumanth.

Fleet Admiral

I am sorry, but that comment makes little sense: both R77.30 and R80.10 work with Checkpoint Log Exporter, which outputs as CEF.

Have you configured it to export as CEF according to their documentation? https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk122323

It is also worth noting that if you use MDS, you might need to remap the device IP at this point, since it uses the MDS IP instead of the GW IP; this should have been fixed by Checkpoint in a newer hotfix.

Another important note is that the newest connectors have upgraded their mapping for Checkpoint, so 7.9.2, I think it was, has a lot of new mappings.

For resource modifications for @andrea1993, that should already exist on both OPSEC and Syslog, I think? It would be weird if resource modification was not already there.

-----------------------------------------------------------------------------------------
All topics and replies made are based on my personal opinion, viewpoint and experience; they do not represent the viewpoints of MicroFocus.
All replies are based on best effort and cannot be taken as official support replies.
//Marius
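The replies above turn on two practical questions: whether the Log Exporter output really is well-formed CEF, and which extension keys a CEF-based connector has no standard mapping for (the "additional data" Sumanth mentions). The following parser is an added example written for this thread; it is not code from Check Point, Micro Focus or the ArcSight connector. The two sample lines are constructed: the header follows CEF syntax, but the `cp_*` extension keys and the convention that audit records carry `Audit` as the signature id are placeholders, not Log Exporter's real field names. `STANDARD_KEYS` is a subset of the keys defined by the CEF extension dictionary.

```python
"""Parse CEF lines (as emitted by a syslog/CEF exporter) and report which
extension keys fall outside the standard CEF dictionary, i.e. what a generic
CEF parser would leave as 'additional data'.

Added example for this thread; sample lines and cp_* field names are constructed.
"""
import re
from dataclasses import dataclass

HEADER_NAMES = ("cef_version", "device_vendor", "device_product",
                "device_version", "signature_id", "name", "severity")

# Subset of standard CEF extension keys; anything else is vendor-specific.
STANDARD_KEYS = {
    "rt", "src", "dst", "spt", "dpt", "proto", "act", "suser", "duser",
    "shost", "dhost", "msg", "fname", "request", "deviceExternalId",
    *{f"cs{i}" for i in range(1, 7)}, *{f"cs{i}Label" for i in range(1, 7)},
    *{f"cn{i}" for i in range(1, 4)}, *{f"cn{i}Label" for i in range(1, 4)},
}

# Constructed sample input: one firewall traffic record and one administrator
# audit record (rule base edit on the management server).
SAMPLE_LINES = [
    r"CEF:0|Check Point|VPN-1 & FireWall-1|R77.30|Accept|Accept|3|"
    r"rt=1554076800000 src=10.1.2.3 dst=10.9.8.7 proto=tcp dpt=443 act=Accept cp_rule_name=Allow Web",
    r"CEF:0|Check Point|SmartConsole|R77.30|Audit|Administrator change \| rulebase|5|"
    r"rt=1554076860000 suser=admin src=10.1.1.50 cp_operation=Modify Object "
    r"cp_object=Standard_Rulebase cp_changes=rule 12 action\=drop \\ src added",
]


@dataclass
class CefEvent:
    header: dict
    extension: dict

    @property
    def is_audit(self) -> bool:
        # Placeholder convention for this example: audit records use signature id "Audit".
        return self.header["signature_id"].lower() == "audit"


def _split_header(line: str):
    """Split the seven '|'-separated header fields, honouring '\\|' and '\\\\' escapes."""
    if not line.startswith("CEF:"):
        raise ValueError("not a CEF line")
    fields, cur, i = [], [], len("CEF:")
    while i < len(line):
        ch = line[i]
        if ch == "\\" and i + 1 < len(line) and line[i + 1] in "|\\":
            cur.append(line[i + 1])   # escaped pipe or backslash is literal
            i += 2
            continue
        if ch == "|":
            fields.append("".join(cur))
            cur = []
            if len(fields) == 7:
                return fields, line[i + 1:]   # remainder is the extension
        else:
            cur.append(ch)
        i += 1
    raise ValueError("CEF header has fewer than 7 fields")


_KEY_RE = re.compile(r"(?:^|\s)([A-Za-z0-9_.-]+)=")
_UNESC = {"\\=": "=", "\\\\": "\\", "\\n": "\n", "\\r": "\r"}


def _unescape(value: str) -> str:
    return re.sub(r"\\[=\\nr]", lambda m: _UNESC[m.group(0)], value)


def _parse_extension(ext: str) -> dict:
    """Values may contain spaces, so each value runs from its key to the next key."""
    matches = list(_KEY_RE.finditer(ext))
    out = {}
    for n, m in enumerate(matches):
        end = matches[n + 1].start() if n + 1 < len(matches) else len(ext)
        out[m.group(1)] = _unescape(ext[m.end():end].strip())
    return out


def parse_cef(line: str) -> CefEvent:
    fields, ext = _split_header(line.rstrip("\r\n"))
    return CefEvent(dict(zip(HEADER_NAMES, fields)), _parse_extension(ext))


def unmapped_keys(event: CefEvent) -> list:
    """Vendor-specific keys a generic CEF parser leaves as additional data."""
    return sorted(k for k in event.extension if k not in STANDARD_KEYS)


if __name__ == "__main__":
    for ev in (parse_cef(l) for l in SAMPLE_LINES):
        kind = "audit" if ev.is_audit else "traffic"
        print(f"{kind:8} {ev.header['name']!r:40} unmapped={unmapped_keys(ev)}")
```

Run it against a few real lines captured from the exporter (replacing the constructed samples) to confirm the header splits into exactly seven fields and to list the keys the connector would only expose as additional data; those are the ones worth remapping to the ArcSight fields you need.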