Problem
You wanted to export Check Point logs to Splunk SIEM.
Solution
The steps to configure Check Point to forward all its logs to Splunk SIEM are as follows:
- Login to the SmartConsole application
- Delete the OPSEC application object from the GUI if the LEA client is its only use; otherwise, remove only the LEA client entity from it:

- If this is the only OPSEC LEA client (otherwise skip this step), configure $FWDIR/conf/fwopsec.conf to no longer allow LEA by commenting out these lines:
From:
lea_server auth_port 18184
lea_server port 0
To:
# lea_server auth_port 18184
# lea_server port 0
- Log in to the CLI using PuTTY
- Go to expert mode
- Enter these commands:
#cp_log_export add name <name> target-server <target-server IP address> target-port <target-port> protocol <(udp|tcp)> format <(syslog)|(cef)|(splunk)|(logrhythm)|(generic)> [optional arguments]
Where
name = unique name for the exporter configuration
target-server = IP address the logs are exported to
target-port = port the target is listening on, e.g. 514
protocol = transport protocol to use (udp or tcp)
format = format in which the logs are exported
Below is an example of the configuration used in my test environment:
cp_log_export add name Khairul-Server-Export target-server 172.17.18.120 target-port 514 protocol tcp format splunk read-mode semi-unified
(read-mode semi-unified is the mode recommended by Splunk; by default Check Point uses raw mode, which sends the updates as distinct logs. Check with your SIEM provider for the recommended mode.)
- Start the log exporter process
[Expert@ManagementServer:0]# cp_log_export restart
Stopping log_exporter for: Khairul-Server-Export
Starting log_exporter for: Khairul-Server-Export
cpwd_admin:
Process EXPORTER.Khairul-Server-Export started successfully (pid=2662)
- Check the status of the Log Exporter
[Expert@ManagementServer:0]# cp_log_export status
name: Khairul-Server-Export
status: Running (2662)
last log read at: 28 Feb 23:16:05
debug file: /opt/CPrt-R80.30/log_exporter/targets/MTMY-Server-Export/log/log_indexer.elg
Once the configuration is done, you should see the logs arriving at the Splunk SIEM server.
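The status output above is the natural thing to keep an eye on: if the exporter stops or stalls, the SIEM goes blind without any alert from Splunk itself. The following is an added example, not part of the original post or of Check Point's tooling, that parses `cp_log_export status` output in the format shown and flags exporters that are not Running or whose last log read is older than a threshold; the second exporter in the sample and the current-year assumption for the timestamp are mine.

```python
from datetime import datetime

# Constructed sample of `cp_log_export status` output (not captured from a real
# system): the healthy exporter from the post plus a second, stopped one.
SAMPLE_STATUS = """\
name: Khairul-Server-Export
status: Running (2662)
last log read at: 28 Feb 23:16:05
debug file: /opt/CPrt-R80.30/log_exporter/targets/MTMY-Server-Export/log/log_indexer.elg

name: Backup-Exporter
status: Stopped
last log read at: 27 Feb 08:00:00
debug file: /opt/CPrt-R80.30/log_exporter/targets/Backup-Exporter/log/log_indexer.elg
"""

def parse_status(text):
    """Split the status output into one dict per exporter, keyed by field name."""
    exporters, current = [], {}
    for line in text.splitlines():
        if not line.strip():
            continue
        key, _, value = line.partition(":")  # split on the first colon only
        if key.strip() == "name" and current:  # a new "name:" starts the next exporter
            exporters.append(current)
            current = {}
        current[key.strip()] = value.strip()
    if current:
        exporters.append(current)
    return exporters

def check_exporters(text, now_iso, max_lag_minutes=15):
    """Return (name, problem) pairs for exporters that are stopped or have gone quiet."""
    now = datetime.fromisoformat(now_iso)
    problems = []
    for exp in parse_status(text):
        name = exp.get("name", "?")
        if not exp.get("status", "").startswith("Running"):
            problems.append((name, "not running: " + exp.get("status", "unknown")))
        try:  # the timestamp carries no year; assume the current year (assumption)
            last = datetime.strptime(exp["last log read at"], "%d %b %H:%M:%S")
            last = last.replace(year=now.year)
        except (KeyError, ValueError):
            problems.append((name, "no parsable 'last log read at'"))
            continue
        lag = (now - last).total_seconds() / 60
        if lag > max_lag_minutes:
            problems.append((name, f"last log read {lag:.0f} minutes ago"))
    return problems
```

Run it from a cron job on the management server with the live output of `cp_log_export status` and raise an alert on any non-empty result.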