Problem

You wanted to export Check Point logs to Splunk SIEM.

Solution

The steps to configure Check Point to forward all of its logs to Splunk SIEM using the Log Exporter are as follows:

  1. Log in to SmartConsole.
  2. If the OPSEC application object used by the old LEA-based Splunk integration has no other use, delete it from the GUI; if the same OPSEC object is still used for something else, remove only the LEA client entity from it.
  3. If this was the only OPSEC LEA client (otherwise skip this step), edit $FWDIR/conf/fwopsec.conf so that the LEA server no longer listens, by commenting out these lines:

From:
#
lea_server auth_port 18184
lea_server port 0
#

To:
#
# lea_server auth_port 18184
# lea_server port 0
#

  4. Log in to the CLI over SSH (for example with PuTTY) and enter expert mode.
  5. Add the exporter with the following command:

#cp_log_export add name <name> target-server <target-server IP address> target-port <target-port> protocol <(udp|tcp)> format <(syslog)|(cef)|(splunk)|(logrhythm)|(generic)> [optional arguments]

Where

name = a unique name for this exporter configuration

target-server = the IP address of the SIEM server that receives the logs

target-port = the port the target is listening on, e.g. 514

protocol = the transport protocol to use (tcp or udp)

format = the format in which the logs are exported

Below is the example of the configuration being used in my test environment:

cp_log_export add name Khairul-Server-Export target-server 172.17.18.120 target-port 514 protocol tcp format splunk read-mode semi-unified

(read-mode semi-unified is the mode recommended by Splunk; by default Check Point sends in raw mode, in which each log update is sent as a distinct record, whereas semi-unified merges updates to the same connection into one record. Check with your SIEM vendor for its recommended mode.)

  6. Start the Log Exporter process:

[Expert@ManagementServer:0]# cp_log_export restart

Stopping log_exporter for: Khairul-Server-Export

Starting log_exporter for: Khairul-Server-Export

cpwd_admin:

Process EXPORTER.Khairul-Server-Export started successfully (pid=2662)

  7. Check the status of the Log Exporter:

[Expert@ManagementServer:0]# cp_log_export status

name: Khairul-Server-Export

     status: Running (2662)

     last log read at: 28 Feb 23:16:05

     debug file: /opt/CPrt-R80.30/log_exporter/targets/Khairul-Server-Export/log/log_indexer.elg

Once the configuration is done, you should see the logs arriving on the Splunk SIEM server. Note that with protocol tcp or udp the logs leave the management server in cleartext; if the path to the SIEM is not trusted, use the Log Exporter's encrypted (TLS) option instead, as described in Check Point's Log Exporter documentation.
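Checking the status once by hand is fine, but in production you want to know when an exporter has stopped or has silently stopped reading logs. The following is an added example, not code from the original post or from Check Point: it parses the text that cp_log_export status prints (shaped like the output above) and flags exporters that are not Running or whose last log read time lags too far behind. The sample status text is constructed for the example, including a second exporter named Backup-SIEM-Export that does not exist on the page; the year has to be supplied by the caller because the status output carries none.

```python
"""Parse `cp_log_export status` output and flag unhealthy Log Exporter instances."""
import re
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional

# Constructed sample, shaped like the `cp_log_export status` output shown in
# the post and extended with a second, stopped exporter. Not real output.
SAMPLE_STATUS = """\
name: Khairul-Server-Export
     status: Running (2662)
     last log read at: 28 Feb 23:16:05
     debug file: /opt/CPrt-R80.30/log_exporter/targets/Khairul-Server-Export/log/log_indexer.elg
name: Backup-SIEM-Export
     status: Stopped
     last log read at: 27 Feb 08:00:00
     debug file: /opt/CPrt-R80.30/log_exporter/targets/Backup-SIEM-Export/log/log_indexer.elg
"""


@dataclass
class Exporter:
    name: str
    status: str
    pid: Optional[int]
    last_read: Optional[datetime]
    debug_file: Optional[str]


def parse_status(text: str, year: int) -> List[Exporter]:
    """Turn the status text into Exporter records.

    `year` is needed because the 'last log read at' field has no year.
    """
    exporters: List[Exporter] = []
    current: Optional[Exporter] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("name:"):
            current = Exporter(name=line.split(":", 1)[1].strip(), status="Unknown",
                               pid=None, last_read=None, debug_file=None)
            exporters.append(current)
            continue
        if current is None:
            continue  # skip anything before the first exporter block
        key, _, value = line.partition(":")  # split on the first colon only
        key, value = key.strip(), value.strip()
        if key == "status":
            m = re.match(r"(\w+)(?:\s+\((\d+)\))?", value)  # e.g. "Running (2662)"
            if m:
                current.status = m.group(1)
                current.pid = int(m.group(2)) if m.group(2) else None
        elif key == "last log read at":
            current.last_read = datetime.strptime(f"{value} {year}", "%d %b %H:%M:%S %Y")
        elif key == "debug file":
            current.debug_file = value
    return exporters


def health_check(exporters: List[Exporter], now: datetime,
                 max_lag: timedelta = timedelta(minutes=15)) -> Dict[str, List[str]]:
    """Return {exporter name: [problems]} for exporters that need attention."""
    problems: Dict[str, List[str]] = {}
    for e in exporters:
        issues = []
        if e.status != "Running":
            issues.append(f"status is {e.status}")
        elif e.pid is None:
            issues.append("reported Running but no pid")
        if e.last_read is None:
            issues.append("no last log read time")
        elif now - e.last_read > max_lag:
            issues.append(f"last log read {now - e.last_read} ago (limit {max_lag})")
        if issues:
            problems[e.name] = issues
    return problems


if __name__ == "__main__":
    # On a real management server you would feed in the output of
    # `cp_log_export status` instead of SAMPLE_STATUS.
    report = health_check(parse_status(SAMPLE_STATUS, 2020),
                          now=datetime(2020, 2, 28, 23, 20, 0))
    for name, issues in report.items():
        print(f"{name}: {'; '.join(issues)}")
```

Run it on the management server in a cron job and alert when health_check returns anything; the staleness check is what catches the common failure where the process is alive but the SIEM has stopped accepting the TCP connection, so nothing new is read.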
