Integrate Check Point by using Syslog
This section describes how to ensure that the JSA Check Point DSMs accept Check Point events by using syslog.
To configure Check Point to forward syslog events to JSA, complete the following steps. This procedure applies to Check Point installations on Linux or Solaris. If Check Point SmartCenter is installed on Microsoft Windows, you must integrate Check Point with JSA by using OPSEC instead.
-
Type the following command to access the Check Point console as an expert user:
expert
A password prompt appears.
-
Type your expert console password. Press the Enter key.
-
Open the following file:
/etc/rc.d/rc3.d/S99local
-
Add the following line:
$FWDIR/bin/fw log -ftn | /usr/bin/logger -p <facility>.<priority> > /dev/null 2>&1 &
Where:
-
<facility> is a syslog facility, for example, local3.
-
<priority> is a syslog priority, for example, info.
For example:
$FWDIR/bin/fw log -ftn | /usr/bin/logger -p local3.info > /dev/null 2>&1 &
-
-
Save and close the file.
-
Open the syslog.conf file.
-
Add the following line:
<facility>.<priority> <TAB><TAB>@<host>
Where:
-
<facility> is the syslog facility, for example, local3. This value must match the value that you typed in Step 4.
-
<priority> is the syslog priority, for example, info or notice. This value must match the value that you typed in Step 4. A syslog selector priority is a threshold: it matches messages at that priority and at more severe priorities, so a selector of local3.notice does not forward messages that logger sends at local3.info.
-
<TAB> indicates that you must press the Tab key.
-
<host> is the IP address or host name of the JSA Console or managed host. The @ prefix forwards the events over UDP to port 514.
-
-
Save and close the file.
-
Enter the following command to restart syslog:
-
In Linux: service syslog restart
-
In Solaris: /etc/init.d/syslog stop, and then /etc/init.d/syslog start
-
-
Enter the following command to start forwarding now (the line that you added to S99local starts it again after a reboot):
nohup $FWDIR/bin/fw log -ftn | /usr/bin/logger -p <facility>.<priority> > /dev/null 2>&1 &
Where:
-
<facility> is a Syslog facility, for example, local3. This value must match the value that you typed in Step 4.
-
<priority> is a Syslog priority, for example, info. This value must match the value that you typed in Step 4.
-
The configuration is complete. The log source is added to JSA as Check Point syslog events are automatically discovered. Events that are forwarded to JSA are displayed on the Log Activity tab.
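The procedure above works only if the selector in syslog.conf actually selects what `logger -p <facility>.<priority>` emits. The following added example (not part of the JSA or Check Point documentation) models classic syslog.conf selector semantics so that a mismatch can be checked offline: it computes the PRI value that logger puts on the wire (facility * 8 + severity), evaluates a selector against a facility and priority, and lists the @host targets of a configuration. The syslog.conf excerpt and host addresses are constructed; facility codes 12 to 15 are platform specific and are only placeholders here.

```python
"""Syslog selector semantics behind the "must match" requirement.

Added example for this page; it is not part of the JSA or Check Point
documentation. It models how a classic syslog.conf selector
(<facility>.<priority>) decides whether a message that
`logger -p <facility>.<priority>` emits reaches the @<host> action.
The syslog.conf excerpt and host addresses below are constructed.
"""
import re

# Facility codes 0-23 (BSD syslog / RFC 3164); list index == numeric code.
# Codes 12-15 are platform specific and are only placeholders here.
FACILITIES = [
    "kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
    "uucp", "cron", "authpriv", "ftp", "res12", "res13", "res14", "res15",
    "local0", "local1", "local2", "local3", "local4", "local5", "local6", "local7",
]
# Severity codes 0-7; a lower code is more severe.
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]
_ALIASES = {"panic": "emerg", "error": "err", "warn": "warning"}


def severity_code(name):
    return SEVERITIES.index(_ALIASES.get(name, name))


def pri(facility, severity):
    """PRI that `logger -p facility.severity` puts on the wire: facility * 8 + severity."""
    return FACILITIES.index(facility) * 8 + severity_code(severity)


def _priority_spec_matches(spec, severity):
    """One priority spec: "info" (info and more severe), "=info" (exactly), "!info", "*"."""
    if spec == "*":
        return True
    negate = spec.startswith("!")
    spec = spec.lstrip("!")
    exact = spec.startswith("=")
    spec = spec.lstrip("=")
    wanted, actual = severity_code(spec), severity_code(severity)
    hit = actual == wanted if exact else actual <= wanted
    return hit != negate


def selector_matches(selector, facility, severity):
    """Evaluate a selector such as "local3.info" or "*.info;mail.none".

    Semicolon-separated parts apply in order and a later part overrides an
    earlier one for the same facility ("*.info;mail.none" excludes mail).
    A bare priority is a threshold: "local3.info" also selects notice, warning,
    ... up to emerg, but "local3.notice" does NOT select messages logged at info.
    """
    selected = False
    for part in selector.split(";"):
        fac_list, _, prio = part.strip().rpartition(".")
        facilities = {f.strip() for f in fac_list.split(",")}
        if "*" not in facilities and facility not in facilities:
            continue
        selected = False if prio == "none" else _priority_spec_matches(prio, severity)
    return selected


def remote_targets(conf_text, facility, severity):
    """Hosts (@host actions) to which this syslog.conf forwards the message."""
    hosts = []
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"\s+", line, maxsplit=1)
        if len(parts) != 2:
            continue
        selector, action = parts
        if action.startswith("@") and selector_matches(selector, facility, severity):
            hosts.append(action.lstrip("@"))
    return hosts


# Constructed syslog.conf excerpt: the line from the procedure above plus a
# line whose priority (notice) is stricter than what logger is sending (info).
SAMPLE_SYSLOG_CONF = """
*.info;mail.none;authpriv.none\t\t/var/log/messages
local3.info\t\t@192.0.2.10
local4.notice\t\t@192.0.2.11
"""

if __name__ == "__main__":
    print(pri("local3", "info"))                                   # 158 -> "<158>" on the wire
    print(remote_targets(SAMPLE_SYSLOG_CONF, "local3", "info"))    # ['192.0.2.10']
    print(remote_targets(SAMPLE_SYSLOG_CONF, "local4", "info"))    # [] : info is below the notice threshold
```

The local4 line shows the failure mode: logger sends at info, the selector asks for notice, and nothing is forwarded even though the facility matches. Using the same facility and priority in Step 4 and in syslog.conf, as the procedure says, avoids this.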
Configuring Check Point to forward LEEF Events to JSA
To forward LEEF events to JSA, use the Check Point Log Exporter and configure a new target for the logs.
Log Exporter can be installed on several versions of Check Point. Before you send events in LEEF format to JSA, ensure that you have the correct version of Check Point and Log Exporter installed in your environment.
The following table describes where LEEF events are supported.
Check Point version | Comments |
---|---|
R80.20 | Log Exporter is included in this version. |
R80.10 | Install Log Exporter, and then install the hotfix. |
R77.30 | Install Log Exporter, and then install the hotfix. |
Check Point R80.20
If you want to preserve the Log Exporter configuration before you upgrade to Check Point R80.20, follow the Log Exporter backup and restore procedure.
Check Point R80.10
Ensure that Check Point version R80.10 is installed on the following servers:
-
R80.10 Multi-Domain Log Server
-
Security Management Server
-
Log Server
-
SmartEvent Server
You can install Log Exporter on version R80.10 Jumbo Hotfix Take 56 or later. The hotfix must be installed after Jumbo is installed. If you want to upgrade Jumbo, uninstall the hotfix, upgrade Jumbo, and then reinstall the hotfix.
Check Point R77.30
Ensure that Check Point version R77.30 is installed on the following servers:
-
Multi-Domain server
-
Multi-Domain Log Server
-
Log Server
-
SmartEvent Server
You can install Log Exporter on version R77.30 Jumbo Hotfix Take 292 or later. The hotfix must be installed after Jumbo is installed. If you want to upgrade Jumbo, uninstall the hotfix, upgrade Jumbo, and then reinstall the hotfix.
-
On the Check Point server where Log Exporter is installed, open the command-line interface, type expert to enter expert mode, and then press Return.
-
Type your expert password, then press Return.
-
Type the following command:
cp_log_export add name <name> [domain-server <domain-server>] target-server <target-server IP address> target-port <target-port> protocol <(udp|tcp)> format <(syslog)|(cef)|(leef)> [optional arguments]
A new target directory and default files are created in the $EXPORTERDIR/targets/<deployment_name> directory.
The following table shows sample parameters and their values.
Table 2: Sample Target Configuration
Parameter | Value |
---|---|
Name | <service_name> |
Enabled | True |
Target-server | <JSA_IP_address> |
Target-port | 514 |
Protocol | TCP |
Format | LEEF |
Read-mode | Semi-unified |
The default value for the Read-mode parameter is Semi-unified, which ensures that complete data is collected.
-
To change a configuration, type cp_log_export set.
-
To verify a configuration in an existing deployment, type cp_log_export show.
-
To start Log Exporter, type the following command:
cp_log_export restart
By default, a newly added target does not start automatically.
Results
If JSA isn't receiving events from Check Point, try these troubleshooting tips:
-
Check the $EXPORTERDIR/targets/<deployment_name>/conf/LeefFieldsMapping.xml file for attribute-mapping issues.
-
Check the $EXPORTERDIR/targets/<deployment_name>/conf/LeefFormatDefinition.xml file for LEEF header-mapping issues.
-
Check the file paths. File paths might change with Check Point updates. If a configuration file can't be found, contact your Check Point administrator.
Syslog log source parameters for Check Point
If JSA does not automatically detect the log source, add a Check Point log source on the JSA Console by using the Syslog protocol.
When using the Syslog protocol, there are specific parameters that you must use.
The following table describes the parameters that require specific values to collect Syslog events from Check Point:
Parameter |
Value |
---|---|
Log Source type |
Check Point |
Protocol Configuration |
Syslog |
Log Source Identifier |
Type the IP address or host name for the log source as an identifier for events from your Check Point devices. |
Configuring JSA to receive LEEF events from Check Point
By default, Check Point LEEF events are mapped to the legacy OPSEC LEA event-mapping schema. If you want to change the way that JSA maps events, you can use the DSM Editor to disable legacy event mapping.
-
Click the Admin tab.
-
In the Data Sources section, click DSM Editor.
-
From the Select Log Source Type window, select Check Point from the list, and click Select.
-
On the Configuration tab, set Display DSM Parameters Configuration to on.
-
From the Event Collector list, select the event collector for the log source.
-
Set Disable legacy event mapping to on.
-
Click Save, and then close the DSM Editor.
Configuring JSA 7.3.0 to receive LEEF events from Check Point
By default, Check Point LEEF events are mapped to the legacy OPSEC LEA event-mapping schema. If you want to change the way that JSA 7.3.0 maps events, you can disable legacy event mapping by using the command line.
-
Using SSH, log in to your JSA Console as the root user.
-
To create a new properties file or to edit an existing properties file, type the following command:
vi /opt/qradar/conf/CheckPoint.properties
-
To disable legacy event mapping, add the following line to the file:
useLEEFMapping=true
-
To enable legacy event mapping again, use one of the following options:
-
Delete the useLEEFMapping=true line.
-
Change the useLEEFMapping=true line to useLEEFMapping=false.
-
Save your changes, and then exit the editor.
-
Restart the event collection service. For more information, see Restarting the event collection service.
Syslog Sample Event Messages for Check Point
Use these sample event messages to verify a successful integration with JSA.
Due to formatting issues, paste the message format into a text editor and then remove any carriage return or line feed characters.
Check Point Sample Message when you use the Syslog Protocol
Sample 1: The following sample event message shows that a trusted connection is identified and marked as an elephant flow.
<13>Sep 30 07:13:59 checkpoint.checkpoint.test 30Sep2020 07:13:59 10.1.253.3 product: VPN-1 &FireWall-1; src: 10.3.5.15; s_port: 61172; dst: 10.254.4.3; service: 53; proto: udp; rule:; policy_id_tag: product=VPN-1 & FireWall-1[db_tag={666B9F89-D1F9-7848-B5FB-BF8D97B768F8};mgmt=fwmgmt; date=1601441138;policy_name=CBS_policy_Simplified_PlusDeskt];dst_machine_name: *** Confidential ***;dst_user_name: *** Confidential ***;fw_message: Connection is marked as trusted elephant flow. Use fastaccel tool to edit configuration if needed.;has_accounting: 0;i/f_dir: inbound;is_first_for_luuid: 131072;logId: -1;log_sequence_num: 11;log_type: log;log_version: 5;origin_sic_name: CN=x01_fw1,O=fwmgmt.cu.com.pl.8pjujj;snid: 0;src_machine_name: *** Confidential ***;src_user_name: *** Confidential ***;user: *** Confidential ***;
JSA field name |
Highlighted values in the event payload |
---|---|
Username |
*** Confidential *** |
Source IP |
10.3.5.15 |
Source port |
61172 |
Destination IP |
10.254.4.3 |
Destination port |
53 |
Device time |
Sep 30 07:13:59 |
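The Sample 1 payload is a syslog header followed by Check Point's own "key: value;" record, and one of those values (policy_id_tag) carries nested semicolon-separated data in brackets, so a naive split on ";" produces bogus fields. The following added example (not part of the JSA documentation or of JSA's Check Point DSM) parses the record with bracket-aware splitting and normalizes it to the JSA field names in the table above. SAMPLE_1 is the Sample 1 payload with the line-wrap spaces removed; the to_jsa_fields mapping is a hypothetical approximation of what the DSM does, not its code.

```python
"""Parse the Check Point syslog payload from Sample 1 into the fields JSA shows.

Added example for this page; it is not part of the JSA documentation or of
JSA's Check Point DSM. SAMPLE_1 is the Sample 1 payload from this page with
the line-wrap spaces removed. The JSA field names come from the table; the
mapping function is a hypothetical approximation of the DSM, not its code.
"""
import re

# Severity codes 0-7 from the syslog PRI; facility is PRI // 8 (1 == user, 19 == local3).
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

_HEADER = re.compile(
    r"^<(?P<pri>\d{1,3})>"                                  # syslog PRI, e.g. <13>
    r"(?P<syslog_time>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) "   # syslog timestamp = JSA "Device time"
    r"(?P<host>\S+) "                                       # syslog hostname
    r"(?P<cp_time>\d{1,2}\w{3}\d{4} \d{2}:\d{2}:\d{2}) "    # fw log's own date and time
    r"(?P<origin>\S+) "                                     # gateway that produced the record
    r"(?P<body>.*)$"                                        # "key: value;" pairs
)


def _store(fields, pair):
    pair = pair.strip()
    if pair:
        key, sep, value = pair.partition(":")
        if sep:
            fields[key.strip()] = value.strip()


def _split_fields(body):
    """Split "key: value;" pairs on ';' but not inside [...] or {...}.

    policy_id_tag carries its own ';'-separated data in brackets, so a plain
    body.split(';') would shred it into bogus keys (mgmt, date, policy_name).
    """
    fields, depth, token = {}, 0, []
    for ch in body:
        if ch in "[{":
            depth += 1
        elif ch in "]}":
            depth -= 1
        if ch == ";" and depth == 0:
            _store(fields, "".join(token))
            token = []
        else:
            token.append(ch)
    _store(fields, "".join(token))
    return fields


def parse_checkpoint_syslog(line):
    m = _HEADER.match(line)
    if not m:
        raise ValueError("not a Check Point syslog record")
    pri = int(m["pri"])
    return {
        "facility_code": pri // 8,
        "severity": SEVERITIES[pri % 8],
        "syslog_time": m["syslog_time"],
        "host": m["host"],
        "cp_time": m["cp_time"],
        "origin": m["origin"],
        "fields": _split_fields(m["body"]),
    }


def _port(value):
    return int(value) if value and value.isdigit() else None


def to_jsa_fields(event):
    """Normalize to the JSA field names in the table (hypothetical mapping)."""
    f = event["fields"]
    return {
        "Username": f.get("user"),
        "Source IP": f.get("src"),
        "Source port": _port(f.get("s_port")),
        "Destination IP": f.get("dst"),
        "Destination port": _port(f.get("service")),
        "Device time": event["syslog_time"],
    }


# Sample 1 from this page, with the line-wrap spaces removed.
SAMPLE_1 = (
    "<13>Sep 30 07:13:59 checkpoint.checkpoint.test 30Sep2020 07:13:59 10.1.253.3 "
    "product: VPN-1 &FireWall-1; src: 10.3.5.15; s_port: 61172; dst: 10.254.4.3; "
    "service: 53; proto: udp; rule:; policy_id_tag: product=VPN-1 & FireWall-1"
    "[db_tag={666B9F89-D1F9-7848-B5FB-BF8D97B768F8};mgmt=fwmgmt; date=1601441138;"
    "policy_name=CBS_policy_Simplified_PlusDeskt];dst_machine_name: *** Confidential ***;"
    "dst_user_name: *** Confidential ***;fw_message: Connection is marked as trusted "
    "elephant flow. Use fastaccel tool to edit configuration if needed.;has_accounting: 0;"
    "i/f_dir: inbound;is_first_for_luuid: 131072;logId: -1;log_sequence_num: 11;"
    "log_type: log;log_version: 5;origin_sic_name: CN=x01_fw1,O=fwmgmt.cu.com.pl.8pjujj;"
    "snid: 0;src_machine_name: *** Confidential ***;src_user_name: *** Confidential ***;"
    "user: *** Confidential ***;"
)

if __name__ == "__main__":
    event = parse_checkpoint_syslog(SAMPLE_1)
    print(event["fields"]["policy_id_tag"])
    print(to_jsa_fields(event))
```

The PRI of 13 in this sample decodes to facility 1 (user) and severity notice, which is what a pipeline with logger -p user.notice would produce; the service field (53) is the destination port because the record is a UDP DNS connection.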
Sample 2: The following sample event message shows that a user login is successful.
LEEF:2.0|Check Point|Linux OS|1.0|Log In|cat=Linux OS devTime=1539878943 usrName=cp action=Log In ifdir=inbound loguid={0x5bc8b020,0x3,0x6a9610ac,0xee29cd8} origin=172.16.150.106 sequencenum=4 version=5 application=su default_device_message=<86>su: pam_unix(su:session):session opened for user cp_postgres by (uid\\=0) facility=security/authorization messages login_status=succeeded product_category=OS syslog_severity=Informational
JSA field name |
Highlighted values in the event payload |
---|---|
Event ID |
Log In succeeded |
Event category |
Linux OS |
Username |
cp |
Source IP |
172.16.150.106 |
Device time |
Oct 18 13:09:03 ADT |
Identity IP |
172.16.150.106 |
Identity username |
cp |
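Sample 2 is a LEEF 2.0 event: a pipe-delimited header (version, vendor, product, product version, event ID) followed by whitespace-separated key=value attributes whose values may themselves contain spaces and escaped equals signs. The following added example (not part of the JSA documentation or of JSA's Check Point DSM) parses it and derives the values in the table above, including the device time from the epoch devTime. The payload is Sample 2 from this page with the escaped equals sign written as LEEF specifies (a single backslash before the equals sign); the "Event ID" label (event name plus login_status) and the Identity fields are a hypothetical approximation of JSA's mapping, and ADT is taken as UTC-3 to reproduce the table's device time.

```python
"""Parse the LEEF 2.0 event from Sample 2 into the values shown in the table.

Added example for this page; it is not part of the JSA documentation or of
JSA's Check Point DSM. The payload is Sample 2 from this page with the escaped
equals sign written as LEEF specifies (a backslash before the equals sign).
The "Event ID" label and the Identity fields are a hypothetical approximation
of JSA's mapping, and ADT is taken as UTC-3 to reproduce the table's time.
"""
import re
from datetime import datetime, timedelta, timezone

# An attribute starts at whitespace followed by "key=". Values may contain
# spaces ("Linux OS", "Log In"), so splitting on every space would break them.
_ATTR_BOUNDARY = re.compile(r"\s+(?=[A-Za-z_][\w.-]*=)")
ADT = timezone(timedelta(hours=-3), "ADT")  # Atlantic Daylight Time, as in the table


def _unescape(value):
    """LEEF escapes a literal '=' in a value as '\\=' and a backslash as '\\\\'."""
    return value.replace("\\=", "=").replace("\\\\", "\\")


def parse_leef(line):
    parts = line.split("|", 5)
    if len(parts) != 6 or not parts[0].startswith("LEEF:"):
        raise ValueError("not a LEEF 2.0 event")
    version, vendor, product, product_version, event_id, attr_text = parts
    # LEEF 2.0 allows an optional delimiter field before the attributes; this
    # Check Point sample omits it, so attributes are whitespace separated.
    attrs = {}
    for token in _ATTR_BOUNDARY.split(attr_text.strip()):
        key, _, value = token.partition("=")
        attrs[key] = _unescape(value)
    return {
        "leef_version": version.partition(":")[2],
        "vendor": vendor,
        "product": product,
        "product_version": product_version,
        "event_id": event_id,
        "attrs": attrs,
    }


def device_time(attrs, tz=timezone.utc):
    """devTime in this sample is epoch seconds; render it the way the table does."""
    ts = datetime.fromtimestamp(int(attrs["devTime"]), tz=tz)
    return ts.strftime("%b %d %H:%M:%S %Z")


def to_jsa_fields(event, tz=ADT):
    """Normalize to the JSA field names in the table (hypothetical mapping)."""
    a = event["attrs"]
    label = event["event_id"]
    if a.get("login_status"):
        label = f"{label} {a['login_status']}"   # "Log In" + "succeeded"
    return {
        "Event ID": label,
        "Event category": a.get("cat"),
        "Username": a.get("usrName"),
        "Source IP": a.get("origin"),
        "Device time": device_time(a, tz),
        "Identity IP": a.get("origin"),
        "Identity username": a.get("usrName"),
    }


# Sample 2 from this page (raw strings so the LEEF escape survives as written).
SAMPLE_2 = (
    r"LEEF:2.0|Check Point|Linux OS|1.0|Log In|cat=Linux OS devTime=1539878943 "
    r"usrName=cp action=Log In ifdir=inbound loguid={0x5bc8b020,0x3,0x6a9610ac,0xee29cd8} "
    r"origin=172.16.150.106 sequencenum=4 version=5 application=su "
    r"default_device_message=<86>su: pam_unix(su:session):session opened for user "
    r"cp_postgres by (uid\=0) facility=security/authorization messages "
    r"login_status=succeeded product_category=OS syslog_severity=Informational"
)

if __name__ == "__main__":
    event = parse_leef(SAMPLE_2)
    print(event["attrs"]["default_device_message"])
    print(to_jsa_fields(event))
```

The attribute boundary regex is the important part: the value of default_device_message contains spaces and colons, and "facility=security/authorization messages" contains a space, so only a token that looks like "key=" after whitespace may start a new attribute.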