Configuring your Check Point Security Gateways to send logs to Microsoft OMS
This article will guide you in configuring your Check Point Security Gateways to send logs to Microsoft OMS.
Microsoft Operations Management Suite (also known as OMS) is a collection of IT management services designed for the cloud and hosted in Azure.
A key component of OMS is its Log Analytics service which helps customers collect, correlate, search and act upon logs and events across multiple sources.
More information about OMS and OMS Log Analytics can be found here:
The reader should be familiar with Microsoft OMS Log Analytics and have an OMS workspace already set up.
This solution is only supported under the following conditions:
- The Security Gateway sending the logs should be running version R77.30
- The Management Server managing the gateway:
- Should be running version R77.30
- Should have the R77.30 management add-on installed (see: sk105412)
- For privacy reasons, some fields in URL Filtering, HTTPS Inspection and Data Loss Prevention logs are sent obfuscated
Specifically, an environment in which the Management Server is running R80 and above is not yet supported.
The setup is comprised of:
- A Check Point Security Management Server
- A Check Point Security Gateway
- A Log Proxy running on a generic Linux machine
Note: This solution was only verified using Ubuntu 16.04 LTS and CentOS 7.2
- The Microsoft OMS Cloud Service
The Check Point Security Management Server:
- Manages the Security Gateway
The Check Point Security Management Server and the Check Point Security Gateway can run on any of the following:
- An on-premises physical appliance
- An on-premises virtual machine
- A virtual machine in a public cloud environment such as Microsoft Azure
A standalone deployment in which the gateway and management server are running on the same machine is supported.
The Log Proxy has the following components installed:
- An OMS Linux agent (provided by Microsoft)
- A CEF Translator (provided by Check Point) that converts Check Point security logs in syslog format to Common Event Format (CEF)
The Check Point Security Gateway sends security logs to the Check Point Management Server.
In addition, the security gateway is configured to send a copy of each log in syslog format to the Log Proxy over UDP port 30514.
The Check Point CEF Translator on the Log Proxy receives these logs.
The translator converts the logs from syslog format to CEF and sends the logs to the OMS agent running on the same machine.
The OMS agent receives the CEF formatted logs and sends them to Microsoft OMS.
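The translation step described above, written out as an added Python example (this is not Check Point's cef.py and not code from the page): it parses a constructed syslog line, builds a CEF line with the header and extension escaping the format requires, and hands the result to the agent on loopback UDP port 25226. The 'key=value;' syslog layout, the severity mapping and the field-name mapping are assumptions; real gateway logs are not shown on the page.

```python
import re
import socket

# Constructed sample of a Check Point syslog line in 'key=value;' form. The real
# gateway log layout is not shown on the page, so this layout is an assumption.
SAMPLE_SYSLOG = (
    "<134>Jan  1 10:00:00 gw1 CheckPoint: product=Anti Malware;severity=High;"
    "src=10.0.0.5;dst=203.0.113.9;action=Drop;message=blocked file a|b=c\\d"
)

# Assumed mapping from Check Point severity names to the CEF 0-10 scale.
SEVERITY = {"Unknown": 0, "Low": 3, "Medium": 5, "High": 7, "Critical": 9}

# Assumed mapping from Check Point field names to standard CEF extension keys.
CEF_KEYS = {"src": "src", "dst": "dst", "action": "act", "message": "msg"}


def parse_syslog(line):
    """Return (hostname, fields) for one line in the constructed layout above."""
    m = re.match(r"<\d+>\S+\s+\d+\s+\S+\s+(\S+)\s+CheckPoint:\s*(.*)$", line)
    if not m:
        raise ValueError("not a recognised syslog line")
    host, body = m.groups()
    fields = {}
    for item in body.split(";"):
        if "=" in item:
            key, value = item.split("=", 1)
            fields[key.strip()] = value.strip()
    return host, fields


def esc_header(value):
    """Escape a CEF header field: backslash first, then the '|' delimiter."""
    return value.replace("\\", "\\\\").replace("|", "\\|")


def esc_ext(value):
    """Escape a CEF extension value: backslash, '=' and line breaks, so a
    value copied from the log cannot start a new key or a new event line."""
    return (value.replace("\\", "\\\\").replace("=", "\\=")
            .replace("\r", "\\r").replace("\n", "\\n"))


def to_cef(host, fields):
    """Build a CEF:0 line; unmapped fields go into cs1..cs6 with labels."""
    product = fields.get("product", "Unknown")
    header = "|".join([
        "CEF:0", "Check Point", esc_header(product), "R77.30",
        esc_header(fields.get("action", "log")),
        esc_header(product + " event"),
        str(SEVERITY.get(fields.get("severity", "Unknown"), 0)),
    ])
    ext = ["dvchost=" + esc_ext(host)]
    custom = 0
    for key, value in fields.items():
        if key in ("product", "severity"):
            continue  # already carried in the header
        if key in CEF_KEYS:
            ext.append("%s=%s" % (CEF_KEYS[key], esc_ext(value)))
        elif custom < 6:  # CEF defines six custom string slots
            custom += 1
            ext.append("cs%dLabel=%s" % (custom, esc_ext(key)))
            ext.append("cs%d=%s" % (custom, esc_ext(value)))
    return header + "|" + " ".join(ext)


def translate(line):
    """Syslog line in, CEF line out."""
    host, fields = parse_syslog(line)
    return to_cef(host, fields)


def forward(cef_line, host="127.0.0.1", port=25226):
    """Hand the CEF line to the OMS agent listening on loopback UDP 25226."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.sendto(cef_line.encode("utf-8"), (host, port))


if __name__ == "__main__":
    cef = translate(SAMPLE_SYSLOG)
    print(cef)
    forward(cef)
```

The escaping is the part worth checking in any translator: a log message containing `|`, `=` or a newline would otherwise be able to shift fields or inject a second event into the record that reaches OMS.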
Create an OMS workspace.
Create an OMS workspace by following https://docs.microsoft.com/en-us/azure/log-analytics/log-analytics-get-started.
Enable the Security and Audit solution as explained in: https://docs.microsoft.com/en-us/azure/operations-management-suite/oms-security-getting-started
Create the Log Proxy:
Set up a Linux computer to act as the Log Proxy machine.
- Since syslog is not an encrypted protocol, we highly recommend that the Check Point Security Gateway and the Log Proxy are located in proximity to each other and that they communicate over a secure network.
- This solution was only verified using Ubuntu 16.04 LTS and CentOS 7.2
- Ensure that the Log Proxy can receive traffic from the Check Point Security Gateway over UDP port 30514. For example, if the Log Proxy is set up as a virtual machine in Azure, ensure that the network security group applied to the network interface of the VM allows this type of traffic.
As explained in https://docs.microsoft.com/en-us/azure/log-analytics/log-analytics-linux-agents, install the OMS agent on the Linux computer by running the following commands:
# wget https://raw.githubusercontent.com/Microsoft/OMS-Agent-for-Linux/master/installer/scripts/onboard_agent.sh
# sh onboard_agent.sh -w YOUR-OMS-WORKSPACE-ID -s YOUR-OMS-WORKSPACE-PRIMARY-KEY
Note: Replace YOUR-OMS-WORKSPACE-ID and YOUR-OMS-WORKSPACE-PRIMARY-KEY with appropriate values taken from the OMS portal.
Configure the OMS agent to process CEF logs, by running the following commands:
# curl --location "$url" | sudo dd of=/etc/opt/microsoft/omsagent/conf/omsagent.d/security_events.conf
# sudo /opt/microsoft/omsagent/bin/service_control restart
Install the translator as a systemd service, by running:
# sudo mkdir -p "$bindir"
# curl --location https://s3.amazonaws.com/chkp-images/cef.py | sudo dd of="$bindir/cef.py"
# sudo chmod +x "$bindir/cef.py"
# sudo "$bindir/cef.py" --service
The Log Proxy is now ready to forward logs from the Check Point Security Gateway to the Microsoft OMS cloud service workspace.
Install the R77.30 management add-on
Install the R77.30 management add-on on the Check Point Security Management Server by following sk105412.
Configure the Check Point Security Gateway to send security logs to the Log Proxy
- Open the SmartDashboard application.
- Create a new host object to represent the Log Proxy:
- Under Name, provide a descriptive name (such as LogProxy).
- Under IPv4 address, provide the IPv4 address of the Log Proxy.
- Click on 'Manage > Servers and OPSEC Applications'.
- Select New... -> Syslog...
- Under Name, provide a descriptive name such as LogProxyServer.
- Under Host select the host object created previously (e.g. LogProxy).
- Under Port enter "30514".
- Under Version select "BSD Protocol".
- Locate the Check Point Security Gateway object.
- Click on Logs.
- Click on '+' and select the Syslog server you created previously.
- Install the security policy on the gateway.
To confirm that logs are received by OMS, go to the OMS portal and run a log search query with:
Note: It may take a few minutes for logs to appear in the OMS portal.
By default, the CEF translator sends all logs it receives.
You can control which logs are sent based on the product and severity fields in the log.
The file /opt/checkpoint/etc/cef.json specifies, for each product, the severities of logs to be sent.
To avoid sending Anti Malware logs of Low and Unknown severity, edit the file as follows:
"Anti Malware": [
To avoid sending DLP logs altogether, edit the file as follows:
- You need to run as root in order to edit the file.
- After editing the file:
- Use the jq utility to confirm it is in valid JSON format by running:
jq . /opt/checkpoint/etc/cef.json
- Restart the translator by running:
sudo systemctl restart chkpcef.service
- Verify that the translator is running by running:
sudo systemctl status chkpcef.service
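The product and severity filter described above, written out as an added Python example (not Check Point's cef.py and not code from the page): it parses a constructed cef.json in the product-to-severity-list layout the page's two edits suggest, applies it to constructed log records, and rejects a malformed file instead of quietly falling back to sending everything. That the file maps product names to lists of severities, that an empty list drops a product, and that products absent from the file are sent at every severity are assumptions drawn from the page's description of the default behaviour.

```python
import json

# Constructed example of /opt/checkpoint/etc/cef.json in the product ->
# allowed-severities layout the page describes; the exact layout of the real
# file is an assumption.
SAMPLE_CONFIG = """
{
  "Anti Malware": ["Medium", "High", "Critical"],
  "DLP": []
}
"""

# Constructed log records as the translator would see them after parsing.
SAMPLE_RECORDS = [
    {"product": "Anti Malware", "severity": "High", "src": "10.0.0.5"},
    {"product": "Anti Malware", "severity": "Low", "src": "10.0.0.6"},
    {"product": "Anti Malware", "severity": "Unknown", "src": "10.0.0.7"},
    {"product": "DLP", "severity": "Critical", "src": "10.0.0.8"},
    {"product": "Firewall", "severity": "Low", "src": "10.0.0.9"},
]


def parse_config(text):
    """Parse cef.json text, rejecting malformed JSON or the wrong shape
    instead of silently falling back to 'send everything'."""
    try:
        cfg = json.loads(text)
    except json.JSONDecodeError as exc:
        raise ValueError("cef.json is not valid JSON at line %d column %d"
                         % (exc.lineno, exc.colno))
    if not isinstance(cfg, dict) or not all(
            isinstance(v, list) and all(isinstance(s, str) for s in v)
            for v in cfg.values()):
        raise ValueError("cef.json must map product names to lists of severities")
    return cfg


def config_is_valid(text):
    """True if parse_config would accept the text (the check 'jq .' gives,
    plus the expected shape)."""
    try:
        parse_config(text)
        return True
    except ValueError:
        return False


def load_config(path="/opt/checkpoint/etc/cef.json"):
    """Read and validate the translator's configuration file."""
    with open(path) as fh:
        return parse_config(fh.read())


def should_send(cfg, product, severity):
    """A product not listed in the file is sent at every severity (the page's
    default of sending all logs); a listed product is sent only at the listed
    severities, so an empty list drops the product entirely."""
    if product not in cfg:
        return True
    return severity in cfg[product]


def filter_records(cfg, records):
    """Keep only the records the configuration allows through."""
    return [r for r in records
            if should_send(cfg, r.get("product", ""), r.get("severity", "Unknown"))]


if __name__ == "__main__":
    cfg = parse_config(SAMPLE_CONFIG)
    for rec in filter_records(cfg, SAMPLE_RECORDS):
        print(rec)
```

Failing loudly on a bad file is deliberate: a translator that silently ignores an unparsable cef.json would either forward logs you meant to suppress or drop logs you meant to keep, and neither outcome is visible in the OMS portal.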
If the Check Point security logs are not visible in the OMS portal, check the following:
Ensure that the Check Point Security Gateway is sending syslogs to the Log Proxy by:
- Running the following command on the gateway:
fw monitor -e "dport=30514,accept;"
- Pass traffic through the gateway that should generate a log
The fw monitor command should report network traffic to the address of the Log Proxy.
If you do not see such traffic, recheck the syslog configuration in SmartDashboard.
Ensure that the Log Proxy is receiving syslog traffic from the Check Point security gateway by:
- Running the following command on the Log Proxy machine:
sudo tcpdump -nn -i any port 30514
- Pass traffic through the gateway that should generate a log
The tcpdump command should report network traffic.
If you do not see such traffic:
- Ensure network connectivity and routing between the Check Point Security Gateway and the Log Proxy
- Ensure that no security mechanism such as firewall rules, network access lists or network security groups is blocking traffic from the Check Point Security Gateway to the Log Proxy on UDP port 30514
Ensure that the Log translator is deployed by running the following commands:
systemctl status chkpcef.service
sudo tcpdump -nn -i lo -X port 25226
- Pass traffic through the gateway that should generate a log
If the service is not running or traffic is not reported by the tcpdump command, ensure that you have installed the translator as explained above.
Ensure that the OMS agent is running and is able to receive CEF formatted logs from the translator on the loopback interface over UDP port 25226 by running the following command:
netstat -lnu | grep 25226
If it is running, the output should be similar to:
udp 0 0 127.0.0.1:25226 0.0.0.0:*
If it is not running, ensure that the OMS agent is configured to process CEF logs as explained above.
Note: Refer also to the Microsoft OMS Linux agent troubleshooting guide at https://github.com/Microsoft/OMS-Agent-for-Linux/blob/master/docs/Troubleshooting.md