Support Center > Search Results > SecureKnowledge Details
Log Exporter - Check Point Log Export
Solution

Check Point "Log Exporter" is an easy and secure method for exporting Check Point logs over syslog. Exporting can be done in few standard protocols and formats.

Log Exporter supports:

  • SIEM applications: Splunk, Arcsight, RSA, LogRhythm, QRadar, McAfee, rsyslog, ng-syslog and any other SIEM application that can run a syslog agent.
  • Protocols: syslog over TCP or UDP.
  • Formats: Syslog, Splunk, CEF, LEEF, Generic.
  • Security: Mutual authentication TLS.
  • Log Types: The ability to export security logs / audit logs or both.
  • Filter out (don't export) firewall connection logs.

 

Table of Contents

  • How does it Work
  • Installation
  • Uninstall
  • Basic Deployment
  • Advanced Deployment - Additional Commands
  • TLS Configuration
  • Advanced Configuration Post Deployment
  • SIEM Specific instruction
  • Transition from LEA to Log exporter
  • Transition from CPLogToSyslog to Log exporter
  • Known Limitations
  • Appendix

 

How does it Work

Log Exporter is a multi-threaded daemon service, running on a log server. Each log that is written on the log server is read by the log exporter daemon, transformed into the desired format and mapping, and then sent to the end target.
On MDS/MLM, if log exporter is deployed on several domains, each domain server will have its own log exporter daemon service. If exporting the logs to several targets, each target will have its own log exporter daemon.

  • Extract - Reads incoming logs from the Security Gateway
  • Transform - Changes the logs according to the configuration
  • Export - Sending the logs to the configured target server

 

Click Here to Show Entire Article

 

Installation

Show / Hide the section

  • R80.20

    • Log Exporter is already integrated in R80.20. There is no need to install in it a dedicated package.

    Note: In order to preserve the Log Exporter configuration before upgrading to R80.20, please follow sk127653 - How to backup and restore Log Exporter configuration on upgrade to R80.20

    Note: In order to support exporting logs in Splunk format, please install R80.20 Jumbo Hotfix Take 5 and above.

  • R80.10

    • Install this release on a R80.10 Multi-Domain Server, Multi-Domain Log Server, Security Management Server, Log Server or SmartEvent Server.
    Note: Log Exporter can be installed on top of R80.10 Jumbo Hotfix Take 56 and above.

    Note: It is currently not supported to install the Log Exporter on top of R80.10 With Jumbo HF Take_169. A solution will be provided before the end of month.

    Note: This hotfix must be installed after the Jumbo, and will need to be uninstalled to upgrade to a higher Jumbo take, and then reinstalled after the newer Jumbo is in place.

  • R77.30

    • Install this release on a R77.30 Multi-Domain Server, Multi-Domain Log Server, Security Management Server, Log Server or SmartEvent Server.
    Note: Log Exporter can be installed on top of R77.30 Jumbo Hotfix Take 292 and above. 

    **This hotfix must be installed after the Jumbo, and will need to be uninstalled to upgrade to a higher Jumbo take, and then reinstalled after the newer Jumbo is in place. 

     

Version Date CPUSE Online Identifier CPUSE offline
package
R80.10 06 November 2018
 Check_Point_R80.10_Log_Exporter_T41_sk122323_FULL.tgz  (TGZ)
R77.30 06 November 2018 Check_Point_R77.30_Log_Exporter_T30_sk122323_FULL.tgz
 (TGZ)

Install the hotfix using CPUSE, see sk92449.

 

Uninstall

Show / Hide the section


Management server - uninstall the feature via CPUSE, see sk92449.

Multi-Domain Security Management - Uninstalling the package does not remove the configuration files, in order to uninstall and completely remove all configurations, do the following:

  • Run:


    • cp_log_export delete name all [domain-server all] --apply-now
    apply-now false
    Do not forget to add <domain-server all> on MDS/MLM machines

  • If running on Multi-Domain Management Server: switch to MDS's environment by running: # mdsenv


  • Make sure $EXPORTERDIR exists and is pointing to $RTDIR/log_exporter ($FWDIR/log_exporter on R77.30). Run:


    • # rm -rf $EXPORTERDIR

  • Uninstall the hotfix using CPUSE, see sk92449.


    •  

    Basic Deployment

    Common method for creating / modifying log exporters / targets.

    Show / Hide the section

    In order to configure a new target for the logs do the following on the log server:

    cp_log_export add name <name> [domain-server <domain-server>] target-server <target-server IP address> target-port <target-port> protocol <(udp|tcp)> format <(syslog)|(cef)|(splunk)(generic)> [optional arguments]

     

    • On MDS/MLM: domain-server argument is mandatory, you can use 'mds' as the value for domain-server in order to export mds level audit logs
    • This will create a new target directory with the unique name specified in the –n parameter under $EXPORTERDIR/targets/<deployment_name>, and set the target configuration parameters with the connection details: IP Address, port, protocol, format and read-mode.
    • The recommended read-mode for splunk format is semi-unified which ensures you will get a complete data.
    • Note the above deployment will export the logs in clear text.
    • The new log exporter does not start automatically. To start it run: cp_log_export restart

    If you wish to send the logs over an encrypted connection, please refer to the "TLS Configuration" section.

     

    Advanced Deployment - Additional Commands

    Advanced parameters for creating / modifying log exporters / targets

    Show / Hide the section


    Usage

    cp_log_export <command-name> [command-arguments]

    In order to understand a specific command usage run:
    cp_log_export <command-name> help

     

    Commands

    Command Name Command Description
    add Deploy a new Check Point logs exporter.
    set Updates an existing exporter's configuration
    delete Removes an exporter.
    show Prints an exporter's current configuration.
    status Shows an exporter's overview status.
    start Starts an exporter process. 
    stop Stops an exporter process.
    restart Restarts an exporter process.
    reexport Resets the current position, and re-exports all logs per the configuration.

    Parameters

    Parameter Name Description add set delete show/status/start/stop/restart reexport
    name Unique name of the exporter configuration. Mandatory Mandatory Mandatory Optional - Default all  Mandatory
    domain-server The relevant domain-server name or IP Mandatory Mandatory Mandatory Optional - Default all
    		 Mandatory
    target-server Exporting the logs to this ip address  Mandatory Optional  N/A  N/A N/A
    target-port The port on which the target is listening to Mandatory Optional N/A N/A N/A
    protocol Transport protocol to use Mandatory Optional  N/A N/A N/A
    format The format in which the logs will be exported  Optional  Optional  N/A  N/A  N/A 
    read-mode The mode in which the log files will be read and exported Optional
    		  Optional N/A N/A N/A
    enabled Allow log_exporter to start on cpstart/mdsstart Optional  Optional N/A  N/A N/A
    encrypted Using TLS (SSL) encryption for exporting the logs
    		 Optional Optional N/A  N/A  N/A 
    ca-cert Full path to the CA pem certificate file
    Relevant only when encrypted is true     		 Optional Optional  N/A N/A N/A
    client-cert  Full path to the client p12 certificate file Relevant only when encrypted is true
    		 Optional Optional N/A N/A N/A
    client-secret The challenge phrase that was used in order to create the client p12 certificate
    Relevant only when encrypted is true
    		 Optional Optional N/A  N/A N/A
    --apply-now Applying any change that was done in the add immediately
    		 Optional Optional Mandatory N/A Mandatory

     

    TLS Configuration

    How to set a secured connection between the log exporter and the syslog server.

    Show / Hide the section

    The only allowed authentication method via TLS is mutual authentication. For mutual authentication log exporter will need the following certificates:

    • A pem Certificate Authority (CA) certificate (should contain only the certificate of CA that signed the client/server certificates, not the parent CA).
    • A .p12 format client certificate.

    If you don’t already have the required certificates, you can follow the procedure below.

    The following procedure is an example of creating the required certificates. You have alternative procedures for achieving this.

    Important Note: The below openssl commands need to be run on a 3rd party CA server. (Not on the Log Exporter machine)
    The commands are not supported on a Check Point Security Management server/MDM server.

    Note: CA server needs to be routable from log exporter device.

    Create Self Signed CA

    Run this in case you don’t already have a trusted CA pem:

    1. Generate the root CA key – Do not pass to anyone:

        openssl genrsa -out RootCA.key 2048

    2. Generate the root CA pem:

        openssl req -x509 -new -nodes -key RootCA.key -days 2048 -out RootCA.pem

        you will be prompted to provide information regarding the certificate. This information is known as a Distinguished Name (DN). An important field in the DN is the Common Name(CN), which should be the exact Fully Qualified Domain Name (FQDN) of the host that you intend to use the certificate with. Apart from the Common Name all other fields are optional and can be skipped. If you are purchasing an SSL certificate from a certificate authority, it is often required that these additional fields, such as "Organization", accurately reflect your organization's details.

    Here is an example of what the prompt will look like:

    ---

    Country Name (2 letter code) [AU]:US

    State or Province Name (full name) [Some-State]:New York

    Locality Name (eg, city) []:MyCity

    Organization Name (eg, company) [Internet Widgits Pty Ltd]:MyCompany

    Organizational Unit Name (eg, section) []:MyDepartment

    Common Name (e.g. server FQDN or YOUR name) []:www.company.com

    Email Address []:

    Note: It is recommended to use the device IP address as the Common Name.

    Create Client (log_exporter) .p12 Certificate File

    1. Generate client key - Do not pass to anyone:

        openssl genrsa -out log_exporter.key 2048

    2. Generate client certificate sign request:

        openssl req -new -key log_exporter.key -out log_exporter.csr

    3. Sign the certificate using the CA files:

        openssl x509 -req -in log_exporter.csr -CA RootCA.pem -CAkey RootCA.key -CAcreateserial -out log_exporter.crt -days 2048 -sha256

    4. Convert to p12 format

        openssl pkcs12 -inkey log_exporter.key -in log_exporter.crt -export -out log_exporter.p12

    Note: The challenge phrase used in this conversion is required in the log_exporter TLS configuration.

    After creating the required certificates, you should update the security parameters on the Check Point exporting server:

    1. If running on MDS/MLM switch to the required domain by running:
        mdsenv <domain server name or ip>

    2. Go to the deployment directory:
        cd $EXPORTERDIR/targets/<deployment name>

    3. Create a directory for the certificates:
        mkdir certs

    4. Copy RootCA.pem, and log_exporter.p12 to certs directory.

       Important: RootCA.key should NOT be published.

    5. Give the RootCA.pem and log_exporter.p12 read permissions:
        chmod +r RootCA.pem
        chmod +r log_exporter.p12

    6. Update the secured target using:
        cp_log_export set name <name> domain-server <domain-server> encrypted true ca-cert <path_to_CA_pem> client-cert <path_to_p12_certificate> client-secret <challenge_phrase_for _p12>

    Create Server (target) Certificate

    1. Generate server key – Do not pass to anyone:

        openssl genrsa -out syslogServer.key 2048

    2. Generate server certificate sign request:

        openssl req -new -key syslogServer.key -out syslogServer.csr

    3. Sign the certificate using the CA files:

        openssl x509 -req -in syslogServer.csr -CA RootCA.pem -CAkey RootCA.key -CAcreateserial -out syslogServer.crt -days 2048 -sha256

     

    Advanced Configuration Post Deployment

    Configuring log exporters without using the deployment script.

    Show / Hide the section

    After deploying a new instance of log exporter, all related files to that deployment can be found under $EXPORTERDIR/targets/<deployment name>

    On an MDS/MLM server, EXPORTERDIR environment variable is per domain, and its value is changed automatically when switching between domain server contexts with the mdsenv command.

     

    Target Configuration XML

    The target configuration file, located under each deployment folder: $EXPORTERDIR/targets//targetConfiguration.xml

    Note: You must restart the log exporter process for the new setting to take effect.

    Listed below are some of the configuration options:

    Parameter Description Possible/Default Values
    <version></version> Current Log Exporter version - used for upgrades.  
    <is_enabled></is_enabled> Determines whether or not the process will be monitored by the watch dog.  true/false

    Destination Parameters

    Parameter Description Possible/Default Values
    type Reserved for future use.  
    <ip></ip> The IP address of the target that will receive the logs Any IPv4 address.
    <port></port>
    		 The port on which the target is listening to. Any valid port number.
    <protocol></protocol>
    		  The protocol that will be used in the connection.  UDP / TCP

    Security Parameters

    Discussed in more detail in the "TLS Configuration" section.

    Parameter Description Possible/Default Values
    <security></security> Determines weather or not the connection will be sent in clear text or encrypted.  clear [default] / tls
    <pem_ca_file></pem_ca_file>
    		 The location of the root CA pem file.
    		  
    <p12_certificate_file></p12_certificate_file> The location of the client key pair in p12 format.
    		  
    <client_certificate_challenge_phrase></client_certificate_challenge_phrase>
    		 The challenge phrase that was used in order to create the p12 certificate. Will be hashed after after restarting the process .
    		  

    Source Parameters

    Parameter  Description Possible/Default Values 
    <folder></folder>
    		 The path where the log files are located. Default location is $FWDIR/log/.
    <log_files></log_files>
    		 Determines which log files will be exported & how far back.
    		 read logs from [number] - (default=1) days back (recommended) | <specific file name> | on-line (no value=on-line)
    <log_types></log_types>
    		 Determines which log files (by extension) will be exported. All [default] / log / audit
    <read_mode></read_mode> Determines how the log files will be read. raw [default] | semi-unified (recommended for splunk format)

    Resolver Parameters

    Parameter Description Possible/Default Values
    <mappingConfiguration></mappingConfiguration> The XML file containing the log field mapping scheme. If left empty will use the default settings. Default values are based on the 'format'.
    <exportAllFields>true</exportAllFields>

    When this field is set to 'true' all log fields will be sent regardless of whether or not they appear in the mapping scheme, , except for specifically black-listed fields in the relevant log format mapping file (<exported>false</exported>).

    When set to 'false' only those fields which appear in the relevant log format mapping file will be sent (with exported flag true: <exported>true</exported>)

    		  true / false

    Format Parameters

    Parameter Description Possible/Default Values
    <formatHeaderFile></formatHeaderFile> The XML file contains the log header format scheme. If left empty will use the default settings. Default values are based on the 'format'.

    Filters Parameters

    The Log Exporter solution supports several filtering options, as detailed in the section above. In this section, we will go over each option.

    Filters logs based on blade

    In the current release, we have a limited blade related filtering. This functionality will be expanded upon in future releases.

    You can filter out firewall connection logs ('Firewall-1 & VPN-1', 'HTTPS Inspection' and 'Security Gateway/Management').

     

    Parameter Description Possible/Default Values
    <filter filter_out_by_connection="false">

     Determines if the Access logs should be filtered out.

    When set to 'true' VPN-1 & Firewall-1 connection logs will be filtered out

    Note: No other blade filters are currently supported. This will be expanded upon in future releases.

    		  true / false

    Note: Firewall session logs will still be exported (Generated by tracking a firewall rule by per Session).  

              Limitation: HTTPS inspection logs, Non-rulebase generated Firewall logs & a few Firewall NAT update logs will still be exported.

     

    Format Configuration XML

    Body

    Parameter Description Syslog Splunk CEF LEEF Generic
    <start_message_body></start_message_body> The character preceeding the log data payload.
    		 [        
    <end_message_body></end_message_body> The character following the log data payload.
    		 ]        
    <message_separator></message_separator>
    		 The delimeter that separates logs.
    		 &#10; (&#10;=='\n') &#10; ('\n') &#10; ('\n') &#10; ('\n') ('\n')
    <fields_separatator></fields_separatator>
    		 The delimeter that separates log fields.
    		 '; ' (semi colon, space)
    		  | (pipe)  ' ' (space)  &#09; (<TAB>)  ' ' (space)
    <field_value_separatator></field_value_separatator>
    		 The assignment operator.
    		  :  =  =  =  =
    <value_encapsulation_start>&quot;</value_encapsulation_start>
    		 The value encapsulation operator (start)  "      "  "
    <value_encapsulation_start>&quot;</value_encapsulation_start>
    		 The value encapsulation operator (end)  "      "  "
    <escape_chars>
    <char>
    <orig></orig>
    <escaped></escaped>
    </char>
    </escape_chars>

    Escaping unwanted characters.

    The escape functionality will replace the string that's encapsulated by the 'orig' tags with the one encapsulated by the 'escaped' tags 

     \ --> \\

    " --> \"

    &#10; --> ' '

    ] --> \]

     | --> ;

    = --> \=

    &#10; --> ' '

    		  \ --> \\

    = --> \=

    &#10; --> ' '

    | --> \|

    = --> \=

    &#10; --> ' '

     \ --> \\

    " --> '

    &#10; --> ' '

     

    Header

    Parameter Description Default values for syslog Default values for splunk Default values for CEF
    <header_format></header_format>  The delimeter between the header values and the number of values. Every {} will be replaced with one value.  ' ' (space) |

     

    Field Mapping Configuration XML

    Parameter Description Values
    <table> Some fields will appear in tables depending on the log format. This information can be found in the elg log - one entry for every new field. A field can appear in multiple tables, each distinct instance is considered as a new field.   
    <exported></exported>  [optional] You can filter out specific fields by using the 'exported' true/false tag in the mapping configuration file. Alternatively, if the 'exportAllFields' tag in the 'targetConfiguration.xml' file is set to false, only those fields which are listed in the mapping file will be exported..   true \ false
    <origName></origName>  The name of the field that will be mapped to <dstName>  
     <dstName></dstName>  The new mapping scheme name for the desired field.  
    <required></required>
    		 [optional] When set to 'true' only logs which contain this field will be exported.  true \ false

     

    SIEM Specific instruction

    How to configure SIEM applications to optimally receive logs.

    Show / Hide the section

    Rsyslog

    Rsyslog is not configured to use RFC5424 timestamp format by default, therefore you should manually change Rsyslog setting for it to be compliant with Log Exporter output format.

    On the syslog server:

    1. Open /etc/rsyslog.conf

    2. If there’s an uncommented line: “$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat”, comment it.

    3. Add the following line: $ActionFileDefaultTemplate RSYSLOG_SyslogProtocol23Format

    4. Save and close the file.

    5.Restart Rsyslog:
      service rsyslog restart

     

    ArcSight

    It is recommended by ArcSight to name the certificate 'syslog-ng'

    1. Convert the key to p12 format:
        openssl pkcs12 -inkey syslogServer.key -in syslogServer.crt -export -out syslog-ng.p12 -name "syslogng-alias" -password pass:changeit

    2. make sure the environment variable ARCSIGHT_HOME to be the connector install directory:

     

    • Run the certificates manager on the Linux KDE console: ARCSIGHT_HOME/current/bin/arcsight agent keytoolgui
    • From the File menu open the keystore: $ARCSIGHT_HOME/current/jre/lib/security/cacerts (password "changeit").
    • From the menu select "Import Trusted Certificate"
    • From the file dialog, select ca.pem and save it.
    • Save and close the certificate manager.
    • Edit the agent.properties file to enable mutual authentication by:

     

             vi $ARCSIGHT_HOME//current/user/agent/agent.properties

             1. Change this value to True:

                 syslogng.mutual.auth.enabled=false -> true

             2. Add these line to the bottom:

                 syslogng.tls.keystore.file=user/agent/syslog-ng.p12

                 syslogng.tls.keystore.alias=syslogng-alias

    • run /etc/init.d/arc_connector_name restart

     

    Splunk

    It is recommended to use Check Point App for Splunk when exporting logs to Splunk server.

    For more information about installation and deployment, please see the Check Point App for Splunk User Guide.

    In addition, in order to configure an encrypted connection, do the following:

    1. Generate server pem file:
        cat syslogServer.crt syslogServer.key RootCA.pem > splunk.pem

    2. Update the inputs.conf file on the Splunk server
        vi /opt/splunk/etc/apps/search/local/inputs.conf

        [SSL]
        serverCert = /etc/ssl/my-certs/splunk.pem
        sslPassword = <challenge password>
        requireClientCert = true

        [tcp-ssl://<port>]
        index = <index>

    3. Update the server.conf file on the Splunk server
        vi /opt/splunk/etc/system/local/server.conf

        [sslConfig]
        sslRootCAPath = /etc/ssl/my-certs/RootCA.pem

    4. Restart Splunk
        /opt/splunk/bin/splunk restart

     

    QRadar

    1. On the Authentication Mode field choose "TLS And Client Authentication"

        When using Client Authentication you need to provide the absolute path to the client certificate.

    2. Upload the Check Point certificate and private key to QRadar and provide the absolute path to those under the "Provide Certificate" option.

     

    Transition from LEA to Log exporter

    Recommended method to move from the existing LEA connector to the new log exporter.

    Show / Hide the section

    1. Delete OPSEC application object from the GUI, if it is the only use for the OPSEC application, or alternatively remove the LEA client entity from it if it’s not :

    2. If this is the only OPSEC LEA client ( otherwise skip this step) - Configure $FWDIR/conf/fwopsec.conf to not allow LEA:
        Comment out those lines:

    From:

    #

    lea_server auth_port 18184

    lea_server port 0

    #

    		          ---->          

    To:

    #

    # lea_server auth_port 18184

    # lea_server port 0

    #

    3. Install the log exporter according to the installation guide above.

     

    Transition from CPLogToSyslog to Log exporter

    Recommended method to move from the existing CPLogToSyslog to the new log exporter.

    Show / Hide the section

    1. Uninstall the CPLogToSyslog package using CPUSE. see instructions in sk92449 section 4-C
    2. Install the log exporter according to the installation guide above.

     

    Known Limitations

    Show / Hide the section

    If you want to change this environment, you must first consult with your Check Point partner or vendor. This release is built for the specific environment. Upgrades or other changes can overwrite Hotfix functionality and environment customizations.

     

    Appendix

    Show / Hide the section

    Special log fields

    loguid - Some checkpoint logs are updated over time. Update logs will have the same loguid value. Checkpoint SmartLog client will correlate those updates into a single unified log.

    When sending update logs to 3rd party (SIEM) servers, in the default raw read-mode, they will arrive as distinct logs. Best use the semi-unified read-mode, which will send few instances of the log, but each instance will contain the entire event chain until this update. Admins can alternatively use the loguid field to correlate update logs and get the full event chain themselves.

    Note: All related log & log-updates will share the same initial time as the 1st log (in semi-unified mode).


    Example of update logs includes the total amount of bytes sent and received over time or the severity field which will be updated over time as more information becomes available.

    hll_key - hll_key stands for High-Level Log key. This concept was introduced in R80.10, where Multiple connection logs can comprise one session with one shared hll_key. For example, when browsing a webpage you might have multiple connection logs which are related to the same session. Connection logs which are part of the same session will share the same hll_key value.

    Syslog-NG Listener configuration

    When configuring a source on a Syslog NG server it is recommended to use the syslog-protocol flag.

    For example: source s_network { network(transport(“tcp”) port(514) flags(syslog-protocol) ); };

     

    Splunk Listener configuration

    It is recommended to add these time settings to your sourcetype:

    TIME_FORMAT = %s
    TIME_PREFIX = time=
    MAX_TIMESTAMP_LOOKAHEAD = 15

     

    ArcSight Listener configuration

    The Log Exporter solution doesn't work with the OPSEC LEA connector. Instead, you must install ArcSight Syslog-NG connector.

     

    ArcSight Common Event Format (CEF) Mapping

    CEF is an extensible, text-based format designed to support multiple device types by offering the most relevant information. Message syntaxes are reduced to work with ESM normalization. Specifically, CEF defines a syntax for log records comprised of a standard header and a variable extension, formatted as key-value pairs. The CEF format can be used with on-premise devices by implementing the ArcSight Syslog SmartConnector. CEF can also be used by cloud-based service providers by implementing the SmartConnector for ArcSight Common Event Format REST.

     

    CEF Header format

      Version Device Vendor Device Product Device Version Device Event Class ID Name Severity
    Default CEF:0 Check Point Log Update Check Point  Log  Log 
    Values - Product Name (Blade)

    Attack Name

    Protection Type

    Verdict

    Matched Category

    DLP Data Type

    Application Category

    Application Properties

     Protection Name

    Application Name

    Message Info

    Service ID

    Service

    Application Risk

    Risk

    Severity

     

    QRadar Log Event Extended Format (LEEF) Mapping

    The Log Event Extended Format (LEEF) is a customized event format for IBM Security QRadar.

    LEEF Header format

      LEEF:Version Vendor Product Version EventID
    Default LEEF:2.0 Check Point Log Update 1.0 Check Point Log
    Values - - Product Name (Blade) -

    Protection Name

    Application Name

    Action

    Note: The time format is not compliant with the official LEEF format.

    Until such a time as IBM will add support for epoch time format Log Exporter with LEEF format is only partially supported.

     

    Related solutions:

    Give us Feedback
    Please rate this document
    [1=Worst,5=Best]
    Comment