The required mapping of event fields to Check Point log fields is not configured on the Windows Server that generates these events.
Follow these steps on the Windows Server:
Note: This procedure assumes that WinEventToCPLog Agent is already installed on Windows Server.
- Stop the Check Point Windows Event Service:
  - Start - Run - type services.msc - click on OK
  - Find the 'Check Point Windows Event Service' service - right-click - 'Stop'
- Open Windows Command Prompt:
  - Start - Run - type cmd - click on OK
- Navigate to the WinEventToCPLog Agent folder:
  C:\> cd /d "C:\Program Files (x86)\CheckPoint\WinEventToCPLog\R63\bin\"
- Run the WinEventToCPLog Agent under debug:
  C:\Program Files (x86)\...\bin> windowEventToCPLog -d
  - Re-create the event whose fields you wish to map to Check Point log fields.
  - Stop the WinEventToCPLog Agent - press CTRL+C.
- Open the WinEventToCPLog Agent log file:
  C:\Program Files (x86)\CheckPoint\WinEventToCPLog\R63\log\windowEvent0.log
- Find the relevant event.
  Example - mapping of the user name:
  - 'CPEventLog' is parameter number %6
  - Application is Microsoft-Windows-Security-Auditing
  - Event ID is 4624
  Debug example:
Reading internal event number: 26320
Tue Mar 04 11:40:31 2014
ForwardedEvents
EventID: 4624
EventTime: 4624
%1 = S-1-0-0
%2 = -
%3 = -
%4 = 0x0
%5 = S-1-1-11-1111111111-1111111111-1111111111-1111
%6 = CPEventLog
%7 = AAA
%8 = 0xaaa11
%9 = 3
%10 = NtLmSsp
%11 = NTLM
%12 = WORKSTATION-1
%13 = {00000000-0000-0000-0000-000000000000}
%14 = -
%15 = NTLM V2
%16 = 128
%17 = 0x0
%18 = -
%19 = -
%20 = -
Win Message(string): An account was successfully logged on.
Security ID(string): S-1-0-0
Account Name(string): -
Account Domain(string): -
Logon ID(string): 0x0
Logon Type(string): 3
Security ID1(string): S-1-1-11-1111111111-1111111111-1111111111-1111
Account Name1(string): CPEventLog
Account Domain1(string): AAA
Logon ID1(string): 0xaaa11
Logon GUID(string): {00000000-0000-0000-0000-000000000000}
Process ID(string): 0x0
Process Name(string): -
Workstation Name(string): WORKSTATION-1
Source Network Address(string): -
Source Port(string): -
Logon Process(string): NtLmSsp
Authentication Package(string): NTLM
Transited Services(string): -
Package Name (NTLM only)(string): NTLM V2
Key Length(string): 128
Product(string): Windows OS
Event Source File(string): ForwardedEvents
Application(string): Microsoft-Windows-Security-Auditing
__orig(ipaddr): 192.168.2.14
Computer(string): COMP.AD
Event Type(string): Success Audit
- Back up the configuration mapping file:
  C:\Program Files (x86)\CheckPoint\WinEventToCPLog\R63\conf\winEventToCPLog_User_Fields.C
- Edit the configuration mapping file in an advanced text editor (Notepad++, UltraEdit, PSPad, etc.):
  C:\Program Files (x86)\CheckPoint\WinEventToCPLog\R63\conf\winEventToCPLog_User_Fields.C
- Add the relevant section for the desired event (under the comments section).
  Example - mapping of the user name (based on the debug):
  (
      : ("Microsoft-Windows-Security-Auditing:4624"
          : (%6
              :field_name (User)
              :field_type (string)
          )
      )
  )
  - Save the changes in the file and close it.
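The two manual steps above (reading the %N parameter numbers out of windowEvent0.log, then writing the matching entry into winEventToCPLog_User_Fields.C) are easy to get wrong when the same value shows up in several parameters, as "-" does in the debug output. The following Python helper is an added example and is not part of the article or of Check Point's agent: it parses debug output in the layout shown above, finds which %N carries the value you saw in the event, refuses to guess when the value is ambiguous, and renders the mapping entry in the shape the article shows. The sample debug text is constructed (trimmed from the article's layout); the function names and the tab indentation of the rendered entry are this example's own choices, not a Check Point convention.

```python
"""Added helper for WinEventToCPLog field mapping (example code, not Check Point's).

Assumptions, not taken from the article:
- the debug log has 'EventID: <n>' followed by '%<k> = <value>' lines and an
  'Application(string): <app>' line for each event, as in the article's sample;
- the mapping entry is rendered exactly in the parenthesised shape the article
  shows for winEventToCPLog_User_Fields.C.
"""
import re

# Constructed sample, trimmed from the debug layout shown in the article.
SAMPLE_DEBUG = """\
Reading internal event number: 26320
Tue Mar 04 11:40:31 2014
ForwardedEvents
EventID: 4624
%1 = S-1-0-0
%2 = -
%3 = -
%5 = S-1-1-11-1111111111-1111111111-1111111111-1111
%6 = CPEventLog
%7 = AAA
%10 = NtLmSsp
Win Message(string): An account was successfully logged on.
Account Name1(string): CPEventLog
Application(string): Microsoft-Windows-Security-Auditing
"""

PARAM_RE = re.compile(r"^%(\d+) = (.*)$")
EVENTID_RE = re.compile(r"^EventID: (\d+)$")
APP_RE = re.compile(r"^Application\(string\): (.+)$")


def parse_debug_events(text):
    """Split debug output into events: dicts with event_id, application and params (%N -> value)."""
    events = []
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        m = EVENTID_RE.match(line)
        if m:
            current = {"event_id": int(m.group(1)), "application": None, "params": {}}
            events.append(current)
            continue
        if current is None:
            continue  # header lines before the first EventID
        m = PARAM_RE.match(line)
        if m:
            current["params"][int(m.group(1))] = m.group(2)
            continue
        m = APP_RE.match(line)
        if m:
            current["application"] = m.group(1)
    return events


def find_param_number(event, value):
    """Return every %N whose value equals `value`; more than one means the value is ambiguous."""
    return sorted(n for n, v in event["params"].items() if v == value)


def mapping_entry(application, event_id, param_number, field_name, field_type="string"):
    """Render one entry in the shape the article shows for winEventToCPLog_User_Fields.C."""
    return (
        "(\n"
        f'\t: ("{application}:{event_id}"\n'
        f"\t\t: (%{param_number}\n"
        f"\t\t\t:field_name ({field_name})\n"
        f"\t\t\t:field_type ({field_type})\n"
        "\t\t)\n"
        "\t)\n"
        ")"
    )


def build_mapping_from_debug(debug_text, event_id, seen_value, field_name, field_type="string"):
    """Locate the event, find the single %N carrying `seen_value`, and render the mapping entry.

    Raises ValueError if the event is absent, the value is not found, or it appears in more than
    one parameter; in the last case pick the right %N by hand from the named fields in the debug
    output (for 4624, 'Account Name1' is the logged-on account, 'Account Name' the subject)."""
    matches = [e for e in parse_debug_events(debug_text) if e["event_id"] == event_id]
    if not matches:
        raise ValueError(f"no event with EventID {event_id} in debug output")
    event = matches[-1]  # most recent occurrence, i.e. the event you just re-created
    numbers = find_param_number(event, seen_value)
    if len(numbers) != 1:
        raise ValueError(f"value {seen_value!r} found in parameters {numbers}; expected exactly one")
    return mapping_entry(event["application"], event_id, numbers[0], field_name, field_type)


if __name__ == "__main__":
    print(build_mapping_from_debug(SAMPLE_DEBUG, 4624, "CPEventLog", "User"))
```

Run it against the real windowEvent0.log by reading the file into `build_mapping_from_debug` instead of `SAMPLE_DEBUG`, then paste the rendered entry under the comments section of winEventToCPLog_User_Fields.C. The ambiguity check is the point of the helper: a value such as "-" or a domain name that occurs in several %N parameters must be resolved by looking at which named field in the debug output holds it, not by taking the first match.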
- Start the Check Point Windows Event Service:
  - Start - Run - type services.msc - click on OK
  - Find the 'Check Point Windows Event Service' service - right-click - 'Start'
- Connect to the Check Point Log Server with SmartLog / SmartEvent / SmartView Tracker and check the logs.
Note:
Definitions of Check Point log fields are located in the $FWDIR/conf/log_fields.C file on Security Management Server / Domain Management Server.
Note: This solution has been verified for the specific scenario, described by the combination of Product, Version and Symptoms. It may not work in other scenarios.
Note: This solution is about products that are no longer supported and it will not be updated.