How to map Windows Events fields to Check Point log fields
Symptoms
  • The entire event information is shown in the 'Information' column in SmartLog / SmartView Tracker, instead of being spread across the correct columns according to the type of information.
Cause

The required mapping of event fields to Check Point log fields is not configured on the Windows Server that generates these events.


Solution

Follow these steps on the Windows Server:

Note: This procedure assumes that the WinEventToCPLog Agent is already installed on the Windows Server.

  1. Stop the Check Point Windows Event Service service:

    1. Start - Run - type services.msc - click on OK

    2. Find the 'Check Point Windows Event Service' service - right-click - 'Stop'


  2. Open Windows Command Prompt:

    Start - Run - type cmd - click on OK

  3. Navigate to the WinEventToCPLog Agent folder:

    C:\> cd /d "C:\Program Files (x86)\CheckPoint\WinEventToCPLog\R63\bin\"

  4. Run the WinEventToCPLog Agent under debug:

    C:\Program Files (x86)\...\bin> windowEventToCPLog -d

  5. Re-create an event whose fields you wish to map to Check Point log fields.

  6. Stop the WinEventToCPLog Agent - press CTRL+C.

  7. Open the WinEventToCPLog Agent log file:

    C:\Program Files (x86)\CheckPoint\WinEventToCPLog\R63\log\windowEvent0.log

  8. Find the relevant event.

    Example - mapping of the user name:

    • 'CPEventLog' is parameter number %6
    • Application is Microsoft-Windows-Security-Auditing
    • Event ID is 4624

    Reading internal event number: 26320
    Tue Mar 04 11:40:31 2014
    Forwarded
    EventsEventID: 4624
    EventTime: 4624
    %1 = S-1-0-0
    %2 = -
    %3 = -
    %4 = 0x0
    %5 = S-1-1-11-1111111111-1111111111-1111111111-1111
    %6 = CPEventLog
    %7 = AAA
    %8 = 0xaaa11
    %9 = 3
    %10 = NtLmSsp
    %11 = NTLM
    %12 = WORKSTATION-1
    %13 = {00000000-0000-0000-0000-000000000000}
    %14 = -
    %15 = NTLM V2
    %16 = 128
    %17 = 0x0
    %18 = -
    %19 = -
    %20 = -
    Win Message(string): An account was successfully logged on.
    Security ID(string): S-1-0-0
    Account Name(string): -
    Account Domain(string): -
    Logon ID(string): 0x0
    Logon Type(string): 3
    Security ID1(string): S-1-1-11-1111111111-1111111111-1111111111-1111
    Account Name1(string): CPEventLog
    Account Domain1(string): AAA
    Logon ID1(string): 0xaaa11
    Logon GUID(string): {00000000-0000-0000-0000-000000000000}
    Process ID(string): 0x0
    Process Name(string): -
    Workstation Name(string): WORKSTATION-1
    Source Network Address(string): -
    Source Port(string): -
    Logon Process(string): NtLmSsp
    Authentication Package(string): NTLM
    Transited Services(string): -
    Package Name (NTLM only)(string): NTLM V2
    Key Length(string): 128
    Product(string): Windows OS
    Event Source File(string): ForwardedEvents
    Application(string): Microsoft-Windows-Security-Auditing
    __orig(ipaddr): 192.168.2.14
    Computer(string): COMP.AD
    Event Type(string): Success Audit
    
  9. Back up the configuration mapping file:

    C:\Program Files (x86)\CheckPoint\WinEventToCPLog\R63\conf\winEventToCPLog_User_Fields.C

  10. Edit the configuration mapping file in an advanced text editor (Notepad++, UltraEdit, PSPad, etc.):

    C:\Program Files (x86)\CheckPoint\WinEventToCPLog\R63\conf\winEventToCPLog_User_Fields.C

  11. Add the relevant section for the desired event (under the comments section).

    Example - mapping of the user name (based on the debug):

    (
    : ("Microsoft-Windows-Security-Auditing:4624" : (%6 :field_name (User) :field_type (string) ) )
    )
  12. Save the changes in the file and close it.

  13. Start the Check Point Windows Event Service service:

    1. Start - Run - type services.msc - click on OK

    2. Find the 'Check Point Windows Event Service' service - right-click - 'Start'


  14. Connect to the Check Point Log Server with SmartLog / SmartEvent / SmartView Tracker and check the logs.
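To check a mapping entry before restarting the service, the following added example (not part of this SecureKnowledge article or the WinEventToCPLog product) parses a constructed excerpt of the windowEvent0.log debug output above together with a winEventToCPLog_User_Fields.C section, and reports which Check Point log fields the entry would produce for the event. It assumes that several `: (...)` entries may be listed inside the outer parentheses of the mapping file; the second entry (%9 to Logon_Type) is a hypothetical addition for illustration.

```python
import re

# Constructed excerpt of the debug dump shown in step 8 (not a real capture).
DEBUG_LOG = """\
Reading internal event number: 26320
EventsEventID: 4624
%1 = S-1-0-0
%5 = S-1-1-11-1111111111-1111111111-1111111111-1111
%6 = CPEventLog
%7 = AAA
%9 = 3
%12 = WORKSTATION-1
Application(string): Microsoft-Windows-Security-Auditing
Event Type(string): Success Audit
"""

# Constructed mapping section in the winEventToCPLog_User_Fields.C syntax from step 11.
# The first entry is the page's own; the %9 -> Logon_Type entry is a hypothetical addition.
USER_FIELDS = """\
(
: ("Microsoft-Windows-Security-Auditing:4624" : (%6 :field_name (User) :field_type (string) ) )
: ("Microsoft-Windows-Security-Auditing:4624" : (%9 :field_name (Logon_Type) :field_type (string) ) )
)
"""

PARAM_RE = re.compile(r"^%(\d+) = (.*)$")
MAP_RE = re.compile(r'\("([^:"]+):(\d+)"\s*:\s*\(%(\d+)\s*:field_name\s*\((\w+)\)'
                    r'\s*:field_type\s*\((\w+)\)\s*\)\s*\)')

def parse_debug_event(text):
    """Return (application, event_id, {param_number: value}) from one debug event dump."""
    params, app, event_id = {}, None, None
    for line in text.splitlines():
        m = PARAM_RE.match(line)
        if m:
            params[int(m.group(1))] = m.group(2)
        elif line.startswith("EventsEventID:"):
            event_id = int(line.split(":", 1)[1])
        elif line.startswith("Application(string):"):
            app = line.split(":", 1)[1].strip()
    return app, event_id, params

def parse_user_fields(text):
    """Return a list of (application, event_id, param_number, field_name, field_type)."""
    return [(a, int(e), int(p), n, t) for a, e, p, n, t in MAP_RE.findall(text)]

def apply_mapping(debug_text, mapping_text):
    """Return {field_name: (value, field_type)} the mapping would yield for this event."""
    app, event_id, params = parse_debug_event(debug_text)
    out = {}
    for m_app, m_eid, pnum, name, ftype in parse_user_fields(mapping_text):
        if (m_app, m_eid) != (app, event_id):
            continue  # entry belongs to another application/event ID
        if pnum not in params:
            raise KeyError(f"%{pnum} is not present in event {app}:{event_id}")
        out[name] = (params[pnum], ftype)
    return out
```

A KeyError here means the entry references a parameter number that the debug dump does not show for that event, which is the mistake most easily caught before editing the live configuration file.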

Note:

Definitions of Check Point log fields are located in the $FWDIR/conf/log_fields.C file on Security Management Server / Domain Management Server.

This solution has been verified for the specific scenario, described by the combination of Product, Version and Symptoms. It may not work in other scenarios.
This solution is about products that are no longer supported and it will not be updated.
