You can use this document to add a remote log collector to a Check Point remote device (log source).

Pre-Deployment Considerations


For remote log collection, you must have a Log Relay server on your account.

Assumptions

  • You have a functioning Check Point box online, configured with the policies that you need.

  • You have a Log Relay device online.

  • You are not blocking TCP or UDP port 10003 between the Check Point box and the Log Relay.


Pre-Configure the Check Point Box

You must first make sure that a log exporter is installed on the Check Point box that you are using. Installation instructions are available for the following versions:

  • Check Point version R80.10

  • Check Point version R77.30

Configure the Check Point Device

  1. Log into the Check Point box via Secure Shell (SSH).

  2. Enter the "expert" command to access Expert mode, then follow the onscreen prompts to enter your credentials.

  3. Enter the following command to configure the log exporter to send the logs to the log relay:

       cp_log_export add name <exporter name> enabled true target-server <log relay ip address> target-port 10003 protocol tcp format leef read-mode semi-unified

    a. In <exporter name>, insert the name that you wish to use for the log exporter, with no spaces. For example: Armor_Exporter

    b. In <log relay ip address>, insert the IP address of the log relay box.

    c. An example of the full command is shown below. [image not included]

    Note: The exporter will not start immediately.

  4. To start the exporter, enter the following command:

       cp_log_export restart name <exporter name>

    a. In <exporter name>, insert the name of the exporter that was used in step 3a.

    b. An example of the full command is shown below. [image not included]

  5. Navigate to the directory that was created when you created the log exporter.

    a. To find this directory, run the following command:

         cd /; find . | grep -i <exporter name>

    b. Replace the LeefFieldsMapping.XML file with the following .xml file: leeffieldmapping.xml.

    c. Navigate to the conf directory, and replace the LeefFormatDefinition.XML file with the following .xml file: LeefFormatDefinition.xml.

    d. An example of the full command is shown below. [image not included]

  6. Restart the Check Point Log Exporter by running the following command:

       cp_log_export restart name <log_exporter_name>

    a. An example of the full command is shown below. [image not included]

  7. In the Check Point web GUI, go to System Management, then System Logging. [image not included]

    a. Select the Send Syslog messages to management server checkbox.

    b. In the Remote System Logging box, add the IP address of the log relay.

    c. Keep Send Logs from Priority Level set to All.


Midnight
Info

Troubleshooting

To check the status of the log exporter device after the configuration changes:

  1. Log into the Check Point box via Secure Shell (SSH).

  2. Go into expert mode.

  3. Run the following command:

       cp_log_export stats name <log_exporter_name>

  • If the status is "Running", then the configuration was successful, and the log exporter should be sending logs to the log relay.

  • If the status is "Not Running" after the configuration changes, verify the changes that were made to the LeefFormatDefinition.XML file in step 5c.

    • Simply comment out the extra fields in the eventID section of the XML. Do not make any other changes.
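The following is an added example, not part of the Armor page or of Check Point's own tooling: a small POSIX shell helper that assembles the cp_log_export add command from step 3 with the page's constraints (no spaces in the exporter name, TCP port 10003, LEEF format) and checks the "Running" / "Not Running" wording that the troubleshooting step quotes. The function names, the 192.0.2.10 relay address and the sample stats line are assumptions; the real cp_log_export stats output format is not on this page, so the status check only looks for the two phrases the page quotes.

```shell
#!/bin/sh
# Added example (not from the Armor page or Check Point). Helpers for the
# cp_log_export procedure above; runs offline, no Check Point box required.

EXPORT_PORT=10003   # port the Log Relay listens on (from the page)

# build_add_cmd NAME RELAY_IP
# Prints the cp_log_export add command for step 3, or fails (status 1) when
# the exporter name contains spaces / is empty or the relay address is not a
# dotted quad, so a typo is caught before anything is run in Expert mode.
build_add_cmd() {
  name=$1
  relay_ip=$2
  case "$name" in
    ''|*' '*) return 1 ;;   # page requirement: no spaces in the exporter name
  esac
  # minimal dotted-quad sanity check (does not validate each octet's range)
  printf '%s\n' "$relay_ip" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
  printf 'cp_log_export add name %s enabled true target-server %s target-port %s protocol tcp format leef read-mode semi-unified\n' \
    "$name" "$relay_ip" "$EXPORT_PORT"
}

# exporter_running STATS_TEXT
# Returns 0 if the text from "cp_log_export stats" reports Running, 1 if it
# reports Not Running (or neither). Assumption: the status appears as one of
# those two phrases somewhere in the output, as the troubleshooting step says.
exporter_running() {
  printf '%s\n' "$1" | grep -qi 'not running' && return 1
  printf '%s\n' "$1" | grep -qi 'running'
}

# Demonstration with a constructed relay address and a constructed stats line
# (not real cp_log_export output).
build_add_cmd Armor_Exporter 192.0.2.10
SAMPLE_STATS='Exporter Armor_Exporter status: Not Running'
if exporter_running "$SAMPLE_STATS"; then
  echo 'exporter running: logs should be reaching the log relay'
else
  echo 'exporter not running: re-check LeefFormatDefinition.xml (step 5c)'
fi
```
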


Verify Connection in AMP


  1. In the Armor Management Portal (AMP), in the left-side navigation, click Security.

  2. Click Log & Data Management, and then select Search.

  3. In the Source column, review the source name to locate the newly created Check Point remote log source.

    1. In the search field, you can also enter "check point" to locate Check Point messages.
