Create a Remote Log Source - Check Point



You can use this document to connect a remote log collector (Log Relay) to a Check Point device so that the device can be added as a remote log source.

Pre-Deployment Considerations


Before you begin, review the following requirements:

Log Relay

For remote log collection, you must have a Log Relay server on your account.

Assumptions

  • You have a functioning Check Point box online, configured with the policies that you need

  • You have a Log Relay device online

  • You are not blocking TCP or UDP traffic on port 10003 between the Check Point box and the Log Relay


Pre-Configure the Check Point Box


You must first make sure that a log exporter is installed on the Check Point box that you are using. Instructions for log exporter installations are as follows:

Check Point version R80.20

  • Log Exporter is included in Check Point version R80.20

Check Point version R80.10

Check Point version R77.30


Configure the Check Point Device


  1. Log into the Check Point box via Secure Shell (SSH).

  2. Enter the "expert" command to access Expert mode, then follow the onscreen prompts to enter your credentials.

  3. Enter the following command to configure the log exporter to send the logs to the log relay:

    cp_log_export add name <exporter name> enabled true target-server <log relay ip address> target-port 10003 protocol tcp format leef read-mode semi-unified

    1. In <exporter name>, insert the name that you wish to use for the log exporter, with no spaces.

      1. For example: Armor_Exporter

    2. In <log relay ip address>, insert the IP address of the log relay box.

    3. An example of the full command is shown below:


  4. To start the exporter, enter the following command:

    cp_log_export restart name <exporter name>

    1. In <exporter name>, insert the name of the exporter that was used in step 3a.

    2. An example of the full command is shown below:

  5. Navigate to the directory that was created when you created the log exporter.

    1. To find this directory, run the following command:

      cd /; find . | grep -i <exporter name>

    2. Replace the LeefFieldsMapping.XML file with the following .xml file: leeffieldmapping.xml.

    3. Navigate to the conf directory, and replace the LeefFormatDefinition.XML file with the following .xml file: LeefFormatDefinition.xml.

    4. An example of the full command is shown below:

  6. Restart the Check Point Log Exporter by running the same cp_log_export restart command that you used in step 4:

    1. An example of the full command is shown below:

  7. In the Check Point web GUI, go to System Management, then System Logging.

    1. Select the Send Syslog messages to management server checkbox.

    2. In the Remote System Logging box, add the IP address of the log relay.

    3. Keep Send Logs from Priority Level set to All.
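
The following script is an added example and is not part of this document, nor Armor's or Check Point's own code. It assembles the cp_log_export commands from steps 3 and 4 of the procedure above, checking first that the exporter name contains no spaces (step 3a) and that the Log Relay address is a valid IPv4 address (step 3b), so that a typo is caught before anything is entered in Expert mode. The command syntax is exactly the one shown on this page; the exporter name Armor_Exporter comes from step 3a, while the relay address 192.0.2.10 and the sample status text are constructed placeholders. The TCP reachability check assumes an OpenBSD-style nc is available and is skipped otherwise.

```shell
#!/bin/sh
# Added example, not taken from the Armor page or from Check Point: assemble and
# sanity-check the cp_log_export commands from steps 3 and 4 before running them
# on the box. Only the command syntax shown on the page is used; the exporter
# name and relay address below are constructed placeholders.

LOG_RELAY_PORT=10003   # port used by the procedure; TCP and UDP 10003 must be open to the relay

# Step 3a: the exporter name must contain no spaces. Also reject characters that
# would be unsafe to pass through the shell.
validate_exporter_name() {
    case "$1" in
        ''|*[!A-Za-z0-9_.-]*) return 1 ;;
        *) return 0 ;;
    esac
}

# Step 3b: accept only a dotted-quad IPv4 address with each octet in 0-255.
validate_ipv4() {
    case "$1" in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    _old_ifs=$IFS
    IFS=.
    set -- $1
    IFS=$_old_ifs
    [ $# -eq 4 ] || return 1
    for _octet in "$@"; do
        [ "$_octet" -le 255 ] || return 1
    done
    return 0
}

# Step 3: the full 'add' command, with the fixed options used by the procedure
# (TCP transport, LEEF format, semi-unified read mode).
build_add_command() {
    validate_exporter_name "$1" || { echo "invalid exporter name: '$1'" >&2; return 1; }
    validate_ipv4 "$2" || { echo "invalid log relay address: '$2'" >&2; return 1; }
    printf 'cp_log_export add name %s enabled true target-server %s target-port %s protocol tcp format leef read-mode semi-unified\n' \
        "$1" "$2" "$LOG_RELAY_PORT"
}

# Step 4 (and again in step 6): restart the exporter so the new target takes effect.
build_restart_command() {
    validate_exporter_name "$1" || { echo "invalid exporter name: '$1'" >&2; return 1; }
    printf 'cp_log_export restart name %s\n' "$1"
}

# Pre-deployment check: is TCP 10003 on the relay reachable from this host?
# Assumes an OpenBSD-style nc; if none is present the check is reported as skipped.
check_relay_tcp() {
    if command -v nc >/dev/null 2>&1; then
        nc -z -w 3 "$1" "$LOG_RELAY_PORT" && echo "tcp/$LOG_RELAY_PORT reachable on $1" \
            || { echo "tcp/$LOG_RELAY_PORT NOT reachable on $1" >&2; return 1; }
    else
        echo "nc not available; skipping reachability check for $1" >&2
    fi
}

# Troubleshooting: interpret the exporter status text. "Not Running" must not be
# mistaken for "Running", so the negative form is tested first.
exporter_is_running() {
    if printf '%s\n' "$1" | grep -qi 'not running'; then
        return 1
    fi
    printf '%s\n' "$1" | grep -qi 'running'
}

# Constructed sample status text: the wording follows the page, not the real tool's layout.
SAMPLE_STATUS_RUNNING='name: Armor_Exporter
status: Running'
SAMPLE_STATUS_STOPPED='name: Armor_Exporter
status: Not Running'

# Dry run with constructed values: print the commands that would be entered in Expert mode.
EXPORTER_NAME=Armor_Exporter   # example name from step 3a
RELAY_IP=192.0.2.10            # RFC 5737 documentation address standing in for the relay
build_add_command "$EXPORTER_NAME" "$RELAY_IP"
build_restart_command "$EXPORTER_NAME"
```

Run it on an administrator's workstation first; once the printed commands look right, paste them into the Expert mode shell from step 2. Rejecting a name with a space up front matters because cp_log_export would otherwise treat the second word as an unexpected argument, and a wrong relay address is far easier to spot here than in a log exporter that silently reports "Not Running".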



Troubleshooting

To check the status of the log exporter device after the configuration changes:

  1. Log into the Check Point box via Secure Shell (SSH).

  2. Go into expert mode.

  3. Run the following command:

  • If the status is "Running", then the configuration was successful, and the log exporter should be sending logs to the log relay.

  • If the status is "Not Running" after the configuration changes, verify the changes that were made to the LeefFormatDefinition.XML file in step 5c.

    • Simply comment out the extra fields in the eventID section of the XML. Do not make any other changes.



Verify Connection in AMP


  1. In the Armor Management Portal (AMP), in the left-side navigation, click Security.

  2. Click Log & Data Management, and then select Search.

  3. In the Source column, review the source name to locate the newly created Check Point remote log source.

    1. In the search field, you can also enter "check point" to locate Check Point messages.


