Configuring Check Point to forward LEEF events to QRadar

To forward LEEF events to IBM QRadar, use the Check Point Log Exporter and configure a new target for the logs.

Before you begin

Log Exporter can be installed on several versions of Check Point. Before you send events in LEEF format to QRadar, ensure that you have the correct version of Check Point and Log Exporter installed in your environment.

The following table describes where LEEF events are supported.

Table 1. Check Point versions that support LEEF
Check Point version   Comments
R81.10                Log Exporter is included in this version.
R80.20                Log Exporter is included in this version.
R80.10                Install Log Exporter, then install the hotfix.
R77.30                Install Log Exporter, then install the hotfix.
Check Point R80.20
If you want to preserve the Log Exporter configuration before you upgrade to Check Point R80.20, follow the backup and restore Log Exporter instructions on the Check Point website. (https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk127653).
Check Point R80.10
Ensure that Check Point version R80.10 is installed on the following servers:
  • R80.10 Multi-Domain Log Server
  • Security Management Server
  • Log Server
  • SmartEvent Server
You can install Log Exporter on version R80.10 Jumbo Hotfix Take 56 or later. The hotfix must be installed after Jumbo is installed. If you want to upgrade Jumbo, uninstall the hotfix, upgrade Jumbo, and then reinstall the hotfix. For more information, see the installation topic on the Check Point website (https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk122323#Installation).
Check Point R77.30
Ensure that Check Point version R77.30 is installed on the following servers:
  • Multi-Domain server
  • Multi-Domain Log Server
  • Log Server
  • SmartEvent Server
You can install Log Exporter on version R77.30 Jumbo Hotfix Take 292 or later. The hotfix must be installed after Jumbo is installed. If you want to upgrade Jumbo, uninstall the hotfix, upgrade Jumbo, and then reinstall the hotfix. For more information, see the installation topic on the Check Point website (https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk122323#Installation).

Procedure

  1. On the command-line interface of the Check Point server that runs Log Exporter, type expert, then press Return to enter expert mode.
  2. Type your expert password, then press Return.
  3. Type the following command:
    cp_log_export add name <name> [domain-server <domain-server>] target-server <target-server IP address> target-port <target-port> protocol <(udp|tcp)> format <(syslog)|(cef)|(leef)> [optional arguments]
    Tip: If your server is not part of a domain, do not include the domain-server field in the setup command.

    A new target directory and default files are created in the $EXPORTERDIR/targets/<deployment_name> directory.

    The following table shows sample parameters and their values.
    Table 2. Sample target configuration
    Parameter       Value
    Name            <service_name>
    Enabled         True
    Target-server   <QRadar_IP_address>
    Target-port     514
    Protocol        TCP
    Format          LEEF
    Read-mode       Semi-unified

    The default value for the Read-mode parameter is Semi-unified to ensure that complete data is collected.

    For more information about other commands, go to the Check Point website (https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk122323#Deployment Script Additional Commands).

  4. To change a configuration, type cp_log_export set.
  5. To verify a configuration in an existing deployment, type cp_log_export show.
  6. To start Log Exporter, type the following command: cp_log_export restart.
    By default, Log Exporter doesn't start automatically, so you must start it with this command.
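The following script is an added example for steps 3 to 6; it is not code from IBM or Check Point. It builds the cp_log_export add command from the Table 2 values, rejects protocol, format and port values that the documented syntax does not allow, omits domain-server unless one is supplied, and runs the add, show and restart sequence only when the opt-in variable CP_LOG_EXPORT_APPLY is set to 1. The target name qradar-leef, the opt-in variable and the address 192.0.2.10 (a documentation address standing in for <QRadar_IP_address>) are assumptions introduced here; EXPORTERDIR is the environment variable the page names.

```shell
#!/bin/sh
# Added example, not IBM or Check Point code. Wraps steps 3-6 of the procedure.
# Run it in expert mode on the host that runs Log Exporter. Without
# CP_LOG_EXPORT_APPLY=1 (a knob introduced here) it only prints what it would run.

# build_add_cmd NAME TARGET_IP PORT PROTOCOL FORMAT [DOMAIN_SERVER]
# Prints the complete "cp_log_export add" command line; returns 1 on bad input.
build_add_cmd() {
    name=$1; target=$2; port=$3; proto=$4; fmt=$5; domain=${6:-}

    case $proto in
        udp|tcp) ;;
        *) echo "protocol must be udp or tcp, got '$proto'" >&2; return 1 ;;
    esac
    case $fmt in
        syslog|cef|leef) ;;
        *) echo "format must be syslog, cef or leef, got '$fmt'" >&2; return 1 ;;
    esac
    case $port in
        ''|*[!0-9]*) echo "target-port must be numeric, got '$port'" >&2; return 1 ;;
    esac

    cmd="cp_log_export add name $name"
    # domain-server is only passed on Multi-Domain deployments (Tip in step 3).
    if [ -n "$domain" ]; then
        cmd="$cmd domain-server $domain"
    fi
    cmd="$cmd target-server $target target-port $port protocol $proto format $fmt"
    printf '%s\n' "$cmd"
}

# target_conf_dir NAME
# Prints where the generated files for a target live (step 3 and the Results
# section). EXPORTERDIR is set by the Check Point environment.
target_conf_dir() {
    printf '%s/targets/%s/conf\n' "${EXPORTERDIR:-\$EXPORTERDIR}" "$1"
}

# run_add NAME TARGET_IP PORT PROTOCOL FORMAT [DOMAIN_SERVER]
# Validates through build_add_cmd, then invokes cp_log_export directly
# (no eval, so argument values are never re-parsed by the shell).
run_add() {
    build_add_cmd "$@" >/dev/null || return 1
    if [ -n "${6:-}" ]; then
        cp_log_export add name "$1" domain-server "$6" target-server "$2" \
            target-port "$3" protocol "$4" format "$5"
    else
        cp_log_export add name "$1" target-server "$2" \
            target-port "$3" protocol "$4" format "$5"
    fi
}

# deploy_target NAME TARGET_IP PORT PROTOCOL FORMAT [DOMAIN_SERVER]
# Steps 3, 5 and 6: add the target, show the configuration, then restart
# Log Exporter, which does not start on its own after a change.
deploy_target() {
    add_cmd=$(build_add_cmd "$@") || return 1
    if [ "${CP_LOG_EXPORT_APPLY:-0}" != 1 ]; then
        echo "dry run (set CP_LOG_EXPORT_APPLY=1 to apply):"
        echo "  $add_cmd"
        echo "  cp_log_export show"
        echo "  cp_log_export restart"
        return 0
    fi
    command -v cp_log_export >/dev/null 2>&1 || {
        echo "cp_log_export not found; run this on the Log Exporter host" >&2; return 1; }
    run_add "$@" || return 1
    cp_log_export show
    cp_log_export restart
    echo "LEEF mapping files for this target are under $(target_conf_dir "$1")"
}

# Table 2 values; 192.0.2.10 is a documentation address standing in for <QRadar_IP_address>.
deploy_target qradar-leef 192.0.2.10 514 tcp leef
```

Validation is kept in one place (build_add_cmd) so the dry-run output and the applied command can't diverge, and the apply path passes each value as its own argument rather than re-parsing a string.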

Results

If QRadar isn't receiving events from Check Point, try these troubleshooting tips:
  • Check the $EXPORTERDIR/targets/<deployment_name>/conf/LeefFieldsMapping.xml file for attributes-mapping issues.
  • Check the $EXPORTERDIR/targets/<deployment_name>/conf/LeefFormatDefinition.xml file for LEEF header-mapping issues.
  • Check the file paths. File paths might change with Check Point updates. If a configuration file can't be found, contact your Check Point administrator.
For more troubleshooting information, see the Troubleshooting Check Point Syslog LEEF Events from the Log Exporter (cp_log_export) Utility technote (https://www.ibm.com/support/docview.wss?uid=ibm10876650).
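When QRadar receives payloads but does not parse them, it helps to separate a LEEF header problem (LeefFormatDefinition.xml) from a field-mapping problem (LeefFieldsMapping.xml). The script below is an added example, not IBM or Check Point code: it checks that a payload copied from the QRadar log source or captured on the wire carries the five-field LEEF header (LEEF:version|Vendor|Product|Version|EventID) followed by tab-delimited key=value attributes, and extracts a named attribute. The two sample lines are constructed here; their vendor, product, version and event values are placeholders, not Check Point's actual header values.

```shell
#!/bin/sh
# Added example, not IBM or Check Point code: receive-side sanity checks on
# the LEEF header and attributes of an event that reached QRadar.

# leef_header_ok LINE
# Returns 0 when LINE carries a well-formed LEEF 1.0/2.0 header
# (LEEF:ver|Vendor|Product|Version|EventID|attributes...), 1 otherwise.
# A syslog prefix in front of "LEEF:" is tolerated.
leef_header_ok() {
    printf '%s\n' "$1" | awk '
        {
            i = index($0, "LEEF:")
            if (i == 0) exit 1                      # no LEEF header at all
            n = split(substr($0, i), f, "|")
            if (f[1] != "LEEF:1.0" && f[1] != "LEEF:2.0") exit 1
            if (n < 6) exit 1                       # 5 header fields + attributes
            for (k = 2; k <= 5; k++) if (f[k] == "") exit 1   # empty header field
            exit 0
        }'
}

# leef_attr LINE KEY
# Prints the value of attribute KEY from the tab-delimited attribute section;
# returns 1 if the key is absent. (A custom LEEF 2.0 delimiter is not handled.)
leef_attr() {
    printf '%s\n' "$1" | awk -v key="$2" '
        {
            i = index($0, "LEEF:")
            if (i == 0) exit 1
            body = substr($0, i)
            for (k = 0; k < 5; k++) body = substr(body, index(body, "|") + 1)  # drop header
            n = split(body, a, "\t")
            for (k = 1; k <= n; k++) {
                eq = index(a[k], "=")
                if (eq && substr(a[k], 1, eq - 1) == key) { print substr(a[k], eq + 1); exit 0 }
            }
            exit 1
        }'
}

# Constructed sample payloads (placeholder header values, documentation addresses).
GOOD=$(printf '<134>Jan 10 12:00:00 cplog LEEF:2.0|Check Point|Log Exporter|R81.10|Accept|devTime=1641816000\tsrc=10.0.0.5\tdst=198.51.100.7\tproto=tcp')
BAD=$(printf '<134>Jan 10 12:00:00 cplog LEEF:2.0|Check Point||R81.10|Accept|src=10.0.0.5')

for line in "$GOOD" "$BAD"; do
    if leef_header_ok "$line"; then
        echo "header ok, src=$(leef_attr "$line" src)"
    else
        echo "header malformed: check LeefFormatDefinition.xml for this target"
    fi
done
```

A header that fails this check points at LeefFormatDefinition.xml; a header that passes while a needed key (src, dst, devTime) is missing from the attributes points at LeefFieldsMapping.xml.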