To forward LEEF events to IBM QRadar, use the Check Point Log Exporter and configure a new target for the logs.
Before you begin
Log Exporter can be installed on several versions of Check Point. Before you send events in LEEF format to QRadar, ensure that you have the correct version of Check Point and Log Exporter installed in your environment. The following table describes where LEEF events are supported.
Table 1. Check Point versions that support LEEF
Check Point version | Comments
R81.10 | Log Exporter is included in this version.
R80.20 | Log Exporter is included in this version.
R80.10 | Install Log Exporter, then install the hotfix.
R77.30 | Install Log Exporter, then install the hotfix.
- Check Point R80.20
  - If you want to preserve the Log Exporter configuration before you upgrade to Check Point R80.20, follow the backup and restore Log Exporter instructions on the Check Point website (https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk127653).
- Check Point R80.10
  - Ensure that Check Point version R80.10 is installed on the following servers:
    - R80.10 Multi-Domain Log Server
    - Security Management Server
    - Log Server
    - SmartEvent Server
  - You can install Log Exporter on version R80.10 Jumbo Hotfix Take 56 or later. The hotfix must be installed after Jumbo is installed. If you want to upgrade Jumbo, uninstall the hotfix, upgrade Jumbo, and then reinstall the hotfix. For more information, see the installation topic on the Check Point website (https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk122323#Installation).
- Check Point R77.30
  - Ensure that Check Point version R77.30 is installed on the following servers:
    - Multi-Domain server
    - Multi-Domain Log Server
    - Log Server
    - SmartEvent Server
  - You can install Log Exporter on version R77.30 Jumbo Hotfix Take 292 or later. The hotfix must be installed after Jumbo is installed. If you want to upgrade Jumbo, uninstall the hotfix, upgrade Jumbo, and then reinstall the hotfix. For more information, see the installation topic on the Check Point website (https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk122323#Installation).
Procedure
- To access expert mode on the Check Point Log Exporter console from the command-line interface, type expert, then press Return.
- Type your expert password, then press Return.
- Type the following command:
  cp_log_export add name <name> [domain-server <domain-server>] target-server <target-server IP address> target-port <target-port> protocol <(udp|tcp)> format <(syslog)|(cef)|(leef)> [optional arguments]
  Tip: If your server is not part of a domain, do not include the domain-server field in the setup command.
  A new target directory and default files are created in the $EXPORTERDIR/targets/<deployment_name> directory.
  The following table shows sample parameters and their values.
  Table 2. Sample target configuration
  Parameter | Value
  Name | <service_name>
  Enabled | True
  Target-server | <QRadar_IP_address>
  Target-port | 514
  Protocol | TCP
  Format | LEEF
  Read-mode | Semi-unified
  The default value for the Read-mode parameter is Semi-unified, which ensures that complete data is collected.
  For more information about other commands, go to the Check Point website (https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk122323#Deployment Script Additional Commands).
- To change a configuration, type cp_log_export set.
- To verify a configuration in an existing deployment, type cp_log_export show.
- To start Log Exporter automatically, type the following command: cp_log_export restart. By default, Log Exporter doesn't start automatically.
Results
If QRadar isn't receiving events from Check Point, try these troubleshooting tips:
- Check the $EXPORTERDIR/targets/<deployment_name>/conf/LeefFieldsMapping.xml file for attribute-mapping issues.
- Check the $EXPORTERDIR/targets/<deployment_name>/conf/LeefFormatDefinition.xml file for LEEF header-mapping issues.
- Check the file paths. File paths might change with Check Point updates. If a configuration file can't be found, contact your Check Point administrator.
For more troubleshooting information, see the Troubleshooting Check Point Syslog LEEF Events from the Log Exporter (cp_log_export) Utility technote (https://www.ibm.com/support/docview.wss?uid=ibm10876650).
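Before editing the mapping files above, it helps to look at what the target actually delivers. The following added example (not from the IBM or Check Point documentation) parses LEEF 1.0 and 2.0 headers from captured syslog lines and separates header failures from attribute gaps; the sample lines, and their vendor, product and version strings, are constructed placeholders rather than real Log Exporter output.

```python
import re
# Constructed sample of lines as a Log Exporter LEEF target might deliver them over
# syslog/TCP; the vendor, product and version strings are placeholders, not Check Point's.
SAMPLE_LINES = [
    "<134>Jan 10 12:00:00 gw1 LEEF:2.0|Check Point|Firewall|1.0|Accept||src=10.0.0.5\tdst=192.0.2.10\tproto=tcp",
    "<134>Jan 10 12:00:01 gw1 LEEF:1.0|Check Point|Firewall|1.0|Drop|src=10.0.0.6\tdst=192.0.2.11\tproto=udp",
    "<134>Jan 10 12:00:02 gw1 LEEF:2.0|Check Point|Firewall|1.0|Accept|^|src=10.0.0.7^dst=192.0.2.12",
    "<134>Jan 10 12:00:03 gw1 LEEF:2.0|Check Point|Firewall|1.0|Accept|x7c|src=10.0.0.8|proto=udp",
    "<134>Jan 10 12:00:04 gw1 plain syslog text with no LEEF header",
]
LEEF_HEADER = re.compile(r"LEEF:(?P<ver>[12]\.0)\|")

def parse_leef(line):
    """Parse one LEEF 1.0/2.0 line; None when no well-formed header (LeefFormatDefinition.xml)."""
    m = LEEF_HEADER.search(line)
    if not m:
        return None
    version = m.group("ver")
    n_header = 5 if version == "2.0" else 4      # 2.0 adds a delimiter field
    parts = line[m.end():].split("|", n_header)  # attribute block may itself contain '|'
    if len(parts) != n_header + 1:
        return None                              # truncated header
    delim = "\t"                                 # LEEF 1.0, and an empty 2.0 field, mean tab
    if version == "2.0" and parts[4]:
        # 2.0 allows a literal character or its hex code written as xHH / 0xHH
        hex_form = re.fullmatch(r"(0x|x)([0-9A-Fa-f]{2})", parts[4])
        delim = chr(int(hex_form.group(2), 16)) if hex_form else parts[4]
    attrs = {}
    for kv in parts[n_header].split(delim):
        if "=" in kv:                            # values may contain '=', so split once
            key, value = kv.split("=", 1)
            attrs[key] = value
    return {"version": version, "vendor": parts[0], "product": parts[1],
            "product_version": parts[2], "event_id": parts[3], "attrs": attrs}

def audit(lines, required=("src", "dst")):
    """Return (ok, bad_header, missing_attr) counts; missing attributes point at LeefFieldsMapping.xml."""
    ok = bad_header = missing = 0
    for line in lines:
        ev = parse_leef(line)
        if ev is None:
            bad_header += 1
        elif any(key not in ev["attrs"] for key in required):
            missing += 1
        else:
            ok += 1
    return ok, bad_header, missing
```

Feed it the lines captured on the QRadar side (for example from a packet capture of port 514) to see whether a silent collection gap is a header problem or a field-mapping problem.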