Syslog sample event messages for Check Point
Use these sample event messages to verify a successful integration with IBM QRadar.
Important: Due to formatting issues, paste the message format into a text editor and
then remove any carriage return or line feed characters.
Check Point sample message when you use the Syslog protocol
Sample 1: The following sample event message shows that a trusted connection is identified and marked as an elephant flow.
<13>Sep 30 07:13:59 checkpoint.checkpoint.test 30Sep2020 07:13:59 10.1.253.3 product: VPN-1 &FireWall-1; src: 10.3.5.15; s_port: 61172; dst: 10.254.4.3; service: 53; proto: udp; rule:; policy_id_tag: product=VPN-1 & FireWall-1[db_tag={666B9F89-D1F9-7848-B5FB- BF8D97B768F8};mgmt=fw-mgmt;date=1601441138;policy_name=CBS_policy_Simplified_PlusDeskt];dst_machine_name: *** Confidential ***;dst_user_name: *** Confidential ***;fw_message: Connection is marked as trusted elephant flow. Use fastaccel tool to edit configuration if needed.;has_accounting: 0;i/f_dir: inbound;is_first_for_luuid: 131072;logId: -1;log_sequence_num: 11;log_type: log;log_version: 5;origin_sic_name: CN=x01_fw1,O=fw-mgmt.cu.com.pl.8pjujj;snid: 0;src_machine_name: *** Confidential ***;src_user_name: *** Confidential ***;user: *** Confidential ***;
QRadar field name | Highlighted values in the event payload |
---|---|
Username | *** Confidential *** |
Source IP | 10.3.5.15 |
Source port | 61172 |
Destination IP | 10.254.4.3 |
Destination port | 53 |
Device time | Sep 30 07:13:59 |
Sample 2: The following sample event message shows that a user login is successful.
LEEF:2.0|Check Point|Linux OS|1.0|Log In|cat=Linux OS devTime=1539878943 usrName=cpaction=Log In ifdir=inbound loguid={0x5bc8b020,0x3,0x6a9610ac,0xee29cd8} origin=172.16.150.106 sequencenum=4 version=5 application=su default_device_message=<86>su: pam_unix(su:session):session opened for user cp_postgres by (uid\\=0) facility=security/authorization messages login_status=succeeded product_category=OS syslog_severity=Informational
QRadar field name | Highlighted values in the event payload |
---|---|
Event ID | Log In succeeded |
Event category | Linux OS |
Username | cp |
Source IP | 172.16.150.106 |
Device time | Oct 18 13:09:03 ADT |
Identity IP | 172.16.150.106 |
Identity username | cp |