Syslog sample event messages for Check Point

Use these sample event messages to verify a successful integration with IBM QRadar.

Important: Due to formatting issues, paste the message format into a text editor and then remove any carriage return or line feed characters.

Check Point sample message when you use the Syslog protocol

Sample 1: The following sample event message shows that a trusted connection is identified and marked as an elephant flow.

<13>Sep 30 07:13:59 checkpoint.checkpoint.test 30Sep2020 07:13:59 10.1.253.3 product: VPN-1 &FireWall-1; src: 10.3.5.15; s_port: 61172; dst: 10.254.4.3; service: 53; proto: udp; rule:; policy_id_tag: product=VPN-1 & FireWall-1[db_tag={666B9F89-D1F9-7848-B5FB- BF8D97B768F8};mgmt=fw-mgmt;date=1601441138;policy_name=CBS_policy_Simplified_PlusDeskt];dst_machine_name: *** Confidential ***;dst_user_name: *** Confidential ***;fw_message: Connection is marked as trusted elephant flow. Use fastaccel tool to edit configuration if needed.;has_accounting: 0;i/f_dir: inbound;is_first_for_luuid: 131072;logId: -1;log_sequence_num: 11;log_type: log;log_version: 5;origin_sic_name: CN=x01_fw1,O=fw-mgmt.cu.com.pl.8pjujj;snid: 0;src_machine_name: *** Confidential ***;src_user_name: *** Confidential ***;user: *** Confidential ***;
Table 1. Highlighted values in the Check Point sample event
QRadar field name Highlighted values in the event payload
Username *** Confidential ***
Source IP 10.3.5.15
Source port 61172
Destination IP 10.254.4.3
Destination port 53
Device time Sep 30 07:13:59

Sample 2: The following sample event message shows that a user login is successful.

LEEF:2.0|Check Point|Linux OS|1.0|Log In|cat=Linux OS devTime=1539878943	usrName=cpaction=Log In ifdir=inbound loguid={0x5bc8b020,0x3,0x6a9610ac,0xee29cd8} origin=172.16.150.106 sequencenum=4 version=5	application=su default_device_message=<86>su: pam_unix(su:session):session opened for user cp_postgres by (uid\\=0)	facility=security/authorization messages login_status=succeeded product_category=OS	syslog_severity=Informational
Table 2. Highlighted values in the Check Point sample event
QRadar field name Highlighted values in the event payload
Event ID Log In succeeded
Event category Linux OS
Username cp
Source IP 172.16.150.106
Device time Oct 18 13:09:03 ADT
Identity IP 172.16.150.106
Identity username cp