Syslog sample event messages for Check Point
Use these sample event messages to verify a successful integration with IBM QRadar.
Important: Due to formatting issues, paste the message format into a text editor and then remove any carriage return or line feed characters.
Check Point sample message when you use the Syslog protocol
Sample 1: The following sample event message shows that a trusted connection is identified and marked as an elephant flow.
<13>Sep 30 07:13:59 checkpoint.checkpoint.test 30Sep2020 07:13:59 10.1.253.3 product: VPN-1 &FireWall-1; src: 10.3.5.15; s_port: 61172; dst: 10.254.4.3; service: 53; proto: udp; rule:; policy_id_tag: product=VPN-1 & FireWall-1[db_tag={666B9F89-D1F9-7848-B5FB- BF8D97B768F8};mgmt=fw-mgmt;date=1601441138;policy_name=CBS_policy_Simplified_PlusDeskt];dst_machine_name: *** Confidential ***;dst_user_name: *** Confidential ***;fw_message: Connection is marked as trusted elephant flow. Use fastaccel tool to edit configuration if needed.;has_accounting: 0;i/f_dir: inbound;is_first_for_luuid: 131072;logId: -1;log_sequence_num: 11;log_type: log;log_version: 5;origin_sic_name: CN=x01_fw1,O=fw-mgmt.cu.com.pl.8pjujj;snid: 0;src_machine_name: *** Confidential ***;src_user_name: *** Confidential ***;user: *** Confidential ***;
| QRadar field name | Highlighted values in the event payload |
|---|---|
| Username | *** Confidential *** |
| Source IP | 10.3.5.15 |
| Source port | 61172 |
| Destination IP | 10.254.4.3 |
| Destination port | 53 |
| Device time | Sep 30 07:13:59 |
Sample 2: The following sample event message shows that a user login is successful.
LEEF:2.0|Check Point|Linux OS|1.0|Log In|cat=Linux OS devTime=1539878943 usrName=cp action=Log In ifdir=inbound loguid={0x5bc8b020,0x3,0x6a9610ac,0xee29cd8} origin=172.16.150.106 sequencenum=4 version=5 application=su default_device_message=<86>su: pam_unix(su:session):session opened for user cp_postgres by (uid\\=0) facility=security/authorization messages login_status=succeeded product_category=OS syslog_severity=Informational
| QRadar field name | Highlighted values in the event payload |
|---|---|
| Event ID | Log In succeeded |
| Event category | Linux OS |
| Username | cp |
| Source IP | 172.16.150.106 |
| Device time | Oct 18 13:09:03 ADT |
| Identity IP | 172.16.150.106 |
| Identity username | cp |
Sample 3: The following sample event message shows a Firewall Permit event.
<85>Dec 26 14:51:47 checkpoint.checkpoint.test Action="accept" resource="TESTV02.TEST.in" inzone="Internal" outzone="Internal" service_id="DNS_UDP" src="10.111.140.21" dst="10.128.8.36" proto="17" user="" src_user_name="" src_machine_name="" src_user_dn="" snid="" dst_user_name="" dst_machine_name="" dst_user_dn="" UP_match_table="TABLE_START" ROW_START="0" match_id="30" layer_uuid="xxxx-xxxx-xxx-xx-xxx" layer_name="internal" rule_uid="000-0000-0000-0000-000000000000" rule_name="Incoming/Internal" ROW_END="0" UP_match_table="TABLE_END" src_device_function="Computer" src_device_manufacturer="HPE" src_device_model="" src_dynobj_name="InternalNet" src_domain_name="" src_uo_name="" src_uo_icon="" src_object_type="dynamic_object" dst_dynobj_name="InternalNet" dst_domain_name="" dst_uo_name="" dst_uo_icon="" dst_object_type="dynamic_object" src_device_mac="00:00:5E:00:53:FF" src_device_confidence="58" ProductName="VPN-1 & FireWall-1" svc="53" sport_svc="20290" ProductFamily=""
| QRadar field name | Highlighted values in the event payload |
|---|---|
| Event ID | accept |
| Event category | CheckPoint |
| Source IP | 10.111.140.21 |
| Destination IP | 10.128.8.36 |
| Source Mac Address | 00:00:5E:00:53:FF |
| Protocol | 17 |
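The three samples use three different payload shapes: `key: value;` pairs behind a syslog header (Sample 1), a LEEF 2.0 record (Sample 2), and `key="value"` pairs behind a syslog header (Sample 3). As an added example that is not part of the IBM documentation or the Check Point DSM, the following Python parses each shape and returns the fields the tables above map, so a captured event can be checked against the expected values offline before looking at QRadar's own parsing. The sample strings are constructed copies of the page's payloads: Sample 3 is abridged to the mapped fields, the LEEF sample is joined with tab delimiters (the LEEF 2.0 default when the header carries no delimiter field) and uses `\=` as LEEF's escape for a literal equals sign inside a value, and the ADT offset (UTC-3) used to render `devTime` is an assumption taken from the Sample 2 table.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed copies of the page's samples. Sample 1 is copied whole (its
# policy_id_tag holds semicolons inside [...] and is the tricky case); the LEEF
# sample is tab-delimited; Sample 3 is abridged to the fields the table maps.
SAMPLE_SYSLOG = (
    "<13>Sep 30 07:13:59 checkpoint.checkpoint.test 30Sep2020 07:13:59 10.1.253.3 "
    "product: VPN-1 &FireWall-1; src: 10.3.5.15; s_port: 61172; dst: 10.254.4.3; "
    "service: 53; proto: udp; rule:; policy_id_tag: product=VPN-1 & FireWall-1"
    "[db_tag={666B9F89-D1F9-7848-B5FB- BF8D97B768F8};mgmt=fw-mgmt;date=1601441138;"
    "policy_name=CBS_policy_Simplified_PlusDeskt];dst_machine_name: *** Confidential ***;"
    "dst_user_name: *** Confidential ***;fw_message: Connection is marked as trusted "
    "elephant flow. Use fastaccel tool to edit configuration if needed.;has_accounting: 0;"
    "i/f_dir: inbound;is_first_for_luuid: 131072;logId: -1;log_sequence_num: 11;"
    "log_type: log;log_version: 5;origin_sic_name: CN=x01_fw1,O=fw-mgmt.cu.com.pl.8pjujj;"
    "snid: 0;src_machine_name: *** Confidential ***;src_user_name: *** Confidential ***;"
    "user: *** Confidential ***;"
)
SAMPLE_LEEF = "\t".join([
    "LEEF:2.0|Check Point|Linux OS|1.0|Log In|cat=Linux OS", "devTime=1539878943",
    "usrName=cp", "action=Log In", "ifdir=inbound",
    "loguid={0x5bc8b020,0x3,0x6a9610ac,0xee29cd8}", "origin=172.16.150.106",
    "sequencenum=4", "version=5", "application=su",
    "default_device_message=<86>su: pam_unix(su:session):session opened for user "
    "cp_postgres by (uid\\=0)", "facility=security/authorization messages",
    "login_status=succeeded", "product_category=OS", "syslog_severity=Informational",
])
SAMPLE_KV = (
    '<85>Dec 26 14:51:47 checkpoint.checkpoint.test Action="accept" '
    'resource="TESTV02.TEST.in" inzone="Internal" outzone="Internal" service_id="DNS_UDP" '
    'src="10.111.140.21" dst="10.128.8.36" proto="17" user="" UP_match_table="TABLE_START" '
    'rule_name="Incoming/Internal" UP_match_table="TABLE_END" '
    'src_device_mac="00:00:5E:00:53:FF" ProductName="VPN-1 & FireWall-1" svc="53" '
    'sport_svc="20290" ProductFamily=""'
)

# <PRI>, BSD-style timestamp, host, then the rest of the line.
SYSLOG_HEADER = re.compile(r"^<(\d{1,3})>([A-Z][a-z]{2} {1,2}\d{1,2} \d\d:\d\d:\d\d) (\S+) (.*)$")
# "key: value;" pairs. A key is followed by ": " or by ":;" (empty value), so the
# "07:13:59" in the body prefix is not mistaken for a key. A value may contain a
# [...] group that itself holds semicolons, so bracketed runs are consumed whole.
KV_COLON = re.compile(r"([\w/]+):(?: |(?=;))((?:[^;\[]|\[[^\]]*\])*);")
KV_QUOTED = re.compile(r'(\w+)="([^"]*)"')
# Fallback for a LEEF record whose tabs were turned into spaces (as on a doc
# page): a value runs until the next " key=" token or end of line.
LEEF_ATTR = re.compile(r"(?:^|\s)(\w+)=(.*?)(?=\s\w+=|$)")


def split_syslog_header(line):
    m = SYSLOG_HEADER.match(line)
    if not m:
        raise ValueError("not a syslog line with <PRI>, timestamp and host")
    pri, stamp, host, body = m.groups()
    return {"pri": int(pri), "device_time": stamp, "host": host, "body": body}


def parse_colon_syslog(line):
    """Sample 1 shape: '<PRI>timestamp host ... key: value; key: value;'."""
    head = split_syslog_header(line)
    fields = {k: v.strip() for k, v in KV_COLON.findall(head["body"])}
    return {"format": "syslog-colon", "pri": head["pri"], "device_time": head["device_time"],
            "host": head["host"], "fields": fields}


def parse_leef(line):
    """Sample 2 shape: LEEF:2.0|Vendor|Product|Version|EventID|attr=value<TAB>..."""
    parts = line.split("|", 5)
    if len(parts) != 6 or not parts[0].startswith("LEEF:"):
        raise ValueError("not a LEEF record")
    attrs = parts[5]
    if "\t" in attrs:
        pairs = [a.split("=", 1) for a in attrs.split("\t") if "=" in a]
    else:
        pairs = LEEF_ATTR.findall(attrs)
    fields = {k: v.replace("\\=", "=") for k, v in pairs}  # undo the LEEF '\=' escape
    return {"format": "leef", "version": parts[0][5:], "vendor": parts[1], "product": parts[2],
            "product_version": parts[3], "event_id": parts[4], "fields": fields}


def parse_quoted_syslog(line):
    """Sample 3 shape: '<PRI>timestamp host key="value" key="value" ...'."""
    head = split_syslog_header(line)
    fields = {}
    for k, v in KV_QUOTED.findall(head["body"]):
        fields.setdefault(k, v)  # keep the first of a repeated key (UP_match_table)
    return {"format": "syslog-quoted", "pri": head["pri"], "device_time": head["device_time"],
            "host": head["host"], "fields": fields}


def format_devtime(epoch, offset_hours, tz_name):
    """Render an epoch devTime the way the Sample 2 table shows it (assumed ADT = UTC-3)."""
    tz = timezone(timedelta(hours=offset_hours), tz_name)
    return datetime.fromtimestamp(int(epoch), tz).strftime("%b %d %H:%M:%S %Z")


def parse_checkpoint(line):
    """Pick the parser from the payload's shape."""
    if line.startswith("LEEF:"):
        return parse_leef(line)
    if '="' in line:
        return parse_quoted_syslog(line)
    return parse_colon_syslog(line)


if __name__ == "__main__":
    for sample in (SAMPLE_SYSLOG, SAMPLE_LEEF, SAMPLE_KV):
        ev = parse_checkpoint(sample)
        print(ev["format"], ev.get("device_time") or format_devtime(ev["fields"]["devTime"], -3, "ADT"),
              sorted(ev["fields"])[:6])
```

When checking a live feed, compare the parsed values to the tables field by field: a username that comes out as `cpaction` rather than `cp`, or a `policy_id_tag` cut off at its first inner semicolon, means a delimiter was lost in transit (which is also why the note at the top asks to strip carriage returns before pasting).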