IBM Support

Troubleshooting Check Point Syslog LEEF Events from the Log Exporter (cp_log_export) Utility

Troubleshooting


Problem

Administrators who use the Check Point Log Exporter (cp_log_export) might experience issues parsing the LEEF data generated by the utility due to the fields generated in the XML files used to send data to QRadar. This technical note informs QRadar users how to update the XML files so that data can parse as expected.

Environment

Check Point systems that use the Check Point Log Exporter utility (cp_log_export) to send Syslog LEEF event data to QRadar. For more information, see https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk122323.

 
Table 1. Check Point versions that support LEEF
Check Point version
Comments
80.20 The Check Point Log Exporter is included in this version.
80.10 Install Log Exporter and then install the hotfix after.
77.30 Install Log Exporter and then install the hotfix after.

Resolving The Problem

Administrators who create a LEEF service with the Check Point Log Exporter must use the following command to generate a service and forward data to QRadar. The important fields when you configure the service are underlined in the procedure.
  1. Log in to the Check Point device.
  2. Type the following command to deploy the Check Point Log Exporter utility:
    cp_log_export add name <servicename> target-server <target-server IP address> target-port 514 protocol tcp format leef read-mode semi-unified
     
    Where:
    • Servicename is the name provided to the service to generate events. This name can be used to stop, start, or restart Syslog LEEF event generation.
    • Target-server IP address is the address of the QRadar appliance to receive the Syslog LEEF event data.
    • 514 is the port for Syslog LEEF events.
    • TCP is the protocol to send Syslog LEEF events.
    • LEEF is the output format type required for QRadar to receive Check Point events in Syslog format.
    • Semi-unified read-mode ensures that Check Point exports a complete chain of events for QRadar.
       
  3.  The service generates two XML files that the administrator must modify: LeefFormatDefinition.XML and LeefFieldsMapping.XML.
    NOTE: Both XML files are included in the ~/conf directory on the Check Point appliance with the latest Log Exporter utility.
     
  4. Edit the file LeefFieldMapping.XML to ensure that the origName field maps the product name to a category. For example, administrators can verify that the XML appears as follows:
    <field><origName>product</origName><dstName>cat</dstName></field>

    Note: If the LeefFieldMapping.XML file differs from the example, edit the file to match. LeefFieldsMapping.xml is located in the $EXPORTERDIR/targets/<deployment_name>/conf/ directory.
  5. Save any changes to the LeefFieldMapping.XML file.
     
  6. Edit the file LeefFormatDefinition.XML to ensure that the EventID field of the XML appears as follows:
    <!-- EventID -->
      <header>
         <default_value>Check Point Log</default_value>
         <field>
            <name>action</name>
         </field>


    Note: If any other XML elements appear in the EventID field of the XML, administrators must comment out the data by wrapping the fields in
    <!-- comment out value --> or by deleting the values from the LeefFormatDefinition.XML file.
     
  7. Save any changes to the LeefFormatDefinition.XML file.
     
  8. To restart the Check Point Log Exporter to accept the file changes, type: cp_log_export restart name <name>

    Results
    The Check Point Log Export utility is configured to forward events correctly to QRadar. By default, Log Exporter doesn't start automatically, so it might take some time for the appliance to generate events for QRadar. If QRadar isn't receiving events from Check Point, try these troubleshooting tips:
    • Check the $EXPORTERDIR/targets/<deployment_name>/conf/LeefFieldsMapping.xml file for attributes-mapping issues.
    • Check the $EXPORTERDIR/targets/<deployment_name>/conf/LeefFormatDefinition.xml file for LEEF header-mapping issues.
    • Check the file paths. File paths might change with Check Point updates. If a configuration file cannot be found, contact your Check Point administrator.
More troubleshooting for administrators
The events exported by the utility and sent to QRadar always have an EventID of 'Check Point Log'. If the events sent from Check Point do not contain a category field (cat=), administrators can confirm with Check Point Support that the Product field is present in the raw payloads. If you need to update mapping for Check Point events, see Configuring QRadar to receive LEEF events from Check Point.

 

Related information: Customizing LEEF mapping in Check Point events

LEEF mapping is configurable to the users who leverage the Check Point Log Exporter utility. Administrators who want to substitute values to map Check Point data to a specific field in the LEEF payload can alert the LeefFieldsMapping.XML file.

For example, the following LEEF messages are coming from the Check Point Log Exporter:
LEEF:2.0|Check Point|VPN-1 & FireWall-1|1.0|Accept|cat=VPN-1 & FireWall-1 devTime=1551791289 srcPort=61842 layer_name=TEST Security layer_uuid=9b1ead25-e38e-4fe4-8b50-4273da8ffcaa match_id=1931 parent_rule=0 rule_action=Accept rule_name=Navigation rule_uid=4a4793d5-789b-4e11-b452-03c2ad8c951d action=Accept ifdir=inbound ifname=bond2.650 logid=0 loguid={0x5c7e74b9,0x1f,0x5d66020a,0xc0000001} origin=IPADDRESS originsicname=TT\=ABDCEFG04,O\=sssss..sssss sequencenum=822 version=5 dst=IPADDRESS proto=6 service=443 service_id=https src=IPADDRESS

In the sample payload, the srcPort is defined as 61842 and there is no destination port (dstport) defined in the LEEF data received. However, there is a name=value pair for service, which is assigned to port 443. Administrators can understand how Check Point fields conform to the LEEF format by reviewing the LeefFieldsMapping.xml.

<field>
<origname>s_port</origname>
<dstname>srcPort</dstname>
</field>
<field>
<origname>srcPort</origname>
<dstname>srcPort</dstname>
</field>
<field>
<origname>d_port</origname>
<dstname>dstPort</dstname>
</field>
<field>
<origname>destination_port</origname>
<dstname>dstPort</dstname>
</field>
<origname>service</origname>
<dstname>dstPort</dstname>


After you restart the Log Exporter:
LEEF:2.0|Check Point|VPN-1 & FireWall-1|1.0|Accept|cat=VPN-1 & FireWall-1 devTime=1551791289 srcPort=61842 layer_name=TEST Security layer_uuid=9b1ead25-e38e-4fe4-8b50-4273da8ffcaa match_id=1931 parent_rule=0 rule_action=Accept rule_name=Navigation rule_uid=4a4793d5-789b-4e11-b452-03c2ad8c951d action=Accept ifdir=inbound ifname=bond2.650 logid=0 loguid={0x5c7e74b9,0x1f,0x5d66020a,0xc0000001} origin=IPADDRESS originsicname=TT\=ABDCEFG04,O\=sssss..sssss sequencenum=822 version=5 dst=IPADDRESS proto=6 dstport=443 service_id=https src=IPADDRESS

Document Location

Worldwide

[{"Type":"MASTER","Line of Business":{"code":"LOB24","label":"Security Software"},"Business Unit":{"code":"BU008","label":"Security"},"Product":{"code":"SSBQAC","label":"IBM Security QRadar SIEM"},"ARM Category":[{"code":"a8m0z000000cwt0AAA","label":"Log Source"}],"ARM Case Number":"","Platform":[{"code":"PF016","label":"Linux"}],"Version":"All Versions"}]

Document Information

Modified date:
15 June 2021

UID

ibm10876650