Setup:

• Check Point R80.20 Gaia Standalone Machine (Build T101, Jumbo Hotfix T47)
• Splunk 7.2.5 (RPM package installed on CentOS 7)

Pre-requisites:

• Existing Splunk setup.
• Existing Check Point setup.
• Communication between Check Point and Splunk.
• Log Exporter is already integrated with R80.20. There is no need to install a dedicated package.
• Install the Jumbo Hotfix Take 5 or higher for R80.20 on your Check Point server via CPUSE (for support of Splunk format and read-mode).
• It is recommended to use Check Point App for Splunk when exporting logs to Splunk server.

Introduction:

Check Point “Log Exporter” is an easy and secure method for exporting Check Point logs over syslog. Exporting can be done in a few standard protocols and formats.

Log Exporter supports:

1. SIEM applications: Splunk, Arcsight, RSA, LogRhythm, QRadar, McAfee, rsyslog, ng-syslog and any other SIEM application that can run a syslog agent.
2. Protocols: syslog over TCP or UDP.
3. Formats: Syslog, Splunk, CEF, LEEF, Generic.
4. Security: Mutual authentication TLS.
5. Log Types: The ability to export security logs/audit logs or both.
6. Filter out (don’t export) firewall connection logs.
7. Filtering: choose what to export based on field values.

Log Exporter is a multi-threaded daemon service, running on a log server. Each log that is written on the log server is read by the log exporter daemon, transformed into the desired format and mapping, and then sent to the end target.
On MDS/MLM, if log exporter is deployed on several domains, each domain server will have its own log exporter daemon service. If exporting the logs to several targets, each target will have its own log exporter daemon.

• Extract – Reads incoming logs from the Security Gateway
• Transform – Changes the logs according to the configuration
• Export – Sending the logs to the configured target server

Check Point Screenshots:

Splunk Screenshots:

Procedure:

1. Installing Check Point App for Splunk:

1. Download the Check Point App for Splunk from the URL: https://splunkbase.splunk.com/app/4293/
2. Login to Splunk web interface.
   
   
3. Click on the Manage Apps icon from the Apps panel.
   
   
4. Over the next screen, click on Install app from file. Then, choose the downloaded file and click on Upload.
   
   
5. Once the upload is complete, a Splunk restart will be prompted to complete the process.
   
   
6. Post restart of Splunk, the installed app can be seen over the Apps panel of the Splunk Web Home page.
   
   

2. Configuring Data Input on Splunk Server:

7. Login to Splunk web interface.
8. Click on Settings and select the Data inputs option.
   
   
9. Create a data input in Splunk for desired port and protocol. In this scenario, we will use tcp 2812, click on Add new tcp input.
   
   
10. Enter the desired Port number and click Next.
    
    
11. As we are receiving Check Point logs on Splunk, it is necessary to choose the Source type as cp_log. Either the Default Index can be used to store the logs or a new index can be created to separate the indexes as required. Click on Review to proceed next.
    
    
12. Review the settings and click on Submit.
    
    
13. Now that we have successfully created a data input on Splunk, we can proceed with configuration on Check Point.
    
    

3. Configuring Log Exporter on Check Point R80.20:

14. Connect to SSH of the Management Server and login to expert mode.
    
    
15. In order to configure a new target for the logs do the following on the log server:
    
    cp_log_export add name <name> [domain-server <domain-server>] target-server <target-server IP address> target-port <target-port> protocol <(udp|tcp)> format <(syslog)|(cef)|(splunk)(generic)> [optional arguments]
    • On MDS/MLM: domain-server argument is mandatory, you can use ‘mds’ as the value for domain-server in order to export mds level audit logs
    • This will create a new target directory with the unique name specified in the name parameter under $EXPORTERDIR/targets/<deployment_name>, and set the target configuration parameters with the connection details: IP Address, port, protocol, format and read-mode.
    • The recommended read-mode for splunk format is semi-unified which ensures you will get a complete data.
    • Note the above deployment will export the logs in clear text.
    • The new log exporter does not start automatically. To start it run: cp_log_export restart

    cp_log_export Usage

    Command Name	Command Description
    add	Deploy a new Check Point logs exporter.
    set	Updates an existing exporter’s configuration
    delete	Removes an exporter.
    show	Prints an exporter’s current configuration.
    status	Shows an exporter’s overview status.
    start	Starts an exporter process.
    stop	Stops an exporter process.
    restart	Restarts an exporter process.
    reexport	Resets the current position, and re-exports all logs per the configuration.
    name	Unique name of the exporter configuration.
    domain-server	The relevant domain-server name or IP
    target-server	Exporting the logs to this IP address
    target-port	The port on which the target is listening to
    protocol	Transport protocol to use
    format	The format in which the logs will be exported
    read-mode	The mode in which the log files will be read and exported

16. In our setup, we shall use the following syntax to enable log export to Splunk:cp_log_export add name splunk target-server 192.168.77.50 target-port 2812 protocol tcp format splunk read-mode semi-unified
    
    

NOTE: This configuration exports the logs in an unencrypted format. For TLS Configuration steps, please contact us at splunk@qostechnology.in


17. Restart the export instance to make the changes effective.
    
    
18. The status can be seen with the following commands.
    
    
19. TCPDUMP output on port 2812.
    
    
20. The number of events can be seen over the Search tab of the Splunk app.
    
    
21. Necessary filters can be queried as per the requirement.
    
    
    
    
22. The overview of events can be seen as dashboards under General Overview section of Check Point app for Splunk application.