Integration of Check Point R80.20 with Splunk using Log Exporter utility

By Arun Kumar S in Check Point
193 Views
0 Comments

Setup:

  • Check Point R80.20 Gaia Standalone Machine (Build T101, Jumbo Hotfix T47)
  • Splunk 7.2.5 (RPM package installed on CentOS 7)

Pre-requisites:

  • Existing Splunk setup.
  • Existing Check Point setup.
  • Communication between Check Point and Splunk.
  • Log Exporter is already integrated with R80.20. There is no need to install a dedicated package.
  • Install the Jumbo Hotfix Take 5 or higher for R80.20 on your Check Point server via CPUSE (for support of Splunk format and read-mode).
  • It is recommended to use Check Point App for Splunk when exporting logs to Splunk server.

Introduction:

Check Point “Log Exporter” is an easy and secure method for exporting Check Point logs over syslog. Exporting can be done in a few standard protocols and formats.

Log Exporter supports:

  1. SIEM applications: Splunk, Arcsight, RSA, LogRhythm, QRadar, McAfee, rsyslog, ng-syslog and any other SIEM application that can run a syslog agent.
  2. Protocols: syslog over TCP or UDP.
  3. Formats: Syslog, Splunk, CEF, LEEF, Generic.
  4. Security: Mutual authentication TLS.
  5. Log Types: The ability to export security logs/audit logs or both.
  6. Filter out (don’t export) firewall connection logs.
  7. Filtering: choose what to export based on field values.

Log Exporter is a multi-threaded daemon service, running on a log server. Each log that is written on the log server is read by the log exporter daemon, transformed into the desired format and mapping, and then sent to the end target.
On MDS/MLM, if log exporter is deployed on several domains, each domain server will have its own log exporter daemon service. If exporting the logs to several targets, each target will have its own log exporter daemon.

  • Extract – Reads incoming logs from the Security Gateway
  • Transform – Changes the logs according to the configuration
  • Export – Sending the logs to the configured target server

Check Point Screenshots:

Splunk Screenshots:

Procedure:

    1. Installing Check Point App for Splunk:

  1. Download the Check Point App for Splunk from the URL: https://splunkbase.splunk.com/app/4293/
  2. Login to Splunk web interface.

  3. Click on the Manage Apps icon from the Apps panel.

  4. Over the next screen, click on Install app from file. Then, choose the downloaded file and click on Upload.

  5. Once the upload is complete, a Splunk restart will be prompted to complete the process.

  6. Post restart of Splunk, the installed app can be seen over the Apps panel of the Splunk Web Home page.

  7. 2. Configuring Data Input on Splunk Server:

  8. Login to Splunk web interface.
  9. Click on Settings and select the Data inputs option.

  10. Create a data input in Splunk for desired port and protocol. In this scenario, we will use tcp 2812, click on Add new tcp input.

  11. Enter the desired Port number and click Next.

  12. As we are receiving Check Point logs on Splunk, it is necessary to choose the Source type as cp_log. Either the Default Index can be used to store the logs or a new index can be created to separate the indexes as required. Click on Review to proceed next.

  13. Review the settings and click on Submit.

  14. Now that we have successfully created a data input on Splunk, we can proceed with configuration on Check Point.

  15. 3. Configuring Log Exporter on Check Point R80.20:

  16. Connect to SSH of the Management Server and login to expert mode.

  17. In order to configure a new target for the logs do the following on the log server:

    cp_log_export add name <name> [domain-server <domain-server>] target-server <target-server IP address> target-port <target-port> protocol <(udp|tcp)> format <(syslog)|(cef)|(splunk)(generic)> [optional arguments]

    • On MDS/MLM: domain-server argument is mandatory, you can use ‘mds’ as the value for domain-server in order to export mds level audit logs
    • This will create a new target directory with the unique name specified in the name parameter under $EXPORTERDIR/targets/<deployment_name>, and set the target configuration parameters with the connection details: IP Address, port, protocol, format and read-mode.
    • The recommended read-mode for splunk format is semi-unified which ensures you will get a complete data.
    • Note the above deployment will export the logs in clear text.
    • The new log exporter does not start automatically. To start it run: cp_log_export restart
  18. In our setup, we shall use the following syntax to enable log export to Splunk:cp_log_export add name splunk target-server 192.168.77.50 target-port 2812 protocol tcp format splunk read-mode semi-unified

  19. Restart the export instance to make the changes effective.

  20. The status can be seen with the following commands.

  21. TCPDUMP output on port 2812.

  22. The number of events can be seen over the Search tab of the Splunk app.

  23. Necessary filters can be queried as per the requirement.



  24. The overview of events can be seen as dashboards under General Overview section of Check Point app for Splunk application.

Leave a Reply

Your email address will not be published. Required fields are marked *

Take a sneak-peek into our minds.

Read our musings on what’s changing and impacting the world in the field of cyber security and analytics.

Subscribe our Newsletter and recieve updates directly to your inbox

We don't spam!

Big News 🙂 - FWHealth (Firewall Health Reporting Tool) is now 100% Free, Forever.Know More
+