Setup:
- Check Point R80.20 Gaia Standalone Machine (Build T101, Jumbo Hotfix T47)
- Splunk 7.2.5 (RPM package installed on CentOS 7)
Prerequisites:
- Existing Splunk setup.
- Existing Check Point setup.
- Communication between Check Point and Splunk.
- Log Exporter is already integrated with R80.20. There is no need to install a dedicated package.
- Install the Jumbo Hotfix Take 5 or higher for R80.20 on your Check Point server via CPUSE (for support of Splunk format and read-mode).
- It is recommended to use the Check Point App for Splunk when exporting logs to a Splunk server.
Introduction:
Check Point “Log Exporter” is an easy and secure method for exporting Check Point logs over syslog. Exporting can be done in a few standard protocols and formats.
Log Exporter supports:
- SIEM applications: Splunk, Arcsight, RSA, LogRhythm, QRadar, McAfee, rsyslog, syslog-ng and any other SIEM application that can run a syslog agent.
- Protocols: syslog over TCP or UDP.
- Formats: Syslog, Splunk, CEF, LEEF, Generic.
- Security: Mutual authentication TLS.
- Log Types: the ability to export security logs, audit logs, or both.
- Filter out (don’t export) firewall connection logs.
- Filtering: choose what to export based on field values.
Log Exporter is a multi-threaded daemon service running on a log server. Each log written on the log server is read by the Log Exporter daemon, transformed into the desired format and field mapping, and then sent to the target.
On MDS/MLM, if Log Exporter is deployed on several domains, each domain server has its own Log Exporter daemon. If logs are exported to several targets, each target has its own daemon.
The daemon handles each log in three stages:
- Extract – reads incoming logs from the Security Gateway
- Transform – changes the logs according to the configuration
- Export – sends the logs to the configured target server
Check Point Screenshots:
Splunk Screenshots:
Procedure:
1. Installing Check Point App for Splunk:
- Download the Check Point App for Splunk from the URL: https://splunkbase.splunk.com/app/4293/
- Log in to the Splunk web interface.
- Click on the Manage Apps icon in the Apps panel.
- On the next screen, click on Install app from file. Then choose the downloaded file and click on Upload.
- Once the upload is complete, Splunk will prompt for a restart to complete the installation.
- After Splunk restarts, the installed app appears in the Apps panel of the Splunk Web home page.
2. Configuring Data Input on Splunk Server:
- Log in to the Splunk web interface.
- Click on Settings and select the Data inputs option.
- Create a data input in Splunk for the desired port and protocol. In this scenario we use TCP port 2812: click on Add new for a TCP input.
- Enter the desired port number and click Next.
- Because Check Point logs are being received on Splunk, the Source type must be set to cp_log. Either the default index can be used to store the logs, or a new index can be created to keep them separate. Click on Review to proceed.
- Review the settings and click on Submit.
- Now that we have successfully created a data input on Splunk, we can proceed with configuration on Check Point.
3. Configuring Log Exporter on Check Point R80.20:
- Connect via SSH to the Management Server and enter expert mode.
- In order to configure a new target for the logs, run the following on the log server:
cp_log_export add name <name> [domain-server <domain-server>] target-server <target-server IP address> target-port <target-port> protocol <(udp|tcp)> format <(syslog)|(cef)|(splunk)|(generic)> [optional arguments]
- On MDS/MLM the domain-server argument is mandatory; use ‘mds’ as the value for domain-server in order to export MDS-level audit logs.
- This creates a new target directory, named after the unique name given in the name parameter, under $EXPORTERDIR/targets/<deployment_name>, and sets the target configuration parameters with the connection details: IP address, port, protocol, format and read-mode.
- The recommended read-mode for the splunk format is semi-unified, which ensures you receive complete data.
- Note that the above deployment exports the logs in clear text.
- The new log exporter does not start automatically. To start it, run: cp_log_export restart
cp_log_export Usage
Commands:
- add: Deploy a new Check Point logs exporter.
- set: Update an existing exporter’s configuration.
- delete: Remove an exporter.
- show: Print an exporter’s current configuration.
- status: Show an exporter’s overview status.
- start: Start an exporter process.
- stop: Stop an exporter process.
- restart: Restart an exporter process.
- reexport: Reset the current position and re-export all logs per the configuration.
Arguments:
- name: Unique name of the exporter configuration.
- domain-server: The relevant domain-server name or IP.
- target-server: The IP address the logs are exported to.
- target-port: The port on which the target is listening.
- protocol: Transport protocol to use.
- format: The format in which the logs will be exported.
- read-mode: The mode in which the log files will be read and exported.
- In our setup, we use the following syntax to enable log export to Splunk:
cp_log_export add name splunk target-server 192.168.77.50 target-port 2812 protocol tcp format splunk read-mode semi-unified
- Restart the export instance to make the changes effective: cp_log_export restart
- The status can be checked with cp_log_export status.
- Traffic arriving on port 2812 can be verified with tcpdump.
- The number of events can be seen on the Search tab of the Splunk app.
- Filters can be applied to the search as required.
- An overview of events is shown as dashboards under the General Overview section of the Check Point App for Splunk.
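As an added example (not part of the original write-up, and not Check Point or Splunk code), the script below stands in for the Splunk TCP input while verifying the feed in a lab: it accepts the exporter's connection on port 2812, parses each event, and applies the kind of field-value filtering listed under the Log Exporter features above. It assumes the splunk format emits one event per line as pipe-separated key=value pairs; the sample events, host names and field names it contains are constructed for illustration and are not real log data.

```python
"""Minimal receiver/parser for Check Point Log Exporter output in "splunk" format.

Added example for this walkthrough; it is not Check Point or Splunk code.
Assumption: the splunk format emits one event per line as pipe-separated
key=value pairs (time=...|hostname=...|product=...|action=...).
Field names used in the constructed sample (time, hostname, product, action,
src, dst, service, rule_name, administrator) are illustrative.
"""
import socket
from collections import Counter

# Constructed sample events shaped like Log Exporter "splunk" format output.
# One deliberately malformed line is included to exercise error handling.
SAMPLE_EVENTS = """\
time=1551086345|hostname=cp-gw-lab|product=Firewall|action=Accept|src=10.0.0.5|dst=192.168.77.50|service=2812|rule_name=Allow Splunk
time=1551086346|hostname=cp-gw-lab|product=Firewall|action=Drop|src=10.0.0.9|dst=8.8.8.8|service=53|rule_name=Cleanup rule
time=1551086347|hostname=cp-mgmt-lab|product=SmartConsole|action=Log In|administrator=admin
broken line without pipes
time=1551086348|hostname=cp-gw-lab|product=Firewall|action=Drop|src=10.0.0.9|dst=8.8.4.4|service=53|rule_name=Cleanup rule
"""


def parse_event(line):
    """Turn one pipe-delimited key=value line into a dict; return None if malformed."""
    line = line.strip()
    if not line or "|" not in line or "=" not in line:
        return None
    fields = {}
    for pair in line.split("|"):
        if "=" not in pair:
            continue  # tolerate a stray token rather than dropping the whole event
        key, _, value = pair.partition("=")
        fields[key.strip()] = value.strip()
    return fields or None


def matches_filter(event, filters):
    """True when every key in `filters` is present in the event with the given value.
    This mirrors the 'filter by field values' feature of Log Exporter."""
    return all(event.get(k) == v for k, v in filters.items())


def summarize(text, filters=None):
    """Parse a block of events, keep only those matching `filters` (if given),
    and return (parsed_count, malformed_count, Counter keyed by (product, action))."""
    parsed = malformed = 0
    counts = Counter()
    for line in text.splitlines():
        event = parse_event(line)
        if event is None:
            if line.strip():
                malformed += 1
            continue
        if filters and not matches_filter(event, filters):
            continue
        parsed += 1
        counts[(event.get("product", "?"), event.get("action", "?"))] += 1
    return parsed, malformed, counts


def listen(port=2812, max_events=10):
    """Lab-only TCP listener standing in for the Splunk input on the chosen port.
    Accepts one exporter connection, prints parsed events, returns how many were read."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind(("0.0.0.0", port))
    srv.listen(1)
    conn, peer = srv.accept()
    print("exporter connected from", peer)
    buf = b""
    seen = 0
    with conn:
        while seen < max_events:
            chunk = conn.recv(4096)
            if not chunk:
                break
            buf += chunk
            while b"\n" in buf:  # events are newline-terminated; keep any partial tail
                raw, buf = buf.split(b"\n", 1)
                print(parse_event(raw.decode("utf-8", "replace")))
                seen += 1
    srv.close()
    return seen


if __name__ == "__main__":
    # Offline demonstration on the constructed sample: keep only Firewall drops.
    parsed, malformed, counts = summarize(SAMPLE_EVENTS, {"product": "Firewall", "action": "Drop"})
    print(parsed, "events matched,", malformed, "malformed;", dict(counts))
    # To receive live events instead, stop the Splunk input on the port and call listen().
```

Running the script as-is only processes the embedded sample; calling listen() on a host reachable from the log server, with the Splunk input on that port stopped, shows exactly what the exporter sends before Splunk indexes it. Because the feed in this setup is clear text, the listener (and tcpdump) see every field, which is worth keeping in mind when deciding where this verification may be done.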
NOTE: This configuration exports the logs unencrypted. For TLS configuration steps, please contact us at splunk@qostechnology.in
Nice document, it's perfectly working in my lab.
Nice article.