Exporting Logs
Check Point Log Exporter is an easy and secure method to export Check Point logs over syslog. Log Exporter is a multi-threaded daemon service which runs on a log server. Each log that is written on the log server is read by the Log Exporter daemon. It is then transformed into the applicable format and mapping and sent to the end target.
For more information, see sk122323.
To export logs from Harmony Browse:
- Go to Endpoint Settings > Export Events.
- Click Add. The New Logging Service window opens.
- Fill in the export details:
  - Name - Enter a name for the exported information.
  - IP Address - Enter the IP Address of the target to which the logs are exported.
  - Protocol - Select the protocol over which to export the logs: TCP or UDP.
  - Format - Select the export format.
  - Port - Select the port over which to export the logs. Only these ports are supported for outgoing communication: 514, 6514, 443.
  - TLS/SSL - Select this checkbox if you want log information to be TLS/SSL encrypted. The only allowed authentication method through TLS is mutual authentication. For mutual authentication, the log exporter needs these certificates:
    - A *.pem Certificate Authority certificate (must contain only the certificate of the CA that signed the client/server certificates, not the parent CA).
    - A *.p12 format client certificate (log exporter side).
    For instructions on how to create the certificates, see Creating Security Certificates for TLS Mutual Authentication.
- Click Add.
Creating Security Certificates for TLS Mutual Authentication
This section explains how to create self-signed security certificates for mutual authentication.
Procedure
- Create a CA certificate
  1. Generate the self-signed root CA key:
     openssl genrsa -out ca.key 2048
  2. Generate the root CA certificate file in the PEM format:
     openssl req -x509 -new -nodes -key ca.key -days 2048 -out ca.pem
     Enter the information regarding the certificate. This information is known as a Distinguished Name (DN). An important field in the DN is the Common Name (CN), which should be the exact Fully Qualified Domain Name (FQDN) of the host with which you intend to use the certificate. Apart from the Common Name, all other fields are optional and you can skip them. If you purchase an SSL certificate from a certificate authority, it is often required that these additional fields, such as "Organization", accurately reflect your organization's details.
     Best Practice - Use the device IP address as the Common Name.
- Create a client certificate
  1. Generate a client key:
     openssl genrsa -out cp_client.key 2048
  2. Generate a client certificate sign request:
     openssl req -new -key cp_client.key -out cp_client.csr
  3. Sign the certificate using the CA certificate files:
     openssl x509 -req -in cp_client.csr -CA ca.pem -CAkey ca.key -CAcreateserial -out cp_client.crt -days 2048 -sha256
  4. Convert the certificate to the P12 format:
     openssl pkcs12 -inkey cp_client.key -in cp_client.crt -export -out cp_client.p12
     Note - The challenge phrase used in this conversion is required in the cp_client TLS configuration.
- Update the security parameters on the Check Point exporting server
  1. On a Multi-Domain Server or Multi-Domain Log Server, go to the context of the applicable Domain Management Server or Domain Log Server.
     If you run on a Multi-Domain Server/Multi-Domain Log Server, run this command to switch to the required domain:
     mdsenv <Name or IP Address of Domain Management Server or Domain Log Server>
  2. Go to the deployment directory:
     cd $EXPORTERDIR/targets/<Deployment Name>/
  3. Create a directory for the certificate files:
     mkdir -v certs
  4. Copy the ca.pem and cp_client.p12 certificate files to the $EXPORTERDIR/targets/<Deployment Name>/certs/ directory.
     Note - The ca.key must not be published.
  5. Assign the read permissions to the ca.pem and cp_client.p12 certificate files:
     chmod -v +r ca.pem
     chmod -v +r cp_client.p12
  6. Update the secured target:
     cp_log_export set name <Name> domain-server <Domain-Server> encrypted true ca-cert <Full Path to CA Certificate *.pem File> client-cert <Full Path to *.p12 Certificate File> client-secret <Challenge Phrase for the *.p12 File>
- Create a server (target) certificate
  1. Generate a server key:
     openssl genrsa -out server.key 2048
  2. Generate a server certificate sign request:
     openssl req -new -key server.key -out server.csr
  3. Sign the certificate using the CA certificate files:
     openssl x509 -req -in server.csr -CA ca.pem -CAkey ca.key -CAcreateserial -out server.crt -days 2048 -sha256
     Note - Some SIEM applications require the server certificate to be in a specific format. For more information, refer to the SIEM Specific Instructions section (sk122323).
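The script below is an added example, not part of the original page or of Check Point's tooling. It rebuilds the certificate set with the procedure's openssl commands (made non-interactive with -subj and -passout) and checks what the exporter requires before cp_log_export is configured: a single-certificate ca.pem, client and server certificates signed by it, and a P12 file that opens with the challenge phrase. The function names, subject names, 192.0.2.x addresses and the phrase are constructed for illustration.

```bash
# Added example, not Check Point code. Subjects, addresses and phrases are constructed.
# Build CA, client and server files with the procedure's commands, made
# non-interactive with -subj and -passout. $1 = directory, $2 = P12 phrase.
make_sample_set() (
  mkdir -p "$1" && cd "$1" || exit 1
  openssl genrsa -out ca.key 2048
  openssl req -x509 -new -nodes -key ca.key -days 2048 -out ca.pem -subj "/CN=Example Log CA"
  for pair in cp_client:192.0.2.10 server:192.0.2.20; do
    name=${pair%%:*}
    openssl genrsa -out "$name.key" 2048
    openssl req -new -key "$name.key" -out "$name.csr" -subj "/CN=${pair#*:}"
    openssl x509 -req -in "$name.csr" -CA ca.pem -CAkey ca.key -CAcreateserial \
      -out "$name.crt" -days 2048 -sha256
  done
  openssl pkcs12 -inkey cp_client.key -in cp_client.crt -export \
    -out cp_client.p12 -passout "pass:$2"
) >/dev/null 2>&1

# Number of certificates in PEM file $1. The exporter's CA file must hold one.
count_certs() { grep -c -e '-----BEGIN CERTIFICATE-----' "$1"; }

# Succeeds only if certificate $2 verifies against CA file $1.
signed_by_ca() { openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; }

# Succeeds only if P12 $1 opens with phrase $2 and carries certificate $3.
p12_holds_cert() {
  want=$(openssl x509 -in "$3" -noout -fingerprint -sha256) || return 1
  got=$(openssl pkcs12 -in "$1" -passin "pass:$2" -nokeys -clcerts 2>/dev/null |
    openssl x509 -noout -fingerprint -sha256 2>/dev/null) || return 1
  [ "$want" = "$got" ]
}

# Run every check on directory $1 with phrase $2; report the first failure.
check_cert_set() {
  [ "$(count_certs "$1/ca.pem")" -eq 1 ] || { echo "ca.pem: expected one certificate"; return 1; }
  for crt in cp_client.crt server.crt; do
    signed_by_ca "$1/ca.pem" "$1/$crt" || { echo "$crt: not signed by ca.pem"; return 1; }
  done
  p12_holds_cert "$1/cp_client.p12" "$2" "$1/cp_client.crt" ||
    { echo "cp_client.p12: wrong phrase or wrong certificate"; return 1; }
  echo ok
}

demo_dir=$(mktemp -d)
make_sample_set "$demo_dir" 'constructed-phrase' && check_cert_set "$demo_dir" 'constructed-phrase'
rm -rf "$demo_dir"
```

To check real files, skip make_sample_set and call check_cert_set with the directory that holds ca.pem, cp_client.crt, server.crt and cp_client.p12.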
