Exporting Logs
Check Point Log Exporter is an easy and secure method to export Check Point logs over syslog. Log Exporter is a multi-threaded daemon service which runs on a log server. Each log that is written on the log server is read by the Log Exporter daemon. It is then transformed into the applicable format and mapping and sent to the end target.
For more information, see sk122323.
To export logs from Harmony Endpoint:
- Go to Endpoint Settings > Export Events.
- Click Add.
  The New Logging Service window opens.
- Fill in the export details:
  - Name - Enter a name for the exported information.
  - IP Address - Enter the IP address of the target to which the logs are exported.
  - Protocol - Select the protocol over which to export the logs: TCP or UDP.
  - Format - Select the export format.
  - Port - Select the port over which to export the logs. Only these ports are supported for outgoing communication: 514, 6514.
  - TLS/SSL - Select this checkbox if you want the log information to be TLS/SSL encrypted. The only authentication method allowed over TLS is mutual authentication. For mutual authentication, Log Exporter needs these certificates:
    - A *.pem Certificate Authority certificate (it must contain only the certificate of the CA that signed the client/server certificates, not the parent CA).
    - A *.p12 format client certificate (Log Exporter side).
    For instructions on how to create the certificates, see Creating Security Certificates for TLS Mutual Authentication.
- Click Add.
Creating Security Certificates for TLS Mutual Authentication
This section explains how to create self-signed security certificates for mutual authentication.
Notes:
Procedure
- Create a CA certificate
  1. Generate the self-signed root CA key:
     openssl genrsa -out ca.key 2048
  2. Generate the root CA certificate file in the PEM format:
     openssl req -x509 -new -nodes -key ca.key -days 2048 -out ca.pem
     Enter the information regarding the certificate. This information is known as a Distinguished Name (DN).
     An important field in the DN is the Common Name (CN), which should be the exact Fully Qualified Domain Name (FQDN) of the host with which you intend to use the certificate.
     Apart from the Common Name, all other fields are optional and you can skip them.
     If you purchase an SSL certificate from a certificate authority, it is often required that these additional fields, such as "Organization", accurately reflect your organization's details.
     Best Practice - We recommend using the device IP address as the Common Name.
- Create a client certificate
  1. Generate a client key:
     openssl genrsa -out cp_client.key 2048
  2. Generate a client certificate signing request:
     openssl req -new -key cp_client.key -out cp_client.csr
  3. Sign the certificate using the CA certificate files:
     openssl x509 -req -in cp_client.csr -CA ca.pem -CAkey ca.key -CAcreateserial -out cp_client.crt -days 2048 -sha256
  4. Convert the certificate to the P12 format:
     openssl pkcs12 -inkey cp_client.key -in cp_client.crt -export -out cp_client.p12
     Note - The challenge phrase used in this conversion is required in the cp_client TLS configuration.
- Create a server (target) certificate
  1. Generate a server key:
     openssl genrsa -out server.key 2048
  2. Generate a server certificate signing request:
     openssl req -new -key server.key -out server.csr
  3. Sign the certificate using the CA certificate files:
     openssl x509 -req -in server.csr -CA ca.pem -CAkey ca.key -CAcreateserial -out server.crt -days 2048 -sha256
     Note - Some SIEM applications require the server certificate to be in a specific format. For more information, refer to the SIEM Specific Instructions section in sk122323.
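The three procedures above, run end to end as an added shell example (not a Check Point script): it executes the same openssl steps non-interactively, then checks what each TLS peer will check during mutual authentication, namely that both leaf certificates verify against ca.pem and that the .p12 bundle opens with its challenge phrase. The subject names and the phrase are constructed values.

```shell
#!/bin/sh
# Added example (not Check Point's own script): runs the page's openssl steps
# non-interactively in a scratch directory, then checks what the TLS peers
# will check: both leaf certificates chain to ca.pem, and the .p12 bundle
# opens with its export (challenge) phrase. Subjects and phrase are constructed.
set -eu

P12_PHRASE="constructed-challenge-phrase"   # the phrase entered in the TLS config

# Generate CA, client and server material inside directory $1.
make_mtls_certs() {
    mkdir -p "$1"
    ( cd "$1"
      # Root CA key and self-signed CA certificate (ca.pem).
      openssl genrsa -out ca.key 2048 2>/dev/null
      openssl req -x509 -new -nodes -key ca.key -days 2048 -out ca.pem \
          -subj "/CN=LogExporter-Test-CA"
      # Client side (log exporter): key, CSR, CA-signed cert, P12 bundle.
      openssl genrsa -out cp_client.key 2048 2>/dev/null
      openssl req -new -key cp_client.key -out cp_client.csr \
          -subj "/CN=192.0.2.10"             # constructed exporter IP as CN
      openssl x509 -req -in cp_client.csr -CA ca.pem -CAkey ca.key \
          -CAcreateserial -out cp_client.crt -days 2048 -sha256 2>/dev/null
      openssl pkcs12 -inkey cp_client.key -in cp_client.crt -export \
          -out cp_client.p12 -passout "pass:$P12_PHRASE"
      # Server side (syslog target): key, CSR, CA-signed cert.
      openssl genrsa -out server.key 2048 2>/dev/null
      openssl req -new -key server.key -out server.csr \
          -subj "/CN=siem.example.test"      # constructed SIEM FQDN as CN
      openssl x509 -req -in server.csr -CA ca.pem -CAkey ca.key \
          -CAcreateserial -out server.crt -days 2048 -sha256 2>/dev/null
    )
}

# 0 only if certificate $2 was issued by the CA in $1 (the one CA ca.pem may hold).
chains_to_ca() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# 0 only if the P12 bundle $1 opens with phrase $2; a wrong phrase fails the MAC check.
p12_opens_with() {
    openssl pkcs12 -in "$1" -passin "pass:$2" -nokeys -noout 2>/dev/null
}

# Demo run: sh script.sh demo
if [ "${1:-}" = "demo" ]; then
    d=$(mktemp -d) && make_mtls_certs "$d"
    chains_to_ca "$d/ca.pem" "$d/cp_client.crt" && echo "client cert chains to CA"
    chains_to_ca "$d/ca.pem" "$d/server.crt"    && echo "server cert chains to CA"
    p12_opens_with "$d/cp_client.p12" "$P12_PHRASE" && echo "p12 opens with phrase"
fi
```

A certificate signed by any other CA, including a parent of the signing CA, fails chains_to_ca against ca.pem, which is why the CA file must hold exactly the issuing CA's certificate.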