Appendix

Special Log Fields

Field      Description
---------  --------------------------------------------------------------------
loguid     Some Check Point logs are updated over time. All updates of one log
           carry the same loguid value, and Check Point SmartEvent correlates
           them into a single unified log.

           When update logs are sent to third-party (SIEM) servers in raw read
           mode, they arrive as distinct logs. It is better to use the
           semi-unified read mode, which sends fewer instances of the log, each
           of which contains the entire event chain up to that update.

           Administrators can alternatively use the loguid field to correlate
           the update logs and reconstruct the full event chain themselves.

           Note - In semi-unified mode, all related logs and log updates carry
           the same time as the first log.

           Examples of fields that are updated over time are the total number of
           bytes sent and received, and the severity field, which is revised as
           more information becomes available.

hll_key    Stands for High-Level Log key.

           This concept was introduced in the R80.10 release, where multiple
           connection logs can make up one session that shares one hll_key.

           For example, when browsing a web page you may see multiple connection
           logs that belong to the same session. Connection logs that are part
           of the same session share the same hll_key value.
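The loguid and hll_key correlation described above, as an added example that is not part of the page and not Check Point's code: a small Python script that folds raw-mode update logs into one unified record per loguid (keeping the first log's time, as semi-unified mode does, and the most recent value of every other field) and then groups the resulting connections into sessions by hll_key. The key="value" layout of the sample records, the field names other than loguid and hll_key, and the loguid and hll_key values are constructed for the illustration; they are not Check Point's export format.

```python
import re

# Parser for the constructed key="value" records below (a generic layout for
# illustration, not Check Point's actual export format).
KV_RE = re.compile(r'(\w+)="([^"]*)"')


def parse_kv(line):
    """Return one record as a dict of field name -> string value."""
    return dict(KV_RE.findall(line))


# Constructed sample records. The first three share one loguid: an initial
# connection log followed by two updates that revise the byte counter and the
# severity. The last two are separate connections; one belongs to the same
# browsing session as the first (same hll_key), the other does not.
LOGUID_A = "{0x5ac9d4e2,0x1,0xc0a80a01,0xc0000001}"
LOGUID_B = "{0x5ac9d4e3,0x1,0xc0a80a01,0xc0000001}"
LOGUID_C = "{0x5ac9d4e4,0x1,0xc0a80a01,0xc0000002}"

SAMPLE_LOGS = [
    f'time="1523367890" loguid="{LOGUID_A}" hll_key="1" src="10.1.1.5" '
    'dst="198.51.100.7" service="https" action="Accept" bytes="0" severity="Low"',
    f'time="1523367900" loguid="{LOGUID_A}" hll_key="1" bytes="4096"',
    f'time="1523367950" loguid="{LOGUID_A}" hll_key="1" bytes="10240" severity="High"',
    f'time="1523367891" loguid="{LOGUID_B}" hll_key="1" src="10.1.1.5" '
    'dst="198.51.100.8" service="https" action="Accept" bytes="512"',
    f'time="1523367892" loguid="{LOGUID_C}" hll_key="2" src="10.1.1.6" '
    'dst="198.51.100.9" service="dns" action="Accept" bytes="128"',
]


def unify_by_loguid(lines):
    """Correlate raw-mode update logs into one record per loguid.

    Records are applied in time order. The unified record keeps the time of
    the first log (as semi-unified mode does), takes the most recent value of
    every other field, remembers when the last update arrived, and counts the
    updates that were folded in.
    """
    records = sorted((parse_kv(line) for line in lines), key=lambda r: int(r["time"]))
    unified = {}
    for rec in records:
        guid = rec["loguid"]
        if guid not in unified:
            unified[guid] = dict(rec, updates=0)
            continue
        merged = unified[guid]
        merged.update({k: v for k, v in rec.items() if k != "time"})
        merged["last_update_time"] = rec["time"]
        merged["updates"] += 1
    return unified


def group_by_hll_key(lines):
    """Group the unified connection logs into sessions keyed by hll_key."""
    sessions = {}
    for guid, rec in unify_by_loguid(lines).items():
        sessions.setdefault(rec["hll_key"], []).append(guid)
    return sessions


if __name__ == "__main__":
    for guid, rec in unify_by_loguid(SAMPLE_LOGS).items():
        print(guid, rec["time"], rec.get("bytes"), rec.get("severity"), rec["updates"])
    for key, guids in group_by_hll_key(SAMPLE_LOGS).items():
        print("session", key, "->", len(guids), "connection(s)")
```

The sort by time matters because raw-mode updates can be delivered out of order; without it a late-arriving older update would overwrite newer byte counts.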

Configuration for Syslog-NG Listener

When configuring a source on a syslog-ng server, it is recommended to use the syslog-protocol flag, which tells syslog-ng to parse the incoming messages as RFC 5424 syslog.

For example:

source s_network { network(transport("tcp") port(514) flags(syslog-protocol) ); };
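A complete syslog-ng fragment built around that source, as an added example that is not part of the page or of Check Point's documentation: it declares the listener, a file destination, and the log path that joins them. The listener address, the destination path and the template are assumptions for the illustration; the fragment is meant to be placed in a file included by the main syslog-ng.conf.

```conf
# Listener for Check Point Log Exporter (TCP/514, RFC 5424 framing per the
# syslog-protocol flag). ip() is an assumed address; bind to the interface
# the gateways actually reach.
source s_checkpoint {
    network(
        ip("0.0.0.0")
        transport("tcp")
        port(514)
        flags(syslog-protocol)
    );
};

# Assumed destination: one file per day, message body kept verbatim.
destination d_checkpoint {
    file(
        "/var/log/checkpoint/${YEAR}${MONTH}${DAY}.log"
        template("${ISODATE} ${HOST} ${MSG}\n")
        create-dirs(yes)
    );
};

log { source(s_checkpoint); destination(d_checkpoint); };
```

This listener accepts cleartext TCP; syslog-ng's network() driver also accepts transport("tls") with a tls() option block when the exporter is configured to send over TLS, which is the setting to prefer for log traffic crossing untrusted segments.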

Configuration for Splunk Listener

It is recommended to add these time settings to your source type (in props.conf), so that Splunk reads the epoch-seconds value that follows the time= field as the event timestamp:

TIME_FORMAT = %s
TIME_PREFIX = time=
MAX_TIMESTAMP_LOOKAHEAD = 15

Configuration for ArcSight Listener

The Log Exporter solution does not work with the OPSEC LEA connector.

Instead, you must install the ArcSight Syslog-NG connector.

Mapping for the ArcSight Common Event Format (CEF)

CEF is an extensible, text-based format designed to support multiple device types by carrying the most relevant information. Message syntaxes are reduced so that they work with ESM normalization. Specifically, CEF defines a syntax for log records consisting of a standard header and a variable extension formatted as key-value pairs. The CEF format can be used with on-premises devices by implementing the ArcSight Syslog SmartConnector, and by cloud-based service providers by implementing the SmartConnector for ArcSight Common Event Format REST.

CEF Header format

The Default column is the value written when the log carries none of the listed fields; the Values column lists the log fields from which the header field is otherwise populated.

Header field           Default       Values
---------------------  ------------  ----------------------------------------------
Version                CEF:0         -
Device Vendor          Check Point   -
Device Product         Log Update    Product Name (Blade)
Device Version         Check Point   -
Device Event Class ID  Log           Attack Name, Protection Type, Verdict,
                                     Matched Category, DLP Data Type,
                                     Application Category, Application Properties
Name                   Log           Protection Name, Application Name,
                                     Message Info, Service ID, Service
Severity               0             Application Risk, Risk, Severity

Mapping for the QRadar Log Event Extended Format (LEEF)

The Log Event Extended Format (LEEF) is a customized event format for IBM Security QRadar.

LEEF Header format

Header field   Default          Values
-------------  ---------------  ------------------------------------------
LEEF:Version   LEEF:2.0         -
Vendor         Check Point      -
Product        Log Update       Product Name (Blade)
Version        1.0              -
EventID        Check Point Log  Protection Name, Application Name, Action

Note - The time format is not compliant with the official LEEF format.

Until IBM adds support for the epoch time format, Log Exporter's LEEF output is only partially supported.
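The CEF and LEEF header mappings in the two tables above, as an added example that is not part of the page and not Check Point's code: a Python formatter that builds the header from a parsed log record according to the tables, applies the escaping the formats require, and emits the remaining fields as the extension. The key="value" sample records are constructed, their keys are the tables' display names in snake_case rather than Check Point's actual field names, and the mapping assumes that the first listed candidate field present in the log is used (the tables list the candidates but do not state a precedence). The example also assumes the consumer accepts the explicit attribute delimiter that LEEF 2.0 allows in the header.

```python
import re

KV_RE = re.compile(r'(\w+)="([^"]*)"')


def parse_kv(line):
    """Parse one constructed key="value" record into a dict."""
    return dict(KV_RE.findall(line))


# Candidate log fields for the mapped header positions, in the order the
# appendix tables list them. Keys are the tables' display names in snake_case
# (an illustration convention, not necessarily Check Point's field names).
# ASSUMPTION: the first candidate present in the log wins; the tables list the
# candidates but do not state a precedence.
CEF_CLASS_ID = ["attack_name", "protection_type", "verdict", "matched_category",
                "dlp_data_type", "application_category", "application_properties"]
CEF_NAME = ["protection_name", "application_name", "message_info", "service_id", "service"]
CEF_SEVERITY = ["application_risk", "risk", "severity"]
LEEF_EVENT_ID = ["protection_name", "application_name", "action"]

# Constructed sample records: a Threat Prevention log that fills the mapped
# positions, and a plain firewall log that falls back to the defaults.
SAMPLE_LOGS = [
    'time="1523367890" product="Anti-Virus" attack_name="Malicious File Download" '
    'protection_name="Trojan.Win32.Generic.A" severity="High" src="10.1.1.5" '
    'dst="198.51.100.7" action="Prevent"',
    'time="1523367891" product="VPN-1 & FireWall-1" service="https" action="Accept" '
    'src="10.1.1.5" dst="198.51.100.7" user="CN=alice"',
]


def first_present(record, candidates, default):
    """Return the value of the first candidate field that is non-empty, else default."""
    for key in candidates:
        if record.get(key):
            return record[key]
    return default


def cef_header_escape(value):
    """CEF header fields: backslash and pipe must be escaped."""
    return value.replace("\\", "\\\\").replace("|", "\\|")


def cef_ext_escape(value):
    """CEF extension values: backslash, equals sign and line breaks must be escaped."""
    return (value.replace("\\", "\\\\").replace("=", "\\=")
            .replace("\r", "\\r").replace("\n", "\\n"))


def to_cef(record):
    """Render a record as a CEF line using the appendix's header mapping."""
    header = [
        "CEF:0",                                      # Version
        "Check Point",                                # Device Vendor
        record.get("product", "Log Update"),          # Device Product: Product Name (Blade)
        "Check Point",                                # Device Version
        first_present(record, CEF_CLASS_ID, "Log"),   # Device Event Class ID
        first_present(record, CEF_NAME, "Log"),       # Name
        first_present(record, CEF_SEVERITY, "0"),     # Severity
    ]
    # Simplification for the example: every field is emitted verbatim as an
    # extension pair instead of being renamed to CEF's standard keys.
    extension = " ".join(f"{k}={cef_ext_escape(v)}" for k, v in record.items())
    return "|".join(cef_header_escape(h) for h in header) + "|" + extension


# LEEF 2.0 lets the header name the attribute delimiter explicitly; '^' is
# used here (assumption: the consumer accepts an explicit delimiter).
LEEF_DELIM = "^"


def to_leef(record):
    """Render a record as a LEEF 2.0 line using the appendix's header mapping."""
    header = [
        "LEEF:2.0",                                             # LEEF:Version
        "Check Point",                                          # Vendor
        record.get("product", "Log Update"),                    # Product: Product Name (Blade)
        "1.0",                                                  # Version
        first_present(record, LEEF_EVENT_ID, "Check Point Log"),  # EventID
        LEEF_DELIM,                                             # attribute delimiter
    ]
    # The time field is passed through as epoch seconds; see the note above
    # about this not matching the official LEEF time format.
    extension = LEEF_DELIM.join(
        f"{k}={v.replace(LEEF_DELIM, ' ')}" for k, v in record.items())
    return "|".join(h.replace("|", "\\|") for h in header) + "|" + extension


if __name__ == "__main__":
    for line in SAMPLE_LOGS:
        rec = parse_kv(line)
        print(to_cef(rec))
        print(to_leef(rec))
```

Note that the firewall record maps to `|Log|https|0|` in CEF: Device Event Class ID and Severity fall back to their defaults because none of the listed fields is present, while Name is taken from Service, the last candidate in its list.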