Introduction

The main article for Log Exporter is sk122323.

Overview

Check Point "Log Exporter" is an easy and secure method for exporting Check Point logs over the syslog protocol.

Exporting can be done over a few standard protocols and in several standard formats.

Log Exporter supports:

  • SIEM applications:

    Splunk, LogRhythm, ArcSight, RSA, QRadar, McAfee, rsyslog, syslog-ng, and any other SIEM application that can receive syslog (run a syslog agent).

  • Protocols:

    Syslog over TCP, Syslog over UDP.

  • Formats:

    Syslog, Splunk, CEF, LEEF, Generic, JSON, LogRhythm, RSA.

  • Security:

    Mutual authentication over TLS 1.2 (both the Log Exporter and the target server present certificates).

  • Log Types:

    The ability to export Security logs, Audit logs, or both.

    Note - Audit logs exist on both the Management Server and the Log Server.

  • Filtering:

    Choose what to export based on field values. Filter out (do not export) Security Gateway connection logs.

  • Links to Logs and Log Attachments:

    Export links to the relevant log card in SmartView and to the log attachments.

Availability of Features

The table below contains the release information for the features:

Feature / Capability | Description | R81.10 and higher | R81 | R80.40 | R80.30 | R80.20
Filtering | Choose what to export based on field values | Integrated in the release | Integrated in the release | Integrated in the release | Requires R80.30 Jumbo Hotfix Accumulator Take 107 and higher | Requires R80.20 Jumbo Hotfix Accumulator Take 103 and higher
Links to Logs and Log Attachments | Export links to the relevant log card in SmartView and to the log attachments (Forensics / Threat Emulation reports) | Integrated in the release | Integrated in the release | Integrated in the release | Requires R80.30 Jumbo Hotfix Accumulator Take 107 and higher | Requires R80.20 Jumbo Hotfix Accumulator Take 127 and higher
API for Attachment IDs | Export identifiers of attachments for fetching them via Log API | Integrated in the release | Integrated in the release | Requires R80.40 Jumbo Hotfix Accumulator Take 78 and higher | Requires R80.30 Jumbo Hotfix Accumulator Take 217 and higher | Requires R80.20 Jumbo Hotfix Accumulator Take 183 and higher
DNS Name Usage | Configure DNS name (FQDN) as the target-server in addition to IP address | Integrated in the release | Requires R81.10 Jumbo Hotfix Accumulator Take 13 and higher | Requires R80.40 Jumbo Hotfix Accumulator Take 92 and higher | Requires R80.30 Jumbo Hotfix Accumulator Take 228 and higher | Requires R80.20 Jumbo Hotfix Accumulator Take 190 and higher
Reconnection to Load Balancer | Initiate reconnection to load balancer every X minutes (configurable) | Integrated in the release | Requires R81.10 Jumbo Hotfix Accumulator Take 13 and higher | Requires R80.40 Jumbo Hotfix Accumulator Take 92 and higher | Requires R80.30 Jumbo Hotfix Accumulator Take 228 and higher | Requires R80.20 Jumbo Hotfix Accumulator Take 190 and higher

How It Works

Log Exporter is a multi-threaded daemon that runs on a Management Server / Log Server. The daemon reads each log, transforms it into the desired format and field mapping, and sends it to the configured target. Because it reads only the logs stored locally on the server it runs on, we recommend deploying Log Exporter on every server that holds logs to be exported.

On a Multi-Domain Security Management Server / Multi-Domain Log Server, if Log Exporter is deployed on several Domains, each Domain Management Server runs its own Log Exporter daemon. Likewise, if you export logs to several targets, each target has its own Log Exporter daemon.

The Log Exporter follows the "ETL" (Extract, Transform, Load) pattern:

  • Extract - Reads the incoming logs, which the Security Gateways send to the server and which are stored in its local log files.

  • Transform - Changes each log according to the configuration files: the exported format, the mapping of field names and values, and the removal of irrelevant fields.

  • Load - Sends the logs to the configured target server over Syslog over TCP or Syslog over UDP, applying the filter configuration if one exists.

  • Data integrity - When the connection to the 3rd-party server is lost, Log Exporter stops exporting and remembers the position of the last log it exported. Once the connection is established again, it automatically resumes exporting from that last known position, so no logs are skipped. Only a connection-oriented target (TCP, including TLS) can signal a disconnection; UDP has no connection state to detect.

Log Exporter exports both online logs (arriving now) and offline logs (already on disk and not yet exported), if any, in parallel. If the 3rd-party server is slow, Log Exporter reduces the offline export rate so that online logs take priority over offline logs.
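The ETL loop and the data-integrity behaviour described in this section, together with the field-value filtering and the CEF format listed in the Overview, shown as an added Python illustration. This is not Check Point's Log Exporter code: the "key=value;" sample records, the CEF field mapping, the syslog facility and app-name values, and the FlakyTarget class standing in for the 3rd-party receiver are all constructed for the example. The point it demonstrates is the checkpoint rule: the position only moves past a record once that record was filtered out or accepted by the target, so a reconnect resumes at the first unsent record with nothing lost and nothing duplicated.

```python
"""Illustrative ETL exporter with a resumable checkpoint (added example, not
Check Point code): sample records, field mapping and the target stub are all
constructed for this illustration."""
from typing import Callable, Dict, Iterator, List, Optional, Tuple

Record = Dict[str, str]

# Constructed sample log file: one record per line, key=value pairs split by ';'.
# Lines 0 and 2 are Security Gateway connection logs, line 1 is an Audit log.
SAMPLE_LOG_FILE = [
    "time=2024-01-01T10:00:00Z;product=Firewall;action=Accept;src=10.0.0.5;dst=198.51.100.7;service=443;rule_name=Web out",
    "time=2024-01-01T10:00:01Z;product=SmartConsole;action=Modify Object;administrator=alice;rule_name=Web out",
    "time=2024-01-01T10:00:02Z;product=Firewall;action=Drop;src=203.0.113.9;dst=10.0.0.5;service=22;rule_name=Cleanup (id=99)",
    "time=2024-01-01T10:00:03Z;product=Anti-Virus;action=Prevent;src=10.0.0.8;dst=203.0.113.77;malware=EICAR-Test;severity=High",
]

def extract(lines: List[str], start: int) -> Iterator[Tuple[int, Record]]:
    """Extract: yield (position, record) from the last acknowledged position on."""
    for pos in range(start, len(lines)):
        pairs = (kv.split("=", 1) for kv in lines[pos].split(";") if "=" in kv)
        yield pos, {k.strip(): v.strip() for k, v in pairs}

def cef_escape(value: str, header: bool) -> str:
    """CEF escaping: backslash everywhere, '|' in header fields, '=' in extension values."""
    value = value.replace("\\", "\\\\")
    return value.replace("|", "\\|") if header else value.replace("=", "\\=")

# Assumed field mapping for the illustration only; the real mapping lives in
# Log Exporter's configuration files and is not reproduced here.
CEF_EXT = {"src": "src", "dst": "dst", "service": "dpt", "action": "act",
           "rule_name": "cs1", "administrator": "suser", "malware": "cs2"}
CEF_SEV = {"Low": "3", "Medium": "5", "High": "8", "Critical": "10"}

def to_cef(r: Record) -> str:
    """Transform: CEF:0|Vendor|Product|Version|SignatureID|Name|Severity|extensions."""
    head = ["Check Point", r.get("product", "unknown"), "1.0",
            r.get("action", "unknown"), r.get("action", "unknown"),
            CEF_SEV.get(r.get("severity", ""), "1")]
    ext = " ".join(f"{CEF_EXT[k]}={cef_escape(v, False)}" for k, v in r.items() if k in CEF_EXT)
    return "CEF:0|" + "|".join(cef_escape(h, True) for h in head) + "|" + ext

def syslog_frame(ts: str, msg: str, host: str = "mgmt1", app: str = "cp_log_export") -> bytes:
    """Load: RFC 5424 header (facility local4, severity info -> PRI 166) with
    RFC 6587 octet-count framing, the framing used for syslog over TCP."""
    body = f"<166>1 {ts} {host} {app} - - - {msg}".encode()
    return f"{len(body)} ".encode() + body

class FlakyTarget:
    """Stand-in for the 3rd-party syslog receiver; resets the connection once."""

    def __init__(self, fail_after: int) -> None:
        self.received: List[bytes] = []
        self.fail_after: Optional[int] = fail_after
        self.connected = False

    def connect(self) -> None:
        self.connected = True

    def send(self, frame: bytes) -> None:
        if not self.connected:
            raise ConnectionError("not connected")
        if self.fail_after is not None and len(self.received) == self.fail_after:
            self.fail_after, self.connected = None, False
            raise ConnectionError("connection reset by peer")
        self.received.append(frame)

def export(lines: List[str], target: FlakyTarget, checkpoint: Dict[str, int],
           keep: Callable[[Record], bool]) -> int:
    """One export pass; returns the number of frames sent. checkpoint['position']
    only moves past a record once it was filtered out or accepted by the target,
    so the next pass resumes exactly at the first unsent record."""
    sent = 0
    target.connect()
    for pos, record in extract(lines, checkpoint.get("position", 0)):
        if keep(record):
            try:
                target.send(syslog_frame(record["time"], to_cef(record)))
            except ConnectionError:
                return sent  # stop exporting; the position still points at this record
            sent += 1
        checkpoint["position"] = pos + 1
    return sent

def demo() -> Tuple[int, int, int, List[str]]:
    """Filter out accepted connection logs, lose the link mid-run, reconnect, resume."""
    def not_accepted_connection(r: Record) -> bool:
        return not (r.get("product") == "Firewall" and r.get("action") == "Accept")

    checkpoint: Dict[str, int] = {"position": 0}
    target = FlakyTarget(fail_after=1)
    first = export(SAMPLE_LOG_FILE, target, checkpoint, not_accepted_connection)
    second = export(SAMPLE_LOG_FILE, target, checkpoint, not_accepted_connection)
    return first, second, checkpoint["position"], [f.decode() for f in target.received]

if __name__ == "__main__":
    for frame in demo()[3]:
        print(frame)
```

Running the demo sends one frame before the simulated reset, stops with the position parked on the unsent Drop record, and the second pass delivers the remaining two: three frames in total for four input records, the accepted connection log having been filtered out without being sent. The CEF escaping matters for SIEM parsing: the rule name "Cleanup (id=99)" arrives as cs1=Cleanup (id\=99), and a product name containing "|" would be escaped in the header.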