Print Download PDF Send Feedback

Previous

Next

Defining Correlation Units and Log Servers for SmartEvent

  1. From the Policy view of the SmartEvent Intro client, select General Settings > Initial Settings > Correlation Units.
  2. Select Add.
  3. Click the button of the Correlation Unit field.
  4. In the Select Objects window, select a Correlation Unit.
  5. Click OK.
  6. Click Add and select the Log Servers available as data sources to the Correlation Unit.

    Note - In a Multi-Domain Security Management environment, add the Log Servers for each Domain Management Server.

  7. Select Save.
  8. From the Actions menu, select Install Event policy.

At this point, SmartEvent Intro will begin to read logs and detect events.

To learn how to manage and fine-tune the system using the SmartEvent Intro Client, see the SmartEvent Administration Guide for your software version on the Check Point Support Center.

Incorporating Third-Party Devices

Syslog Devices

Various third-party devices use the syslog format for logging. SmartEvent and SmartReporter can process third-party syslog messages by reformatting the raw data. As the reformatting process should take place on the SmartEvent or SmartReporter computer, it is recommended to enable a Log Server on one of them. Direct all third-party syslog traffic to this Log Server.

  1. Connect to the Management server using SmartDashboard and edit the properties of the SmartEvent or SmartReporter object. For that object only, enable the property Log Server under Check Point Products. For the purposes of this section, this object will be referred to as the "syslog Log Server."
  2. Open Logs and Masters > Additional Logging.
  3. Enable the property Accept Syslog messages.
  4. To enable the Log Server properties on the SmartEvent Server, select SmartDashboard > Policy > Install Database. Select the SmartEvent Server as one of the targets.
  5. On the third-party device, configure syslogs to be sent to the syslog Log Server.
  6. On the Management server, create this rule in the Rule Base.
    • Source - Third-party devices that issue syslog messages
    • Destination - syslog Domain Log Server
    • Service - UDP syslog
  7. On the SmartEvent client, add the syslog Domain Log Server to a SmartEvent Correlation Unit, if not already enabled.
  8. Install the Event Policy on the SmartEvent Server.
  9. Reboot the syslog Log Server.

Windows Events

Check Point Windows Event Service is a Windows service application. It reads Windows events, normalizes the data, and places the data in the Check Point Log Server. SmartEvent processes this data. The process can only be installed on a Windows machine, but it does not have to be a machine running SmartEvent. Thus, Windows events can be processed even if SmartEvent is installed on a different platform.

How Windows Event Service Works

Check Point Windows Event Service is given the addresses of Windows computers that it will read and the address of a Log Server to which it will write. It reads a Windows event at a time, converts the fields of the event according to configuration files and stores the Windows event as a log in the Log Server.

Check Point Windows Event Service is first installed as a service on the user machine and the user provides a user name and password. The user name can be a domain administrator responsible for the endpoint computer or a local administrator on the endpoint computer.

Check Point Windows Event Service requires trust to be established so it can communicate with the Log Server.

Sending Windows Events to SmartEvent

In SmartDashboard, create an OPSEC object for Windows Event Service:

  1. Open Manage > Servers and OPSEC Applications.

    The Servers and OPSEC Applications window appears.

  2. Select New > OPSEC Application.
  3. Enter the name of the application that will send log files to SmartEvent.
  4. Click on New to create a Host.
  5. Enter a name and the IP address of the machine that will run WinEventToCPLog, and click OK.
  6. Under Client Entities, select ELA.
  7. Select Communication.
  8. Enter an Activation Key, repeat it in the confirmation line, and keep a record of it for later use.
  9. Click Initialize. The system should report the trust state as Initialized but trust not established.
  10. Click Close.
  11. Click OK.

From the File menu, select Save.

Note - Make sure that Firewall rules allow ELA traffic between the Windows computer and the Log Server.

On the Windows host, configure the Windows service to send logs to SmartEvent:

  1. Install the WinEventToCPLog package from the Check Point DVD.
  2. When the installation completes, restart the machine.
  3. Open a command prompt window and go to this location:

    C:\Program Files\CheckPoint\WinEventToCPLog\R65\bin

    On 64 bit computers the path starts with C:\Program files (x86).

  4. Run: windowEventToCPLog -pull_cert
    1. Enter the IP address of the management server.
    2. Enter the name of the corresponding OPSEC Application object that you created in SmartDashboard for the Windows events.
    3. Enter the Activation Key of the OPSEC object.
  5. Restart the Check Point Windows Event Service.
  6. If this machine is running a log server then install the Event Policy on this machine.

In the SmartDashboard, establish trust relationship between the Security Management Server and the Windows Host:

  1. Edit the OPSEC Application that you created in SmartDashboard for the Windows events.
  2. Select Communication and verify that the trust state is Trust Established.
  3. From the Policy menu, select Install Database.

On Each Machine that will send Windows Events, configure the Windows Audit Policy:

  1. From the Start menu, select Settings > Control Panel > Administrative Tools > Local Security > Policy > Local Policies > Audit Policy.
  2. Make sure that the Security Setting for the Policy Audit Logon Events is set to Failure. If not, double click and select Failure.
  3. Open a command prompt window and go to this path:
    C:\Program Files\CheckPoint\WinEventToCPLog\R65\bin.

    On 64 bit computers, the path starts with C:\Program files (x86).

  4. Run the following commands:

    windowEventToCPLog -l <ipaddr>, where <ipaddr> is the IP address of the Log Server that will receive the Windows Events.

    windowEventToCPLog -a <ipaddr>, where <ipaddr> is the IP address of each machine that will send Windows Events.

    windowEventToCPLog -s, where you will be prompted for an administrator name and the administrator password that to be registered with the windowEventToCPLog service.

The administrator that runs the windowEventToCPLog service must have permissions to access and read logs from the IP addressed defined in this procedure. This is the IP address of the computer that sends Windows events.

When you configure windowEventToCPLog to read Windows events from a remote machine, make sure that the administrator can access remote computer events. To do this, log in as the administrator on and try to read the events from the remote machine using the Microsoft Event Viewer.

SNMP Traps

To convert SNMP traps to the cplog format, the machine must first be registered as a server that accepts SNMP traps. Run the following commands on a SmartEvent computer:

  1. snmpTrapToCPLog -r
  2. For each machine from which you want to read SNMP traps: snmpTrapToCPLog -a IPaddress
  3. cpstop
  4. cpstart
04 June 2017 © 2017 Check Point Software Technologies Ltd. All rights reserved.