Appendix

Special log fields

loguid - Some Check Point logs are updated over time. All updates of one log carry the same loguid value. The Check Point SmartLog client correlates these updates into a single unified log. When the update logs are sent to third-party servers, they arrive as distinct logs. Administrators can use the loguid field to correlate the updates and reconstruct the full event chain.

Note - Log Exporter's new semi-unified mode correlates all previous logs into one, so the latest log always shows the complete data.

Examples of fields that are updated over time are the total number of bytes sent and received, and the severity field, which is updated as more information becomes available.

hll_key (High Level Log key) - This concept was introduced in R80.10. Multiple connection logs can comprise one session with one shared hll_key. For example, when you browse to a webpage, you may have multiple connection logs which are related to the same session. Connection logs which are part of the same session share the same hll_key value.

Syslog-NG Listener configuration

We recommend that you use the syslog-protocol flag when you configure a source on a syslog-ng server.

For example: source s_network { network(transport("tcp") port(514) flags(syslog-protocol) ); };

Splunk Listener configuration

We recommend that you add these time settings to your sourcetype:

ArcSight Listener configuration

The Log Exporter solution does not work with the OPSEC LEA connector. Instead, you must install the ArcSight Syslog-NG connector.

ArcSight Common Event Format (CEF) Mapping

CEF is an extensible, text-based format that supports multiple device types by offering the most relevant information. Message syntaxes are reduced to work with ESM normalization. Specifically, CEF defines a syntax for log records made up of a standard header and a variable extension, formatted as key-value pairs. The CEF format can be used with on-premises devices by implementing the ArcSight Syslog SmartConnector. CEF can also be used by cloud-based service providers by implementing the SmartConnector for ArcSight Common Event Format REST.

CEF Header format

| | Version | Device Vendor | Device Product | Device Version | Device Event Class ID | Name | Severity |
|---|---|---|---|---|---|---|---|
| Default | CEF:0 | Check Point | Log Update | Check Point | Log | Log | 0 |
| Values | - | - | Product Name (Blade) | - | Attack Name, Protection Type, Verdict, Matched Category, DLP Data Type, Application Category, Application Properties | Protection Name, Application Name, Message Info, Service ID, Service | Application Risk, Risk, Severity |
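As an added example (not part of the Log Exporter documentation or product), the following Python parses CEF records laid out according to the header above, honouring CEF escaping, then correlates updates that share a loguid and groups the results by hll_key, which is what a third-party receiver must do itself because updates arrive as distinct logs. The sample records, every extension key other than loguid and hll_key, and all values are constructed for the example.

```python
import re
# Constructed sample records, not real Log Exporter output: header per the default row above, loguid/hll_key are Check Point field names, other keys and values are invented.
SAMPLE_LINES = [
    "CEF:0|Check Point|Log Update|Check Point|Log|Log|3|loguid=0001 hll_key=AAA sent_bytes=120 received_bytes=0",
    "CEF:0|Check Point|Log Update|Check Point|Log|Log|3|loguid=0002 hll_key=AAA sent_bytes=300 received_bytes=900",
    "CEF:0|Check Point|Log Update|Check Point|Log|Log|7|loguid=0001 hll_key=AAA sent_bytes=4500 received_bytes=1200 msg=Name\\=Test\\|ing",
]
HEADER_FIELDS = ("version", "device_vendor", "device_product", "device_version",
                 "device_event_class_id", "name", "severity")
# A key is key characters plus '=' at the extension start or after whitespace, so an escaped '\=' in a value never starts a key.
KEY_RE = re.compile(r"(?:^|\s)([A-Za-z0-9_.-]+)=")

def unescape(value):
    # CEF escapes '\|', '\=' and '\\' everywhere, and '\n' / '\r' inside extension values.
    return re.sub(r"\\(.)", lambda m: {"n": "\n", "r": "\r"}.get(m.group(1), m.group(1)), value)

def parse_extension(ext):
    fields, keys = {}, list(KEY_RE.finditer(ext))
    for i, m in enumerate(keys):
        end = keys[i + 1].start() if i + 1 < len(keys) else len(ext)
        fields[m.group(1)] = unescape(ext[m.end():end].strip())
    return fields

def parse_cef(line):
    # Split only on unescaped '|': seven header fields, then the extension as the eighth part.
    parts = re.split(r"(?<!\\)\|", line.rstrip("\r\n"), maxsplit=7)
    if len(parts) != 8 or not parts[0].startswith("CEF:"):
        raise ValueError("not a CEF record: %r" % line)
    header = {name: unescape(val) for name, val in zip(HEADER_FIELDS, parts[:7])}
    return {"header": header, "ext": parse_extension(parts[7])}

def correlate_by_loguid(lines):
    # Merge updates sharing a loguid: newest header wins, later extension fields overwrite earlier ones.
    merged = {}
    for line in lines:
        rec = parse_cef(line)
        loguid = rec["ext"].get("loguid")
        if loguid is None:
            continue  # no correlation key; such records would be handled separately
        entry = merged.setdefault(loguid, {"header": {}, "ext": {}})
        entry["header"] = rec["header"]
        entry["ext"].update(rec["ext"])
    return merged

def sessions_by_hll_key(merged):
    # Connection logs that share an hll_key belong to one session.
    sessions = {}
    for loguid, entry in merged.items():
        sessions.setdefault(entry["ext"].get("hll_key"), []).append(loguid)
    return sessions
```

For loguid 0001 the merged entry ends with severity 7 and the byte counters from the last update, the same view semi-unified mode would deliver in a single log.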

QRadar Log Event Extended Format (LEEF) Mapping

LEEF is a customized event format for IBM Security QRadar.

LEEF Header Format

| | LEEF: Version | Vendor | Product | Version | EventID |
|---|---|---|---|---|---|
| Default | LEEF:2.0 | Check Point | Log Update | 1.0 | Check Point Log |
| Values | - | - | Product Name (Blade) | - | Protection Name, Application Name, Action |

Note - The time format is not compliant with the official LEEF format.

Because there is currently no epoch time format, Log Exporter with the LEEF format is only partially supported.