Third-Party Log Formats

In This Section: Importing Syslog Messages Importing Windows Events Working with SNMP

You can import these third-party log formats to a Check Point Log Server:

• Syslog messages.
• Windows Events.
• SNMP Traps.

The Log Server converts the third-party log messages to a Check Point log. The log is then available for further analysis by SmartEvent.

Importing Syslog Messages

Many third-party devices use the syslog format for logging. The Log Server reformats the raw data to the Check Point log format to process third-party syslog messages.

The Log Server uses a syslog parser to convert syslog messages to the Check Point log format.

To import syslog messages, define your own syslog parser and install it on the Log Server.

SmartEvent can take the reformatted logs and convert them into security events.

Generating a Syslog Parser and Importing syslog Messages

To import syslog messages from products and vendors that are not supported out-of-the-box, see sk55020. This shows you how to:

1. Import some sample syslog messages to the Log Parsing Editor.
2. Define the mapping between syslog fields and the Check Point log fields.
3. Install the syslog parser on the Log Server.

After you imported the syslog messages to the Log Server, you can see them in SmartConsole, in the Logs & Monitor > Logs tab.

Note - Make sure that Access Control rules allow ELA traffic between the Syslog computer and the Log Server.

Configuring SmartEvent to Read Imported Syslog Messages

After you imported the syslog messages to the Log Server, you can forward them to SmartEvent Server (and other OPSEC LEA clients), as other Check Point logs. SmartEvent convert the syslog messages into security events.

To configure the SmartEvent Server to read logs from this Log Server:

1. Configure SmartEvent to read logs from the Log Server.
2. In SmartEvent or in the SmartConsole event views, make a query to filter by the Product Name field. This field uniquely identifies the events that are created from the syslog messages.

Importing Windows Events

Check Point Windows Event Service is a Windows service application. It reads events from the Windows server and other configured Windows computers, converts them to Check Point logs, and places the data in the Check Point Log Server. The Log Server processes this data. The process can only be installed on a Windows computer, but it does not have to be the computer that runs Log Server. Therefore, Windows events can be processed even if the Log Server is installed on a different platform.

How Windows Event Service Works

To convert Windows events into Check Point logs:

1. Download the Windows Event Service agent WinEventToCPLog from the Check Point Support Center.
2. Install the service agent on a Windows server.

   An administrator user name and password are necessary. The administrator name is one of these:

   • A domain administrator responsible for the endpoint computer
   • A local administrator on the endpoint computer
3. Create SIC between the Windows server and the management.
4. Configure the Windows server to collect Windows events from required computers.

Administrator Support for WinEventToCPLog

WinEventToCPLog uses Microsoft APIs to read events from Windows operating system event files. To see these files, use the Windows Event Viewer.

WinEventToCPLog can read event files on the local machine, and can read log files from remote machines with the right privileges. This is useful when you make a central WinEventToCPLog server that forwards multiple Window hosts events to a Check Point Log server.

To set the privileges, invoke WinEventToCPLog -s to specify an administrator login and password.

These are the ways to access the files on a remote machine:

• To define a local administrator on the remote machine that their name matches the name registered with WinEventToCPLog.
• To define the administrator registered with WinEventToCPLog as an administrator in the domain. This administrator can access all of the machines in the domain.

Sending Windows Events to the Log Server

This shows how to send Windows events to the Log Server. For advanced Windows event configuration, see sk98861.

Creating an OPSEC object for Windows Event Service

In SmartConsole, create an OPSEC object for Windows Event Service.

To create an OPSEC object for windows event service:

1. From the Object Explore, click New > Server > OPSEC Application > Application.

   The OPSEC Applications Properties window shows.

2. Enter the name of the application that sends log files to the Log Server.
3. Click New to create a Host.
4. Enter an object name and the IP address of the machine that runs WinEventToCPLog.
5. Click OK.
6. Below Client Entities, select ELA.
7. Select Communication.
8. Enter an Activation Key, enter it again in the confirmation line, and keep a record of it for later use.
9. Click Initialize.

   The system must report the trust status as Initialized but trust not established.

10. Click Close.
11. Click OK.
12. Click Publish to save the database.

    Note - Make sure that Access Control rules allow ELA traffic between the Windows computer and the Log Server.

Note - Make sure that Access Control rules allow ELA traffic between the Windows computer and the Log Server.

Configuring the Windows service

On the Windows host, configure the Windows service to send logs to Log Server.

To configure the Windows service:

1. Install the WinEventToCPLog package from the Check Point Support Center.
2. When the installation completes, restart the computer.
3. Open a command prompt window and go to this location:

   C:\Program Files\CheckPoint\WinEventToCPLog\R65\bin

   On 64 bit computers the path starts with C:\Program files (x86).

4. Run: windowEventToCPLog -pull_cert
   1. Enter the IP address of the management server.
   2. Enter the name of the corresponding OPSEC Application object that you created in SmartConsole for the Windows events.
   3. Enter the Activation Key of the OPSEC object.
5. Restart the Check Point Windows Event Service.

Establishing Trust

Establish trust between the Security Management Server and the windows host.

To establish trust:

1. Edit the OPSEC Application that you created in SmartConsole for the Windows events.
2. Select Communication.
3. Make sure that the trust status is Trust Established.
4. Click Publish to save the database.

Configuring the Windows Audit Policy

On each machine that sends Windows Events, configure the Windows Audit Policy.

To configure the windows audit:

1. From the Start menu, select: Settings > Control Panel > Administrative Tools > Local Security Policy > Local Policies > Audit Policy.
2. Make sure that the Security Setting for the Policy Audit Logon Events is set to Failure. If not, double-click it and select Failure.
3. Open a command prompt window and go to this path:
   C:\Program Files\CheckPoint\WinEventToCPLog\R65\bin.

   On 64 bit computers, the path starts with C:\Program files (x86).

4. Run these commands:

   windowEventToCPLog -l <ipaddr>, where <ipaddr> is the IP address of the Log Server that receives the Windows Events.

   windowEventToCPLog -a <ipaddr>, where <ipaddr> is the IP address of each machine that sends Windows Events.

   windowEventToCPLog -s, where you are prompted for an administrator name and the administrator password that to be registered with the windowEventToCPLog service.

   The administrator that runs the windowEventToCPLog service must have permissions to access and read logs from the IP addressed defined in this procedure. This is the IP address of the computer that sends Windows events.

5. When you configure windowEventToCPLog to read Windows events from a remote machine, log in as the administrator. This makes sure that the administrator can access remote computer events.
6. Use the Microsoft Event Viewer to read the events from the remote machine.

Working with SNMP

SNMP (Simple Network Management Protocol) is an Internet standard protocol. SNMP is used to send and receive management data, protocol data units (PDUs), to network devices. SNMP-compliant devices, called agents, keep data about themselves in Management Information Bases (MIBs) and resend this data to the SNMP requesters.

Network management applications use SNMP and the supported MIB to query a management agent. The Check Point SNMP implementation lets an SNMP manager monitor the system and modify selected objects only. You can define and change one read‑only community string and one read‑write community string. You can set, add, and delete trap receivers and enable or disable various traps. You can also enter the location and contact strings for the system.

Check Point platforms support SNMP v1, v2, and v3. An SNMP manager use GetRequest, GetNextRequest, GetBulkRequest, and a specified number of traps to monitor a device. The Check Point implementation supports SetRequest to change these attributes: sysContact, sysLocation, and sysName. You must configure read-write permissions for set operations to work.

For more information, see R80.20.M1 Gaia Administration Guide and sk90860: How to configure SNMP on Gaia OS.