Configuring SmartEvent to use a Non-Standard LEA Port
You can get logs from and send logs to a third-party Log Server. The Check Point Log Server (a dedicated Check Point server that runs Check Point software to store and process logs) and the third-party Log Server use the LEA (Log Export API) protocol to read logs. By default, the Check Point Log Server uses port 18184 for this connection. If you configure the Log Server to use a different LEA port, you must manually configure the new port on the SmartEvent Server (a dedicated Check Point server with the enabled SmartEvent Software Blade that hosts the events database) and on the SmartEvent Correlation Unit (the SmartEvent software component on a SmartEvent Server that analyzes logs and detects events).
Note - This procedure is not relevant if you use Log Exporter.
To change the default LEA port:
- Open $INDEXERDIR/log_indexer_custom_settings.conf in a text editor.
- Add this line to the file:
    :lea_port (<new_port_number>)
- Save the changes in the file and exit the editor.
- In the SmartEvent client, configure the new port on the Correlation Unit:
  - In Policy tab > Correlation Units, configure the Correlation Unit to read logs from the local Log Server (on the SmartEvent Server).
- Configure the new port on the SmartEvent Server:
  - In Policy tab > Network Objects, double-click the SmartEvent Server object.
  - Change the LEA port No parameter to <new_port_number>.
- Install the Event Policy (the set of rules that define the behavior of SmartEvent) on the Correlation Unit: Actions > Install Event Policy
- On the SmartEvent Server:
  - Run: cpstop
  - Open $FWDIR/conf/fwopsec.conf in a text editor.
  - Change these parameters:
      lea_server auth_port <new_port_number>
      lea_server port 0
  - Save the changes in the file and exit the editor.
  - Run: cpstart
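The script below is an added example, not part of the Check Point documentation. It checks that the two files edited in this procedure agree on the new port and that "lea_server port" is still 0. The function names, the sample file contents and port 18999 are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not Check Point code): verify both files agree on the new LEA port.

# Port from a ":lea_port (<n>)" line in log_indexer_custom_settings.conf.
indexer_lea_port() {
    sed -n 's/^[[:space:]]*:lea_port[[:space:]]*(\([0-9][0-9]*\))[[:space:]]*$/\1/p' "$1" | tail -n 1
}

# Value of an uncommented "lea_server <key> <n>" line in fwopsec.conf.
fwopsec_lea_value() {
    awk -v key="$2" '$1 == "lea_server" && $2 == key { v = $3 } END { print v }' "$1"
}

# check_lea_port <indexer_conf> <fwopsec_conf> <expected_port>
# Returns 0 if consistent, 1 on a mismatch, 2 on an invalid expected port.
check_lea_port() {
    expected=$3
    rc=0
    case $expected in
        ''|*[!0-9]*|??????*) echo "FAIL: invalid port '$expected'"; return 2 ;;
    esac
    if [ "$expected" -lt 1 ] || [ "$expected" -gt 65535 ]; then
        echo "FAIL: port $expected is out of range"; return 2
    fi
    idx=$(indexer_lea_port "$1")
    auth=$(fwopsec_lea_value "$2" auth_port)
    clear=$(fwopsec_lea_value "$2" port)
    [ "$idx" = "$expected" ] || { echo "FAIL: :lea_port is '${idx:-unset}', expected $expected"; rc=1; }
    [ "$auth" = "$expected" ] || { echo "FAIL: lea_server auth_port is '${auth:-unset}', expected $expected"; rc=1; }
    [ "$clear" = "0" ] || { echo "FAIL: lea_server port is '${clear:-unset}', expected 0"; rc=1; }
    [ "$rc" -eq 0 ] && echo "OK: LEA port $expected is consistent in both files"
    return "$rc"
}

# Constructed sample files (port 18999 is an arbitrary illustration value).
demo_dir=$(mktemp -d)
printf ':lea_port (18999)\n' > "$demo_dir/log_indexer_custom_settings.conf"
printf '# lea_server auth_port 18184\nlea_server auth_port 18999\nlea_server port 0\n' > "$demo_dir/fwopsec.conf"
check_lea_port "$demo_dir/log_indexer_custom_settings.conf" "$demo_dir/fwopsec.conf" 18999
rm -rf "$demo_dir"
```

On the SmartEvent Server, call check_lea_port with $INDEXERDIR/log_indexer_custom_settings.conf, $FWDIR/conf/fwopsec.conf and the new port number before you run cpstart.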