In This Section: |
You can import these third-party log formats to a Check Point Log Server:
The Log Server converts the third-party log messages to a Check Point log. The log is then available for further analysis by SmartEvent.
Many third-party devices use the syslog format for logging. The Log Server reformats the raw data to the Check Point log format to process third-party syslog messages.
The Log Server uses a syslog parser to convert syslog messages to the Check Point log format.
To import syslog messages, define your own syslog parser and install it on the Log Server.
SmartEvent can take the reformatted logs and convert them into security events.
To import syslog messages from products and vendors that are not supported out-of-the-box, see sk55020. This shows you how to:
After you imported the syslog messages to the Log Server, you can see them in SmartConsole, in the Logs & Monitor > Logs tab.
Note - Make sure that Access Control rules allow ELA traffic between the Syslog computer and the Log Server.
After you imported the syslog messages to the Log Server, you can forward them to SmartEvent Server (and other OPSEC LEA clients), as other Check Point logs. SmartEvent convert the syslog messages into security events.
To configure the SmartEvent Server to read logs from this Log Server:
Check Point Windows Event Service is a Windows service application. It reads events from the Windows server and other configured Windows computers, converts them to Check Point logs, and places the data in the Check Point Log Server. The Log Server processes this data. The process can only be installed on a Windows computer, but it does not have to be the computer that runs Log Server. Therefore, Windows events can be processed even if the Log Server is installed on a different platform.
To convert Windows events into Check Point logs:
WinEventToCPLog
from the Check Point Support Center.An administrator user name and password are necessary. The administrator name is one of these:
WinEventToCPLog
uses Microsoft APIs to read events from Windows operating system event files. To see these files, use the Windows Event Viewer.
WinEventToCPLog
can read event files on the local machine, and can read log files from remote machines with the right privileges. This is useful when you make a central WinEventToCPLog
server that forwards multiple Window hosts events to a Check Point Log server.
To set the privileges, invoke WinEventToCPLog -s
to specify an administrator login and password.
These are the ways to access the files on a remote machine:
WinEventToCPLog
.WinEventToCPLog
as an administrator in the domain. This administrator can access all of the machines in the domain.This shows how to send Windows events to the Log Server. For advanced Windows event configuration, see sk98861.
In SmartConsole, create an OPSEC object for Windows Event Service.
To create an OPSEC object for windows event service:
The OPSEC Applications Properties window shows.
The system must report the trust status as Initialized but trust not established.
Note - Make sure that Access Control rules allow ELA traffic between the Windows computer and the Log Server.
Note - Make sure that Access Control rules allow ELA traffic between the Windows computer and the Log Server.
On the Windows host, configure the Windows service to send logs to Log Server.
To configure the Windows service:
C:\Program Files\CheckPoint\WinEventToCPLog\R65\bin
On 64 bit computers the path starts with C:\Program files (x86)
.
windowEventToCPLog -pull_cert
Establish trust between the Security Management Server and the windows host.
To establish trust:
On each machine that sends Windows Events, configure the Windows Audit Policy.
To configure the windows audit:
C:\Program Files\CheckPoint\WinEventToCPLog\R65\bin
.On 64 bit computers, the path starts with C:\Program files (x86)
.
windowEventToCPLog -l <ipaddr>, where <ipaddr> is the IP address of the Log Server that receives the Windows Events.
windowEventToCPLog -a <ipaddr>, where <ipaddr> is the IP address of each machine that sends Windows Events.
windowEventToCPLog -s, where you are prompted for an administrator name and the administrator password that to be registered with the windowEventToCPLog service.
The administrator that runs the windowEventToCPLog service must have permissions to access and read logs from the IP addressed defined in this procedure. This is the IP address of the computer that sends Windows events.
SNMP (Simple Network Management Protocol) is an Internet standard protocol. SNMP is used to send and receive management data, protocol data units (PDUs), to network devices. SNMP-compliant devices, called agents, keep data about themselves in Management Information Bases (MIBs) and resend this data to the SNMP requesters.
Network management applications use SNMP and the supported MIB to query a management agent. The Check Point SNMP implementation lets an SNMP manager monitor the system and modify selected objects only. You can define and change one read‑only community string and one read‑write community string. You can set, add, and delete trap receivers and enable or disable various traps. You can also enter the location and contact strings for the system.
Check Point platforms support SNMP v1, v2, and v3. An SNMP manager use GetRequest
, GetNextRequest
, GetBulkRequest
, and a specified number of traps to monitor a device. The Check Point implementation supports SetReques
t to change these attributes: sysContact
, sysLocation
, and sysName
. You must configure read-write permissions for set
operations to work.
The SNMP Best Practices Guide covers these topics: