Third-Party Log Formats

You can import these third-party log formats to a Check Point Log Server (a dedicated Check Point server that runs Check Point software to store and process logs):

  • Syslog messages.

  • Windows Events.

  • SNMP Traps.

The Log Server converts the third-party log messages to a Check Point log. The log is then available for further analysis by SmartEvent.

Importing Syslog Messages

Many third-party devices use the syslog format for logging. To process third-party syslog messages, the Log Server reformats the raw data into the Check Point log format.

The Log Server uses a syslog parser to convert syslog messages to the Check Point log format.

To import syslog messages, define your own syslog parser and install it on the Log Server.

SmartEvent can take the reformatted logs and convert them into security events.

Generating a Syslog Parser and Importing syslog Messages

To import syslog messages from products and vendors that are not supported out-of-the-box, see sk55020. This shows you how to:

  1. Import some sample syslog messages to the Log Parsing Editor.

  2. Define the mapping between syslog fields and the Check Point log fields.

  3. Install the syslog parser on the Log Server.

After you import the syslog messages to the Log Server, you can see them in SmartConsole (the Check Point GUI application used to manage a Check Point environment: configure Security Policies, configure devices, monitor products and events, install updates, and so on), in the Logs & Monitor > Logs tab.

Note - Make sure that Access Control rules allow ELA traffic between the Syslog computer and the Log Server.

Configuring SmartEvent to Read Imported Syslog Messages

After you import the syslog messages to the Log Server, you can forward them to the SmartEvent Server (a dedicated Check Point server with the enabled SmartEvent Software Blade that hosts the events database), and to other OPSEC LEA clients, in the same way as other Check Point logs. SmartEvent converts the syslog messages into security events.

To configure the SmartEvent Server to read logs from this Log Server:

  1. Configure SmartEvent to read logs from the Log Server.

  2. In SmartEvent or in the SmartConsole event views (an event is a record of a security or network incident that is based on one or more logs, and on a customizable set of rules that are defined in the Event Policy), make a query to filter by the Product Name field. This field uniquely identifies the events that are created from the syslog messages.
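The steps above describe the two things a syslog parser does: split each raw message into its header fields, and map those fields (plus anything worth extracting from the free-text body) onto named log fields, with a Product Name value that later lets SmartEvent queries isolate these events. The following Python program is an added example that is not part of this guide or of the Check Point Log Parsing Editor format; it works through that conversion on constructed sample lines. The target field names (product, origin, src, user and so on) are illustrative placeholders, not the Check Point log schema.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample messages (not captured from any real device), RFC 3164 style.
SAMPLE_SYSLOG = [
    "<34>Oct 11 22:14:15 fw-edge1 sshd[1234]: Failed password for invalid user admin from 203.0.113.5 port 51234 ssh2",
    "<13>Oct 11 22:15:01 web01 nginx: 198.51.100.7 - GET /login 401",
    "garbage line without a PRI header",
]

# <PRI>TIMESTAMP HOST TAG[PID]: MSG   (the [PID] part is optional)
SYSLOG_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<timestamp>[A-Z][a-z]{2} [ \d]\d \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) "
    r"(?P<tag>[^:\[\s]+)(?:\[(?P<pid>\d+)\])?: "
    r"(?P<msg>.*)$"
)

SEVERITY_NAMES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

# Per-application extractors for fields that live inside the free-text message.
# Only sshd is covered here; a real parser carries one entry per supported product.
MESSAGE_EXTRACTORS = {
    "sshd": re.compile(r"for (?:invalid user )?(?P<user>\S+) from (?P<src>\d{1,3}(?:\.\d{1,3}){3})"),
}


@dataclass
class ParsedSyslog:
    facility: int
    severity: int
    timestamp: str
    host: str
    tag: str
    pid: Optional[str]
    msg: str


def parse_syslog(line: str) -> Optional[ParsedSyslog]:
    """Split one raw syslog line into its header fields; None if it is not well-formed."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    pri = int(m.group("pri"))
    if pri > 191:  # PRI = facility (0-23) * 8 + severity (0-7)
        return None
    return ParsedSyslog(
        facility=pri // 8,
        severity=pri % 8,
        timestamp=m.group("timestamp"),
        host=m.group("host"),
        tag=m.group("tag"),
        pid=m.group("pid"),
        msg=m.group("msg"),
    )


def to_log_record(parsed: ParsedSyslog, product_name: str) -> Dict[str, object]:
    """Map parsed syslog fields onto a flat record. The target names are
    illustrative placeholders, not the field names of the Check Point log schema."""
    record: Dict[str, object] = {
        "product": product_name,  # the value a SmartEvent query filters on
        "origin": parsed.host,
        "time": parsed.timestamp,
        "syslog_facility": parsed.facility,
        "syslog_severity": SEVERITY_NAMES[parsed.severity],
        "application": parsed.tag,
        "message": parsed.msg,
    }
    if parsed.pid is not None:
        record["pid"] = parsed.pid
    extractor = MESSAGE_EXTRACTORS.get(parsed.tag)
    if extractor:
        hit = extractor.search(parsed.msg)
        if hit:
            record.update(hit.groupdict())
    return record


def convert_batch(lines: List[str], product_name: str = "ThirdPartySyslog") -> Tuple[List[Dict[str, object]], List[str]]:
    """Convert a batch of raw lines. Lines that fail to parse are returned
    separately so they can be counted and inspected instead of silently dropped."""
    records: List[Dict[str, object]] = []
    rejected: List[str] = []
    for line in lines:
        parsed = parse_syslog(line)
        if parsed is None:
            rejected.append(line)
        else:
            records.append(to_log_record(parsed, product_name))
    return records, rejected


if __name__ == "__main__":
    ok, bad = convert_batch(SAMPLE_SYSLOG)
    for r in ok:
        print(r)
    print(f"rejected {len(bad)} line(s)")
```

Returning rejected lines rather than discarding them matters operationally: a device firmware update that changes the message layout otherwise shows up only as a quiet drop in event volume.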

Importing Windows Events

Check Point Windows Event Service is a Windows service application. It reads events from the Windows server and other configured Windows computers, converts them to Check Point logs, and places the data in the Check Point Log Server. The Log Server processes this data. The service can only be installed on a Windows computer, but it does not have to be the computer that runs the Log Server. Therefore, Windows events can be processed even if the Log Server is installed on a different platform.

How Windows Event Service Works

To convert Windows events into Check Point logs:

  1. Download the Windows Event Service agent WinEventToCPLog from the Check Point Support Center.

  2. Install the service agent on a Windows server.

    An administrator user name and password are required. The administrator is one of these:

    • A domain administrator responsible for the endpoint computer

    • A local administrator on the endpoint computer

  3. Create SIC (Secure Internal Communication, the Check Point proprietary mechanism with which computers that run Check Point software authenticate each other over SSL for secure communication; the authentication is based on certificates issued by the ICA on a Check Point Management Server) between the Windows server and the Security Management Server.

  4. Configure the Windows server to collect Windows events from required computers.

Administrator Support for WinEventToCPLog

WinEventToCPLog uses Microsoft APIs to read events from Windows operating system event files. To see these files, use the Windows Event Viewer.

WinEventToCPLog can read event files on the local machine, and can read log files from remote machines if it has the right privileges. This is useful when you set up a central WinEventToCPLog server that forwards events from multiple Windows hosts to a Check Point Log Server.

To set the privileges, run "WinEventToCPLog -s" and specify an administrator login and password.

These are the ways to access the files on a remote machine:

  • Define a local administrator on the remote machine whose name matches the name registered with WinEventToCPLog.

  • Define the administrator registered with WinEventToCPLog as an administrator in the domain. This administrator can access all of the machines in the domain.

Sending Windows Events to the Log Server

This section describes how to send Windows events to the Log Server. For advanced Windows event configuration, see sk98861.

Creating an OPSEC Object for Windows Event Service

In SmartConsole, create an OPSEC object for Windows Event Service.

To create an OPSEC object for Windows Event Service:

  1. From the Object Explorer, click New > Server > OPSEC Application > Application.

    The OPSEC Application Properties window opens.

  2. Enter the name of the application that sends log files to the Log Server.

  3. Click New to create a Host.

  4. Enter an object name and the IP address of the machine that runs WinEventToCPLog.

  5. Click OK.

  6. Below Client Entities, select ELA.

  7. Select Communication.

  8. Enter an Activation Key, enter it again in the confirmation line, and keep a record of it for later use.

  9. Click Initialize.

    The system must report the trust status as Initialized but trust not established.

  10. Click Close.

  11. Click OK.

  12. Publish the SmartConsole session.

Note - Make sure that Access Control rules allow ELA traffic between the Windows computer and the Log Server.

Configuring the Windows service

On the Windows host, configure the Windows service to send logs to the Log Server.

To configure the Windows service:

  1. Install the WinEventToCPLog package from the Check Point Support Center.

  2. When the installation completes, restart the computer.

  3. Open a command prompt window and go to this location:

    • On Windows 32-bit:

      C:\Program Files\CheckPoint\WinEventToCPLog\R65\bin\

    • On Windows 64-bit:

      C:\Program Files (x86)\CheckPoint\WinEventToCPLog\R65\bin\

  4. Pull the certificate.

  5. Restart the Check Point Windows Event Service.

Establishing Trust

Establish trust between the Security Management Server (a dedicated Check Point server that runs Check Point software to manage the objects and policies in a Check Point environment within a single management Domain; synonym: Single-Domain Security Management Server) and the Windows host.

To establish trust:

  1. Edit the OPSEC Application that you created in SmartConsole for the Windows events.

  2. Select Communication.

  3. Make sure that the trust status is Trust Established.

  4. Publish the SmartConsole session.

Configuring the Windows Audit Policy

On each machine that sends Windows Events, configure the Windows Audit Policy.

To configure the Windows audit policy:

  1. From the Start menu, click Settings > Control Panel.

  2. Click Administrative Tools > Local Security Policy > Local Policies > Audit Policy.

  3. Make sure that the Security Setting for the Audit Logon Events policy is set to Failure. If it is not, double-click the policy and select Failure.

  4. Open a command prompt window and go to this path:

    • On Windows 32-bit:

      C:\Program Files\CheckPoint\WinEventToCPLog\R65\bin\

    • On Windows 64-bit:

      C:\Program Files (x86)\CheckPoint\WinEventToCPLog\R65\bin\

  5. Run these commands:

    windowEventToCPLog -l <ipaddr>, where <ipaddr> is the IP address of the Log Server that receives the Windows Events.

    windowEventToCPLog -a <ipaddr>, where <ipaddr> is the IP address of each machine that sends Windows Events.

    windowEventToCPLog -s, which prompts you for the administrator name and the administrator password to be registered with the windowEventToCPLog service.

    The administrator that runs the windowEventToCPLog service must have permissions to access and read logs from the IP addresses defined in this procedure. These are the IP addresses of the computers that send Windows events.

  6. When you configure windowEventToCPLog to read Windows events from a remote machine, log in as the registered administrator. This makes sure that the administrator can access the remote computer's events.

  7. Use the Microsoft Event Viewer to read the events from the remote machine.
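Once the audit policy records logon failures, the Security log on each sending machine carries a record for every failed logon attempt, and the conversion step turns such a record into a flat log with a source address, target user and failure status. The Python program below is an added example and not the code of the Check Point Windows Event Service: it parses two constructed event records in the XML layout that Event Viewer displays (a failed logon, Event ID 4625, and a Service Control Manager state change, Event ID 7036) and maps them onto illustrative placeholder field names, which are not the Check Point log schema. The namespace URI and the EventData field names used for 4625 are the ones Windows itself writes.

```python
import xml.etree.ElementTree as ET
from typing import Dict, Optional

EVT_NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Constructed sample records (not captured from a real host). The first is a
# failed network logon from the Security log; the second comes from the System log.
SAMPLE_4625 = """<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Security-Auditing" />
    <EventID>4625</EventID>
    <TimeCreated SystemTime="2024-03-01T08:15:42.123456Z" />
    <Channel>Security</Channel>
    <Computer>ws01.corp.example</Computer>
  </System>
  <EventData>
    <Data Name="TargetUserName">admin</Data>
    <Data Name="TargetDomainName">CORP</Data>
    <Data Name="LogonType">3</Data>
    <Data Name="Status">0xc000006d</Data>
    <Data Name="IpAddress">203.0.113.5</Data>
    <Data Name="WorkstationName">LAPTOP-EXAMPLE</Data>
  </EventData>
</Event>"""

SAMPLE_7036 = """<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Service Control Manager" />
    <EventID>7036</EventID>
    <TimeCreated SystemTime="2024-03-01T08:16:00.000000Z" />
    <Channel>System</Channel>
    <Computer>ws01.corp.example</Computer>
  </System>
  <EventData>
    <Data Name="param1">Check Point Windows Event Service</Data>
    <Data Name="param2">running</Data>
  </EventData>
</Event>"""

# Event IDs this example labels; anything else is still forwarded, just unlabelled.
EVENT_LABELS = {4624: "logon_success", 4625: "logon_failure", 4634: "logoff"}


def parse_windows_event(xml_text: str) -> Dict[str, object]:
    """Pull the System header and the named EventData fields out of one event record."""
    root = ET.fromstring(xml_text)
    system = root.find("e:System", EVT_NS)
    if system is None:
        raise ValueError("not a Windows event record: missing <System>")

    def text(tag: str) -> Optional[str]:
        node = system.find(f"e:{tag}", EVT_NS)
        return node.text if node is not None else None

    provider = system.find("e:Provider", EVT_NS)
    time_created = system.find("e:TimeCreated", EVT_NS)
    data: Dict[str, str] = {}
    event_data = root.find("e:EventData", EVT_NS)
    if event_data is not None:
        for d in event_data.findall("e:Data", EVT_NS):
            name = d.get("Name")
            if name:
                data[name] = d.text or ""
    return {
        "event_id": int(text("EventID") or 0),
        "channel": text("Channel"),
        "computer": text("Computer"),
        "provider": provider.get("Name") if provider is not None else None,
        "time": time_created.get("SystemTime") if time_created is not None else None,
        "data": data,
    }


def to_log_record(event: Dict[str, object]) -> Dict[str, object]:
    """Flatten a parsed event into a record keyed by placeholder field names."""
    data = event["data"]  # Dict[str, str] built by parse_windows_event
    record: Dict[str, object] = {
        "product": "WindowsEvents",
        "origin": event["computer"],
        "time": event["time"],
        "channel": event["channel"],
        "event_id": event["event_id"],
        "label": EVENT_LABELS.get(event["event_id"], "unclassified"),
    }
    if event["event_id"] in (4624, 4625):
        record["user"] = data.get("TargetUserName")
        record["domain"] = data.get("TargetDomainName")
        record["logon_type"] = data.get("LogonType")
        if event["event_id"] == 4625:
            record["status"] = data.get("Status")  # NTSTATUS code giving the failure reason
        src = data.get("IpAddress")
        if src and src != "-":  # Windows writes "-" when no network address is known
            record["src"] = src
    return record


def convert_windows_event(xml_text: str) -> Dict[str, object]:
    return to_log_record(parse_windows_event(xml_text))


if __name__ == "__main__":
    for sample in (SAMPLE_4625, SAMPLE_7036):
        print(convert_windows_event(sample))
```

The label lookup is deliberately a small table keyed by Event ID: it is the piece you extend when you decide which further audit categories (for example account management) each sending machine should record, and it keeps the parsing code independent of that decision.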

Working with SNMP

SNMP (Simple Network Management Protocol) is an Internet standard protocol. SNMP is used to send management data, as protocol data units (PDUs), to and from network devices. SNMP-compliant devices, called agents, keep data about themselves in Management Information Bases (MIBs) and return this data to SNMP requesters.

For more information, see R81.10 Gaia Administration Guide > Chapter System Management > Section SNMP.