Log Exporter - Appendix

Special Log Fields

Field: loguid (Log Unification ID)

Some Check Point logs are updated over time.

Updated logs have the same Log UID value.

Check Point SmartLog client correlates those updates into a single unified log.

When the update logs are sent to third-party servers, they arrive as distinct logs.

Administrators can use the "loguid" field to correlate updated logs and get the full event chain (an event is a record of a security or network incident that is based on one or more logs, and on a customizable set of rules that are defined in the Event Policy).

Note - Log Exporter's new semi-unified mode correlates all previous logs into one, so the latest log always shows the complete data.

Examples of updated logs:

  • The total amount of bytes sent and received over time.

  • The severity field which is updated over time as more information becomes available.

Field: hll_key (High Level Log Key)

This concept was introduced in R80.10.

Multiple connection logs can comprise one session with one shared HLL Key.

For example, when you browse to a webpage, the Security Gateway (the dedicated Check Point server that runs Check Point software to inspect traffic and enforce Security Policies for connected network resources) may generate multiple connection logs that relate to the same session.

Connection logs that are part of the same session share the same "hll_key" value.
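As an added example (not Check Point code), the Python script below shows the correlation that the "loguid" and "hll_key" fields make possible once the logs have reached a third-party server as distinct records: update logs that share a loguid are merged so that the newest value of each field wins, which is what semi-unified mode does on the exporter side, and the unified connection logs are then grouped into sessions by hll_key. The log lines are constructed in the key=value style; the field names other than loguid, hll_key and time, the values, and the helper names are assumptions made for this example.

```python
"""Correlating Log Exporter records by loguid and hll_key.

Added example, not Check Point code. The sample lines are constructed in
key=value style; fields other than loguid, hll_key and time are assumed.
"""
import re
from datetime import datetime, timezone

# Constructed sample: three updates of one connection (same loguid) and a
# second connection that belongs to the same browsing session (same hll_key).
# Syslog delivery may reorder lines, so the updates are listed out of order.
SAMPLE_LOGS = [
    'time=1700000000 loguid={0x1} hll_key=7 src=10.0.0.5 dst=93.184.216.34 service=443 bytes=1200 severity=Low',
    'time=1700000025 loguid={0x1} hll_key=7 bytes=9100 severity=High',
    'time=1700000002 loguid={0x2} hll_key=7 src=10.0.0.5 dst=93.184.216.35 service=443 bytes=300 severity=Low',
    'time=1700000010 loguid={0x1} hll_key=7 bytes=5400',
]

_KV = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_log(line):
    """Split a key=value line into a dict; quoted values keep their spaces."""
    return {key: value.strip('"') for key, value in _KV.findall(line)}


def unify_by_loguid(lines):
    """Merge update logs that share a loguid.

    Records are ordered by the time= epoch field first, so an update that
    arrived late cannot overwrite a newer one. Later updates then overwrite
    earlier values of the same field: the result is the complete, latest
    picture of the connection, as semi-unified mode would emit it.
    """
    records = sorted((parse_log(line) for line in lines),
                     key=lambda rec: int(rec['time']))
    unified = {}
    for rec in records:
        merged = unified.setdefault(rec['loguid'], {})
        merged.update(rec)
        merged['update_count'] = merged.get('update_count', 0) + 1
    return unified


def sessions_by_hll_key(unified):
    """Group unified connection logs into sessions keyed by hll_key."""
    sessions = {}
    for rec in unified.values():
        sessions.setdefault(rec.get('hll_key', 'none'), []).append(rec['loguid'])
    return sessions


def epoch_to_utc(value):
    """time= carries a Unix epoch (the same format Splunk's TIME_FORMAT = %s expects)."""
    return datetime.fromtimestamp(int(value), tz=timezone.utc)


if __name__ == '__main__':
    unified = unify_by_loguid(SAMPLE_LOGS)
    for guid, rec in unified.items():
        print(guid, rec['update_count'], 'updates, bytes', rec['bytes'],
              'severity', rec['severity'], 'last seen', epoch_to_utc(rec['time']))
    print('sessions:', sessions_by_hll_key(unified))
```

Because each update arrives as its own syslog message, a SIEM rule that fires on the first "Low" severity record and never looks at the later "High" update for the same loguid will misjudge the connection; keying detections on the unified record, as above, avoids that.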

Syslog-NG Listener Configuration

We recommend that you use the syslog-protocol flag when you configure a source on a Syslog-NG server. This flag makes Syslog-NG parse incoming messages in the RFC 5424 (IETF syslog) format rather than the legacy BSD format.

For example:

source s_network { network(transport("tcp") port(514) flags(syslog-protocol) ); };

Splunk Listener Configuration

We recommend that you add these time settings to the "sourcetype" that receives Log Exporter data (in props.conf). Log Exporter writes the event time as a Unix epoch value in the "time" field, so:

  • TIME_FORMAT = %s (interpret the timestamp as seconds since the epoch)

  • TIME_PREFIX = time= (start timestamp extraction after the "time=" field name)

  • MAX_TIMESTAMP_LOOKAHEAD = 15 (read at most 15 characters after the prefix, which is enough for an epoch value)

ArcSight Listener Configuration

The Log Exporter solution does not work with the OPSEC LEA connector. Instead, you must install the ArcSight Syslog-NG connector.

ArcSight Common Event Format (CEF) Mapping

CEF is an extensible, text-based format that supports multiple device types by offering the most relevant information. Message syntax is reduced to work with ESM normalization. Specifically, CEF defines a syntax for log records comprised of a standard header and a variable extension, formatted as key-value pairs. The CEF format can be used with on-premises devices by implementing the ArcSight Syslog SmartConnector. CEF can also be used by cloud-based service providers by implementing the SmartConnector for ArcSight Common Event Format REST.

CEF Header Format

Item                    Default       Values
Version                 CEF:0         -
Device Vendor           Check Point   -
Device Product          Log Update    Product Name (Blade)
Device Version          Check Point   -
Device Event Class ID   Log           Protection Name, Application Name, Message Info, Service ID, Service
Name                    Log           (same values as Device Event Class ID)
Severity                0             Application Risk, Risk, Severity

The Default column is what is written when the log carries none of the fields in the Values column; when one of those fields is present, its value is used instead.

QRadar Log Event Extended Format (LEEF) Mapping

LEEF is the event format used by IBM Security QRadar.

LEEF Header Format

Item           Default           Values
LEEF Version   LEEF:2.0          -
Vendor         Check Point       -
Product        Log Update        Product Name (Blade)
Version        1.0               -
EventID        Check Point Log   Protection Name, Application Name, Action

Note - The time format that Log Exporter writes is not compliant with the official LEEF format.

Because there is currently no epoch time format for LEEF output, Log Exporter with the LEEF format is only partially supported.
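As an added example, not Log Exporter's own code, the Python below builds CEF and LEEF headers from a parsed Check Point log by following the two mapping tables in this appendix: each header item takes its table default unless one of the listed candidate fields is present, the CEF header escapes pipes and backslashes, the CEF extension escapes equals signs, and a small parser splits a CEF line back into its seven header fields on unescaped pipes. The input field names (product, protection_name, app_name, message_info, service_id, service, app_risk, risk, severity, action), the precedence order within each candidate list, the reuse of the Device Event Class ID candidates for the CEF Name field, and the helper names are assumptions; the sample logs are constructed.

```python
"""Build CEF and LEEF headers from a Check Point log per the mapping tables.

Added example, not Log Exporter's code. Input field names, candidate order
and helper names are assumptions; the fixed strings come from the tables.
"""

# Constructed sample logs (values are made up).
SAMPLE_IPS_LOG = {
    'product': 'SmartDefense', 'protection_name': 'SQL Injection',
    'severity': 'High', 'src': '10.0.0.5', 'dst': '192.0.2.10', 'action': 'Prevent',
}
SAMPLE_FW_LOG = {
    'product': 'VPN-1 & FireWall-1', 'action': 'Accept', 'service': 'https',
    'src': '10.0.0.5', 'dst': '192.0.2.10',
}


def _first(log, *keys, default):
    """Return the first non-empty candidate field, else the table default."""
    for key in keys:
        value = log.get(key)
        if value not in (None, ''):
            return str(value)
    return default


def _cef_header_escape(value):
    # In the CEF header, backslash and pipe are escaped with a backslash.
    return value.replace('\\', '\\\\').replace('|', '\\|')


def _cef_ext_escape(value):
    # In the CEF extension, backslash and '=' are escaped; line breaks are
    # folded so that one event stays on one syslog line.
    return (value.replace('\\', '\\\\').replace('=', '\\=')
                 .replace('\r', '\\r').replace('\n', '\\n'))


def to_cef(log, extension_keys):
    """CEF:0|Vendor|Product|Version|Event Class ID|Name|Severity|extension"""
    event_id = _first(log, 'protection_name', 'app_name', 'message_info',
                      'service_id', 'service', default='Log')
    header = [
        'CEF:0',
        'Check Point',                                  # Device Vendor (fixed)
        _first(log, 'product', default='Log Update'),   # Device Product = blade
        'Check Point',                                  # Device Version (fixed)
        event_id,                                       # Device Event Class ID
        event_id,                                       # Name (assumed: same candidates)
        _first(log, 'app_risk', 'risk', 'severity', default='0'),
    ]
    extension = ' '.join(f'{k}={_cef_ext_escape(str(log[k]))}'
                         for k in extension_keys if k in log)
    return '|'.join(_cef_header_escape(h) for h in header) + '|' + extension


def to_leef(log, extension_keys, delimiter='\t'):
    """LEEF:2.0|Vendor|Product|Version|EventID|key=value<delim>key=value

    With the default tab delimiter, LEEF 2.0 omits the optional delimiter
    header field, so the header has exactly the five items in the table.
    """
    header = [
        'LEEF:2.0',
        'Check Point',
        _first(log, 'product', default='Log Update'),
        '1.0',
        _first(log, 'protection_name', 'app_name', 'action', default='Check Point Log'),
    ]
    extension = delimiter.join(f'{k}={log[k]}' for k in extension_keys if k in log)
    # Defensive choice of this example: a literal pipe in a header item would
    # shift every field after it, so it is backslash-escaped.
    return '|'.join(h.replace('|', '\\|') for h in header) + '|' + extension


def parse_cef_header(line):
    """Split the seven CEF header fields on unescaped pipes; return (fields, extension)."""
    fields, current, i = [], [], 0
    while i < len(line) and len(fields) < 7:
        ch = line[i]
        if ch == '\\' and i + 1 < len(line):   # escaped character: keep it literally
            current.append(line[i + 1])
            i += 2
        elif ch == '|':
            fields.append(''.join(current))
            current = []
            i += 1
        else:
            current.append(ch)
            i += 1
    return fields, line[i:]


if __name__ == '__main__':
    for log in (SAMPLE_IPS_LOG, SAMPLE_FW_LOG):
        print(to_cef(log, ['src', 'dst', 'action']))
        print(to_leef(log, ['src', 'dst', 'action']))
    print(parse_cef_header(to_cef(SAMPLE_IPS_LOG, ['src'])))
```

The escaping matters for security as well as parsing: a protection name or message that a gateway copies from attacker-influenced input could contain a pipe, and an unescaped pipe in the header would shift the Name and Severity fields that downstream correlation rules key on.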