Importing Syslog Messages
Many third-party devices use the syslog format for logging. The Log Server Dedicated Check Point server that runs Check Point software to store and process logs. reformats the raw data to the Check Point log format to process third-party syslog messages.
The Log Server uses a syslog parser to convert syslog messages to the Check Point log format.
To import syslog messages, define your own syslog parser and install it on the Log Server.
SmartEvent can take the reformatted logs and convert them into security events.
Generating a Syslog Parser and Importing syslog Messages
To import syslog messages from products and vendors that are not supported out-of-the-box, see sk55020. This shows you how to:
-
Import some sample syslog messages to the Log Parsing Editor.
-
Define the mapping between syslog fields and the Check Point log fields.
-
Install the syslog parser on the Log Server.
After you imported the syslog messages to the Log Server, you can see them in SmartConsole Check Point GUI application used to manage a Check Point environment - configure Security Policies, configure devices, monitor products and events, install updates, and so on., in the Logs & Monitor > Logs tab.
Note - Make sure that Access Control rules allow ELA traffic between the Syslog computer and the Log Server.
Configuring SmartEvent to Read Imported Syslog Messages
After you imported the syslog messages to the Log Server, you can forward them to SmartEvent Server Dedicated Check Point server with the enabled SmartEvent Software Blade that hosts the events database. (and other OPSEC LEA clients), as other Check Point logs. SmartEvent converts the syslog messages into security events.
To configure the SmartEvent Server to read logs from this Log Server:
-
Configure SmartEvent to read logs from the Log Server.
-
In SmartEvent or in the SmartConsole event Record of a security or network incident that is based on one or more logs, and on a customizable set of rules that are defined in the Event Policy. views, make a query to filter by the Product Name field. This field uniquely identifies the events that are created from the syslog messages.