Log Exporter - Appendix

Special Log Fields

Field	Description
loguid	Log Unification ID. Some Check Point logs are updated over time. Updated logs have the same Log UID value. Check Point SmartLog client correlates those updates into a single unified log. When the update logs are sent to 3rd party servers, they arrive as distinct logs. Administrators can use the "`loguid`" field to correlate updated logs and get the full event Record of a security or network incident that is based on one or more logs, and on a customizable set of rules that are defined in the Event Policy. chain. Note - Log Exporter's new semi-unified mode correlates all previous logs into one, so the latest log always shows the complete data. Examples of updated logs: The total amount of bytes sent and received over time. The severity field which is updated over time as more information becomes available.
hll_key	High Level Log Key. This concept was introduced in R80.10. Multiple connection logs can comprise one session with one shared HLL Key. For example, when you browse to a webpage, the Security Gateway Dedicated Check Point server that runs Check Point software to inspect traffic and enforce Security Policies for connected network resources. may generate multiple connection logs which are related to the same session. Connection logs which are part of the same session share the same "`hll_key`" value.

Field

Description

loguid

Log Unification ID.

Some Check Point logs are updated over time.

Updated logs have the same Log UID value.

Check Point SmartLog client correlates those updates into a single unified log.

When the update logs are sent to 3rd party servers, they arrive as distinct logs.

Administrators can use the "loguid" field to correlate updated logs and get the full event Record of a security or network incident that is based on one or more logs, and on a customizable set of rules that are defined in the Event Policy. chain.

Note - Log Exporter's new semi-unified mode correlates all previous logs into one, so the latest log always shows the complete data.

Examples of updated logs:

The total amount of bytes sent and received over time.
The severity field which is updated over time as more information becomes available.

hll_key

High Level Log Key.

This concept was introduced in R80.10.

Multiple connection logs can comprise one session with one shared HLL Key.

For example, when you browse to a webpage, the Security Gateway Dedicated Check Point server that runs Check Point software to inspect traffic and enforce Security Policies for connected network resources. may generate multiple connection logs which are related to the same session.

Connection logs which are part of the same session share the same "hll_key" value.

Syslog-NG Listener Configuration

We recommend you use the syslog-protocol flag when you configure a source on a Syslog NG server.

For example:

source s_network { network(transport("tcp") port(514) flags(syslog-protocol) ); };

Splunk Listener Configuration

We recommend that you add these time settings to your "sourcetype":

TIME_FORMAT = %s
TIME_PREFIX = time=
MAX_TIMESTAMP_LOOKAHEAD = 15

ArcSight Listener Configuration

The Log Exporter solution does not work with the OPSEC LEA connector. Instead, you must install the ArcSight Syslog-NG connector.

ArcSight Common Event Format (CEF) Mapping

CEF is an extensible, text-based format that supports multiple device types by offering the most relevant information. Message syntax is reduced to work with ESM normalization. Specifically, CEF defines a syntax for log records comprised of a standard header and a variable extension, formatted as key-value pairs. The CEF format can be used with on-premises devices by implementing the ArcSight Syslog SmartConnector. CEF can also be used by cloud-based service providers by implementing the SmartConnector for ArcSight Common Event Format REST.

CEF Header Format

Item	Version	Device Vendor	Device Product	Device Version	Device Event Class ID	Name	Severity
Default	CEF:0	Check Point	Log Update	Check Point	Log	Log	0
Values	-	-	Product Name (Blade)	-	Attack Name Protection Type Verdict Matched Category DLP Data Type Classification of data in a Check Point Security Policy for the Content Awareness Software Blade. Application Category Application Properties	Protection Name Application Name Message Info Service ID Service	Application Risk Risk Severity

Item

Version

Device Vendor

Device Product

Device Version

Device Event Class ID

Name

Severity

Default

CEF:0

Check Point

Log Update

Check Point

Log

Values

Product Name (Blade)

Attack Name
Protection Type
Verdict
Matched Category
DLP Data Type Classification of data in a Check Point Security Policy for the Content Awareness Software Blade.
Application Category
Application Properties

Protection Name
Application Name
Message Info
Service ID
Service

Application Risk
Risk
Severity

QRadar Log Event Extended Format (LEEF) Mapping

The LEEF is a customized event format for IBM Security QRadar.

LEEF Header Format

Item	LEEF Version	Vendor	Product	Version	EventID
Default	LEEF:2.0	Check Point	Log Update	1.0	Check Point Log
Values	-	-	Product Name (Blade)	-	Protection Name Application Name Action

Note - The time format is not compliant with the official LEEF format.

As there is currently no Epoch time format, Log Exporter with LEEF format is only partially supported.