Configuring Log Exporter in SmartConsole

Starting in R81, you can configure a Log Exporter directly from SmartConsoleClosed Check Point GUI application used to manage a Check Point environment - configure Security Policies, configure devices, monitor products and events, install updates, and so on. and link it to the relevant Log Servers.

Procedure:

    1. From the top, click ObjectsMore object types > Server > Log Exporter/SIEM.

    2. In the Object Name field, enter the applicable name for the new Log Exporter.

    3. From the left, click the General page:

      1. In the Export Configuration section, select Enabled.

      2. In the Server Configuration section:

        • In the Target Server field - Starting from R81 SmartConsole Build 569, you can enter the target server's IPv4 address or FQDN. Prior to this release, you could only enter the IPv4 address of the destination server.

        • In the Target Port field, enter the number of the listening port on the destination server

        • In the Protocol field, select the applicable protocol - UDP (default) or TCP

    4. From the left, click the Data Manipulation page:

      1. In the Format field, select the applicable format for the exported logs:

        • Syslog (default)

        • Common Event Format (CEF)

        • Log Event Extended Format (LEEF)

        • Generic

        • Splunk

        • LogRhythm

        • Json

      2. Optional: Select Aggregate log updates before export to export all logs with the full data.

        By default, update logs contain the data that was changed compared to the last log for the same eventClosed Record of a security or network incident that is based on one or more logs, and on a customizable set of rules that are defined in the Event Policy..

    5. From the left, click the Attachments page:

      Log Exporter does not include attachments by default.

      Optional: Select the applicable options to configure the log attachments:

      • Add link to Log Details in SmartView

      • Add link to Log Attachment in SmartView

      • Add Log Attachment ID

    6. Click OK.

    1. From the left navigation panel, click Gateways & Servers.

    2. Open the Management ServerClosed Check Point Single-Domain Security Management Server or a Multi-Domain Security Management Server. or Dedicated Log ServerClosed Dedicated Check Point server that runs Check Point software to store and process logs. / SmartEvent ServerClosed Dedicated Check Point server with the enabled SmartEvent Software Blade that hosts the events database. object.

    3. From the left tree, click Logs > Export.

    4. Click [+] and select the Log Exporter / SIEM object you configured earlier.

    5. Click OK.

    1. From the top, click Menu > Install database.

    2. Select all objects.

    3. Click Install.

    Important in a Multi-Domain Server environment - If you configured Log Exporter object(s) in the Global Domain and assigned Global Policy, you must install the database in SmartConsole connected to the applicable Domain Management Server.

After you upgrade a Management Server / Log Server / SmartEvent Server to a new version, you must:

  1. Connect to the command line on the Management Server / Log Server / SmartEvent Server configured with Log Exporter.

  2. Log in to the Expert mode.

  3. Restore the Log Exporter configuration as described in sk127653.

  4. Reconfigure the Log Exporter:

    cp_log_export reconf

  5. Restart the Log Exporter:

    cp_log_export restart

  6. In SmartConsole, click Menu > Install database > select all objects > click Install.

Notes:

  • An existing Log Exporter configured in a previous version retains its configuration, but does not show in SmartConsole unless it is reconfigured.

  • If you configure a Log Exporter object in SmartConsole with the same name as an existing Log Exporter configured in a previous version, the new Log Exporter overrides the existing exporter configuration (other than filtering and TLS configurations).