Edited this post as your screen caps weren't showing up for me. I'm removing some of your screen caps from this thread as they show IPs (even if not yours). It appears that the s_port values are included in the payload, but they are not parsing and seem to be listed as 0 in the user interface, while all other values seem to populate.
1. Confirm your Check Point DSM version (yum info DSM-CheckPoint* or rpm -qa | grep -i checkpoint)
2. Get a sample of events and scrub them to remove any sensitive data. You can export Full Columns as XML, then edit to remove any sensitive info. In the Log Activity tab, filter by Check Point or Source Port is 0, then select Action > Export to CSV or Export to XML > Full Export(All Columns).
3. Open a case, include your Check Point version and attach the export.
Your payload is wrapped in square brackets and I think you likely want to open a support case to allow us to replay and confirm the issue.
--- NOTE ---
I'm adding a comment and striking out this text as the forums were not displaying your attached images to me. As the payloads are clearly Syslog (not LEEF), I'd open a support case on this issue to determine why the official DSM is not parsing the port values.
If you set the user interface to Display: Raw or double-click on an event, you can view the full payload and see if it matches the core documentation.
Can you confirm your Check Point version? Or include a sample payload?
Syslog payloads use values like: s_port: 12345
Log Exporter (LEEF) would have a payload: srcPort=12345
If you are on a newer Check Point version, you might use the LEEF (Log Exporter) tool as that is the latest format. Without a sample event, it is hard to determine the root cause, but this is something you could ask for help with in a Support Case, if you do not want to post a sample event.
If you can provide more info on your version and whether the payload value is s_port: or srcPort=, then we could look to see if the issue has been logged or is unknown and advise on what you can do. This issue is something you could fix in the DSM Editor yourself, but if you are on a newer version of Check Point and we can confirm the event type, it might be something we should review and fix.
However, I think we need more info to confirm the issue or you should export some sample events and open a case.
--- reference info ---
------------------------------
Jonathan Pechta
QRadar Support Content Lead
Support forums: ibm.biz/qradarforums
jonathan.pechta1@ibm.com
------------------------------
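As an added example (not code from the thread, from IBM, or from the Check Point DSM), the following Python parser shows the two payload shapes described in the reply above, with one single-capture-group regex per port of the kind you would enter as a DSM Editor property override for Source Port and Destination Port. The sample payloads are constructed for this example using RFC 5737 documentation addresses; treating the syslog-style `service:` field as the destination port and `dstPort=` as the LEEF destination-port key are assumptions not stated in the thread.

```python
import re

# Constructed sample payloads for this example only (not taken from the thread).
# IPs are RFC 5737 documentation addresses. The syslog-style one mimics the
# "s_port: 12345" key/value shape, wrapped in square brackets as the poster's
# payload was; the LEEF one uses the "srcPort=12345" shape. Treating "service:"
# as the destination port and "dstPort=" as the LEEF destination-port key are
# assumptions, not facts stated in the thread.
SYSLOG_SAMPLE = (
    "<134>Feb 14 12:32:00 cp-gw "
    "[action: Accept; src: 192.0.2.10; s_port: 51234; dst: 198.51.100.20; "
    "service: 443; proto: tcp; product: VPN-1 & FireWall-1]"
)
LEEF_SAMPLE = (
    "<134>Feb 14 12:32:00 cp-gw LEEF:2.0|Check Point|VPN-1 & FireWall-1|1.0|Accept|"
    "src=192.0.2.10\tsrcPort=51234\tdst=198.51.100.20\tdstPort=443\tproto=tcp"
)

# Each expression has exactly one capture group, which is the shape a DSM
# Editor property override expects (regex plus capture group number 1).
SYSLOG_SRC_PORT = re.compile(r"\bs_port:\s*(\d{1,5})\b")
SYSLOG_DST_PORT = re.compile(r"\bservice:\s*(\d{1,5})\b")  # numeric only; "http" stays unparsed
LEEF_SRC_PORT = re.compile(r"\bsrcPort=(\d{1,5})\b")
LEEF_DST_PORT = re.compile(r"\bdstPort=(\d{1,5})\b")
LEEF_MARKER = re.compile(r"\bLEEF:\d")


def _port(match):
    """Turn a regex match into an int port, or None if absent or out of range.

    None (rather than 0) is returned so a caller can tell "not parsed" apart
    from a genuine port 0, a distinction the QRadar UI loses when it shows 0.
    """
    if match is None:
        return None
    value = int(match.group(1))
    return value if 0 <= value <= 65535 else None


def extract_ports(payload):
    """Return {"format", "src_port", "dst_port"} for one raw event payload."""
    if LEEF_MARKER.search(payload):
        return {
            "format": "leef",
            "src_port": _port(LEEF_SRC_PORT.search(payload)),
            "dst_port": _port(LEEF_DST_PORT.search(payload)),
        }
    return {
        "format": "syslog",
        "src_port": _port(SYSLOG_SRC_PORT.search(payload)),
        "dst_port": _port(SYSLOG_DST_PORT.search(payload)),
    }


def find_unparsed(payloads):
    """Indexes of payloads whose source port did not parse: the events worth
    exporting (after scrubbing) and attaching to a support case."""
    return [i for i, p in enumerate(payloads) if extract_ports(p)["src_port"] is None]


if __name__ == "__main__":
    for sample in (SYSLOG_SAMPLE, LEEF_SAMPLE):
        print(extract_ports(sample))
```

Run it over the scrubbed payloads from a Full Export before opening a case: if the regexes here match but the DSM still shows 0, the problem is in the DSM's own mapping rather than in the payload, which is exactly the information support needs.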
Original Message:
Sent: Tue February 14, 2023 12:32 PM
From: Hung Duong
Subject: Qradar not find source port and destination port on log activity
Hi Arunkumar,
I have updated the Check Point DSM and QRadar now detects the Check Point log that was previously an unknown log.
But QRadar can't detect the source port or destination port even though both appear in the payload information.
What can I do so that QRadar can detect the source port and destination port?
Thanks a lot
------------------------------
Hung Duong
Original Message:
Sent: Tue February 14, 2023 06:47 AM
From: Arunkumar R
Subject: Qradar not find source port and destination port on log activity
Hi Hung,
It seems to be a parsing issue; check that you have updated to the latest DSM for Check Point.
If you are up to date, then you can do it manually using the DSM Editor.
------------------------------
Arunkumar R
Original Message:
Sent: Tue February 14, 2023 04:03 AM
From: Hung Duong
Subject: Qradar not find source port and destination port on log activity
Hello everyone,
I configured Check Point syslog to QRadar, but I can't find the fields source port, destination port, and username.
Please tell me if you know.
Thanks a lot
------------------------------
Hung Duong
------------------------------