Thanks Shannon,
there used to be two ways to get the IP from an event a few years ago (extracted from logs or sender's IP). It's a good thing they also added the IP from the hostname field in the header when it's configured that way, but most of the time it's a textual hostname we see. Even in the syslog RFC 5424 standard, FQDN is prioritized before the static IP in the header. (https://tools.ietf.org/html/rfc5424#page-13)
@Rahul,
please update your post; I want to know if you still have problems with your checkpoint logs. If you still have issues extracting your IP, it could also be the log format. Have you followed the DSM guide procedure for your checkpoint appliance syslog configuration?
ftp://ftp.software.ibm.com/software/security/products/qradar/documents/iTeam_addendum/b_dsm_guide.pdf
Regards,
------------------------------
Anthony Gayadeen
Analyst
Videotron
Montreal QC
------------------------------
Original Message:
Sent: Wed July 03, 2019 08:51 AM
From: SHANNON TOMPKINS
Subject: Source and Destination IP coming are same in the log activity.
Hi, Rahul -
Just in case you may not have seen this, here is the IBM Support article documenting the ways QRadar determines the source and destination IP addresses per Anthony's #2 response above:
https://www-01.ibm.com/support/docview.wss?uid=swg21622450
Thanks!
Shannon
------------------------------
SHANNON TOMPKINS
Original Message:
Sent: Tue July 02, 2019 12:41 PM
From: Anthony Gayadeen
Subject: Source and Destination IP coming are same in the log activity.
Hi Rahul,
the IPs in our checkpoint logs are correctly extracted, but we have the latest dsm.
1. Do you have the latest checkpoint dsm? If not, I suggest updating it.
a) check your dsm version in cli: # rpm -qa | grep -i dsm-checkpoint
b) compare with the latest version available on fix-central (which is 7.3.0-QRADAR-DSM-CheckPoint-7.3-20190321195643.noarch.rpm at the moment)
Fix central Reference:
https://www-945.ibm.com/support/fixcentral/swg/selectFixes?product=ibm%2FOther+software%2FIBM+Security+QRadar+SIEM&fixids=7.3.0-QRADAR-DSM-CheckPoint-7.3-20190321195643.noarch.rpm&source=dbluesearch&function=fixId&parent=IBM%20Security
2. If the parsing is unable to extract the IPs from the logs, by default QRadar will put the IP of the system sending the logs in both the destination and source fields. This is the normal behaviour of the system.
Regards,
Anthony
------------------------------
Anthony Gayadeen
Analyst
Videotron
Montreal QC
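A small model of the two points made in this thread: the fallback Anthony describes in #2 (when the payload yields no source/destination, the sender's IP lands in both fields) and the RFC 5424 HOSTNAME field ordering from his later reply. This is an added example, not QRadar's code or the Check Point DSM: the key=value field names (src, dst), the regexes and the sample events are constructed.

```python
import ipaddress
import re

# RFC 5424 header: <PRI>VERSION TIMESTAMP HOSTNAME APP-NAME PROCID MSGID, then SD/MSG.
RFC5424 = re.compile(
    r"^<\d{1,3}>\d+ (?P<ts>\S+) (?P<host>\S+) (?P<app>\S+) (?P<proc>\S+) (?P<msgid>\S+) (?P<rest>.*)$",
    re.DOTALL,
)
# Constructed key=value payload grammar; the real DSM's parsing rules are not modelled here.
KV = re.compile(r"\b(\w+)=(\S+)")

def hostname_kind(raw):
    """Classify the HOSTNAME field of an RFC 5424 header: 'ip', 'fqdn', 'hostname' or 'nil'.
    RFC 5424 prefers FQDN over a static IP, so 'fqdn' is what a collector usually sees."""
    m = RFC5424.match(raw)
    if not m:
        return None
    host = m.group("host")
    if host == "-":
        return "nil"
    try:
        ipaddress.ip_address(host)
        return "ip"
    except ValueError:
        return "fqdn" if "." in host else "hostname"

def resolve_ips(raw, sender_ip, src_key="src", dst_key="dst"):
    """Return (source, destination, fell_back) the way the thread describes QRadar's
    behaviour: parsed IPs when the payload yields both, otherwise the sender's IP in both."""
    m = RFC5424.match(raw)
    body = m.group("rest") if m else raw
    fields = dict(KV.findall(body))
    src, dst = fields.get(src_key), fields.get(dst_key)
    if src is None or dst is None:
        return sender_ip, sender_ip, True
    return src, dst, False

def find_fallback_events(events):
    """Flag events whose source and destination both equal the sender IP, the symptom Rahul
    reports: a quick check that the parser (or DSM version) is not handling the log format."""
    return [raw for raw, sender in events if resolve_ips(raw, sender)[2]]

# Constructed sample events: one in the expected key=value form, one with different key names.
SENDER = "203.0.113.10"
GOOD = "<134>1 2019-06-28T06:36:00Z fw1.example.com CheckPoint - - - src=10.0.0.5 dst=192.168.1.20 action=accept"
BAD = "<134>1 2019-06-28T06:36:00Z fw1.example.com CheckPoint - - - source_ip=10.0.0.5 destination_ip=192.168.1.20"

if __name__ == "__main__":
    print(find_fallback_events([(GOOD, SENDER), (BAD, SENDER)]))
```

Running the check over a sample of events from the affected log source tells you whether every event, or only some formats, is hitting the fallback before you compare DSM versions.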
Original Message:
Sent: Fri June 28, 2019 06:36 AM
From: Rahul Gupta
Subject: Source and Destination IP coming are same in the log activity.
Dear All,
While checking logs from checkpoint it has been observed that the source and destination IPs in the log activity are coming as the same IP.
This IP (the same for both source and destination) is different from the IPs in the raw logs, which are mentioned in the payload as source and destination.
Also, when checked in the DSM editor, we see parsing being done and the IPs which are mentioned in the payload are being parsed. However, these IPs are not reflected in the log activity, which shows a different IP which is identical for both the source and destination fields.
Looking for understanding:
1. Why is the IP the same in the source and destination fields in log activity?
2. Why is this IP different from the source and destination mentioned in the payload?
Are we missing something?
Thanks
------------------------------
Thanks and Regards
Rahul Gupta
------------------------------