Hi,
Thanks for the help. I have applied it and I can see it's parsing a lot of the logs compared to before, but I still see logs not being parsed for firewall accept; see the example below.
It's not parsing and mapping this:
<158>xxxxxxx admin: 23:58:50 5 13486578715268489418 16 accept 192.168.50.3 > eth1-01 LogId: 352; ContextNum: <max_null>; OriginSicName: CN=MainOne_EXT_VSX_GW02_MainOne_Perimeter_VS,O=xxxxxx.kyyqyx; duration: 3:00:00; last_hit_time: 4Nov2020 20:58:50; update_count: 2; creation_time: 4Nov2020 20:58:50; connection_count: 1; aggregated_log_count: 1; src: xxx.107.xxx.179; dst: xxx.13x.x; proto: tcp; user: ; src_user_name: ; src_machine_name: ; src_user_dn: ; snid: ; dst_user_name: ; dst_machine_name: ; dst_user_dn: ; service_id: TCP_All_SourcePort; inzone: External; outzone: Local; UP_match_table: TABLE_START; ROW_START: 0; match_id: 19; layer_uuid: xxxxxxxxxxxxxxxxxxxxxxxx; layer_name: PERIMETER-VS-POLICY Network; rule_uid: 1xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx ; rule_name: Stealth Rule; ROW_END: 0; ROW_START: 1; match_id: 33554445; layer_uuid:xxxxxxxxxxxxxxxxxxx; layer_name: AppControl&UrlFiltering; rule_uid: xxxxxxxxxxxxxxxxx; rule_name: Cleanup rule; R
This one above is a whole lot: over 21,000 events in 15 min, compared to the ones parsed, which is over 1500.
But it is parsing and mapping this:
<158>xxxxxxx admin: 23:59:00 5 N/A 279 accept 172.21.23.9 > bond1.3013 LogId: 0; ContextNum: <max_null>; OriginSicName: CN=MainOne_VSX_GW02_MainOne_DC_VS,O=xxxxxxxxx; inzone: Internal; outzone: Internal; service_id: echo-request; ICMP: Echo Request; src: xxxxxx; dst: xxxxxxxxxx; proto: icmp; ICMP Type: 8; ICMP Code: 0; UP_match_table: TABLE_START; ROW_START: 0; match_id: 0; layer_uuid: xxxxxxxxxxxxxxxxxxxxxxxxxxxx; layer_name: Network; rule_uid: xxxxxxxxxxxxxxxxxxxxx; rule_name: Implied Rule ; ROW_END: 0; UP_match_table: TABLE_END; src_user_name: Fidelity Model (
xxxxxxxxxxl@fidelitybank.ng)(+)Abdul-Fxxxxxx(
xxxx@fidelitybank.ng); src_machine_name:
dr-newonlinbken@fidelitybank.ng; ProductName: VPN-1 & FireWall-1; ProductFamily: Network;
------------------------------
Chibuzo Arukwe
------------------------------
Original Message:
Sent: Wed November 04, 2020 08:57 AM
From: T R
Subject: qradar not parsing and mapping checkpoint logs using syslog
When we moved to Check Point DSM over syslog, I had to change some of the properties used for mapping:
Event Category
Expression Type: LEEF
Expression: $product$
Event ID
Expression Type: LEEF
Expression: $eventid$
LEEF Event ID
Expression Type: LEEF
Expression: $eventid$
------------------------------
T
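The two payload shapes quoted in the reply above (the raw "key: value;" Check Point syslog format, one sample of which is cut off mid-field and ends in a lone "R") and the LEEF-type custom property expressions in this message ($product$, $eventid$), as an added Python example; it is not from the thread, from IBM or from Check Point. It parses the raw format into header fields, flat fields and the rows of the UP_match_table block, flags a payload that stops mid-field or mid-row, and shows what a LEEF-type expression can resolve: the Product and EventID fields of a LEEF 1.0 header, and nothing from a raw payload that carries no LEEF header. The hosts, addresses and identifiers in the samples are constructed, and the mapping of $product$ and $eventid$ onto the LEEF header's Product and EventID fields is my assumption.

```python
import re
from typing import Dict, List, Optional

# Constructed samples modelled on the two payload shapes quoted in the thread.
# Hosts, addresses and identifiers are made up; none of this is the poster's data.
RAW_TCP_TRUNCATED = (
    "<158>fw-vs02 admin: 23:58:50 5 13486578715268489418 16 accept 192.0.2.3 > eth1-01 "
    "LogId: 352; ContextNum: <max_null>; OriginSicName: CN=example_gw,O=example.abcd; "
    "duration: 3:00:00; src: 198.51.100.17; dst: 203.0.113.9; proto: tcp; user: ; "
    "service_id: TCP_All_SourcePort; inzone: External; outzone: Local; "
    "UP_match_table: TABLE_START; ROW_START: 0; match_id: 19; layer_name: PERIMETER-VS-POLICY Network; "
    "rule_name: Stealth Rule; ROW_END: 0; ROW_START: 1; match_id: 33554445; "
    "layer_name: AppControl&UrlFiltering; rule_name: Cleanup rule; R"
)
RAW_ICMP = (
    "<158>fw-vs02 admin: 23:59:00 5 N/A 279 accept 172.21.23.9 > bond1.3013 "
    "LogId: 0; ContextNum: <max_null>; inzone: Internal; outzone: Internal; "
    "service_id: echo-request; ICMP: Echo Request; src: 172.21.23.9; dst: 172.21.23.1; "
    "proto: icmp; ICMP Type: 8; ICMP Code: 0; UP_match_table: TABLE_START; ROW_START: 0; "
    "match_id: 0; layer_name: Network; rule_name: Implied Rule ; ROW_END: 0; "
    "UP_match_table: TABLE_END; ProductName: VPN-1 & FireWall-1; ProductFamily: Network;"
)
# LEEF 1.0: pipe-delimited header, then tab-delimited key=value attributes.
LEEF_ICMP = (
    "<158>fw-vs02 LEEF:1.0|Check Point|VPN-1 & FireWall-1|1.0|accept|"
    "src=172.21.23.9\tdst=172.21.23.1\tproto=icmp"
)

# Raw header: PRI, host, "admin:", time, severity, log uid, a counter, the
# action, the originating address, "> interface", then the semicolon body.
RAW_HEADER_RE = re.compile(
    r"^<(?P<pri>\d+)>(?P<host>\S+)\s+(?P<tag>\S+?):\s+(?P<time>\d\d:\d\d:\d\d)\s+"
    r"(?P<severity>\S+)\s+(?P<loguid>\S+)\s+(?P<counter>\S+)\s+(?P<action>\w+)\s+"
    r"(?P<origin>\S+)\s+>\s+(?P<interface>\S+)\s+(?P<body>.*)$"
)
# LEEF header: LEEF:<version>|Vendor|Product|Version|EventID|
LEEF_HEADER_RE = re.compile(
    r"LEEF:(?P<version>\d+\.\d+)\|(?P<vendor>[^|]*)\|(?P<product>[^|]*)\|"
    r"(?P<product_version>[^|]*)\|(?P<eventid>[^|]*)\|"
)


def parse_checkpoint_syslog(payload: str) -> Optional[Dict]:
    """Parse the raw 'key: value;' format; None if the raw header is absent.
    UP_match_table is unpacked into one row per matched rule layer, and
    'truncated' is set when the payload stops mid-field or mid-row."""
    m = RAW_HEADER_RE.match(payload)
    if m is None:
        return None
    fields: Dict[str, str] = {}
    rows: List[Dict[str, str]] = []
    current: Optional[Dict[str, str]] = None
    truncated = False
    for part in (p.strip() for p in m.group("body").split(";")):
        if not part:
            continue
        if ":" not in part:           # dangling fragment such as a lone "R"
            truncated = True
            fields["_fragment"] = part
            continue
        key, _, value = part.partition(":")  # values may contain ':' (duration)
        key, value = key.strip(), value.strip()
        if key == "UP_match_table":   # TABLE_START / TABLE_END markers
            continue
        if key == "ROW_START":
            current = {}
            continue
        if key == "ROW_END":
            if current is not None:
                rows.append(current)
            current = None
            continue
        if current is not None:
            current[key] = value
        else:
            fields[key] = value
    if current is not None:           # table cut off before its ROW_END
        rows.append(current)
        truncated = True
    return {
        "host": m.group("host"), "time": m.group("time"), "action": m.group("action"),
        "origin": m.group("origin"), "interface": m.group("interface"),
        "fields": fields, "rows": rows, "truncated": truncated,
    }


def resolve_leef_expressions(payload: str) -> Dict[str, Optional[str]]:
    """What a LEEF-type expression can see: header fields of a LEEF record, and
    nothing on a payload with no LEEF header (assumption: $product$ and
    $eventid$ name the Product and EventID header fields)."""
    m = LEEF_HEADER_RE.search(payload)
    if m is None:
        return {"$product$": None, "$eventid$": None}
    return {"$product$": m.group("product"), "$eventid$": m.group("eventid")}


if __name__ == "__main__":
    for sample in (RAW_TCP_TRUNCATED, RAW_ICMP, LEEF_ICMP):
        print(parse_checkpoint_syslog(sample), resolve_leef_expressions(sample))
```

Run against the two raw samples, the parser returns the same src/dst/proto/rule fields for both, so the field layout itself is not what separates the accepted from the rejected events; what differs is that the first sample is cut off (the trailing "R" and the unclosed row are reported through `truncated`), which is the first thing to check on the unparsed ~21,000 events. On the LEEF sample the raw parser returns None and the LEEF expressions resolve; on the raw samples the reverse holds, which is why LEEF-type expressions yield nothing for payloads in the raw format.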
Original Message:
Sent: Tue November 03, 2020 10:02 AM
From: Chibuzo Arukwe
Subject: qradar not parsing and mapping checkpoint logs using syslog
Good day People,
I am having this challenge with the logs I am getting from Checkpoint to my SIEM (QRadar) after integrating them using syslog. OPSEC/LEA has already been used for our secondary site, and we can't pull the certificate twice where you have two SMS servers for Checkpoint (Production and DR).
So I decided to use syslog, configuring it following the DSM guide at the link below. But it's not parsing and mapping the logs in the payload, which has all the details.
Does anyone know how I can deal with this?
https://www.ibm.com/support/knowledgecenter/SS42VS_DSM/com.ibm.dsm.doc/t_DSM_guide_Checkpoint_LEEF_payloads.html
------------------------------
Chibuzo Arukwe
------------------------------