IBM Security QRadar

  • 1.  Receive log from Checkpoint

    Posted Fri September 27, 2019 03:41 AM
    Edited by MAC Strater Fri September 27, 2019 03:43 AM
    Hi Guys,
    I have two options for receiving logs from Check Point (R80.2 / "R8.2" as written): sending logs in syslog format or in LEEF format. I configured both options, but QRadar shows N/A status on the Log Source page. However, Log Activity shows "Unknown generic log event".

    Remark - I already restarted the service on Check Point, but it still doesn't work.

    Which one should be used for this case?

    ------------------------------
    MAC Strater
    ------------------------------


  • 2.  RE: Receive log from Checkpoint

    Posted Fri September 27, 2019 06:47 AM

    We use the OPSEC/LEA protocol for our logs.  Following the IBM guide (linked below) worked for us:

    https://www.ibm.com/support/knowledgecenter/en/SS42VS_DSM/com.ibm.dsm.doc/c_DSM_guide_Checkpoint_firewall1_intro.html?cp=SS42VS_7.3.2#c_dsm_guide_checkpoint_firewall1_intro



    ------------------------------
    T
    ------------------------------



  • 3.  RE: Receive log from Checkpoint

    Posted Mon September 30, 2019 07:38 AM
    It does work for me.
    Thank you!

    Another way: I found this article, "https://www.ibm.com/support/pages/troubleshooting-check-point-syslog-leef-events-log-exporter-cplogexport-utility". You can send syslog using LEEF format, but you also need to edit an XML file on Check Point. Plain syslog (e.g. firewall accept/reject) can be read! At the same time, complex syslog still can't be read.

    ------------------------------
    MAC Strater
    ------------------------------
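The post above reports that LEEF events from the Check Point Log Exporter parse for simple firewall accept/drop events but not for more complex ones, and that QRadar otherwise falls back to "Unknown generic log event". Before touching the log source, it helps to check on the collector side whether each syslog line actually carries a well-formed LEEF header and attribute list. The following is an added example, not code from the thread, IBM or Check Point: a small LEEF 1.0/2.0 parser run over constructed sample lines (the hostnames, addresses and field values are made up, and the `triage` helper is an assumption of this example, not a QRadar feature). It follows the published LEEF layout: `LEEF:version|Vendor|Product|Version|EventID|` followed by tab-delimited attributes for 1.0, with 2.0 adding a delimiter field (literal character, `xHH` hex form, or blank for the tab default) before the attributes.

```python
import re
from typing import Optional

# Constructed sample syslog lines (not captured from a real gateway).
SAMPLE_EVENTS = [
    # LEEF 1.0: attributes are tab-delimited
    "<134>Sep 27 03:41:00 cp-gw LEEF:1.0|Check Point|VPN-1 & FireWall-1|1.0|Accept|"
    "src=10.0.0.5\tdst=10.0.0.9\tproto=tcp\tdstPort=443",
    # LEEF 2.0: the fifth header field names the attribute delimiter
    "<134>Sep 27 03:41:01 cp-gw LEEF:2.0|Check Point|VPN-1 & FireWall-1|1.0|Drop|^|"
    "src=10.0.0.7^dst=10.0.0.9^proto=udp^dstPort=53",
    # LEEF 2.0 with the delimiter given in hex (x09 = tab)
    "<134>Sep 27 03:41:02 cp-gw LEEF:2.0|Check Point|VPN-1 & FireWall-1|1.0|Accept|x09|"
    "src=10.0.0.8\tdst=10.0.0.9\tproto=tcp\tdstPort=22",
    # Plain syslog from the same host with no LEEF header: nothing to map,
    # which is the kind of line a SIEM files as a generic/unknown event
    "<134>Sep 27 03:41:03 cp-gw free text line with no LEEF header",
]

_HEADER = re.compile(r"LEEF:(\d\.\d)\|")


def parse_leef(line: str) -> Optional[dict]:
    """Return the parsed LEEF record, or None if the line is not well-formed LEEF."""
    m = _HEADER.search(line)
    if not m:
        return None
    version = m.group(1)
    body = line[m.end():]

    if version == "1.0":
        parts = body.split("|", 4)
        if len(parts) != 5:
            return None
        vendor, product, pver, event_id, attrs = parts
        delim = "\t"
    elif version == "2.0":
        parts = body.split("|", 5)
        if len(parts) != 6:
            return None
        vendor, product, pver, event_id, delim, attrs = parts
        if re.fullmatch(r"x[0-9A-Fa-f]{2}", delim):
            delim = chr(int(delim[1:], 16))   # hex form, e.g. x09 for tab
        elif delim == "":
            delim = "\t"                      # blank delimiter field: tab is the default
        if len(delim) != 1:
            return None
    else:
        return None

    attributes = {}
    for pair in attrs.split(delim):
        if not pair:
            continue
        if "=" not in pair:
            return None                       # a bare token means a broken attribute list
        key, value = pair.split("=", 1)
        attributes[key] = value

    return {
        "version": version,
        "vendor": vendor,
        "product": product,
        "product_version": pver,
        "event_id": event_id,
        "attributes": attributes,
    }


def triage(lines) -> dict:
    """Count how many lines would parse as LEEF and how many would fall through as unknown."""
    counts = {"leef": 0, "unparsed": 0}
    for line in lines:
        counts["leef" if parse_leef(line) else "unparsed"] += 1
    return counts


if __name__ == "__main__":
    for line in SAMPLE_EVENTS:
        rec = parse_leef(line)
        print("OK  " if rec else "FAIL", line[:60])
    print(triage(SAMPLE_EVENTS))
```

Feeding real exporter output (for example a capture of what the gateway sends on UDP/TCP 514) through `triage` separates two different problems: lines that are not LEEF at all point at the Log Exporter format configuration, while lines that parse here but still show up as unknown in QRadar point at the DSM mapping for that event type.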



  • 4.  RE: Receive log from Checkpoint

    Posted Mon October 07, 2019 09:01 AM
    Edited by Stefan Lindén Sat October 12, 2019 07:40 AM
    Interesting, I'm told by both IBM and Check Point that OPSEC/LEA is obsolete and we should use LEEF.
    I hope that the "out-of-the-box" support for Check Point LEEF will become more stable for not only the FW events, which work well, but also Check Point SmartDefense, URL Filtering, etc.

    ------------------------------
    Stefan
    ------------------------------