Skip to content

Log Exporter (Syslog)

Key Facts

  • As of 2/1/2022 The Log Exporter configuration provided by CheckPoint is defective and produces invalid data the configuration below is REQUIRED
  • MSG Format based filter
  • RFC5424 without frame use port 514 TCP
Ref Link
Splunk Add-on
Product Manual https://sc1.checkpoint.com/documents/App_for_Splunk/html_frameset.htm

Sourcetypes

sourcetype notes
cp_log:syslog None

Sourcetype and Index Configuration

key sourcetype index notes
checkpoint_syslog cp_log:syslog netops none

Source and Index Configuration

Checkpoint Software blades with CIM mapping have been sub-grouped into sources to allow routing to appropriate indexes. All other source meta data is left at default

key source index notes
checkpoint_syslog_dlp dlp netdlp none
checkpoint_syslog_email email email none
checkpoint_syslog_firewall firewall netfw none
checkpoint_syslog_sessions sessions netops none
checkpoint_syslog_web web netproxy none
checkpoint_syslog_audit audit netops none
checkpoint_syslog_endpoint endpoint netops none
checkpoint_syslog_network network netops
checkpoint_syslog_ids ids netids
checkpoint_syslog_ids_malware ids_malware netids

Source Configuration

  • Install the Splunk Add-on on the search head(s) for the user communities interested in this data source. If SC4S is exclusively used the addon is not required on the indexer.
  • Review and update the splunk_metadata.csv file and set the index and sourcetype as required for the data source.
  • To configure the valid syslog format in Checkpoint, follow the steps below
  • Go to the cp terminal
  • Enter expert command for login in expert mode
  • Enter cd $EXPORTERDIR
  • In this directory check targets if it’s empty then configure a new target for the logs with help of below command
  • cp_log_export add name target-server target-port protocol <(udp|tcp)> format <(syslog)|(cef)|(splunk)(generic)>
  • Then navigate to conf directory
  • Execute cp SyslogFormatDefinition.xml SplunkRecommendedFormatDefinition.xml
  • Open SplunkRecommendedFormatDefinition.xml in edit mode and modify the start_message_body,fields_separator,field_value_separator as shown below.
<start_message_body>[sc4s@2620 </start_message_body>

<fields_separator> </fields_separator>

<field_value_separator>=</field_value_separator>
  • Copy SplunkRecommendedFormatDefinition.xml into $EXPORTERDIR/targets//conf
  • Navigate to the configuration file $EXPORTERDIR/targets//targetConfiguration.xml and open it in edit mode.
  • Add the reference to the SplunkRecommendedFormatDefinition.xml under the key . For example, if $EXPORTERDIR=/opt/CPrt-R81/log_exporter, the absolute path will become: 
<formatHeaderFile>/opt/CPrt-R81/log_exporter/targets/<your_log_exporter>/conf/SplunkRecommendedFormatDefinition.xml</formatHeaderFile>

  • Restart cp_log_exporter by executing the command cp_log_export restart name

  • Warning: Make sure if you migrating to different format, the earlier format is disabled or else it would lead to data duplication.