Check Point module
editCheck Point module
editThis functionality is in beta and is subject to change. The design and code is less mature than official GA features and is being provided as-is with no warranties. Beta features are not subject to the support SLA of official GA features.
This is a module for Check Point firewall logs. It supports logs from the Log Exporter in the Syslog format.
To configure a Log Exporter, please refer to the documentation by Check Point.
Example below:
cp_log_export add name testdestination target-server 192.168.1.1 target-port 9001 protocol udp format syslog
The module that supports Check Point firewall logs sent in the CEF format requires the CEF module
The Check Point and ECS fields that are the same between both modules will be mapped to the same names for compability between modules, though not all fields are included in CEF. Please reference the supported fields in the CEF documentation.
Read the quick start to learn how to set up and run modules.
Compatibility
editThis module has been tested against Check Point Log Exporter on R80.X but should also work with R77.30.
Configure the module
editYou can further refine the behavior of the checkpoint
module by specifying
variable settings in the
modules.d/checkpoint.yml
file, or overriding settings at the command line.
Variable settings
editEach fileset has separate variable settings for configuring the behavior of the
module. If you don’t specify variable settings, the checkpoint
module uses
the defaults.
For more information, see Configure variable settings. Also see Override input settings.
When you specify a setting at the command line, remember to prefix the
setting with the module name, for example, checkpoint.firewall.var.paths
instead of firewall.var.paths
.
firewall
fileset settings
editExample config:
- module: checkpoint firewall: var.syslog_host: 0.0.0.0 var.syslog_port: 9001
-
var.paths
-
An array of glob-based paths that specify where to look for the log files. All
patterns supported by Go Glob
are also supported here. For example, you can use wildcards to fetch all files
from a predefined level of subdirectories:
/path/to/log/*/*.log
. This fetches all.log
files from the subfolders of/path/to/log
. It does not fetch log files from the/path/to/log
folder itself. If this setting is left empty, Filebeat will choose log paths based on your operating system. -
var.syslog_host
- The interface to listen to UDP based syslog traffic. Defaults to localhost. Set to 0.0.0.0 to bind to all available interfaces.
-
var.syslog_port
- The UDP port to listen for syslog traffic. Defaults to 9001.
Check Point devices
editThis module will parse Check Point Syslog data as documented in: Checkpoint Log Fields Description.
Check Point Syslog extensions are mapped as follows to ECS:
Check Point Fields | ECS Fields | |
---|---|---|
action |
event.action |
|
appi_name |
network.application |
|
app_risk |
event.risk_score |
|
app_rule_id |
rule.id |
|
app_rule_name |
rule.name |
|
bytes |
network.bytes |
|
categories |
rule.category |
|
client_inbound_interface |
observer.ingress.interface.name |
|
client_outbound_bytes |
source.bytes |
|
client_outbound_interface |
observer.egress.interface.name |
|
client_outbound_packets |
source.packets |
|
destination_dns_hostname |
destination.domain |
|
dlp_file_name |
file.name |
|
dns_message_type |
dns.type |
|
dns_type |
dns.question.type |
|
domain_name |
dns.question.name |
|
dst |
destination.ip |
|
dst_machine_name |
destination.domain |
|
dlp_rule_name |
rule.name |
|
dlp_rule_uid |
rule.uuid |
|
endpoint_ip |
observer.ip |
|
file_id |
file.inode |
|
file_type |
file.type |
|
file_name |
file.name |
|
file_size |
file.size |
|
file_md5 |
file.hash.md5 |
|
file_sha1 |
file.hash.sha1 |
|
file_sha256 |
file.hash.sha256 |
|
first_detection |
event.start |
|
from |
source.user.email |
|
ifdir |
network.direction |
|
industry_reference |
vulnerability.id |
|
inzone |
observer.ingress.zone |
|
last_detection |
event.end |
|
loguid |
event.id |
|
mac_destination_address |
destination.mac |
|
mac_source_address |
source.mac |
|
malware_action |
rule.description |
|
matched_category |
rule.category |
|
malware_rule_id |
rule.rule.id |
|
message |
message |
|
method |
http.request.method |
|
origin |
observer.name |
|
origin_ip |
observer.ip |
|
os_name |
host.os.name |
|
os_version |
host.os.version |
|
outzone |
observer.egress.zone |
|
packet_capture |
event.url |
|
packets |
network.packets |
|
parent_process_md5 |
process.parent.hash.md5 |
|
parent_process_name |
process.parent.name |
|
process_md5 |
process.hash.md5 |
|
process_name |
process.name |
|
product |
observer.product |
|
proto |
network.iana_number |
|
reason |
message |
|
received_bytes |
destination.bytes |
|
referrer |
http.request.referrer |
|
rule_name |
rule.name |
|
resource |
url.original |
|
s_port |
source.port |
|
security_inzone |
observer.ingress.zone |
|
security_outzone |
observer.egress.zone |
|
sent_bytes |
source.bytes |
|
sequencenum |
event.sequence |
|
service |
destination.port |
|
service_id |
network.application |
|
service_name |
destination.service.name |
|
server_outbound_packets |
destination.packets |
|
server_outbound_bytes |
destination.bytes |
|
severity |
event.severity |
|
smartdefense_profile |
rule.ruleset |
|
src |
source.ip |
|
src_machine_name |
source.domain |
|
src_user_group |
source.user.group.name |
|
start_time |
event.start |
|
status |
http.response.status_code |
|
tid |
dns.id |
|
time |
@timestamp |
|
to |
destination.user.email |
|
type |
observer.type |
|
update_version |
observer.version |
|
url |
url.original |
|
user_group |
group.name |
|
usercheck_incident_uid |
destination.user.id |
|
web_client_type |
user_agent.name |
|
xlatesrc |
source.nat.ip |
|
xlatedst |
destination.nat.ip |
|
xlatesport |
source.nat.port |
|
xlatedport |
destination.nat.port |
Fields
editFor a description of each field in the module, see the exported fields section.