Check Point module
This functionality is in beta and is subject to change. The design and code are less mature than official GA features and are provided as-is with no warranties. Beta features are not subject to the support SLA of official GA features.
This is a module for Check Point firewall logs. It supports logs from the Log Exporter in the Syslog format.
To configure a Log Exporter, please refer to the documentation by Check Point.
Example below:
cp_log_export add name testdestination target-server 192.168.1.1 target-port 9001 protocol udp format syslog
The module that supports Check Point firewall logs sent in the CEF format requires the CEF module.
The Check Point and ECS fields that are common to both modules are mapped to the same names for compatibility between modules, though not all fields are included in CEF. Please reference the supported fields in the CEF documentation.
Read the quick start to learn how to configure and run modules.
Compatibility
This module has been tested against Check Point Log Exporter on R80.X but should also work with R77.30.
Configure the module
You can further refine the behavior of the checkpoint module by specifying variable settings in the modules.d/checkpoint.yml file, or by overriding settings at the command line.
Variable settings
Each fileset has separate variable settings for configuring the behavior of the module. If you don't specify variable settings, the checkpoint module uses the defaults.
For advanced use cases, you can also override input settings. See Override input settings.
When you specify a setting at the command line, remember to prefix the setting with the module name, for example, checkpoint.firewall.var.paths instead of firewall.var.paths.
firewall fileset settings
Example config:
- module: checkpoint
  firewall:
    var.syslog_host: 0.0.0.0
    var.syslog_port: 9001
var.paths
An array of glob-based paths that specify where to look for the log files. All patterns supported by Go Glob are also supported here. For example, you can use wildcards to fetch all files from a predefined level of subdirectories: /path/to/log/*/*.log. This fetches all .log files from the subfolders of /path/to/log. It does not fetch log files from the /path/to/log folder itself. If this setting is left empty, Filebeat will choose log paths based on your operating system.

var.syslog_host
The interface on which to listen for UDP-based syslog traffic. Defaults to localhost. Set to 0.0.0.0 to bind to all available interfaces.

var.syslog_port
The UDP port on which to listen for syslog traffic. Defaults to 9001.

var.tags
A list of tags to include in events. Including forwarded indicates that the events did not originate on this host and causes host.name to not be added to events. Defaults to [checkpoint-firewall, forwarded].
Check Point devices
This module will parse Check Point Syslog data as documented in: Checkpoint Log Fields Description.
Check Point Syslog extensions are mapped as follows to ECS:
Check Point Fields | ECS Fields
---|---
action | event.action
appi_name | network.application
app_risk | event.risk_score
app_rule_id | rule.id
app_rule_name | rule.name
bytes | network.bytes
categories | rule.category
client_inbound_interface | observer.ingress.interface.name
client_outbound_bytes | source.bytes
client_outbound_interface | observer.egress.interface.name
client_outbound_packets | source.packets
destination_dns_hostname | destination.domain
dlp_file_name | file.name
dns_message_type | dns.type
dns_type | dns.question.type
domain_name | dns.question.name
dst | destination.ip
dst_machine_name | destination.domain
dlp_rule_name | rule.name
dlp_rule_uid | rule.uuid
endpoint_ip | observer.ip
file_id | file.inode
file_type | file.type
file_name | file.name
file_size | file.size
file_md5 | file.hash.md5
file_sha1 | file.hash.sha1
file_sha256 | file.hash.sha256
first_detection | event.start
from | source.user.email
ifdir | network.direction
industry_reference | vulnerability.id
inzone | observer.ingress.zone
last_detection | event.end
loguid | event.id
mac_destination_address | destination.mac
mac_source_address | source.mac
malware_action | rule.description
matched_category | rule.category
malware_rule_id | rule.rule.id
message | message
method | http.request.method
origin | observer.name
origin_ip | observer.ip
os_name | host.os.name
os_version | host.os.version
outzone | observer.egress.zone
packet_capture | event.url
packets | network.packets
parent_process_md5 | process.parent.hash.md5
parent_process_name | process.parent.name
process_md5 | process.hash.md5
process_name | process.name
product | observer.product
proto | network.iana_number
reason | message
received_bytes | destination.bytes
referrer | http.request.referrer
rule_name | rule.name
resource | url.original
s_port | source.port
security_inzone | observer.ingress.zone
security_outzone | observer.egress.zone
sent_bytes | source.bytes
sequencenum | event.sequence
service | destination.port
service_id | network.application
service_name | destination.service.name
server_outbound_packets | destination.packets
server_outbound_bytes | destination.bytes
severity | event.severity
smartdefense_profile | rule.ruleset
src | source.ip
src_machine_name | source.domain
src_user_group | source.user.group.name
start_time | event.start
status | http.response.status_code
tid | dns.id
time | @timestamp
to | destination.user.email
type | observer.type
update_version | observer.version
url | url.original
user_group | group.name
usercheck_incident_uid | destination.user.id
web_client_type | user_agent.name
xlatesrc | source.nat.ip
xlatedst | destination.nat.ip
xlatesport | source.nat.port
xlatedport | destination.nat.port
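Added example (not the Filebeat module's own code): a small parser that applies a subset of the mapping table above to a constructed Log Exporter syslog line, so you can see which ECS names a given Check Point event ends up under and which values need numeric coercion. The bracketed key:"value"; payload layout, the sample line, and the checkpoint. prefix for unmapped keys are assumptions for illustration.

```python
import re
from typing import Any, Dict

# Subset of the Check Point -> ECS mapping table on this page.
CP_TO_ECS = {
    "action": "event.action", "ifdir": "network.direction", "loguid": "event.id",
    "origin": "observer.name", "product": "observer.product", "src": "source.ip",
    "dst": "destination.ip", "s_port": "source.port", "service": "destination.port",
    "proto": "network.iana_number", "bytes": "network.bytes", "rule_name": "rule.name",
    "sequencenum": "event.sequence", "time": "@timestamp",
}
# ECS fields that should be numbers rather than the quoted strings Log Exporter emits.
INT_FIELDS = {"source.port", "destination.port", "network.iana_number",
              "network.bytes", "event.sequence"}
# One key:"value" pair; the quoted value may itself contain semicolons or escaped quotes.
PAIR_RE = re.compile(r'(\w+):"((?:[^"\\]|\\.)*)"')
DEFAULT_TAGS = ["checkpoint-firewall", "forwarded"]  # the module's var.tags default

def parse_checkpoint_syslog(line: str, tags=DEFAULT_TAGS) -> Dict[str, Any]:
    """Map the bracketed Log Exporter payload to flat ECS field names.
    Unmapped keys are kept under a 'checkpoint.' prefix (naming is an assumption)."""
    start, end = line.find("["), line.rfind("]")
    if start < 0 or end < start:
        raise ValueError("no Check Point key/value payload found")
    event: Dict[str, Any] = {"tags": list(tags)}
    for key, value in PAIR_RE.findall(line[start + 1:end]):
        ecs = CP_TO_ECS.get(key)
        if ecs is None:
            event["checkpoint." + key] = value
            continue
        if ecs in INT_FIELDS:
            try:
                value = int(value)
            except ValueError:
                pass  # keep the raw string rather than drop the field
        event[ecs] = value
    return event

# Constructed sample line modelled on the Log Exporter syslog format (not a real log).
SAMPLE = ('<134>1 2020-03-29T13:19:20Z gw-da58d3 CheckPoint 1930 - '
          '[action:"Accept"; flags:"411908"; ifdir:"inbound"; ifname:"eth0"; '
          'loguid:"{0x5e80a4a5,0x0,0x5050ec61,0x4b99a9e4}"; origin:"192.168.1.100"; '
          'time:"1585487960"; product:"VPN-1 & FireWall-1"; proto:"17"; '
          'src:"192.168.1.2"; s_port:"53534"; dst:"8.8.8.8"; service:"53"; '
          'rule_name:"Allow DNS; outbound"; sequencenum:"3"; bytes:"1024"]')

if __name__ == "__main__":
    for name, val in parse_checkpoint_syslog(SAMPLE).items():
        print(f"{name} = {val!r}")
```

Note that several Check Point keys (for example reason and message, or first_detection and start_time) map to the same ECS field, so a real pipeline has to decide which one wins when both appear in one event.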
Fields
For a description of each field in the module, see the exported fields section.