Check Point Elastic Agent

I'm working on setting up an elastic installation and forwarding all Check Point logs via Elastic Agent integration. I have setup Fleet, created the Agent Policy and installed the Elastic Agent on the Check Point management server. The agent will not send the fw.log file which contains all the firewall logs for network traffic. The integration description states that it utilizes the log exporter but doesn't provide any instructions for this. I've setup a manual cp_log_export but elastic is not ingesting the syslog logs from Check Point log exporter. Can someone help me understand where I'm going wrong?

Integration Config:

image784×677 53.2 KB

Log Exporter Config:
cp_log_export add name elastic target-host 10.1.1.10 target-port 9200 protocol tcp format syslog

Edit: cp_log_export add name elastic target-host 10.1.1.10 target-port 9001 protocol udp format syslog

Hey @elasticnoobie

i haven't done anything with checkpoint yet, but here are some things i saw in your config:

• can you try to change the exporter to tcp? The syslog input on the elasticagent seems to be tcp (see Title of config line input: tcp).
• Maybe you also have to enter the Ip into the "Syslog Host" field so connection from outside on the server are allowed (are the connection coming from outside? not sure). Or it could be the other way around and you have to configure the log_exporter to target-host 127.0.0.1 because the Agent is only listening on localhost.

BR