Hello all,
I want to send logs directly to Elastic from my CheckPoint Management.
This is my checkpoint.yml configuration:
- module: checkpoint
  firewall:
    enabled: true
    var.syslog_host: 10.10.10.1
    var.syslog_port: 514
On my filebeat.yml, I simply configured the output to Elastic:
output.elasticsearch:
  # Array of hosts to connect to.
  hosts: ["ElasticHost:9200"]
Logs are sent without issue. I reviewed a tcpdump on UDP port 514 and I am getting logs. I can see them in Kibana. But I have this error:
Provided Grok expressions do not match field value: [<134>1 2020-06-23T00:33:20Z CP_CheckPoint 5561 - [action:\"Encrypt\"; flags:\"417028\"; ifdir:\"inbound\"; ifname:\"eth2\"; logid:\"0\"; loguid:\"{ox}\"; origin:\"10.10.10.2\"; originsicname:\"CN=C,O=LA..mrqm2j\"; sequencenum:\"4\"; time:\"1592872400\"; version
Maybe I don't know if this is an issue, because I followed the steps for the Filebeat checkpoint module.
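A small parser for the Check Point syslog line format quoted in the error, as an added example (not code from the post or from the Filebeat module): it splits the RFC 5424 header from the `key:"value"; ...` block and reports why a cut-off line would fail to match, using a constructed sample modelled on the quoted line (JSON escaping removed, values made up).

```python
import re

# Constructed sample modelled on the line quoted in the post above (JSON
# escaping removed, values made up); not real traffic.
SAMPLE = ('<134>1 2020-06-23T00:33:20Z CP_CheckPoint 5561 - '
          '[action:"Encrypt"; flags:"417028"; ifdir:"inbound"; ifname:"eth2"; '
          'logid:"0"; origin:"10.10.10.2"; sequencenum:"4"; time:"1592872400"]')
# The same line cut off mid-message, as the error text in the post shows it.
TRUNCATED = SAMPLE[:120]

# RFC 5424 header: <PRI>VERSION TIMESTAMP HOST APP PROCID [MSGID], followed by
# Check Point's bracketed key:"value"; block. MSGID is optional because the
# quoted line goes straight from "-" to "[".
HEADER_RE = re.compile(
    r'^<(?P<pri>\d{1,3})>(?P<ver>\d+) (?P<ts>\S+) (?P<host>\S+) '
    r'(?P<app>\S+) (?P<procid>\S+) (?:(?P<msgid>[^\s\[]+) )?(?P<sd>\[.*)$')
FIELD_RE = re.compile(r'(\w+):"([^"]*)"')

def parse_checkpoint_syslog(line):
    """Return header fields plus the key/value block as a dict; raise on a
    line that a strict grok pattern would also reject."""
    m = HEADER_RE.match(line.rstrip('\n'))
    if not m:
        raise ValueError('header is not RFC 5424 "<PRI>1 ts host app procid"')
    sd = m.group('sd')
    if not sd.endswith(']'):
        raise ValueError('structured data is truncated (no closing "]")')
    pri = int(m.group('pri'))
    fields = dict(FIELD_RE.findall(sd[1:-1]))
    return {
        'facility': pri >> 3, 'severity': pri & 7,
        'timestamp': m.group('ts'), 'host': m.group('host'),
        'app': m.group('app'), 'procid': m.group('procid'),
        'msgid': m.group('msgid'), 'fields': fields,
    }

def diagnose(line):
    """None if the line parses, otherwise the reason it would not match."""
    try:
        parse_checkpoint_syslog(line)
        return None
    except ValueError as e:
        return str(e)

if __name__ == '__main__':
    print(parse_checkpoint_syslog(SAMPLE)['fields']['origin'])
    print(diagnose(TRUNCATED))
```

Running `diagnose` over a few raw lines captured from the UDP 514 listener shows whether the exporter's format, rather than the module configuration, is what the grok pattern rejects.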