Filebeat CEF Checkpoint errors

Hello team,
I have been testing this solution for a short time and it seems very powerful. I have enabled Filebeat with the CEF module for the logs of our Checkpoint platform. I have configured filebeat indicated in the documentation and I have started to receive the events. Looking at the Filebeat log, I see many errors with the following message:

can't parse event as syslog rfc3164

I have tried to change the syslog format to rfc5424, but the problem persists.

/usr/share/filebeat/module/cef/log/config/input.yml

{{ if eq .input "syslog" }}

type: syslog
format: rfc5424
protocol.udp:
  host: "{{.syslog_host}}:{{.syslog_port}}"

CEF module configuration

- module: cef
  log:
    enabled: true
    var:
      syslog_host: 0.0.0.0
      syslog_port: 1517
2021-07-06T13:34:44.855Z	ERROR	[syslog]	syslog/input.go:302	can't parse event as syslog rfc5424	{"message": "CEF:0|Check Point|VPN-1 & FireWall-1|Check Point|Log|https|Unknown|act=Decrypt cs2Label=Peer Gateway cs2=10.250.254.18 destinationTranslatedAddress=0.0.0.0 destinationTranslatedPort=0 deviceDirection=0 duser=Moisés Moreno (mmoreno)  rt=1625578482000 sourceTranslatedAddress=62.14.242.186 sourceTranslatedPort=20562 spt=50002 dpt=443 suser=Moisés Moreno (mmoreno)  cs2Label=Rule Name cs2=Internet layer_name=Network layer_name=Internet_PerfilBasico layer_uuid=c47ede8d-1766-42fa-bbb9-f8455328f2f1 layer_uuid=78ed4249-724d-4f9d-acc1-44198b867320 match_id=20 match_id=100663297 parent_rule=0 parent_rule=20 rule_action=Inline rule_action=Accept rule_uid=0f63ba3a-92aa-4bd3-9723-a9270efde342 rule_uid=dc76a632-8f9a-4b11-bc5c-e5b2071d01c0 ifname=bond1.999 logid=0 loguid={0x8eb86908,0xb353fd92,0x1a4338c9,0xc2543f64} origin=10.250.1.2 originsicname=CN\\=B01FW0103,O\\=CPSMS..c7egmr sequencenum=8 version=5 community=RemoteAccess dst=13.107.21.200 fw_subproduct=VPN-1 inzone=External lastupdatetime=1625578482 methods:=ESP: 3DES + SHA1 nat_addtnl_rulenum=0 nat_rulenum=47 outzone=External product=VPN-1 & FireWall-1 proto=6 scheme:=IKE security_inzone=ExternalZone service_id=https session_uid={60E3F98E-0000-0000-0AFA-0003A05A0000} src=10.250.254.18 src_user_dn=CN\\=Moisés Moreno,OU\\=Soporte,OU\\=SIRT_BCN,OU\\=SIRT,DC\\=sirt,DC\\=com  vpn_feature_name=VPN\n"}
2021-07-06T13:34:44.855Z	DEBUG	[processors]	processing/processors.go:203	Publish event: {
  "@timestamp": "2021-07-06T13:34:42.000Z",
  "@metadata": {
    "beat": "filebeat",
    "type": "_doc",
    "version": "7.13.1",
    "truncated": false,
    "pipeline": "filebeat-7.13.1-cef-log-pipeline"
  },
  "destination": {
    "nat": {
      "ip": "0.0.0.0",
      "port": 0
    },
    "user": {
      "name": "Moisés Moreno (mmoreno) "
    },
    "port": 443,
    "ip": "13.107.21.200"
  },
  "network": {
    "direction": "inbound"
  },
  "ecs": {
    "version": "1.9.0"
  },
  "service": {
    "type": "cef"
  },
  "message": "https",
  "fileset": {
    "name": "log"
  },
  "tags": [
    "cef",
    "forwarded"
  ],
  "input": {
    "type": "syslog"
  },
  "event": {
    "module": "cef",
    "dataset": "cef.log",
    "original": "CEF:0|Check Point|VPN-1 & FireWall-1|Check Point|Log|https|Unknown|act=Decrypt cs2Label=Peer Gateway cs2=10.250.254.18 destinationTranslatedAddress=0.0.0.0 destinationTranslatedPort=0 deviceDirection=0 duser=Moisés Moreno (mmoreno)  rt=1625578482000 sourceTranslatedAddress=62.14.242.186 sourceTranslatedPort=20562 spt=50002 dpt=443 suser=Moisés Moreno (mmoreno)  cs2Label=Rule Name cs2=Internet layer_name=Network layer_name=Internet_PerfilBasico layer_uuid=c47ede8d-1766-42fa-bbb9-f8455328f2f1 layer_uuid=78ed4249-724d-4f9d-acc1-44198b867320 match_id=20 match_id=100663297 parent_rule=0 parent_rule=20 rule_action=Inline rule_action=Accept rule_uid=0f63ba3a-92aa-4bd3-9723-a9270efde342 rule_uid=dc76a632-8f9a-4b11-bc5c-e5b2071d01c0 ifname=bond1.999 logid=0 loguid={0x8eb86908,0xb353fd92,0x1a4338c9,0xc2543f64} origin=10.250.1.2 originsicname=CN\\=B01FW0103,O\\=CPSMS..c7egmr sequencenum=8 version=5 community=RemoteAccess dst=13.107.21.200 fw_subproduct=VPN-1 inzone=External lastupdatetime=1625578482 methods:=ESP: 3DES + SHA1 nat_addtnl_rulenum=0 nat_rulenum=47 outzone=External product=VPN-1 & FireWall-1 proto=6 scheme:=IKE security_inzone=ExternalZone service_id=https session_uid={60E3F98E-0000-0000-0AFA-0003A05A0000} src=10.250.254.18 src_user_dn=CN\\=Moisés Moreno,OU\\=Soporte,OU\\=SIRT_BCN,OU\\=SIRT,DC\\=sirt,DC\\=com  vpn_feature_name=VPN\n",
    "code": "Log",
    "action": "Decrypt"
  },
  "observer": {
    "vendor": "Check Point",
    "product": "VPN-1 & FireWall-1",
    "version": "Check Point"
  },
  "error": {
    "message": [
      "malformed value for lastupdatetime at pos 1013",
      "malformed value for proto at pos 1126"
    ]
  },
  "agent": {
    "id": "47977210-973d-4cc7-8cb6-0288ca0d1163",
    "name": "b01vmprobeat01",
    "type": "filebeat",
    "version": "7.13.1",
    "hostname": "b01vmprobeat01",
    "ephemeral_id": "b21abd23-38a5-4e52-a782-c20a4a8a2077"
  },
  "cef": {
    "version": "0",
    "device": {
      "vendor": "Check Point",
      "product": "VPN-1 & FireWall-1",
      "version": "Check Point",
      "event_class_id": "Log"
    },
    "name": "https",
    "severity": "Unknown",
    "extensions": {
      "src_user_dn": "CN=Moisés Moreno,OU=Soporte,OU=SIRT_BCN,OU=SIRT,DC=sirt,DC=com ",
      "layer_name": "Internet_PerfilBasico",
      "inzone": "External",
      "sourceAddress": "10.250.254.18",
      "sourceTranslatedPort": 20562,
      "originsicname": "CN=B01FW0103,O=CPSMS..c7egmr",
      "sourceUserName": "Moisés Moreno (mmoreno) ",
      "vpn_feature_name": "VPN",
      "deviceCustomString2": "Internet",
      "destinationTranslatedAddress": "0.0.0.0",
      "security_inzone": "ExternalZone",
      "outzone": "External",
      "sequencenum": "8",
      "deviceCustomString2Label": "Rule Name",
      "layer_uuid": "78ed4249-724d-4f9d-acc1-44198b867320",
      "loguid": "{0x8eb86908,0xb353fd92,0x1a4338c9,0xc2543f64}",
      "deviceAction": "Decrypt",
      "nat_addtnl_rulenum": "0",
      "community": "RemoteAccess",
      "origin": "10.250.1.2",
      "deviceDirection": 0,
      "match_id": "100663297",
      "rule_action": "Accept",
      "destinationAddress": "13.107.21.200",
      "parent_rule": "20",
      "fw_subproduct": "VPN-1",
      "ifname": "bond1.999",
      "deviceReceiptTime": "2021-07-06T13:34:42.000Z",
      "nat_rulenum": "47",
      "logid": "0",
      "sourcePort": 50002,
      "destinationUserName": "Moisés Moreno (mmoreno) ",
      "destinationPort": 443,
      "version": "5",
      "product": "VPN-1 & FireWall-1",
      "service_id": "https",
      "rule_uid": "dc76a632-8f9a-4b11-bc5c-e5b2071d01c0",
      "sourceTranslatedAddress": "62.14.242.186",
      "destinationTranslatedPort": 0,
      "session_uid": "{60E3F98E-0000-0000-0AFA-0003A05A0000}"
    }
  },
  "log": {
    "source": {
      "address": "10.250.1.80:52488"
    }
  },
  "source": {
    "port": 50002,
    "user": {
      "name": "Moisés Moreno (mmoreno) "
    },
    "ip": "10.250.254.18",
    "nat": {
      "port": 20562,
      "ip": "62.14.242.186"
    }
  }
}

I have increased the level to debug, but can't figure out the cause of the problem. Someone who can tell me where the problem is?

Did you compare your logs with Beats test samples: beats/x-pack/filebeat/module/cef/log/test at master · elastic/beats · GitHub ? You can try to spot difference in values.

Thanks Marcin, I'll check it

@rainierwolf are you running the Checkpoint Log Exporter? If so, we have a Checkpoint module which may be a better fit for you than the CEF module. It supports syslog in RFC5424 format from Log Exporter. Relevant documentation available here.

Hello Jamie, I've configured the Checkpoint module it's working correctly!

Thanks

Great to hear! Any other questions or feedback, let us know :slight_smile:

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.