Filebeat CEF Checkpoint errors

Hello team,
I have been testing this solution for a short time and it seems very powerful. I have enabled Filebeat with the CEF module for the logs of our Checkpoint platform. I have configured Filebeat as indicated in the documentation and have started to receive events. Looking at the Filebeat log, I see many errors with the following message:

can't parse event as syslog rfc3164

I have tried to change the syslog format to rfc5424, but the problem persists.

/usr/share/filebeat/module/cef/log/config/input.yml (syslog branch only; the other input branches of the file are omitted here)

{{ if eq .input "syslog" }}

type: syslog
format: rfc5424
protocol.udp:
  host: "{{.syslog_host}}:{{.syslog_port}}"

{{ end }}

CEF module configuration

- module: cef
  log:
    enabled: true
    var:
      syslog_host: 0.0.0.0
      syslog_port: 1517

2021-07-06T13:34:44.855Z	ERROR	[syslog]	syslog/input.go:302	can't parse event as syslog rfc5424	{"message": "CEF:0|Check Point|VPN-1 & FireWall-1|Check Point|Log|https|Unknown|act=Decrypt cs2Label=Peer Gateway cs2=10.250.254.18 destinationTranslatedAddress=0.0.0.0 destinationTranslatedPort=0 deviceDirection=0 duser=Moisés Moreno (mmoreno)  rt=1625578482000 sourceTranslatedAddress=62.14.242.186 sourceTranslatedPort=20562 spt=50002 dpt=443 suser=Moisés Moreno (mmoreno)  cs2Label=Rule Name cs2=Internet layer_name=Network layer_name=Internet_PerfilBasico layer_uuid=c47ede8d-1766-42fa-bbb9-f8455328f2f1 layer_uuid=78ed4249-724d-4f9d-acc1-44198b867320 match_id=20 match_id=100663297 parent_rule=0 parent_rule=20 rule_action=Inline rule_action=Accept rule_uid=0f63ba3a-92aa-4bd3-9723-a9270efde342 rule_uid=dc76a632-8f9a-4b11-bc5c-e5b2071d01c0 ifname=bond1.999 logid=0 loguid={0x8eb86908,0xb353fd92,0x1a4338c9,0xc2543f64} origin=10.250.1.2 originsicname=CN\\=B01FW0103,O\\=CPSMS..c7egmr sequencenum=8 version=5 community=RemoteAccess dst=13.107.21.200 fw_subproduct=VPN-1 inzone=External lastupdatetime=1625578482 methods:=ESP: 3DES + SHA1 nat_addtnl_rulenum=0 nat_rulenum=47 outzone=External product=VPN-1 & FireWall-1 proto=6 scheme:=IKE security_inzone=ExternalZone service_id=https session_uid={60E3F98E-0000-0000-0AFA-0003A05A0000} src=10.250.254.18 src_user_dn=CN\\=Moisés Moreno,OU\\=Soporte,OU\\=SIRT_BCN,OU\\=SIRT,DC\\=sirt,DC\\=com  vpn_feature_name=VPN\n"}
2021-07-06T13:34:44.855Z	DEBUG	[processors]	processing/processors.go:203	Publish event: {
  "@timestamp": "2021-07-06T13:34:42.000Z",
  "@metadata": {
    "beat": "filebeat",
    "type": "_doc",
    "version": "7.13.1",
    "truncated": false,
    "pipeline": "filebeat-7.13.1-cef-log-pipeline"
  },
  "destination": {
    "nat": {
      "ip": "0.0.0.0",
      "port": 0
    },
    "user": {
      "name": "Moisés Moreno (mmoreno) "
    },
    "port": 443,
    "ip": "13.107.21.200"
  },
  "network": {
    "direction": "inbound"
  },
  "ecs": {
    "version": "1.9.0"
  },
  "service": {
    "type": "cef"
  },
  "message": "https",
  "fileset": {
    "name": "log"
  },
  "tags": [
    "cef",
    "forwarded"
  ],
  "input": {
    "type": "syslog"
  },
  "event": {
    "module": "cef",
    "dataset": "cef.log",
    "original": "CEF:0|Check Point|VPN-1 & FireWall-1|Check Point|Log|https|Unknown|act=Decrypt cs2Label=Peer Gateway cs2=10.250.254.18 destinationTranslatedAddress=0.0.0.0 destinationTranslatedPort=0 deviceDirection=0 duser=Moisés Moreno (mmoreno)  rt=1625578482000 sourceTranslatedAddress=62.14.242.186 sourceTranslatedPort=20562 spt=50002 dpt=443 suser=Moisés Moreno (mmoreno)  cs2Label=Rule Name cs2=Internet layer_name=Network layer_name=Internet_PerfilBasico layer_uuid=c47ede8d-1766-42fa-bbb9-f8455328f2f1 layer_uuid=78ed4249-724d-4f9d-acc1-44198b867320 match_id=20 match_id=100663297 parent_rule=0 parent_rule=20 rule_action=Inline rule_action=Accept rule_uid=0f63ba3a-92aa-4bd3-9723-a9270efde342 rule_uid=dc76a632-8f9a-4b11-bc5c-e5b2071d01c0 ifname=bond1.999 logid=0 loguid={0x8eb86908,0xb353fd92,0x1a4338c9,0xc2543f64} origin=10.250.1.2 originsicname=CN\\=B01FW0103,O\\=CPSMS..c7egmr sequencenum=8 version=5 community=RemoteAccess dst=13.107.21.200 fw_subproduct=VPN-1 inzone=External lastupdatetime=1625578482 methods:=ESP: 3DES + SHA1 nat_addtnl_rulenum=0 nat_rulenum=47 outzone=External product=VPN-1 & FireWall-1 proto=6 scheme:=IKE security_inzone=ExternalZone service_id=https session_uid={60E3F98E-0000-0000-0AFA-0003A05A0000} src=10.250.254.18 src_user_dn=CN\\=Moisés Moreno,OU\\=Soporte,OU\\=SIRT_BCN,OU\\=SIRT,DC\\=sirt,DC\\=com  vpn_feature_name=VPN\n",
    "code": "Log",
    "action": "Decrypt"
  },
  "observer": {
    "vendor": "Check Point",
    "product": "VPN-1 & FireWall-1",
    "version": "Check Point"
  },
  "error": {
    "message": [
      "malformed value for lastupdatetime at pos 1013",
      "malformed value for proto at pos 1126"
    ]
  },
  "agent": {
    "id": "47977210-973d-4cc7-8cb6-0288ca0d1163",
    "name": "b01vmprobeat01",
    "type": "filebeat",
    "version": "7.13.1",
    "hostname": "b01vmprobeat01",
    "ephemeral_id": "b21abd23-38a5-4e52-a782-c20a4a8a2077"
  },
  "cef": {
    "version": "0",
    "device": {
      "vendor": "Check Point",
      "product": "VPN-1 & FireWall-1",
      "version": "Check Point",
      "event_class_id": "Log"
    },
    "name": "https",
    "severity": "Unknown",
    "extensions": {
      "src_user_dn": "CN=Moisés Moreno,OU=Soporte,OU=SIRT_BCN,OU=SIRT,DC=sirt,DC=com ",
      "layer_name": "Internet_PerfilBasico",
      "inzone": "External",
      "sourceAddress": "10.250.254.18",
      "sourceTranslatedPort": 20562,
      "originsicname": "CN=B01FW0103,O=CPSMS..c7egmr",
      "sourceUserName": "Moisés Moreno (mmoreno) ",
      "vpn_feature_name": "VPN",
      "deviceCustomString2": "Internet",
      "destinationTranslatedAddress": "0.0.0.0",
      "security_inzone": "ExternalZone",
      "outzone": "External",
      "sequencenum": "8",
      "deviceCustomString2Label": "Rule Name",
      "layer_uuid": "78ed4249-724d-4f9d-acc1-44198b867320",
      "loguid": "{0x8eb86908,0xb353fd92,0x1a4338c9,0xc2543f64}",
      "deviceAction": "Decrypt",
      "nat_addtnl_rulenum": "0",
      "community": "RemoteAccess",
      "origin": "10.250.1.2",
      "deviceDirection": 0,
      "match_id": "100663297",
      "rule_action": "Accept",
      "destinationAddress": "13.107.21.200",
      "parent_rule": "20",
      "fw_subproduct": "VPN-1",
      "ifname": "bond1.999",
      "deviceReceiptTime": "2021-07-06T13:34:42.000Z",
      "nat_rulenum": "47",
      "logid": "0",
      "sourcePort": 50002,
      "destinationUserName": "Moisés Moreno (mmoreno) ",
      "destinationPort": 443,
      "version": "5",
      "product": "VPN-1 & FireWall-1",
      "service_id": "https",
      "rule_uid": "dc76a632-8f9a-4b11-bc5c-e5b2071d01c0",
      "sourceTranslatedAddress": "62.14.242.186",
      "destinationTranslatedPort": 0,
      "session_uid": "{60E3F98E-0000-0000-0AFA-0003A05A0000}"
    }
  },
  "log": {
    "source": {
      "address": "10.250.1.80:52488"
    }
  },
  "source": {
    "port": 50002,
    "user": {
      "name": "Moisés Moreno (mmoreno) "
    },
    "ip": "10.250.254.18",
    "nat": {
      "port": 20562,
      "ip": "62.14.242.186"
    }
  }
}

I have increased the log level to debug, but I can't figure out the cause of the problem. Can someone tell me where the problem is?
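The Filebeat log above actually shows two separate problems, and a small parser makes both visible. First, the datagram begins with "CEF:0|" and nothing else: there is no "<PRI>", timestamp or hostname in front of it, so neither the RFC 3164 nor the RFC 5424 syslog parser can match a header, whichever `format` is configured. Second, the extension contains "methods:=ESP: 3DES + SHA1" and "scheme:=IKE"; a colon is not allowed in a CEF extension key, so those two "=" signs end up as unescaped "=" inside the values of the preceding fields, which is exactly what "malformed value for lastupdatetime" and "malformed value for proto" report, and why neither field appears in the published event. The following Python script is an added illustration written for this page, not code from the thread or from Beats: the header regexes and the error wording only approximate what the syslog input and the CEF decoder do, the sample line is a trimmed copy of the event from the log (so the reported positions are smaller than the 1013 and 1126 in the log), and the two syslog-wrapped variants are constructed, with a made-up PRI, hostname and app name.

```python
"""
Reproduce offline what Filebeat reported for the Check Point line in this thread:
  1. no syslog header at all in front of "CEF:0|" (rfc3164/rfc5424 both fail);
  2. "methods:=..." and "scheme:=..." are not valid CEF keys, so their '=' is an
     unescaped '=' inside the previous value ("malformed value for ...").
Illustration only: regexes and error wording approximate, not the Beats code.
"""
import re
from typing import Dict, List, Optional, Tuple

# Trimmed copy of the event from the thread's Filebeat log (full line above).
RAW_CEF = (
    "CEF:0|Check Point|VPN-1 & FireWall-1|Check Point|Log|https|Unknown|"
    "act=Decrypt cs2Label=Peer Gateway cs2=10.250.254.18 "
    "duser=Moisés Moreno (mmoreno)  rt=1625578482000 spt=50002 dpt=443 "
    "cs2Label=Rule Name cs2=Internet "
    "originsicname=CN\\=B01FW0103,O\\=CPSMS..c7egmr "
    "lastupdatetime=1625578482 methods:=ESP: 3DES + SHA1 nat_addtnl_rulenum=0 "
    "proto=6 scheme:=IKE service_id=https src=10.250.254.18"
)
# Constructed variants: the same payload behind the syslog headers the input
# expects (PRI, host and app name are made up for the example).
RFC5424_CEF = "<134>1 2021-07-06T13:34:42Z b01fw0103 CheckPoint - - - " + RAW_CEF
RFC3164_CEF = "<134>Jul  6 13:34:42 b01fw0103 CheckPoint: " + RAW_CEF

# <PRI>1 TIMESTAMP HOSTNAME APP-NAME PROCID MSGID STRUCTURED-DATA MSG
RFC5424_HDR = re.compile(r"^<\d{1,3}>1 \S+ \S+ \S+ \S+ \S+ (?:-|\[[^\]]*\]) ")
# <PRI>Mmm dd hh:mm:ss HOSTNAME ...
RFC3164_HDR = re.compile(r"^<\d{1,3}>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d \S+ ")

HEADER_FIELDS = ("version", "device_vendor", "device_product", "device_version",
                 "event_class_id", "name", "severity")
# A CEF extension key: word characters directly followed by '=', either at the
# start of the extension or right after the space that ends the previous value.
KEY_RE = re.compile(r"(?:^|(?<= ))([A-Za-z0-9_]+)=")
ESCAPE_RE = re.compile(r"\\(.)")


def syslog_format(line: str) -> str:
    """'rfc5424', 'rfc3164' or 'none', depending on the header before the payload."""
    if RFC5424_HDR.match(line):
        return "rfc5424"
    if RFC3164_HDR.match(line):
        return "rfc3164"
    return "none"


def cef_payload(line: str) -> str:
    """Strip whatever syslog header/tag precedes the CEF payload."""
    i = line.find("CEF:")
    if i < 0:
        raise ValueError("no CEF payload in line")
    return line[i:]


def unescaped_equals(value: str) -> Optional[int]:
    """Index of the first '=' in value that is not backslash-escaped, else None."""
    j = 0
    while j < len(value):
        if value[j] == "\\":
            j += 2          # skip the escaped character (\=, \\, \n, \r)
        elif value[j] == "=":
            return j
        else:
            j += 1
    return None


def unescape(value: str) -> str:
    return ESCAPE_RE.sub(lambda m: {"n": "\n", "r": "\r"}.get(m.group(1), m.group(1)), value)


def parse_extension(ext: str, offset: int = 0) -> Tuple[Dict[str, str], List[str]]:
    """Key/value pairs of the extension plus a list of problems. A field whose value
    holds an unescaped '=' is reported and dropped, which matches the published
    event in the thread (no lastupdatetime, no proto). Last duplicate key wins."""
    fields: Dict[str, str] = {}
    problems: List[str] = []
    keys = list(KEY_RE.finditer(ext))
    for i, m in enumerate(keys):
        start = m.end()
        end = keys[i + 1].start() if i + 1 < len(keys) else len(ext)
        raw = ext[start:end]
        if i + 1 < len(keys):
            raw = raw[:-1]  # only the single separator space is removed
        bad = unescaped_equals(raw)
        if bad is not None:
            problems.append(f"malformed value for {m.group(1)} at pos {offset + start + bad}")
            continue
        fields[m.group(1)] = unescape(raw)
    return fields, problems


def parse_cef(payload: str) -> Tuple[Dict[str, str], Dict[str, str], List[str]]:
    """(header, extensions, problems). Header pipes are assumed unescaped; the
    sample contains no '\\|'."""
    if not payload.startswith("CEF:"):
        raise ValueError("not a CEF line")
    parts = payload[len("CEF:"):].split("|", 7)
    if len(parts) != 8:
        raise ValueError("CEF header must have 7 pipe-separated fields")
    header = dict(zip(HEADER_FIELDS, parts[:7]))
    ext, problems = parse_extension(parts[7], offset=len(payload) - len(parts[7]))
    return header, ext, problems


if __name__ == "__main__":
    for name, line in (("raw", RAW_CEF), ("rfc5424", RFC5424_CEF), ("rfc3164", RFC3164_CEF)):
        header, ext, problems = parse_cef(cef_payload(line))
        print(f"{name:8} syslog header: {syslog_format(line):8} "
              f"{len(ext)} extension fields, problems: {problems}")
```

Run as-is, the "raw" line reports no syslog header while both wrapped variants are recognised, which is the first error in the log; all three produce the same two "malformed value" problems, which is the second error and is independent of how the line is framed. The double space in "duser=Moisés Moreno (mmoreno)  rt=" also survives as a trailing space in the value, just as in the published event, because only the one separator space is removed.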

Did you compare your logs with the Beats test samples: beats/x-pack/filebeat/module/cef/log/test at master · elastic/beats · GitHub ? You can try to spot differences in the values.

Thanks Marcin, I'll check it

@rainierwolf are you running the Checkpoint Log Exporter? If so, we have a Checkpoint module which may be a better fit for you than the CEF module. It supports syslog in RFC5424 format from Log Exporter. Relevant documentation available here.

Hello Jamie, I've configured the Checkpoint module and it's working correctly!

Thanks

Great to hear! Any other questions or feedback, let us know :)