Logs from Firewall CheckPoint

Hello,

I am new to Elastic, and I want to send the logs of our CheckPoint firewalls to Logstash. I configured the log exporter in CheckPoint; however, we don't know how to receive and configure this information in Logstash.

Do I need to create a file in Logstash with an input and filters? Has anyone done it?

Any progress?

Not done it yet myself, but try the CheckPoint module in Filebeat.
You could, on your logstash server, run filebeat, with the checkpoint module enabled, listening on some port. You configure checkpoint to send logs to that port. Configure filebeat to read them in and then output to logstash.

Using this module benefits you because it comes with all the parsers to parse the chkp logs into the proper ECS fields, so you don't have to write filters in logstash to do that.

Hi,

I read the documentation, and I downloaded Filebeat 7.8 on my Logstash server; it has the CheckPoint module. I enabled it, and it has this configuration:

    - module: checkpoint
      firewall:
        var.syslog_host: 0.0.0.0
        var.syslog_port: 9001

I have a question: is var.syslog_host the IP of the CheckPoint firewall? And do I need to configure the output to send to Elasticsearch, or if I use this module should I be able to see the data from the filebeat index pattern?

No, var.syslog_host is the interface on the logstash server to listen on. 0.0.0.0 means listen on all interfaces. Otherwise, you could just put in the IP of the logstash server itself, not the CHKP.
So on your CHKP, you configure it to send logs to UDP 9001 of the logstash/filebeat server IP.
Have you read https://www.elastic.co/guide/en/beats/filebeat/master/filebeat-module-checkpoint.html?

As for outputs, filebeat supports output directly to elasticsearch if desired, as well as to logstash and others. See https://www.elastic.co/guide/en/beats/filebeat/master/configuring-output.html

OK, I understand. I could put the IP of my server, which is what I am trying, because this is my first time with Elastic and I have Kibana, Elasticsearch and Logstash deployed on the same server. On the CP side the configuration is OK.

Thanks

Hello,

I don't know if I have any error in the configuration; look:

    # Module: checkpoint
    - module: checkpoint
      firewall:
        enabled: true

        # Set which input to use between syslog (default) or file.
        var.input: syslog

        # The interface to listen to UDP based syslog traffic. Defaults to
        # localhost. Set to 0.0.0.0 to bind to all available interfaces.
        var.syslog_host: 172.18.110.35

        # The UDP port to listen for syslog traffic. Defaults to 9001.
        #var.syslog_port: 9001
        var.syslog_port: 514

    output.elasticsearch:
      hosts: ["https://172.18.110.35:9200"]
      index: "filebeat-%{[agent.version]}-%{+yyyy.MM.dd}"

This is the configuration in the module's checkpoint.yml, and in Kibana I have an index pattern filebeat-*, but I don't see any information.

Where did you get "var.input: syslog" from? I don't see that as a valid option anywhere in https://www.elastic.co/guide/en/beats/filebeat/master/filebeat-module-checkpoint.html.

You would know if you have an error in your config by viewing the /var/log/filebeat/filebeat file and maybe /var/log/syslog. Restart filebeat and watch those files for any messages.

Also:
Confirm you see logs coming in (tcpdump udp port 514).
Confirm you are connected to elasticsearch (netstat -an | grep 9200)

Hello,

Thanks for your help. I reviewed it and found one error. I ran tcpdump on the Elastic server and I am getting traffic on port 514; I can see this in the overview for the index pattern filebeat-*. My question is: should I see this in the SIEM tab, Network section? Or not?

I reviewed the JSON format of one log and I get this:

Provided Grok expressions do not match field value: [<134>1 2020-06-22T00:09:36Z CP_BOG CheckPoint 5561 - [action:"Accept"; flags:"278528"; ifdir:"inbound"; ifname:"eth0"; logid:"1"; loguid:"{}"; origin:"X.X.X.X";

Do I need to create a grok pattern or edit some other parameter?
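To make the "Grok expressions do not match" error above concrete, here is an added Python example (not part of this thread and not Filebeat's own module code) that parses a line in the same shape: an RFC 5424 syslog header followed by the Check Point `[key:"value"; ...]` body, with a few fields mapped onto ECS-style names. The sample line is constructed (the quoted one was cut off after `origin`), and the ECS_MAP is an illustrative assumption, not the module's real mapping.

```python
import re
from typing import Any, Dict

# Constructed sample in the shape quoted above (not a real capture); the quoted
# line was cut off after origin, so the field list is completed and closed here.
SAMPLE_LINE = (
    '<134>1 2020-06-22T00:09:36Z CP_BOG CheckPoint 5561 - '
    '[action:"Accept"; flags:"278528"; ifdir:"inbound"; ifname:"eth0"; '
    'logid:"1"; loguid:"{}"; origin:"X.X.X.X"; src:"10.0.0.7"; dst:"10.0.1.9"; '
    'proto:"6"; service:"443"]'
)

# RFC 5424 header: <PRI>VERSION TIMESTAMP HOSTNAME APP-NAME PROCID MSGID MSG
HEADER_RE = re.compile(
    r'^<(?P<pri>\d{1,3})>(?P<ver>\d+) (?P<ts>\S+) (?P<host>\S+) '
    r'(?P<app>\S+) (?P<procid>\S+) (?P<msgid>\S+) (?P<msg>.*)$'
)
# Check Point body: [key:"value"; key:"value"; ...]
BODY_RE = re.compile(r'^\[(?P<fields>.*)\]$')
FIELD_RE = re.compile(r'([A-Za-z0-9_]+):"([^"]*)"')

# Assumed (illustrative) mapping of a few Check Point keys onto ECS-style names.
ECS_MAP = {"action": "event.action", "ifname": "observer.ingress.interface.name",
           "src": "source.ip", "dst": "destination.ip",
           "service": "destination.port", "origin": "observer.ip"}

def parse_checkpoint_syslog(line: str) -> Dict[str, Any]:
    """Parse one Check Point syslog line into syslog metadata plus ECS-style fields."""
    m = HEADER_RE.match(line.strip())
    if not m:
        raise ValueError("header is not RFC 5424")
    body = BODY_RE.match(m.group("msg"))
    if not body:
        # Same failure mode as a 'Grok expressions do not match' error: the body
        # is not a complete, closed [ ... ] list (e.g. a truncated message).
        raise ValueError('message body is not a closed [key:"value"; ...] list')
    pri = int(m.group("pri"))
    raw = dict(FIELD_RE.findall(body.group("fields")))
    out: Dict[str, Any] = {
        "log.syslog.facility.code": pri // 8,   # <134> -> facility 16 (local0)
        "log.syslog.severity.code": pri % 8,    # <134> -> severity 6 (info)
        "@timestamp": m.group("ts"),
        "observer.hostname": m.group("host"),
        "checkpoint": raw,  # keep every raw field under a vendor namespace
    }
    for key, ecs in ECS_MAP.items():
        if raw.get(key):
            out[ecs] = raw[key]
    return out

if __name__ == "__main__":
    for k, v in parse_checkpoint_syslog(SAMPLE_LINE).items():
        print(k, v)
```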
