Check Point

  • Updated on May 8, 2025
  • Published on May 14, 2023
Prev Next
Self Service Ingestion

Connect this data source on your own, using the Hunters platform.

TL;DR

Supported data types

3rd party detection

Hunters detection

IOC search

Search

Table name

Log format

Collection method

Checkpoint traffic logs

✅

✅

checkpoint_traffic

Syslog

S3

Overview

imageThis article explains how to ingest your Check Point appliances' logs to Hunters.

Check Point Infinity's portfolio of solutions protects enterprises and public organisations from 5th generation cyber-attacks with an industry leading catch rate of malware, ransomware and other threats.

Supported data types

Checkpoint traffic logs

Table name: checkpoint_traffic

Checkpoint traffic logs record data and analysis related to the flow of network traffic through Checkpoint firewall devices. These logs include detailed information on allowed and blocked traffic, tracking source and destination IP addresses, ports used, protocols, action taken by the firewall, and more. They are essential for security analysis, troubleshooting network issues, and ensuring compliance with security policies.

Send data to Hunters

💡Before you start

To complete the connection of these logs, you'll need to set up a Syslog server.

To complete the connection of these logs, you'll need to forward logs from Check Point's Log Exporter to a Syslog server and then ship them to AWS S3.

1. Forward Logs to the Syslog server

Follow Check Point's Log Export documentation to start forwarding logs from the Check Point log servers to your Syslog server. Be sure to ship the logs in the Syslog RFC 5424 format. If you are using Fluentd as your syslog server, set support_colonless_ident to false.

2. Ship the logs from the Syslog server to S3

📘 Useful resources

Use this detailed guide to learn how best to set up an S3 bucket for Hunters ingestion purposes and how to provide Hunters platform with access to the bucket.

Configure the Syslog server to ship the logs received to an S3 bucket shared with Hunters. If you're using Fluentd, make sure to send only the actual Syslog payload (the extradata section), by adding this clause to the out_s3 configuration:

<format>
    @type single_value
    message_key extradata
</format>

3. Verify files were written to S3

  1. Browse to the S3 bucket to which the Syslog forwarder is set to send data.

  2. Download the latest file and open it.

  3. Make sure it is formatted as detailed in the Supported log formats section below.

4. Grant Hunters access to the S3 bucket

Complete the process as described in this guide.

Expected format

Hunters expects Check Point log files to be in the Check Point Syslog format, as outputted by the Check Point Log Exporter. The following is an example of a typical log line:

[action:"Accept"; flags:"000000"; ifdir:"inbound"; ifname:"eth3"; logid:"0";
 origin:"192.168.1.1"; user:"John Smith (j.smith) "]

To achieve this result, send the logs as-is without extra wrappers and customizations. If you are using Fluentd as your Syslog server, additional instructions to achieve this can be found here.