Overview

This article explains how to ingest your Check Point appliances' logs to Hunters.

Supported data types

All Check Point Security Logs, as detailed in this Check Point article, are supported by Hunters.

Supported log formats

Hunters expects Check Point log files to be in the Check Point Syslog format, as output by the Check Point Log Exporter.

The following is an example of a typical log line:

[action:"Accept"; flags:"000000"; ifdir:"inbound"; ifname:"eth3"; logid:"0"; origin:"192.168.1.1"; user:"John Smith (j.smith) "]

To achieve this result, be sure to send the logs as-is without extra wrappers and customizations. If you are using Fluentd as your Syslog server, additional instructions to achieve this can be found here.

Prerequisites

Set up a Syslog server that will capture logs coming from the Check Point Log Exporter, and ship them to a cloud storage solution such as S3.

Exporting logs from appliances to S3

Step 1 - Forward logs to the Syslog server

Follow Check Point's Log Export documentation to start forwarding logs from the Check Point log servers to your Syslog server. Be sure to ship the logs in the Syslog RFC 5424 format.

If Fluentd is used as your syslog server, set support_colonless_ident to false.

Step 2 - Ship the logs from the Syslog server to S3

Configure the Syslog server to ship the logs received by Syslog to an S3 bucket shared with Hunters.

If you're using Fluentd, make sure to send only the actual Syslog payload (the extradata section), by adding this clause to the out_s3 configuration:

<format>
    @type single_value
    message_key extradata
</format>

Step 3 - Verify files written to S3

  1. Browse to the S3 bucket to which the Syslog forwarder is set to send data.

  2. Download the latest file and open it.

  3. Make sure it is formatted as detailed in the Supported log formats section above.
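A small check for Step 3, added here as an example and not part of Hunters' or Check Point's tooling: it parses the bracketed key:"value" record format shown in the Supported log formats section and flags lines that still carry a wrapper (a syslog header, a JSON envelope) around the record. The sample lines, including the header-wrapped one, are constructed for the example.

```python
import re
from typing import Optional

# One `key:"value"` field of the bracketed Check Point Log Exporter record,
# terminated by ";" or by the end of the record body.
FIELD_RE = re.compile(r'\s*([A-Za-z0-9_]+):"([^"]*)"\s*(?:;|$)')


def parse_checkpoint_line(line: str) -> Optional[dict]:
    """Parse one Check Point Syslog-format line into a dict of fields.

    Returns None when the line is not a bare bracketed record, i.e. when
    the forwarder left a wrapper around the payload.
    """
    line = line.strip()
    if not (line.startswith("[") and line.endswith("]")):
        return None
    body = line[1:-1]
    fields = {}
    pos = 0
    while pos < len(body):
        m = FIELD_RE.match(body, pos)
        if not m:
            return None  # not key:"value" syntax at this position
        fields[m.group(1)] = m.group(2).strip()
        pos = m.end()
    return fields


def verify_export_file(text: str) -> dict:
    """Check every non-empty line of a downloaded S3 object.

    Returns the count of well-formed records and the 1-based numbers of
    lines that are not in the expected format.
    """
    ok, bad = 0, []
    for n, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        if parse_checkpoint_line(line) is None:
            bad.append(n)
        else:
            ok += 1
    return {"ok": ok, "bad_lines": bad}


# Constructed samples: the page's example record, and the same kind of record
# still wrapped in an RFC 5424 header (the shape you get if the Fluentd
# single_value/extradata format clause is missing).
SAMPLE_OK = ('[action:"Accept"; flags:"000000"; ifdir:"inbound"; ifname:"eth3"; '
             'logid:"0"; origin:"192.168.1.1"; user:"John Smith (j.smith) "]')
SAMPLE_WRAPPED = ('<134>1 2024-05-01T12:00:00Z cp-mgmt CheckPoint - - - '
                  '[action:"Drop"; origin:"192.168.1.1"]')
SAMPLE_FILE = SAMPLE_OK + "\n" + SAMPLE_WRAPPED + "\n"
```

Run `verify_export_file` over the contents of the downloaded object; any entry in `bad_lines` means the forwarder is adding something around the record and the Step 2 configuration needs revisiting.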

Step 4 - Grant Hunters access to the S3 bucket

Create an IAM role attached to a policy that lets Hunters get objects from the S3 bucket, as described in the Access to Cloud Storage chapter.

Step 5 - Contact Hunters' representative

Contact your account manager to start ingesting this data into the platform.