This article explains how to ingest your Check Point appliances' logs into Hunters.
Supported data types
All Check Point Security Logs, as detailed in this Check Point article, are supported by Hunters.
Supported log formats
Hunters expects Check Point log files to be in the Check Point Syslog format, as produced by the Check Point Log Exporter.
The following is an example of a typical log line:
[action:"Accept"; flags:"000000"; ifdir:"inbound"; ifname:"eth3"; logid:"0"; origin:"192.168.1.1"; user:"John Smith (j.smith) "]
To get lines in this shape, send the logs as-is, without extra wrappers (such as the Syslog header) or customizations. If you are using Fluentd as your Syslog server, additional instructions for achieving this can be found here.
Set up a Syslog server that captures the logs coming from the Check Point Log Exporter and ships them to a cloud storage solution such as S3.
Exporting logs from appliances to S3
Step 1 - Forward logs to the Syslog server
Follow Check Point's Log Export documentation to start forwarding logs from the Check Point log servers to your Syslog server. Configure the Log Exporter to ship the logs in the Syslog RFC 5424 format.
If Fluentd is used as your Syslog server, set support_colonless_ident to false in the parser configuration of its syslog input.
Step 2 - Ship the logs from the Syslog server to S3
Configure the Syslog server to ship the logs received by Syslog to an S3 bucket shared with Hunters.
If you're using Fluentd, make sure to send only the actual Syslog payload (the extradata field that Fluentd's RFC 5424 syslog parser extracts from each message), by adding this format clause to the output that writes to S3:

    <format>
      @type single_value
      message_key extradata
    </format>
Step 3 - Verify files written to S3
Browse to the S3 bucket to which the Syslog forwarder sends its data.
Download the latest file and open it.
Make sure it is formatted as detailed in the Supported log formats section above.
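As an added example (not part of the Hunters or Check Point documentation), the following Python script performs this check on a file downloaded from the bucket. It parses every line as the Check Point Log Exporter [key:"value"; ...] structure shown above and flags the two mistakes most likely to come out of Step 2: lines that still carry the whole Syslog frame (they begin with a PRI value such as <134>) and lines wrapped in Fluentd's default JSON record instead of the bare extradata value. The file path, the assumption that objects may be gzip-compressed, and the sample lines embedded for a self-test are all assumptions of the example, not facts from the page.

```python
"""Sanity-check a file fetched from the S3 bucket before onboarding it to Hunters.

Expected line shape (Check Point Log Exporter syslog payload, as captured in the
Fluentd "extradata" field):  [action:"Accept"; flags:"000000"; ...]
"""
import gzip
import re
import sys
from pathlib import Path
from typing import Dict, Iterable, Optional, Tuple

# One key:"value" pair, followed by the ";" separator or the end of the body.
# Values may contain escaped quotes (\"), spaces and semicolons.
PAIR_RE = re.compile(r'\s*([^:;\s]+):"((?:[^"\\]|\\.)*)"\s*(?:;|$)')
# RFC 5424 / RFC 3164 frames start with a <PRI> value; if we see one, the whole
# syslog frame was shipped rather than only the extradata field.
SYSLOG_PRI_RE = re.compile(r"^<\d{1,3}>")


def parse_checkpoint_line(line: str) -> Optional[Dict[str, str]]:
    """Parse one Log Exporter line into a field dict; None if it is not in that shape."""
    s = line.strip()
    if not (s.startswith("[") and s.endswith("]")):
        return None
    body = s[1:-1]
    fields: Dict[str, str] = {}
    pos = 0
    while pos < len(body):
        m = PAIR_RE.match(body, pos)
        if m is None:  # something that is not key:"value" -> not our format
            return None
        fields[m.group(1)] = m.group(2)
        pos = m.end()
    return fields or None


def classify_line(line: str) -> str:
    """Label a line: ok, empty, syslog_header, json_wrapped or unexpected."""
    s = line.strip()
    if not s:
        return "empty"
    if parse_checkpoint_line(s) is not None:
        return "ok"
    if SYSLOG_PRI_RE.match(s):
        return "syslog_header"  # payload was not isolated with format single_value
    if s.startswith("{"):
        return "json_wrapped"  # Fluentd's default json output format was left in place
    return "unexpected"


def summarize(lines: Iterable[str]) -> Tuple[Dict[str, int], Dict[str, str]]:
    """Count line kinds and keep one sample of each problematic kind."""
    counts = {k: 0 for k in ("ok", "empty", "syslog_header", "json_wrapped", "unexpected")}
    samples: Dict[str, str] = {}
    for line in lines:
        kind = classify_line(line)
        counts[kind] += 1
        if kind not in ("ok", "empty"):
            samples.setdefault(kind, line.strip()[:120])
    return counts, samples


def check_file(path: str) -> Tuple[Dict[str, int], Dict[str, str]]:
    """Summarize a downloaded S3 object; .gz objects are transparently decompressed."""
    p = Path(path)
    opener = gzip.open if p.suffix == ".gz" else open
    with opener(str(p), "rt", encoding="utf-8", errors="replace") as fh:
        return summarize(fh)


# Constructed sample lines for a self-test (not real traffic): the article's example
# line, a full syslog frame, a JSON-wrapped record, an empty line and junk.
SAMPLE_LINES = [
    '[action:"Accept"; flags:"000000"; ifdir:"inbound"; ifname:"eth3"; logid:"0"; '
    'origin:"192.168.1.1"; user:"John Smith (j.smith) "]',
    '<134>1 2024-01-01T00:00:00Z gw1 CheckPoint 1234 - [action:"Drop"; origin:"192.168.1.1"]',
    '{"extradata":"[action:\\"Drop\\"; origin:\\"192.168.1.1\\"]","message":""}',
    "",
    "not a check point log line",
]


def main() -> int:
    if len(sys.argv) > 1:
        counts, samples = check_file(sys.argv[1])
    else:  # no file given: run on the constructed samples
        counts, samples = summarize(SAMPLE_LINES)
    print(counts)
    for kind, sample in samples.items():
        print(f"  example of {kind}: {sample}")
    bad = counts["syslog_header"] + counts["json_wrapped"] + counts["unexpected"]
    return 0 if counts["ok"] and bad == 0 else 1


if __name__ == "__main__":
    sys.exit(main())
```

Run it as "python check_checkpoint_s3.py downloaded-object.gz"; a non-zero exit status means at least one line is not in the format Hunters expects, and the printed samples show which wrapper is still present so you know what to change in Step 2.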
Step 4 - Grant Hunters access to the S3 bucket
Create an IAM role attached to a policy that lets Hunters get objects from the S3 bucket, as described in the Access to Cloud Storage chapter.
Step 5 - Contact your Hunters representative
Contact your account manager to start ingesting this data into the platform.