[Filebeat] Add module for Checkpoint Firewall #16041
Comments
Pinging @elastic/siem (Team:SIEM)
@leehinman Since not yet supported by beats, how are you currently shipping SIEM events?
* Make CEF key name mapping case-insensitive
  There's some case inconsistency in CEF docs (i.e. C6a4Label). Better to ignore case when mapping keys to full names.
* Add missing custom CEF extensions
  This adds:
  - `deviceCustomIPv6Address2(Label)`: Only 1, 3 and 4 were expected.
  - `flexNumber[12](Label)`: These two alternative custom numbers were dropped after V23 of the spec, but still used by some vendors.
  [Maybe unnecessary] changes:
  - Changed the case of `DeviceCustomNumber2` from uppercase (as documented) to lowercase to align with the other fields.
* CEF module: Support Check Point devices
  This adds a new ingest pipeline and fields to populate from Check Point CEF logs. Closes elastic#16041
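The case-insensitive key mapping and the added custom extensions described in the commit above, as an added standalone example (not code from Beats or its CEF module); the short-key table is a constructed subset, and the escaping rules assumed are CEF's `\=` and `\\`:

```go
package main

import "strings"

// Short CEF extension keys to full names, stored lowercase so lookups are
// case-insensitive (vendor docs mix e.g. "C6a4Label" and "c6a4Label").
// Subset constructed for this example; includes the keys the commit adds.
var cefKeyNames = map[string]string{
	"src":         "sourceAddress",
	"cn2":         "deviceCustomNumber2",
	"c6a2":        "deviceCustomIPv6Address2",
	"c6a4":        "deviceCustomIPv6Address4",
	"c6a4label":   "deviceCustomIPv6Address4Label",
	"flexnumber1": "flexNumber1",
}
var unescape = strings.NewReplacer(`\=`, "=", `\\`, `\`) // CEF value escapes

// ParseCEFExtension parses the "key=value key=value" part of a CEF message.
// Values may contain spaces: a new pair starts only at a token holding an
// unescaped '='; other tokens extend the previous value. Unknown keys are kept.
func ParseCEFExtension(ext string) map[string]string {
	out := map[string]string{}
	key := ""
	for _, tok := range strings.Split(ext, " ") {
		if i := unescapedEq(tok); i >= 0 {
			key = tok[:i]
			if full, ok := cefKeyNames[strings.ToLower(key)]; ok {
				key = full
			}
			out[key] = unescape.Replace(tok[i+1:])
		} else if key != "" {
			out[key] += " " + unescape.Replace(tok)
		}
	}
	return out
}

// unescapedEq returns the index of the first '=' not preceded by a backslash.
func unescapedEq(s string) int {
	for i := 0; i < len(s); i++ {
		switch s[i] {
		case '\\':
			i++ // skip the escaped character
		case '=':
			return i
		}
	}
	return -1
}
```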
Thank you @adriansr !
Two backport commits reference this issue with the same message (cherry picked from commit f6fde2e, #17111).
This was closed after merging CEF support for Check Point but shouldn't have been closed, as this is just support for the CEF output but not for Check Point logs in general.
@adriansr: what's the difference here?
Check Point can generate logs in CEF format, so we updated the cef module to understand the custom fields it adds. But it also has its own log format, which is the default and provides more information than CEF. We'll add a new module to support those logs.
Most likely using Checkpoint Log Exporter and CEF format
Checkpoint can export logs via CEF using their "Log Exporter". I found a list of mappings:
https://community.checkpoint.com/t5/Logging-and-Reporting/Log-Exporter-CEF-Field-Mappings/td-p/41060
Info on Log Exporter:
https://community.checkpoint.com/t5/Logging-and-Reporting/Log-Exporter-guide/td-p/9035
https://sc1.checkpoint.com/documents/R80.20.M2/WebAdminGuides/EN/CP_R80.20_M2_LoggingAndMonitoring_AdminGuide/html_frameset.htm?topic=documents/R80.20.M2/WebAdminGuides/EN/CP_R80.20_M2_LoggingAndMonitoring_AdminGuide/203039