Despite the information available on both Checkpoint and IBM's support site, I still found the process a tad convoluted. Below is a short and sweet summary of how I got the Checkpoint to ship logs to QRadar in a way that made sense to QRadar.
Configure the Checkpoint Log Exporter
Execute the below command on your Checkpoint SMS:
cp_log_export add name qradar target-server <QRadar-IP-address> target-port 514 protocol tcp format leef read-mode semi-unified
(replace <QRadar-IP-address> with the address of your QRadar event collector)
Verify LeefFieldMapping.xml
Navigate to /opt/CPrt-R80/log_exporter/targets/qradar
Verify that the LeefFieldMapping.xml file is as per QRadar requirements defined here: https://www.ibm.com/support/pages/troubleshooting-check-point-syslog-leef-events-log-exporter-cplogexport-utility
Verify LeefFormatDefinition.xml
Navigate to $EXPORTERDIR/conf
Verify that the LeefFormatDefinition.xml is as per QRadar requirements defined here: https://www.ibm.com/support/pages/troubleshooting-check-point-syslog-leef-events-log-exporter-cplogexport-utility
Once done, restart the Log Exporter instance: cp_log_export restart name qradar
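Before touching the QRadar side it helps to confirm what the exporter actually emits. The following is an added Python example (not from this post, Check Point or IBM) that parses one syslog line carrying a LEEF 1.0 or 2.0 event and reports which attribute keys are absent; the sample line and the default required-key list are constructed assumptions, so substitute a line captured from your own exporter and the keys your LeefFieldMapping.xml is meant to produce.

```python
import re
from dataclasses import dataclass, field

@dataclass
class LeefEvent:
    version: str
    vendor: str
    product: str
    product_version: str
    event_id: str
    attributes: dict = field(default_factory=dict)

def _delimiter(spec):
    """LEEF 2.0 optional delimiter field: a single character or hex such as x09 / 0x09."""
    m = re.fullmatch(r"0?x([0-9a-fA-F]{2,4})", spec)
    if m:
        return chr(int(m.group(1), 16))
    return spec if len(spec) == 1 else None

def parse_leef(line):
    """Parse a syslog line carrying a LEEF 1.0 or 2.0 event; raise ValueError if malformed."""
    start = line.find("LEEF:")            # skip syslog priority / timestamp / host framing
    if start < 0:
        raise ValueError("no LEEF header in line")
    parts = line[start:].split("|", 5)
    if len(parts) < 6:
        raise ValueError("LEEF header needs 5 pipe-separated fields before the attributes")
    version = parts[0][len("LEEF:"):]
    attrs, delim = parts[5], "\t"         # LEEF 1.0 always separates attributes with a tab
    if version.startswith("2"):
        spec, _, rest = attrs.partition("|")
        d = _delimiter(spec)
        if d is not None and rest:        # explicit delimiter field present
            delim, attrs = d, rest
    attributes = {}
    for pair in attrs.split(delim):
        if not pair:
            continue
        key, sep, value = pair.partition("=")
        if not sep or not key:
            raise ValueError(f"attribute without key=value form: {pair!r}")
        attributes[key] = value
    return LeefEvent(version, *parts[1:5], attributes)

def missing_keys(event, required=("devTime", "src", "dst")):
    """Return the required attribute keys (assumed defaults shown) that the event lacks."""
    return [k for k in required if k not in event.attributes]

SAMPLE = (  # constructed sample line, not captured from a real Log Exporter
    "<134>Jun 10 12:00:00 cp-sms LEEF:2.0|Check Point|VPN-1 & FireWall-1|1.0|Accept|x09|"
    "cat=Accept\tdevTime=Jun 10 2024 12:00:00\tsrc=10.1.2.3\tdst=192.0.2.10\tdstPort=443\tproto=tcp"
)
```

Running `missing_keys(parse_leef(SAMPLE))` returns an empty list for the sample; a non-empty list points at a mapping entry to fix before QRadar ever sees the event.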
QRadar Configuration
My testing revealed two prerequisites:
- Ensure you have the latest QRadar Checkpoint DSM (Device Support Module)
- Install IBM QRadar Custom Properties for Checkpoint from the QRadar App Exchange
Lastly, configure a new Checkpoint Log source (Admin -> Log Sources) which matches the settings you defined in your Checkpoint Log Exporter.
QRadar also supports Checkpoint integration via Opsec, but it seems that the Log Exporter is the preferred way for Checkpoint going forward.
Detailed troubleshooting can be found on the IBM Support site.