Check Point Firewall - Cloud SIEM
This section has instructions for collecting Check Point Firewall log messages and sending them to Sumo Logic to be ingested by Cloud SIEM.
Step 1: Configure collection
In this step, you configure a Syslog Source to collect Check Point Firewall log messages. You can configure the source on an existing Installed Collector or create a new collector. If you’re going to use an existing collector, jump to Configure a Syslog Source below. Otherwise, create a new collector as described in Configure an Installed Collector below, and then create the Syslog Source on the collector.
Configure an Installed Collector
-
Classic UI. In the main Sumo Logic menu, select Manage Data > Collection > Collection.
New UI. In the top menu select Configuration, and then under Data Collection select Collection. You can also click the Go To... menu at the top of the screen and select Collection. -
Click Add Collector.
-
Click Installed Collector.
-
The Add Installed Collector popup appears.
-
Download the appropriate collector for your operating system.
-
Install the collector. Instructions for your preferred operating system and method of installation are available on the Installed Collectors page.
-
Once the collector is installed, confirm it is available on the Collection page and select Edit.
-
The Edit Collector popup appears.
-
Name. Provide a Name for the Collector.
-
Description. (Optional)
-
Category. Enter a string to tag the output collected from the source. The string that you supply will be saved in a metadata field called
_sourceCategory
. -
Fields.
- If you are planning that all the sources you add to this collector will forward log messages to Cloud SIEM, click the +Add Field link, and add a field whose name is
_siemForward
and value is true. This will cause the collector to forward all of the logs collected by all of the sources on the collector to Cloud SIEM. - If you are planning that all sources you add to this collector will use the same log parser (if they are the same type of log), click the +Add Field link, and add a field whose name is
_parser
with the value /Parsers/System/Check Point/Check Point Firewall Syslog. This will cause all sources on the collector to use the specified parser.
noteIt’s also possible to configure individual sources to forward to Cloud SIEM, as described in the following section.
- If you are planning that all the sources you add to this collector will forward log messages to Cloud SIEM, click the +Add Field link, and add a field whose name is
-
Click Save.
Configure a Syslog Source
- Classic UI. In the main Sumo Logic menu, select Manage Data > Collection > Collection.
New UI. In the top menu select Configuration, and then under Data Collection select Collection. You can also click the Go To... menu at the top of the screen and select Collection. - Navigate to the Installed Collector where you want to create the source.
- On the Collectors page, click Add Source next to an Installed Collector.
- Select Syslog.
- The page refreshes.
- Name. Enter a name for the source.
- Description. (Optional)
- Protocol. Select the protocol that your syslog-enabled devices are currently using to send syslog data, UDP or TCP. For more information, see Choosing TCP or UDP on the Syslog Source page.
- Port. Enter the port number for the Source to listen to. If the collector runs as root (default), use 514. Otherwise, consider 1514 or 5140. Make sure the devices are sending to the same port.
- Source Category. Enter a string to tag the output collected from the source. The string that you supply will be saved in a metadata field called
_sourceCategory
. Make a note of the source category. You’ll supply it in Step 2 below. - Fields.
- If you have not configured the Installed Collector to forward all sources in the collector to Cloud SIEM, click the +Add Field link, and add a field whose name is
_siemForward
and value is true. - If you have not configured the Installed Collector to parse all sources in the collector with the same parser, click the +Add Field link, and add a field whose name is
_parser
with the value /Parsers/System/Check Point/Check Point Firewall Syslog.
- If you have not configured the Installed Collector to forward all sources in the collector to Cloud SIEM, click the +Add Field link, and add a field whose name is
- Click Save.
Step 2: Configure Check Point Firewall
In this step you configure Check Point Firewall to send log messages to the Sumo Logic platform. Sumo Logic supports the default Syslog format from Check Point’s Log Exporter. For more information on Syslog forwarding see Log Exporter - Check Point Log Export in Check Point help
Step 3: Verify Ingestion
In this step, you verify that your logs are successfully making it into Cloud SIEM.
- Classic UI. In the top menu select Configuration, and then under Incoming Data select Log Mappings.
New UI. In the top menu select Configuration, and then under Cloud SIEM Integrations select Log Mappings. You can also click the Go To... menu at the top of the screen and select Log Mappings. - On the Log Mappings page search for "checkpoint" and check under Record Volume.
- For a more granular look at the incoming Records, you can also search the Sumo Logic platform for Check Point Firewall security records.