Posted to issues@metron.apache.org by "Kyle Richardson (JIRA)" <ji...@apache.org> on 2016/08/16 01:46:20 UTC

[jira] [Commented] (METRON-355) Check Point log collection

    [ https://issues.apache.org/jira/browse/METRON-355?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15422028#comment-15422028 ] 

Kyle Richardson commented on METRON-355:
----------------------------------------

I agree that Check Point only really supports OPSEC LEA as a means of collecting their logs; however, log collection and log parsing are different functions and it's probably best to separate them into distinct features.

That said, there are also two other issues, METRON-182 and METRON-194, related to Check Point log parsing. Can these be consolidated down? If not, is the goal to support the Check Point OS (e.g. GAIA) audit logging as well as "Software Blade" logging (e.g. Firewall, IPS, etc.)?


> Check Point log collection
> --------------------------
>
>                 Key: METRON-355
>                 URL: https://issues.apache.org/jira/browse/METRON-355
>             Project: Metron
>          Issue Type: Wish
>            Reporter: Yohann
>            Priority: Minor
>
> To export the logs to an external log management solution, Check Point has developed the OPSEC framework which allows third party applications to interact with firewalls. One of the features is to get a copy of logs using the LEA protocol. LEA means "Log Export API" and provides the ability to pull logs from a Check Point device via the port TCP/18184. What about Syslog, you could ask? It is simply not possible in an out-of-the-box way! 
> Commercial log management/SIEM solutions support OPSEC and they MUST do (Check Point is one of the market leaders).
> The open source solution FW1-LogGrabber is a Linux command-line tool to grab logfiles from remote Check Point devices and could be integrated into Metron.
> Documentation:
> * [Check Point Firewall Logs and Logstash (ELK) Integration|https://blog.rootshell.be/2014/08/28/check-point-firewall-logs-and-logstash-elk-integration/]
> * [FW1-LogGrabber|https://github.com/certego/fw1-loggrabber]
> * [OPSEC|https://www.checkpoint.com/partners/opsec/]



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)