Anyone tried to set up CheckPoint LEEF Log Source?
I get only unknown events, it seems that event category is not set up properly.
I get logs like that:
LEEF:2.0|Check Point|VPN-1 & FireWall-1|1.0|Drop|cat=Drop devTime=1558377110 …
EventID=Drop
cat=Drop
In my opinion cat should be: VPN-1 & FireWall-1, so probably I’ve set up something wrong in the CheckPoint xml LeefFormatDefinition or LeefFieldsMapping.
Unfortunately documentation is not helpful to troubleshoot that issue.
Any ideas? Thx in advance.
P.S.
When I open an unknown event in DSM Editor I can override Event Category with a regex; then everything looks fine, but only in the DSM Editor window. (I get LLC, event name and QID set up properly.) When I save it, I’m still getting an unknown event.
When I open Event and Map Event I get EventID= Drop Event Category=Drop
Log source type isn’t necessarily going to change how the event is interpreted and it certainly won’t change display order of information in the event itself.
Just tested that and still the same unknown events. I cannot override the event category to make it work.
I think CheckPoint sends these logs wrongly formatted and maps the wrong field to the cat field.
Do you receive the correct category field? Can you share your CheckPoint xml config? (LeefFieldsMapping.xml, LeefFormatDefinition.xml)
Gotcha. We had a similar issue with a unique log source event. It ended up being the god damn brand the software company was adding to events. QRadar couldn’t interpret the event because it saw all their title and other shit at the front of the event.
We had them strip all their crap off the event and QRadar figured it out as a Linux log source immediately.
Check $EXPORTERDIR/targets/<deployment_name>/conf/LeefFieldsMapping.xml on the Checkpoint server and make sure the “cat” field ONLY maps from the “product” field. Case sensitive. Remove other mappings to “cat” if any. Then restart the LEEF service. It should solve your problem.
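An added example, not from any poster in this thread: a small LEEF parser in Python that splits the header from the tab-separated (or custom-delimited) attributes and checks the point made in the last reply, that `cat` should carry the product name rather than the action. The two sample lines are constructed, modelled on the one quoted above, with tabs as the attribute separator; `src`/`dst` are made-up fields.

```python
import re
from typing import Any, Dict

# Constructed samples modelled on the line quoted in the thread. Attributes are
# tab-separated, as LEEF requires when no custom delimiter is declared.
SAMPLE_BAD = ("LEEF:2.0|Check Point|VPN-1 & FireWall-1|1.0|Drop|"
              "cat=Drop\tdevTime=1558377110\tsrc=10.0.0.5\tdst=10.0.0.9")
SAMPLE_GOOD = ("LEEF:2.0|Check Point|VPN-1 & FireWall-1|1.0|Drop|"
               "cat=VPN-1 & FireWall-1\tdevTime=1558377110\tsrc=10.0.0.5\tdst=10.0.0.9")


def parse_leef(line: str) -> Dict[str, Any]:
    """Split a LEEF 1.0/2.0 event into its header fields and key=value attributes."""
    if not line.startswith("LEEF:"):
        raise ValueError("not a LEEF event")
    parts = line.split("|", 5)
    if len(parts) < 6:
        raise ValueError("incomplete LEEF header")
    version, vendor, product, prod_version, event_id, rest = parts
    version = version[len("LEEF:"):]
    delim = "\t"
    if version == "2.0":
        # LEEF 2.0 may declare a custom attribute delimiter as a sixth header
        # field: a single character (e.g. "^") or a hex code such as "x09"/"0x09".
        head, sep, tail = rest.partition("|")
        m = re.fullmatch(r"(?:0?x([0-9A-Fa-f]{2})|(.))", head)
        if sep and m:
            delim = chr(int(m.group(1), 16)) if m.group(1) else m.group(2)
            rest = tail
    attrs: Dict[str, str] = {}
    for token in rest.split(delim):
        key, eq, value = token.partition("=")  # values may themselves contain '='
        if eq:
            attrs[key.strip()] = value
    return {"version": version, "vendor": vendor, "product": product,
            "product_version": prod_version, "event_id": event_id, "attrs": attrs}


def cat_mapping_ok(line: str) -> bool:
    """The fix from the thread: 'cat' must carry the product field, not the action."""
    ev = parse_leef(line)
    return ev["attrs"].get("cat") == ev["product"]


if __name__ == "__main__":
    for sample in (SAMPLE_BAD, SAMPLE_GOOD):
        ev = parse_leef(sample)
        print(ev["event_id"], ev["attrs"].get("cat"), "ok" if cat_mapping_ok(sample) else "BAD")
```

Running it against a few lines pulled from the exporter output is a quick way to confirm the LeefFieldsMapping.xml change took effect after the LEEF service restart.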