x-pack/filebeat/module/checkpoint/_meta/docs.md
:::::{admonition} Prefer to use {{agent}} for this use case?
Refer to the Elastic Integrations documentation.

::::{dropdown} Learn more
{{agent}} is a single, unified way to add monitoring for logs, metrics, and other types of data to a host. It can also protect hosts from security threats, query data from operating systems, forward data from remote services or hardware, and more. Refer to the documentation for a detailed comparison of {{beats}} and {{agent}}.
::::

:::::

This is a module for Check Point firewall logs. It supports logs from the Log Exporter in the Syslog RFC 5424 format. If you need to ingest Check Point logs in CEF format, use the CEF module instead (note that the syslog output provides more fields than CEF).

To configure a Log Exporter, please refer to the documentation by Check Point.

Example Log Exporter config:

```sh
cp_log_export add name testdestination target-server 192.168.1.1 target-port 9001 protocol udp format syslog
```

::::{tip}
Read the quick start to learn how to configure and run modules.
::::

## Compatibility [_compatibility_7]

This module has been tested against Check Point Log Exporter on R80.X but should also work with R77.30.

## Configure the module [configuring-checkpoint-module]

You can further refine the behavior of the checkpoint module by specifying variable settings in the modules.d/checkpoint.yml file, or overriding settings at the command line.

You must enable at least one fileset in the module. Filesets are disabled by default.

### Variable settings [checkpoint-settings]

Each fileset has separate variable settings for configuring the behavior of the module. If you don’t specify variable settings, the checkpoint module uses the defaults.

For advanced use cases, you can also override input settings. See Override input settings.

::::{tip}
When you specify a setting at the command line, remember to prefix the setting with the module name, for example, `checkpoint.firewall.var.paths` instead of `firewall.var.paths`.
::::

#### firewall fileset settings [_firewall_fileset_settings]

Example config:

```yaml
- module: checkpoint
  firewall:
    var.syslog_host: 0.0.0.0
    var.syslog_port: 9001
```

var.paths : An array of glob-based paths that specify where to look for the log files. All patterns supported by Go Glob are also supported here. For example, you can use wildcards to fetch all files from a predefined level of subdirectories: /path/to/log/*/*.log. This fetches all .log files from the subfolders of /path/to/log. It does not fetch log files from the /path/to/log folder itself. If this setting is left empty, Filebeat will choose log paths based on your operating system.

var.syslog_host : The interface on which to listen for UDP-based syslog traffic. Defaults to localhost. Set to 0.0.0.0 to bind to all available interfaces.

var.syslog_port : The UDP port to listen for syslog traffic. Defaults to 9001.

var.timezone_offset : IANA time zone or time offset (e.g. +0200) to use when interpreting syslog timestamps without a time zone. Defaults to UTC.

var.tags : A list of tags to include in events. Including forwarded indicates that the events did not originate on this host and causes host.name to not be added to events. Defaults to [checkpoint-firewall, forwarded].

var.ssl : The SSL/TLS configuration for the filebeat instance. This can be used to enforce mutual TLS.

```yaml
ssl:
  enabled: true
  certificate_authorities: ["my-ca.pem"]
  certificate: "filebeat-cert.pem"
  key: "filebeat-key.pem"
  client_authentication: "required"
```

## Check Point devices [_check_point_devices_2]

This module will parse Check Point Syslog data as documented in: Checkpoint Log Fields Description.

Check Point Syslog extensions are mapped as follows to ECS:

| Check Point Fields | ECS Fields |
| --- | --- |
| action | event.action |
| appi_name | network.application |
| app_risk | event.risk_score |
| app_rule_id | rule.id |
| app_rule_name | rule.name |
| bytes | network.bytes |
| categories | rule.category |
| client_inbound_interface | observer.ingress.interface.name |
| client_outbound_bytes | source.bytes |
| client_outbound_interface | observer.egress.interface.name |
| client_outbound_packets | source.packets |
| destination_dns_hostname | destination.domain |
| dlp_file_name | file.name |
| dns_message_type | dns.type |
| dns_type | dns.question.type |
| domain_name | dns.question.name |
| dst | destination.ip |
| dst_machine_name | destination.domain |
| dlp_rule_name | rule.name |
| dlp_rule_uid | rule.uuid |
| endpoint_ip | observer.ip |
| file_id | file.inode |
| file_type | file.type |
| file_name | file.name |
| file_size | file.size |
| file_md5 | file.hash.md5 |
| file_sha1 | file.hash.sha1 |
| file_sha256 | file.hash.sha256 |
| first_detection | event.start |
| from | source.user.email |
| ifdir | network.direction |
| industry_reference | vulnerability.id |
| inzone | observer.ingress.zone |
| last_detection | event.end |
| loguid | event.id |
| mac_destination_address | destination.mac |
| mac_source_address | source.mac |
| malware_action | rule.description |
| matched_category | rule.category |
| malware_rule_id | rule.rule.id |
| message | message |
| method | http.request.method |
| origin | observer.name |
| origin_ip | observer.ip |
| os_name | host.os.name |
| os_version | host.os.version |
| outzone | observer.egress.zone |
| packet_capture | event.url |
| packets | network.packets |
| parent_process_md5 | process.parent.hash.md5 |
| parent_process_name | process.parent.name |
| process_md5 | process.hash.md5 |
| process_name | process.name |
| product | observer.product |
| proto | network.iana_number |
| reason | message |
| received_bytes | destination.bytes |
| referrer | http.request.referrer |
| rule_name | rule.name |
| resource | url.original |
| s_port | source.port |
| security_inzone | observer.ingress.zone |
| security_outzone | observer.egress.zone |
| sent_bytes | source.bytes |
| sequencenum | event.sequence |
| service | destination.port |
| service_id | network.application |
| service_name | destination.service.name |
| server_outbound_packets | destination.packets |
| server_outbound_bytes | destination.bytes |
| severity | event.severity |
| smartdefense_profile | rule.ruleset |
| src | source.ip |
| src_machine_name | source.domain |
| src_user_group | source.user.group.name |
| start_time | event.start |
| status | http.response.status_code |
| tid | dns.id |
| time | @timestamp |
| to | destination.user.email |
| type | observer.type |
| update_version | observer.version |
| url | url.original |
| user_group | group.name |
| usercheck_incident_uid | destination.user.id |
| web_client_type | user_agent.name |
| xlatesrc | source.nat.ip |
| xlatedst | destination.nat.ip |
| xlatesport | source.nat.port |
| xlatedport | destination.nat.port |
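To make the RFC 5424 input and the ECS mapping above concrete, here is a small added Python parser (not code from the Filebeat module itself) that takes one Log Exporter syslog line, splits the RFC 5424 header from the structured-data element, and renames a subset of the Check Point fields to their ECS names from the table. The `key:"value"; key:"value"` layout inside the square brackets, the epoch-seconds `time` field and the sample line are assumptions constructed for this example.

```python
import re
from datetime import datetime, timezone
from typing import Any, Dict

# Subset of the Check Point -> ECS mapping table on this page.
CP_TO_ECS = {
    "action": "event.action", "src": "source.ip", "dst": "destination.ip",
    "s_port": "source.port", "service": "destination.port",
    "proto": "network.iana_number", "ifdir": "network.direction",
    "origin": "observer.name", "loguid": "event.id", "rule_name": "rule.name",
    "sequencenum": "event.sequence", "time": "@timestamp",
    "xlatesrc": "source.nat.ip", "xlatedst": "destination.nat.ip",
    "xlatesport": "source.nat.port", "xlatedport": "destination.nat.port",
}
INT_FIELDS = {"source.port", "destination.port", "source.nat.port",
              "destination.nat.port", "network.iana_number", "event.sequence"}

# RFC 5424 header: <PRI>1 TIMESTAMP HOSTNAME APP-NAME PROCID MSGID [SD-ELEMENT]
HEADER_RE = re.compile(r'^<(\d{1,3})>1 (\S+) (\S+) (\S+) (\S+) (\S+) \[(.*)\]\s*$')
# Assumed Log Exporter layout inside the SD element: key:"value"; key:"value"; ...
KV_RE = re.compile(r'(\w+):"([^"]*)"')


def parse_checkpoint_syslog(line: str) -> Dict[str, Any]:
    # Returns a flat dict keyed by ECS field name; unmapped keys go under checkpoint.*
    m = HEADER_RE.match(line)
    if m is None:
        raise ValueError("not an RFC 5424 Check Point Log Exporter line")
    pri = int(m.group(1))  # PRI = facility * 8 + severity
    event: Dict[str, Any] = {"log.syslog.facility.code": pri >> 3,
                             "log.syslog.severity.code": pri & 7}
    for key, val in KV_RE.findall(m.group(7)):
        ecs = CP_TO_ECS.get(key)
        if ecs is None:
            event["checkpoint." + key] = val  # keep unmapped fields rather than drop them
        elif ecs == "@timestamp":  # assumed: Log Exporter's time field is epoch seconds
            event[ecs] = datetime.fromtimestamp(int(val), tz=timezone.utc).isoformat()
        elif ecs in INT_FIELDS:
            event[ecs] = int(val)
        else:
            event[ecs] = val
    return event


# Constructed sample line (not a real device capture); RFC 5737 documentation addresses.
SAMPLE = ('<134>1 2020-03-30T07:23:45Z gw-lab CheckPoint 4527 - [action:"Drop"; '
          'ifdir:"inbound"; loguid:"{0x5e819b96,0x0,0x1e0fa8c0,0xc0000000}"; '
          'origin:"192.0.2.1"; sequencenum:"17"; time:"1585553025"; src:"198.51.100.23"; '
          's_port:"51234"; dst:"192.0.2.10"; service:"22"; proto:"6"; rule_name:"Block-SSH"]')
```

Running `parse_checkpoint_syslog(SAMPLE)` yields the ECS-keyed event; a line that does not match the RFC 5424 header raises `ValueError` instead of producing a half-parsed document.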