Collect Check Point firewall logs

This parser extracts Check Point firewall logs. It handles both CEF and non-CEF formatted messages, including syslog, key-value pairs, and JSON. It normalizes fields, maps them to the UDM, and performs specific logic for login/logout, network connections, and security events. It enriches the data with contextual information like geolocation and threat intelligence.

Before you begin

• Ensure that you have a Google Security Operations instance.
• Ensure that you are using Windows 2016 or later, or a Linux host with systemd.
• If running behind a proxy, ensure firewall ports are open.
• Ensure that you have privileged access to a Check Point Firewall.

Get Google SecOps ingestion authentication file

1. Sign in to the Google SecOps console.
2. Go to SIEM Settings > Collection Agents.
3. Download the Ingestion Authentication File.

Get Google SecOps customer ID

1. Sign in to the Google SecOps console.
2. Go to SIEM Settings > Profile.
3. Copy and save the Customer ID from the Organization Details section.

Install Bindplane Agent

1. For Windows installation, run the following script:
   msiexec /i "https://github.com/observIQ/bindplane-agent/releases/latest/download/observiq-otel-collector.msi" /quiet
2. For Linux installation, run the following script:
   sudo sh -c "$(curl -fsSlL https://github.com/observiq/bindplane-agent/releases/latest/download/install_unix.sh)" install_unix.sh
3. Additional installation options can be found in this installation guide.

Configure Bindplane Agent to ingest Syslog and send to Google SecOps

1. Access the machine where Bindplane is installed.

2. Edit the config.yaml file as follows:

   receivers:
       udplog:
           # Replace the below port <54525> and IP <0.0.0.0> with your specific values
           listen_address: "0.0.0.0:54525" 
   
   exporters:
       chronicle/chronicle_w_labels:
           compression: gzip
           # Adjust the creds location below according the placement of the credentials file you downloaded
           creds: '{ json file for creds }'
           # Replace <customer_id> below with your actual ID that you copied
           customer_id: <customer_id>
           endpoint: malachiteingestion-pa.googleapis.com
           # You can apply ingestion labels below as preferred
           ingestion_labels:
           log_type: SYSLOG
           namespace: Checkpoint_Firewall
           raw_log_field: body
   service:
       pipelines:
           logs/source0__chronicle_w_labels-0:
               receivers:
                   - udplog
               exporters:
                   - chronicle/chronicle_w_labels
   

3. Restart the Bindplane Agent to apply the changes:

   sudo systemctl restart bindplane
   

Configure Syslog Export in a Check Point Firewall

1. Sign in to the Check Point firewall UI using a privileged account.
2. Go to Logs & Monitoring > Log Servers.
3. Navigate to Syslog Servers.
4. Click Configure, and set the following values:
   • Protocol: select UDP to send security logs and/or system logs.
   • Name: provide a unique name (for example, Bindplane_Server).
   • IP Address: provide your syslog server IP address (Bindplane IP).
   • Port: provide your syslog server Port (Bindplane Port).
5. Select Enable log server.
6. Select logs to forward: Both system and security logs.
7. Click Apply.

UDM Mapping Table

Need more help? Get answers from Community members and Google SecOps professionals.