Documentation Center
AlienVault® USM Anywhere™

CheckPoint FW1 Loggrabber

When you configure CheckPoint FW1 Loggrabber to send log data to USM Anywhere, you can use the CheckPoint FW1 Loggrabber plugin to translate the raw log data into normalized events for analysis.

Device Details
Vendor CheckPoint
Device Type Firewall
Connection Type Syslog

Integrating CheckPoint FW1 Loggrabber

Before you configure the CheckPoint FW1 Loggrabber integration, you must have the IP Address of the USM Anywhere Sensor.

To configure CheckPoint FW1 Loggrabber to send Syslog messages to USM Anywhere

To receive log data from CheckPoint FW1 devices, you need to first set up a computer running Linux and then install and configure CheckPoint FW1 Loggrabber (on that same machine), to retrieve the logs from a CheckPoint FW1 firewall device and forward them to the USM Anywhere Sensor.

Note: For LogGrabber installation instructions on Linux, see https://github.com/certego/fw1-loggrabber/wiki/Build-and-install-FW1-LogGrabber.

CheckPoint FW1 Loggrabber has two configuration files:

  • fw1-loggrabber.conf — Primary configuration file that contains information on how the actual log extraction should be performed.
  • lea.conf — Contains details about the firewall to be connected.

Configuration parameters in the fw1-loggrabber.conf file include the following:

  • LOGGING_CONFIGURATION=<screen|file|syslog|odbc>

    The LOGGING_CONFIGURATION parameter is used for redirection of logging output to destinations other than the default STDOUT destination.

    Note: Currently, it is possible to redirect output only to a file or to a syslog daemon from Linux machines.

    Using the parameters OUTPUT_FILE_PREFIX and OUTPUT_FILE_ROTATESIZE, you can specify more configuration details, if you choose to redirect the output to a file. If you have chosen ODBC, you have to specify the DSN with the parameter ODBC_DSN.

  • SYSLOG_FACILITY=<USER|LOCAL0|...|LOCAL7>

    This parameter specifies the syslog facility to be used (on Linux systems only). Setting this parameter is only effective when running CheckPoint FW1 Loggrabber with LOGGING_CONFIGURATION=SYSLOG.

The following files provides an example of the CheckPoint FW1 Logger configuration for USM Anywhere.

Plugin Enablement

For plugin enablement information, see Manual Plugin Management.

Available Plugin Fields

The following plugin fields are important attributes extracted from the syslog message. USM Anywhere reports use these fields, and you can also reference them when creating custom reports. In addition to reporting, the USM Anywhere correlation rules make use of these fields.

  • customfield_0

  • customfield_1

  • customfield_2

  • customfield_4

  • customfield_5

  • destination_address

  • destination_port

  • destination_translated_address

  • destination_translated_port

  • device_direction

  • event_description

  • event_name

  • policy

  • rep_device_address

  • rep_device_inbound_interface

  • rep_device_model

  • rep_device_outbound_interface

  • source_address

  • source_port

  • source_translated_address

  • source_translated_port

  • timestamp_occured

  • transport_protocol

Additional Resources and Troubleshooting

https://www.checkpoint.com

For troubleshooting, see the vendor documentation.