2018-02-19 12:15 PM
Hi, is anyone successfully collecting Checkpoint Audit logs in Netwitness 10.6.5 or higher?
I have a case open with Support at the moment. Security logs are captured fine, but Audit logs don't seem to be being collected.
If I run the NwCheckpointProcess with the --odebug flag I can see the logs physically arriving at the log collector. However, from there they never make it into the GUI, even though the Security Logs do make it through.
The internal case reference is 01116330 if anyone wants to see.
2018-02-19 03:35 PM
Hi David,
I'm collecting CP Audit logs in my lab... (SA 10.6.5 / CP R76).
The Audit logs are parsing and showing as msg.id "checkpoint_event" and Event Category Name "other.default".
2018-02-21 11:31 AM
Thanks Thomas.
I found out the problem on my side.
I had set up the collection of Audit logs using a persistent connection (polling interval -1). This tends to batch events before forwarding them, so for a low level of audit logs it delayed them being sent through.
The next problem when they did come through was that they were not being parsed with the out-of-the-box Check Point parser. For example, the CheckPoint logs contain Administrator=myadminstrator.
With the out-of-the-box parser this is being put into the Administrator meta key, which may not be defined. I redefined it so that it put it into the username field. Then the names of the administrators showed up.
There is quite a lot of customisation needed in table-map-custom.xml to get parsed entries to actually show in the GUI.
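To illustrate the parsing problem described in this reply (a field mapped to a meta key that is not defined never reaches the GUI, and remapping it to username fixes that), here is an added example that is not part of the thread and not NetWitness's own parser code. The key=value line format, the set of defined meta keys, and the FIELD_TO_META mapping are all constructed assumptions; real table-map-custom.xml entries are XML and the actual audit record layout depends on the Check Point version.

```python
from typing import Dict, List, Tuple

# Constructed sample Check Point audit records (key=value pairs); not real captures.
SAMPLE_AUDIT_LINES = [
    "Action=Log In;Administrator=myadminstrator;Client=SmartDashboard;Operation=Log In",
    "Action=Modify Object;Administrator=jdoe;ObjectName=Internal_Net;ObjectType=network",
]

# Assumed set of meta keys that are defined/indexed on the concentrator.
# Note that "administrator" is deliberately absent, mirroring the thread.
DEFINED_META_KEYS = {"username", "action", "client", "obj.name", "obj.type", "event.desc"}

# Assumed out-of-the-box style mapping: no entry for Administrator, so it
# falls through to a lowercased key that is not defined.
DEFAULT_MAPPING = {
    "Action": "action",
    "Client": "client",
    "ObjectName": "obj.name",
    "ObjectType": "obj.type",
    "Operation": "event.desc",
}

# Assumed custom mapping equivalent to the fix in the thread: Administrator -> username.
CUSTOM_MAPPING = dict(DEFAULT_MAPPING, Administrator="username")


def parse_kv(line: str) -> Dict[str, str]:
    """Split a ';'-delimited key=value record into a dict (values may contain spaces)."""
    fields: Dict[str, str] = {}
    for pair in line.split(";"):
        if "=" in pair:
            key, value = pair.split("=", 1)
            fields[key.strip()] = value.strip()
    return fields


def map_to_meta(fields: Dict[str, str],
                mapping: Dict[str, str],
                defined=DEFINED_META_KEYS) -> Tuple[Dict[str, str], List[Tuple[str, str]]]:
    """Apply the field->meta-key mapping.

    Returns (meta, dropped): meta holds values that landed on a defined key and
    would be visible in the GUI; dropped lists (field, target_key) pairs whose
    target key is undefined and would therefore be silently lost.
    """
    meta: Dict[str, str] = {}
    dropped: List[Tuple[str, str]] = []
    for field, value in fields.items():
        target = mapping.get(field, field.lower())
        if target in defined:
            meta[target] = value
        else:
            dropped.append((field, target))
    return meta, dropped


def process(lines: List[str], mapping: Dict[str, str]) -> List[Tuple[Dict[str, str], List[Tuple[str, str]]]]:
    """Parse and map every record; handy for checking a mapping before deploying it."""
    return [map_to_meta(parse_kv(line), mapping) for line in lines]


if __name__ == "__main__":
    for label, mapping in (("default", DEFAULT_MAPPING), ("custom", CUSTOM_MAPPING)):
        print(f"--- {label} mapping ---")
        for meta, dropped in process(SAMPLE_AUDIT_LINES, mapping):
            print("visible:", meta)
            print("dropped:", dropped)
```

Running it with DEFAULT_MAPPING shows the Administrator value reported as dropped (target key "administrator" undefined), while CUSTOM_MAPPING puts the same value under username, which is the behaviour the reply describes after the change to table-map-custom.xml.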