Checkpoint logs


Shawn Wiley
Nov 13, 2014, 11:46:02 AM
to securit...@googlegroups.com
Hi. Has anyone written up how to take Checkpoint FW-1 logs into Security Onion?

Doug Burks
Nov 13, 2014, 11:51:13 AM
to securit...@googlegroups.com
Hi Shawn,

ELSA should support Checkpoint logs:
http://ossectools.blogspot.com/2012/02/new-elsa-log-parsers.html

Have you tried sending your Checkpoint logs to the syslog collector on
your Security Onion box?

On Thu, Nov 13, 2014 at 11:46 AM, Shawn Wiley <slw...@gmail.com> wrote:
> Hi. Has anyone written up how to take Checkpoint FW-1 logs into Security Onion?
>



--
Doug Burks
Need Security Onion Training or Commercial Support?
http://securityonionsolutions.com

Shawn Wiley
Nov 13, 2014, 11:58:23 AM
to securit...@googlegroups.com
I'm having a difficult time getting the logs to Security Onion. What have people used successfully to import Checkpoint logs? FW-1_Loggrabber? I'd love to find a write-up on how to install loggrabber on Security Onion. I'm in the process of replacing an enterprise ArcSight deployment with Security Onion. Thanks.

Doug Burks
Nov 13, 2014, 12:10:29 PM
to securit...@googlegroups.com
Looking at https://github.com/certego/fw1-loggrabber, I think some of
the authors are on this list, so perhaps they may chime in.

I'd try that source code, roughly following these instructions:
https://www.alienvault.com/docs/collect/CheckpointR70-loggrabber.pdf

Assuming that tool dumps the logs into a local log file, you should
then just need to update your /etc/syslog-ng/syslog-ng.conf file with
the new log as a new "source" and then restart syslog-ng:
sudo service syslog-ng restart

On Thu, Nov 13, 2014 at 11:58 AM, Shawn Wiley <slw...@gmail.com> wrote:
> I'm having a difficult time getting the logs to Security Onion. What have people used successfully to import Checkpoint logs? FW-1_Loggrabber? I'd love to find a write-up on how to install loggrabber on Security Onion. I'm in the process of replacing an enterprise ArcSight deployment with Security Onion. Thanks.
>

Shawn Wiley
Nov 13, 2014, 5:56:03 PM
to securit...@googlegroups.com
Thanks for the help!

So far I have established a connection and am bringing Checkpoint logs into Security Onion. They are being stored in /var/logs/fw1-grabber.log.

I edited syslog-ng.conf by adding a new source called s_checkpoint and added the same name below under log. (Does it matter what I called the new source?)

I went into the schema.sql and un-commented everything that said checkpoint and restarted the syslog-ng service.

When I go into ELSA I see the logs listed under syslog-ng programs as checkpoint and I see the logs being recorded but they don't look parsed/formatted.

How do I know if ELSA is parsing the logs? Is there anything else I need to do before I can move on to creating alerting and correlation rules?

Andrea De Pasquale
Nov 24, 2014, 5:18:26 AM
to securit...@googlegroups.com
Shawn,
I'm sorry for the late reply.

Doug is correct, you can follow these instructions: https://www.alienvault.com/docs/collect/CheckpointR70-loggrabber.pdf. Some instructions are also inside the man page https://github.com/certego/fw1-loggrabber/blob/master/fw1-loggrabber.1. I will take care of converting the man page to a more web-friendly format, e.g. by copying the content to GitHub's wiki.

At the moment we don't have fully working patterndb (ELSA) parsers yet; as soon as we do, we will consider pushing them to the official repo so that they will be available to everyone.

In the meantime, if you have contributions, suggestions, etc., feel free to open an issue and/or a pull request on GitHub.

Cheers,
-- Andrea De Pasquale

Andrea De Pasquale
Nov 24, 2014, 5:36:16 AM
to securit...@googlegroups.com
On Monday, November 24, 2014 11:18:26 AM UTC+1, Andrea De Pasquale wrote:
> I will take care of converting the man page to a more web-friendly format, e.g. by copying the content to GitHub's wiki.


Done, official documentation is now here:
https://github.com/certego/fw1-loggrabber/wiki/FW1-LOGGRABBER

-- Andrea De Pasquale

Shawn Wiley
Nov 24, 2014, 1:03:36 PM
to securit...@googlegroups.com
Thanks for the info. I've decided to use Security Onion as my monitoring solution, which means I'll be creating a few custom parsers and will definitely post everything I create here for review, and then hopefully they will help someone else. I tried to modify the Checkpoint parser that comes with ELSA (it's commented out of the stock install). I got it to work, but the s0-5 and i0-5 don't match up correctly. Is there a mapping, i.e. i0 always equals srcip and i1 always equals dstip? Mine parse out mixed up. I'm sure I can fix this with a little trial and error, but I'd like to know the correct way to get it right the first time. Thanks again, and I look forward to getting this up and running over the next two weeks.

Andrea De Pasquale
Nov 24, 2014, 3:13:53 PM
to securit...@googlegroups.com
On Monday, November 24, 2014 7:03:36 PM UTC+1, Shawn Wiley wrote:
> I tried to modify the Checkpoint parser that comes with ELSA (it's commented out of the stock install). I got it to work, but the s0-5 and i0-5 don't match up correctly. Is there a mapping, i.e. i0 always equals srcip and i1 always equals dstip? Mine parse out mixed up.


Shawn,
here's some relevant documentation:
https://code.google.com/p/enterprise-log-search-and-archive/wiki/Documentation#Adding_Parsers

Rather than uncommenting the stock patterndb file, I suggest you create a custom ELSA parser: https://code.google.com/p/security-onion/wiki/CustomELSAParsers. You can always merge the file into the main ELSA repo later.

You'll also need to populate MySQL tables "classes", "fields" and "fields_classes_map". In short: values "i0"..."i5" are 5...10 in the mapping and values "s0"..."s5" are 11...16 in the mapping.

Cheers,
-- Andrea
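Added example (not code from this thread, from fw1-loggrabber or from ELSA): the two points Shawn runs into above, turning one fw1-loggrabber key=value line into the i0..i5 / s0..s5 slots a patterndb rule fills, and deriving the fields_classes_map field_order values Andrea gives (i0..i5 -> 5..10, s0..s5 -> 11..16). The sample log line, the "CHECKPOINT" class, the slot assignment in SLOT_MAP and the ELSA field names in FIELD_NAMES are all constructed assumptions; the real parser XML and table rows have to agree with whatever slot assignment you actually choose, which is the reason "i0" is not automatically srcip.

```python
"""Added example, not from the thread, fw1-loggrabber or ELSA.

Parses a '|'-separated key=value record (fw1-loggrabber's default output
style), places fields into ELSA's integer/string slots according to an
explicit, chosen mapping, and emits the fields_classes_map rows whose
field_order follows the rule stated in the thread:
    i0..i5 -> field_order 5..10     s0..s5 -> field_order 11..16
Everything named below (log line, class, slot choices, field names) is an
assumption made for illustration.
"""
import ipaddress

# Assumed slot assignment for a custom "CHECKPOINT" class.  ELSA has six
# integer slots (i0..i5) and six string slots (s0..s5); which Checkpoint
# attribute lands in which slot is a choice made in the parser, not a fixed
# convention, so the patterndb rule and these tables must use the same one.
SLOT_MAP = {
    "src":      "i0",   # source IP, kept as an integer (assumed ELSA convention)
    "dst":      "i1",   # destination IP
    "s_port":   "i2",
    "service":  "i3",   # destination port
    "rule":     "i4",
    "action":   "s0",
    "proto":    "s1",
    "orig":     "s2",   # logging gateway
    "i/f_name": "s3",
}

# Assumed names for the matching rows in ELSA's `fields` table.
FIELD_NAMES = {
    "src": "srcip", "dst": "dstip", "s_port": "srcport", "service": "dstport",
    "rule": "rule", "action": "action", "proto": "proto", "orig": "gateway",
    "i/f_name": "interface",
}


def field_order(slot: str) -> int:
    """fields_classes_map.field_order for an ELSA slot name
    (i0..i5 -> 5..10, s0..s5 -> 11..16); anything else is rejected."""
    kind, idx = slot[:1], slot[1:]
    if kind not in ("i", "s") or not idx.isdigit() or not 0 <= int(idx) <= 5:
        raise ValueError(f"not an ELSA slot: {slot!r}")
    return (5 if kind == "i" else 11) + int(idx)


def parse_loggrabber_line(line: str, sep: str = "|") -> dict:
    """Split a key=value record into a dict.  Tokens without '=' are kept
    under 'unparsed' instead of being silently dropped, so a wrong separator
    or a corrupted line is visible rather than producing empty fields."""
    rec, bad = {}, []
    for tok in line.strip().split(sep):
        if "=" in tok:
            key, val = tok.split("=", 1)
            rec[key.strip()] = val.strip()
        elif tok:
            bad.append(tok)
    if bad:
        rec["unparsed"] = bad
    return rec


def to_elsa_slots(rec: dict) -> dict:
    """Fill i0..i5 / s0..s5 from a parsed record.  Integer slots only accept
    values that really are integers (dotted IPv4 is converted to its 32-bit
    form); a value that does not fit raises instead of being coerced, which
    is exactly the mixed-up-slot problem you want to catch early."""
    slots = {}
    for key, slot in SLOT_MAP.items():
        if key not in rec:
            continue
        val = rec[key]
        if slot.startswith("i"):
            try:
                val = int(ipaddress.IPv4Address(val)) if "." in val else int(val)
            except ValueError as exc:
                raise ValueError(f"{key}={val!r} cannot go into int slot {slot}") from exc
        slots[slot] = val
    return slots


def mapping_sql(class_id: int) -> list:
    """fields_classes_map INSERTs for SLOT_MAP, ordered by field_order.
    Assumes the `classes` row for class_id and one `fields` row per
    FIELD_NAMES value already exist (looked up here by field name)."""
    rows = []
    for key, slot in sorted(SLOT_MAP.items(), key=lambda kv: field_order(kv[1])):
        rows.append(
            "INSERT INTO fields_classes_map (class_id, field_id, field_order) "
            f"SELECT {class_id}, id, {field_order(slot)} FROM fields "
            f"WHERE field='{FIELD_NAMES[key]}';"
        )
    return rows


# Constructed sample in fw1-loggrabber's key=value style (documentation
# addresses, not real traffic).
SAMPLE = ("time=13Nov2014 17:50:01|action=drop|orig=192.0.2.1|i/f_dir=inbound"
          "|i/f_name=eth0|src=198.51.100.7|s_port=51234|dst=192.0.2.10"
          "|service=22|proto=tcp|rule=7")

if __name__ == "__main__":
    record = parse_loggrabber_line(SAMPLE)
    print(to_elsa_slots(record))
    print("\n".join(mapping_sql(class_id=1000)))
```

The generated INSERTs are illustrative of the field_order rule only; the `classes` and `fields` rows, the class id and the field names are whatever you define for your own parser, and the patterndb `<value>` names in the parser XML must use the same i/s slot for each attribute as the table rows do, or searches on srcip/dstip will return the mixed-up results described above.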