So far I have established a connection and am bringing Checkpoint logs into Security Onion. They are being stored in /var/logs/fw1-grabber.log.
I edited syslog-ng.conf by adding a new source called s_checkpoint and added the same name below under log. (Does it matter what I called the new source?)
I went into the schema.sql and un-commented everything that said checkpoint and restarted the syslog-ng service.
When I go into ELSA I see the logs listed under syslog-ng programs as checkpoint and I see the logs being recorded but they don't look parsed/formatted.
How do I know if ELSA is parsing the logs? Is there anything else I need to do before I can move on to creating alerting and correlation rules?
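One way to see what "parsed" should look like before hunting through ELSA, as an added example that is not part of the original post and not code from the ELSA or Security Onion projects. It assumes two things the post does not state: that fw1-grabber.log holds fw1-loggrabber-style records (pipe-separated key=value pairs such as action=accept|src=...), and that the syslog-ng program name is "checkpoint". The sample lines are constructed. Messages that match no patterndb rule are stored by ELSA under class NONE, so a search restricted to that class is the quickest check of what is falling through unparsed; the pdbtool command the script prints lets you test a single line against the real patterns.xml (path is a placeholder).

```python
"""Check whether Check Point lines are parseable the way an ELSA patterndb rule needs.

Added example, not from the original post or the ELSA/Security Onion projects.
Assumptions (not stated in the post):
  * /var/logs/fw1-grabber.log holds fw1-loggrabber-style records, i.e.
    '|'-separated key=value pairs such as "action=accept|src=10.0.0.5|...";
  * the syslog-ng program name given to the source is "checkpoint".
The sample lines below are constructed for this example.
"""
import re
import shlex

# Constructed sample: two well-formed records and one status line that should not parse.
SAMPLE_LINES = [
    "loc=1|time=12Mar2013 10:15:01|action=accept|orig=192.0.2.1|i/f_dir=inbound|"
    "i/f_name=eth0|src=10.0.0.5|dst=198.51.100.7|proto=tcp|rule=4|service=443|s_port=51234",
    "loc=2|time=12Mar2013 10:15:02|action=drop|orig=192.0.2.1|i/f_dir=inbound|"
    "i/f_name=eth0|src=203.0.113.9|dst=10.0.0.20|proto=udp|rule=12|service=53|s_port=40001",
    "fw1-loggrabber: reconnecting to management server",
]

# Fields a correlation rule would key on; all must be present for a line to count as parsed.
REQUIRED = ("action", "src", "dst", "proto", "service")
KV_RE = re.compile(r"^([^=|]+)=(.*)$")


def parse_checkpoint_line(line):
    """Return a dict of fields if the line is a complete key=value record, else None.

    This is the same contract a patterndb rule has to meet: every required field
    is extracted, or the message falls through unparsed (ELSA files it as class NONE).
    """
    fields = {}
    for part in line.strip().split("|"):
        m = KV_RE.match(part)
        if not m:
            return None
        fields[m.group(1).strip()] = m.group(2).strip()
    if not all(k in fields for k in REQUIRED):
        return None
    return fields


def classify(lines):
    """Split lines into (parsed_records, unparsed_lines)."""
    parsed, unparsed = [], []
    for line in lines:
        rec = parse_checkpoint_line(line)
        if rec is None:
            unparsed.append(line)
        else:
            parsed.append(rec)
    return parsed, unparsed


def pdbtool_cmd(line, pdb="/path/to/patterns.xml", program="checkpoint"):
    """Build the syslog-ng `pdbtool match` call that tests one line against the
    real patterndb. The patterns.xml path is a placeholder to fill in."""
    return "pdbtool match -p %s -P %s -M %s" % (
        shlex.quote(pdb), shlex.quote(program), shlex.quote(line))


if __name__ == "__main__":
    parsed, unparsed = classify(SAMPLE_LINES)
    print("parsed: %d, unparsed: %d" % (len(parsed), len(unparsed)))
    for rec in parsed:
        print("  %s %s -> %s %s/%s rule=%s" % (
            rec["action"], rec["src"], rec["dst"], rec["proto"],
            rec["service"], rec.get("rule", "?")))
    for line in unparsed:
        print("  UNPARSED: " + line)
        print("  check with: " + pdbtool_cmd(line))
```

Run it against a few real lines from fw1-grabber.log (replace SAMPLE_LINES with the file contents) to see which records carry the fields you want to alert on; anything that comes back unparsed here will also need a matching rule in patterns.xml before ELSA can expose those fields.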