Export Checkpoint logs to Rsyslog then read them with wazuh
235 views
Skip to first unread message
Wazuh user
Apr 25, 2024, 5:18:08 AM4/25/24
to Wazuh | Mailing List
Hi there,
I would like to know if it's possible to do that, and how to do that ?
I read some documentations to do it, and I created a Rsyslog on my Wazuh server, thinking it would be easier to read logs, but I don't think that's the good way to di it.
Then, I have configured the rsyslog as indicated in tutorials, like :
- Log Exporter Instructions for Specific SIEM (checkpoint.com)
- Log Exporter Instructions for Specific SIEM (checkpoint.com)
Do you have some recommandations to make it work correctly if it's possible ?
Thank you,
Regards
Obinna Uchubilo
Apr 25, 2024, 7:09:50 AM4/25/24
to Wazuh | Mailing List
Hello,
To use rsyslog, You will need to configure an endpoint that has the Wazuh agent installed. Checkpoint sends it logs to the endpoint with rsyslog and Wazuh agent installed. The rsyslog forwards the received logs to a file on the endpoint. Then, the Wazuh agent is configured to collect the logs from the file.
You could also use syslog to collect the log from your checkpoint.
- First, configure the Wazuh server to receive syslog messages.
- Secondly, configure the network devices to send syslog messages to the Wazuh server. We recommend that you read the documentation of the vendor you are using to figure out how to do this.
Regards
Wazuh user
Apr 25, 2024, 8:47:40 AM4/25/24
to Wazuh | Mailing List
Hi,
Thanks for your answer !
So, i read your docs, and I configured syslog listener on wazuh server and the rsyslog on a virtual machine. But, about the /etc/rsyslog.conf :
I'm begining in IT and Wazuh, sorry for having questions wich can be stupids....
Thanks for your answer !
So, i read your docs, and I configured syslog listener on wazuh server and the rsyslog on a virtual machine. But, about the /etc/rsyslog.conf :
If I understood well, I must replace 'Your Mirotik IP Address" by my checkpoint address, but my checkpoint is on cloud. How can I do to do it so ?
I'm begining in IT and Wazuh, sorry for having questions wich can be stupids....
Thanks in advance !
Obinna Uchubilo
Apr 29, 2024, 3:02:03 PM4/29/24
to Wazuh | Mailing List
Hi,
Yes, replace the 'Your Mirotik IP Address" with your checkpoint IP address. On how to get the IP address you can reference this document
Regards
Yes, replace the 'Your Mirotik IP Address" with your checkpoint IP address. On how to get the IP address you can reference this document
Regards
Reply all
Reply to author
Forward
0 new messages