Help required with CheckPoint Decoder


Prasad Velankar

Jan 19, 2026, 7:09:46 AM
to Wazuh | Mailing List
Hello,

I am looking for help with a decoder for CheckPoint logs:

2025-01-19T06:42:53.322752+05:30 192.168.1.1 CEF: 0|Check Point|VPN-1 & FireWall-1|Check Point|Reject|cp_tcp_A936BBAC_EBC3_4F18_B3CC_A63365F07477|Unknown|act=Reject app=HTTPS destinationTranslatedAddress=0.0.0.0 destinationTranslatedPort=0 deviceDirection=0 rt=1768821172000 sourceTranslatedAddress=116.72.25.6 sourceTranslatedPort=30165 spt=53118 dpt=443 cs2Label=Rule Name cs2=Internet Access Blocked Category layer_name=Network layer_uuid=63b7fe60-76d2-4287-bca5-21af87337b0a match_id=16 parent_rule=0 rule_action=Reject rule_uid=4c6a3319-3146-ce7b84692bc0 conn_direction=Outgoing contextnum=1 ifname=eth1 logid=0 loguid={0xff017026,0xfe62e77a,0x62f0fe92d} origin=192.168.7.1 originsicname=cn\=cp_mgmt,o\=acfw01..9c3cwq sequencenum=74 version=5 context_num=1 dst=52.168.112.66 hll_key=8041615528 inzone=Internal nat_addtnl_rulenum=0 nat_rule_uid=7d40-4852-a28a-64b75ec46d50 nat_rulenum=30 needs_browse_time=1 outzone=External product=VPN-1 & FireWall-1 proto=6 service_id=cp_tcp_A936BBAC_EBC3_4F18_B3CC_A63365F07477 sig_id=13 src=192.168.1.134

Currently I am getting the response below:

timestamp: '2025-01-19T06:42:53.322752+05:30'
program_name: 'CEF'

**Phase 2: Completed decoding.
No decoder matched.

Regards,
Prasad

Olamilekan Abdullateef Ajani

Jan 19, 2026, 11:24:57 AM
to Wazuh | Mailing List
Hello Prasad,

I made a sample custom decoder and rule for your reference below. You can take this as a sample when creating decoders and rules for other requirements you may have.

/var/ossec/etc/decoders/local_decoder.xml

<!-- Parent decoder: selected by the syslog program name "CEF", then confirmed by the prematch -->
<decoder name="checkpoint-cef-parent">
  <program_name>CEF</program_name>
  <prematch>\|Check Point\|VPN-1</prematch>
</decoder>

<!-- Child decoder: PCRE2 capture groups are mapped positionally onto the <order> field names -->
<decoder name="checkpoint-cef-fields">
  <parent>checkpoint-cef-parent</parent>
  <regex type="pcre2">\w+\|Check Point\|.*?\|act=(\S+).*?app=(\S+).*?spt=(\d+).*?dpt=(\d+).*?cs2=([^=]+?)\s+layer_name=.*?rule_action=(\S+).*?inzone=(\S+)</regex>
  <order>checkpoint.action,application,srcport,dstport,rule_name,rule_action,inzone</order>
</decoder>


And rule:
/var/ossec/etc/rules/local_rules.xml

<group name="checkpointtest,">
  <!-- Fires for every event the parent decoder claims; level 7 so it shows up in alerts.log -->
  <rule id="112987" level="7">
    <decoded_as>checkpoint-cef-parent</decoded_as>
    <description>checkpoint traffic log captured</description>
  </rule>
</group>


You can refer to the documentation below on creating decoders and rules for further references on this. Do let me know if you require further clarification.

Attachment: checkpoint-log.png
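The decoder pair above, replayed offline against the log line Prasad posted. This is an added example, not part of Olamilekan's reply or of Wazuh's own code: Python's re module stands in for PCRE2 (it evaluates this particular pattern identically), SYSLOG_HEADER is a deliberately simplified stand-in for Wazuh's syslog pre-decoder, and the function names predecode/decode are mine. The authoritative check remains /var/ossec/bin/wazuh-logtest on the manager; this script only lets you see which capture group lands in which <order> field before touching the live ruleset.

```python
import re

# Constructed copy of the Check Point CEF line from the thread (offline test input only;
# some extension keys not used by the decoder were dropped for brevity).
SAMPLE_LOG = (
    "2025-01-19T06:42:53.322752+05:30 192.168.1.1 CEF: 0|Check Point|VPN-1 & FireWall-1"
    "|Check Point|Reject|cp_tcp_A936BBAC_EBC3_4F18_B3CC_A63365F07477|Unknown"
    "|act=Reject app=HTTPS destinationTranslatedAddress=0.0.0.0 destinationTranslatedPort=0"
    " deviceDirection=0 rt=1768821172000 sourceTranslatedAddress=116.72.25.6"
    " sourceTranslatedPort=30165 spt=53118 dpt=443 cs2Label=Rule Name"
    " cs2=Internet Access Blocked Category layer_name=Network"
    " layer_uuid=63b7fe60-76d2-4287-bca5-21af87337b0a match_id=16 parent_rule=0"
    " rule_action=Reject rule_uid=4c6a3319-3146-ce7b84692bc0 conn_direction=Outgoing"
    " contextnum=1 ifname=eth1 logid=0 origin=192.168.7.1 sequencenum=74 version=5"
    " dst=52.168.112.66 hll_key=8041615528 inzone=Internal outzone=External"
    " product=VPN-1 & FireWall-1 proto=6 src=192.168.1.134"
)

# Simplified stand-in (assumption) for Wazuh's syslog pre-decoder:
# "<timestamp> <hostname> <program_name>: <content>"
SYSLOG_HEADER = re.compile(r"^(\S+)\s+(\S+)\s+([^:\s]+):\s*(.*)$")

# The <prematch> from the parent decoder. In OS_Regex "\|" is a literal pipe, as in re.
PREMATCH = re.compile(r"\|Check Point\|VPN-1")

# The pcre2 <regex> from the child decoder, copied unchanged, and its <order> list.
FIELD_REGEX = re.compile(
    r"\w+\|Check Point\|.*?\|act=(\S+).*?app=(\S+).*?spt=(\d+).*?dpt=(\d+)"
    r".*?cs2=([^=]+?)\s+layer_name=.*?rule_action=(\S+).*?inzone=(\S+)"
)
ORDER = ["checkpoint.action", "application", "srcport", "dstport",
         "rule_name", "rule_action", "inzone"]


def predecode(line):
    """Return the phase-1 style fields (timestamp, hostname, program_name, content) or None."""
    m = SYSLOG_HEADER.match(line)
    if not m:
        return None
    ts, host, prog, content = m.groups()
    return {"timestamp": ts, "hostname": host, "program_name": prog, "content": content}


def decode(line):
    """Emulate parent selection (program_name + prematch) and child extraction (regex + order)."""
    pre = predecode(line)
    if pre is None or pre["program_name"] != "CEF":
        return None                      # parent decoder would never be considered
    if not PREMATCH.search(pre["content"]):
        return None                      # prematch failed: logtest reports "No decoder matched."
    fields = {"decoder": "checkpoint-cef-parent"}
    m = FIELD_REGEX.search(pre["content"])
    if m:                                # child regex is optional; parent still matches without it
        fields.update(zip(ORDER, m.groups()))
    return fields


if __name__ == "__main__":
    for key, value in (decode(SAMPLE_LOG) or {}).items():
        print(f"{key}: {value!r}")
```

If a field comes out wrong or missing here, the same will happen in wazuh-logtest: the capture groups are consumed strictly in the order they appear in the pattern, so each one must line up with the same position in <order>. Note that cs2 is matched only after the earlier `dpt=` group, which is what keeps the lazy `.*?cs2=` from stopping at `cs2Label=`.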