Checkpoint integration in Wazuh


Wazuh user

Apr 4, 2024, 6:43:14 AM
to Wazuh | Mailing List
Hello,

I would like to integrate the Checkpoint firewall solution into Wazuh that I have just installed.
I just looked into it, and there are several ways to do it, but I don't understand everything.
I saw that it was possible to add in nano /var/ossec/etc/ossec.conf :

<integration>
  <name>harmony_endpoint</name>
  <api_key>API_KEY</api_key>
  <level>10</level>
  <alert_format>json</alert_format>
</integration>

or

<integration>
  <name>checkpoint</name>
  <hook_url>WEBHOOK_URL</hook_url>
  <alert_format>json</alert_format>
</integration>

_____________

Also, I saw that it was necessary to add a decoder but I think it already exists? (/var/ossec/ruleset/decoders/0050-checkpoint_decoders.xml).

Note that my checkpoint is a solution to which we subscribe, and therefore it is not a virtual/physical machine.

Sorry if it's not clear, I'm French and I'm trying to do my best ^^.
Best regards

Matías David Mercado Aragonés

Apr 8, 2024, 6:58:55 AM
to Wazuh | Mailing List
Hi, thanks for using Wazuh,

In your case you should not need an integration, but you can forward the syslog events directly from your network device. Network devices usually have a configuration to forward the syslog, where you set the destination IP to which the logs are going to be forwarded. Once you do this, you can forward the events either through an agent in the middle or directly to the Wazuh Manager. If you want to use an agent, then you need to configure Rsyslog for Linux / Logstash on Windows. For this configuration you can follow this documentation: Forward syslog events.

The Wazuh server can also collect logs via syslog from endpoints such as firewalls. You can perform the following steps on the Wazuh server to receive syslog messages on a specific port (default 514): Configuring syslog on the Wazuh server.
Take into consideration that once the logs are ingested you will need to check if they are decoded and alerts are being generated. You can check the following reference documentation on decoders and rules: Custom rules and decoders.

If you have further questions, let me know.

Regards,
Matías.

Matías David Mercado Aragonés

Apr 8, 2024, 6:58:55 AM
to Wazuh | Mailing List
Hi, thanks for using Wazuh.

In your case you don't need an integration, but you can forward the syslog events directly from your network device. Network devices usually have a configuration to forward the syslog, where you set the destination IP to which the logs are going to be forwarded. Once you do this, you can forward the events either through an agent in the middle or directly to the Wazuh Manager. If you want to use an agent, then you need to configure Rsyslog for Linux / Logstash on Windows. For this configuration you can follow this part of the documentation: Forward syslog events

The Wazuh server can also collect logs via syslog from endpoints such as firewalls. You can perform the following steps on the Wazuh server to receive syslog messages on a specific port (default 514): Configuring syslog on the Wazuh server. Take into consideration that once the logs are ingested you will need to check if they are decoded and alerts are being generated. You can check the following reference documentation on decoders and rules: Custom rules and decoders.

Please, let me know if you have further questions.

Regards,
Matías
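The listener Matías describes, as an added example that is not part of this thread or of the Wazuh documentation: a remote block for /var/ossec/etc/ossec.conf on the Wazuh server that accepts syslog on UDP 514. The source address 203.0.113.10 is an assumed placeholder for the firewall or cloud log exporter, and the comments are explanatory.

```xml
<ossec_config>
  <!-- Syslog listener on the Wazuh manager (handled by wazuh-remoted). -->
  <remote>
    <connection>syslog</connection>
    <port>514</port>
    <protocol>udp</protocol>
    <!-- Only sources listed here are accepted; messages from any other
         address are dropped. For a subscription/cloud Check Point service
         this must be the public IP the service exports logs from
         (203.0.113.10 is an assumed placeholder, not a real address). -->
    <allowed-ips>203.0.113.10</allowed-ips>
  </remote>
</ossec_config>
```

After restarting the manager, confirm the port is bound (for example with ss -ulnp) and that /var/ossec/logs/ossec.log shows no "not allowed" messages for the firewall's address; an event that is accepted but matches no decoder will still produce no alert, which is the decoder check Matías points to.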


Wazuh user

Apr 22, 2024, 8:17:04 AM
to Wazuh | Mailing List
Hello, thank you for your answer!
I did as indicated in the tutorial, but I don't have the impression that the logs from my Checkpoint are uploaded correctly to my Wazuh. Is it because my Checkpoint is a cloud solution?
Thanks in advance,
Regards