Hi,
Can you please advise if it is possible to collect the logs from Checkpoint firewalls running on Splat or Nokia platforms and pass them to LEM so they can be viewed without the need to log onto the firewalls directly?
Thanks,
Ross
The way the checkpoint integration works is by connecting to the management station corresponding to your single/multiple firewalls, and gathering the centralized logs from there. It's done securely using checkpoint's log API (OPSEC LEA), which means we have to have a certificate and be a valid object in checkpoint's database. If you've got 1 management station per firewall (or aren't using standalone management stations), you will have to connect to each to generate the secure certificate/connection.
Some customers in the past have used client logging modules to separate logging from the firewall/management station.
We do support both SPLAT and IPSO, it's all the same software and management APIs. (Some of the UTMs and other firewalls are other software, which does stuff via syslog instead of the secure logging API.)
Hi Nicole,
Thanks for the info. Can you also advise if we are able to pull logs from Sourcefire Defence Centre using LEM? Would this work in a similar way to Checkpoint logs?
Many thanks,
Ross.
The only way we get Sourcefire events is via syslog; we don't have any API connectivity to the centralized system.
Nicole,
What is the best practice for Sourcefire? I have pointed Sourcefire to local4 and created a new Snort connector looking at local4.log. I'm not seeing anything and don't see any detailed documentation like for the other vendors.
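When a connector watches a facility-specific file such as local4.log and nothing shows up, the first thing to establish is whether the sending device is actually tagging its messages with that facility. The syslog PRI value encodes facility and severity as `facility * 8 + severity`, so local4 (facility 20) messages carry PRI 160 through 167. The following script is an added example, not code from the thread or from SolarWinds or Sourcefire: it parses the PRI from captured syslog lines and summarizes which facilities are present. The sample lines are constructed for illustration; the alert text and hostnames are placeholders.

```python
import re
from collections import Counter
from typing import Dict, List, Optional, Tuple

# Syslog facility numbers (RFC 3164 / RFC 5424). local4 is facility 20,
# so any PRI in 160..167 belongs to it.
FACILITY_NAMES = {
    0: "kern", 1: "user", 2: "mail", 3: "daemon", 4: "auth", 5: "syslog",
    6: "lpr", 7: "news", 8: "uucp", 9: "cron", 10: "authpriv", 11: "ftp",
    12: "ntp", 13: "security", 14: "console", 15: "solaris-cron",
    **{16 + i: f"local{i}" for i in range(8)},
}

# Constructed sample capture (not real Sourcefire output): two local4 alerts,
# one local0 message, one auth message, and one line whose PRI was stripped.
SAMPLE_LINES = [
    "<166>Jan 12 10:15:01 defensecenter SFIMS: [1:1000001:1] constructed test alert "
    "[Priority: 2] {TCP} 10.0.0.5:51000 -> 10.0.0.9:80",
    "<134>Jan 12 10:15:02 defensecenter CROND[1234]: constructed cron message",
    "<165>Jan 12 10:15:03 defensecenter SFIMS: [1:1000002:1] constructed test alert "
    "[Priority: 3] {UDP} 10.0.0.7:53000 -> 10.0.0.9:53",
    "<38>Jan 12 10:15:04 defensecenter sshd[4321]: constructed auth message",
    "Jan 12 10:15:05 defensecenter SFIMS: line written without a PRI header",
]

PRI_RE = re.compile(r"^<(\d{1,3})>")


def parse_pri(line: str) -> Optional[Tuple[int, int]]:
    """Return (facility, severity) from a leading <PRI>, or None if absent or out of range."""
    match = PRI_RE.match(line)
    if not match:
        return None
    pri = int(match.group(1))
    # Highest legal PRI is facility 23, severity 7 -> 23 * 8 + 7 = 191.
    if pri > 191:
        return None
    return pri // 8, pri % 8


def facility_name(line: str) -> str:
    """Human-readable facility for a line, or 'unknown' when no valid PRI is present."""
    parsed = parse_pri(line)
    if parsed is None:
        return "unknown"
    return FACILITY_NAMES.get(parsed[0], f"facility{parsed[0]}")


def filter_by_facility(lines: List[str], name: str) -> List[str]:
    """Keep only the lines tagged with the named facility (e.g. 'local4')."""
    return [line for line in lines if facility_name(line) == name]


def summarize_facilities(lines: List[str]) -> Dict[str, int]:
    """Count lines per facility so a mis-tagged sender stands out immediately."""
    return dict(Counter(facility_name(line) for line in lines))


if __name__ == "__main__":
    for facility, count in sorted(summarize_facilities(SAMPLE_LINES).items()):
        print(f"{facility:12s} {count}")
    print("local4 lines:", len(filter_by_facility(SAMPLE_LINES, "local4")))
```

If the summary shows the expected volume under local4, the sender is configured correctly and the problem lies in how the relay routes facility 20 to local4.log or in the connector's file path. If the lines in the file have no PRI at all (the "unknown" bucket), the relay is rewriting messages before they reach the file, and the connector cannot rely on the facility to identify them.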