Log Exporter CEF Field Mappings

CEF defines a syntax for log records comprised of a standard header and a variable extension, formatted as key-value pairs. Please use this discussion as a guide to understand how Check Point syslog Log Exporter maps Check Point logs to the CEF format. This discussion is based upon R80.20 GA and may change in future versions.

CEF fields have their own names such as rt, suser, fname, etc. Check Point fields such as src and dst that already match a CEF field name do not need to be mapped from a Check Point to a CEF name so are not covered in this discussion.

Note: in this discussion we refer to the raw Check Point field value. Check Point may translate the raw field name to show a different display name in the user interface like Tracker in R77.30 or SmartConsole in R80.x.  

CEF Header Mapping

The mandatory CEF header is an integral part of the CEF message. The values in the header are displayed in the ArcSight GUI, and we took this into account during our mapping. As noted above we don’t map Check Point fields that already appear in the header. In those cases where a few values exist, we add them to the header in this order as explained in $EXPORTERDIR/conf/CefFormatDefinition.xml: first (use first added value – default) | last(use last added value) | join (join between values) | init (set value once to header formatted string on init and do not generate per every log).

CEF Format header definition ( note : a space is add between the “ | ” delimiter to make it easy to see the value )

CEF:Version | Device Vendor | Device Product | Device Version | Signature ID | Name | severity | Extension

• CEF Version
• Device Vendor
• Device Product
  • This is initialized to Check Point, but may also be Log Update or the value from the fields; product or productname.
• Device Version
• Signature ID
  • The default is is is Log , but may also be the value from the field attack , protection_type , verdict , dlp_data_type_name , app_category , app_propertie .
• Name
  • The default is Log, but may also be the value from the fields protection_name, appi_name, message_info, service_id.
• severity
  • The default is is is unknown , but may also be the value from the field app_risk , risk , severity .
• extension
  • See the field mapping below.

Check Point CEF Header Example (note: a space is added between the “|” delimiter to make it easier to see the values)

CEF:0 | Check Point | VPN-1 & FireWall-1 | Check Point | Log  | https | unknown | <extensions omitted and shown below>

extension

As noted above extensions are formatted as key-value pairs. In extension there are flex field which can be either number or string and finally there are custom number and custom string ( cnx , csX ) . All CEF fields is have have a display name . In Log Exporter , we is use only use the actual field name and ignore the display name . field may also be accompany by label . In the targetConfiguration.xml file we is see see that exportallfield is set to true so all field are export to CEF .

extension Example Cut from the Above Composed of <field=value> Pairs (note the escape character “\” before the “=” character)

act=Accept destinationTranslatedAddress=0.0.0.0 destinationTranslatedPort=0 devicedirection=0 rt=1543270652000 sourceTranslatedAddress=192.168.103.254 sourcetranslatedport=35398 spt=49363 dpt=443 cs2label=Rule Name layer_name=Network layer_uuid=b406b732-2437-4848-9741-6eae1f5bf112 match_id=4 parent_rule=0 rule_action=Accept rule_uid=9e5e6e74-aa9a-4693-b9fe-53712dd27bea ifname=eth0 logid=0 loguid={0x5bfc70fc,0x1,0xfe65a8c0,0xc0000001} origin=192.168.101.254 originsicname=CN\=R80,O\=R80_M..6u6bdo sequencenum=1 version=5 dst=52.173.84.157 inzone=Internal nat_addtnl_rulenum=1 nat_rulenum=4 outzone=External product=VPN-1 & FireWall-1 proto=6 service_id=https src=192.168.101.100

The below is the Log Exporter CEF Field Mapping from R80.20 GA take 101 from $EXPORTERDIR/conf/CefFieldsMapping.xml where origname is the Check Point raw field name and dstName is the CEF field name sorted by the CEF dstName field name.

This excludes the table mappings from the file.