
CheckPoint Log Structure

CheckPoint appliances currently have two means of accessing their event logs. Those are:

  1. The usual syslog mechanism, which forwards logs to another server or application (available on OS versions 77.30+)
  2. Any software or client based on the LEA (Log Export API), which is part of CheckPoint's OPSEC (Open Platform for Security) API; it acts as authenticated middleware that polls logs from the appliance and makes them available to any software capable of parsing them.

Each appliance can either expose its logs directly, or be configured to push them to a centralised CheckPoint server (SmartCenter) from which they can be retrieved by one of the two methods mentioned above.

The logs are formatted as pipe(|)-separated key/value pairs, consisting of different fields depending on the appliance part (blade) which produced them, namely (non-exhaustive list):

  • FW-1/VPN-1
  • Accounting
  • SSL/Mobile Access
  • IPS-1
  • Antivirus
  • Web Filtering
  • Application Control
  • QOS
  • VoIP
  • Connectra

Sample traffic log fields from a FW-1/VPN-1 blade

    Field            Description
    time             datetime the log was generated
    i/f_dir          direction relative to the interface (inbound/outbound)
    i/f_name         interface which received the traffic
    uuid             unique log chain identifier
    product          blade that produced the log
    inzone           zone of traffic origin
    outzone          zone of traffic destination
    session_id       unique identifier of the session
    service_id       service used in the traffic
    src              source IP
    dst              destination IP
    s_port           source port
    d_port           destination port
    proto            protocol used
    rule             rule that triggered the log generation
    __policy_id_tag  key-value container of policy info
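The pipe-separated key/value layout described above, parsed into a normalised flow record in Python, as an added example that is not MOREAL's or CheckPoint's own code. The sample record is constructed; it assumes each pipe-separated token has the form key=value (the page only states key/value pairs), and the contents of __policy_id_tag are invented to show a value that itself contains '='.

```python
"""Parse CheckPoint pipe-separated key/value log records into normalised flow records."""
from typing import Dict, List, Optional

# Constructed sample record (not captured from a real appliance). It uses the field
# names listed in the table above; the key=value form inside each pipe-separated
# token is an assumption, as is the content of __policy_id_tag.
SAMPLE_RECORD = (
    "time=12Mar2024 10:15:03|i/f_dir=inbound|i/f_name=eth0|product=FW-1/VPN-1|"
    "inzone=External|outzone=Internal|session_id=0x5f1a2b3c|service_id=https|"
    "src=203.0.113.10|dst=192.0.2.25|s_port=51234|d_port=443|proto=TCP|rule=12|"
    "__policy_id_tag=product=FW-1/VPN-1[policy_name=Standard;mgmt=CONSTRUCTED]"
)
REQUIRED_FIELDS = ("time", "src", "dst", "proto", "rule")

def parse_record(line: str) -> Dict[str, str]:
    """Split a record on '|', then each token on its FIRST '=' only, so values that
    themselves contain '=' (such as the __policy_id_tag container) stay intact."""
    fields: Dict[str, str] = {}
    for token in line.strip().split("|"):
        if not token:
            continue  # tolerate a trailing or doubled separator
        key, sep, value = token.partition("=")
        fields[key.strip()] = value.strip() if sep else ""
    return fields

def missing_fields(fields: Dict[str, str]) -> List[str]:
    """Return the required keys absent from a parsed record, in REQUIRED_FIELDS order."""
    return [k for k in REQUIRED_FIELDS if k not in fields]

def _port(value: Optional[str]) -> Optional[int]:
    """Convert a port string to int, or None when absent, non-numeric or above 65535."""
    if value is None or not value.isdigit():
        return None
    port = int(value)
    return port if port <= 65535 else None

def to_flow(fields: Dict[str, str]) -> Dict[str, object]:
    """Normalise a parsed record into a five-tuple plus direction, zones and rule.
    Raises ValueError on missing required fields so malformed records are rejected early."""
    missing = missing_fields(fields)
    if missing:
        raise ValueError(f"record lacks required fields: {missing}")
    return {
        "time": fields["time"], "src": fields["src"], "dst": fields["dst"],
        "s_port": _port(fields.get("s_port")), "d_port": _port(fields.get("d_port")),
        "proto": fields["proto"].lower(), "direction": fields.get("i/f_dir", "unknown"),
        "rule": fields["rule"], "inzone": fields.get("inzone", ""),
        "outzone": fields.get("outzone", ""),
    }
```

Records with a missing five-tuple field are rejected rather than ingested half-empty, which keeps downstream correlation on src/dst/port honest.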

For a full list of appliances/blades and their respective log fields, refer to the CheckPoint LEA field definitions document provided below.