CheckPoint appliances currently have two means of accessing their event logs. Those are:
Each appliance can either expose its logs directly, or be configured to push them to a centralised CheckPoint management server (SmartCenter), from which they can be retrieved by either of the two methods mentioned above.
The logs are formatted as pipe (|)-separated key/value pairs. The set of fields present depends on the appliance component (blade) that produced the record; a non-exhaustive list of common fields is:
| Field | Description |
|---|---|
| time | datetime the log was generated |
| i/f_dir | direction respective to the interface |
| i/f_name | interface which received the traffic |
| uuid | unique log chain identifier |
| product | blade that produced the log |
| inzone | zone of traffic origin |
| outzone | zone of traffic destination |
| session_id | unique identifier of the session |
| service_id | service used in the traffic |
| rule | rule that triggered the log generation |
| __policy_id_tag | key-value container of policy info |
For a full list of appliances/blades and their respective log fields, refer to the CheckPoint LEA field definitions document provided below.
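As an added illustration of the record layout described above (this is example code written for this page, not CheckPoint's or any collector's own parser), the following parses a pipe-separated record into a field map and flags records that lack the fields a detection pipeline would normally key on. It assumes the pairs take the `key=value` form and that the separator never occurs inside a value; neither detail is stated on the page, and the sample record's values are constructed.

```python
"""Parse pipe-separated key/value log records of the kind described above.

Assumptions not stated on the page: each pair is ``key=value`` and the ``|``
separator never appears inside a value.  Field names follow the page's list;
the sample values are constructed for illustration.
"""
from typing import Dict, List, Sequence

# Constructed sample record (values are invented, not captured from a device).
SAMPLE_RECORD = (
    "time=12Jan2024 10:15:32|i/f_dir=inbound|i/f_name=eth0"
    "|uuid=1a2b3c4d-0000-1111-2222-333344445555|product=VPN-1 & FireWall-1"
    "|inzone=External|outzone=Internal|session_id=42|service_id=https|rule=7"
)

# Fields a detection pipeline typically needs before a record is usable:
# when it was logged, which blade produced it, and which rule fired.
REQUIRED_FIELDS: Sequence[str] = ("time", "product", "rule")


def parse_record(line: str, sep: str = "|") -> Dict[str, str]:
    """Split one record into a mapping of field name -> value.

    Keys such as ``i/f_dir`` are kept verbatim.  A pair without ``=`` is
    stored with an empty value so malformed input stays visible instead of
    being silently dropped.  Later duplicates overwrite earlier ones.
    """
    fields: Dict[str, str] = {}
    for raw in line.strip().split(sep):
        if not raw:  # tolerate leading, trailing or doubled separators
            continue
        key, eq, value = raw.partition("=")
        fields[key.strip()] = value.strip() if eq else ""
    return fields


def parse_records(text: str) -> List[Dict[str, str]]:
    """Parse a newline-separated batch of records, skipping blank lines."""
    return [parse_record(ln) for ln in text.splitlines() if ln.strip()]


def missing_required(fields: Dict[str, str],
                     required: Sequence[str] = REQUIRED_FIELDS) -> List[str]:
    """Return the required field names that are absent or empty.

    A non-empty result is worth alerting on in a log pipeline: it usually
    means a broken export, truncated record or an unexpected blade format
    rather than a benign variation.
    """
    return [name for name in required if not fields.get(name)]


if __name__ == "__main__":
    parsed = parse_record(SAMPLE_RECORD)
    for k, v in parsed.items():
        print(f"{k:16} = {v}")
    print("missing:", missing_required(parsed))
```

Run the file directly to see the constructed record broken out field by field; the `missing_required` check is the kind of sanity test worth running on every ingested record before it is fed to correlation rules, since a record with no `rule` or `product` value cannot be attributed to a policy.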