CheckPoint appliances currently have two means of accessing their event logs. Those are:
Each appliance can either expose its logs directly, or be configured to push them to a centralised CheckPoint management server (SmartCenter) from which they can be retrieved by one of the two methods mentioned above.
The logs are formatted as pipe (|)-separated key/value pairs. The set of fields varies depending on the appliance component (blade) that produced the record; the most common ones are (non-exhaustive list):
| Field | Description |
|---|---|
| time | date and time the log was generated |
| i/f_dir | traffic direction relative to the interface (inbound/outbound) |
| i/f_name | interface which received the traffic |
| uuid | unique log chain identifier |
| product | blade that produced the log |
| inzone | zone of traffic origin |
| outzone | zone of traffic destination |
| session_id | unique identifier of the session |
| service_id | service used in the traffic |
| src | source IP |
| dst | destination IP |
| s_port | source port |
| d_port | destination port |
| proto | protocol used |
| rule | rule that triggered the log generation |
| __policy_id_tag | key/value container of policy information |
For a full list of appliances/blades and their respective log fields, refer to the CheckPoint LEA field definitions document provided below.
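As an added example (not code from the original page or from CheckPoint), the parser below reads records in the pipe-separated key=value layout described above, splitting each field on its first `=` only so that a composite value such as `__policy_id_tag`, which itself contains `=`, stays intact. It then runs a simple defender-side triage over the parsed records: per source IP, how many distinct destination ports were seen inbound. The sample records, their values and the port threshold are constructed for illustration.

```python
from collections import defaultdict
from typing import Dict, Iterable, List

# Constructed sample records in the pipe-separated key=value layout described
# above. Values are made up for illustration, not taken from a real appliance.
SAMPLE_LOGS = [
    "time=2024-01-01 10:00:00|i/f_dir=inbound|i/f_name=eth0|product=VPN-1 & FireWall-1"
    "|inzone=External|outzone=Internal|src=198.51.100.7|dst=10.0.0.5|s_port=51000"
    "|d_port=22|proto=tcp|rule=12"
    "|__policy_id_tag=product=VPN-1 & FireWall-1[mgmt=mgmt1;policy_name=Standard]|",
    "time=2024-01-01 10:00:01|i/f_dir=inbound|i/f_name=eth0|product=VPN-1 & FireWall-1"
    "|inzone=External|outzone=Internal|src=198.51.100.7|dst=10.0.0.5|s_port=51001"
    "|d_port=23|proto=tcp|rule=12|",
    "time=2024-01-01 10:00:02|i/f_dir=inbound|i/f_name=eth0|product=VPN-1 & FireWall-1"
    "|inzone=External|outzone=Internal|src=198.51.100.7|dst=10.0.0.5|s_port=51002"
    "|d_port=3389|proto=tcp|rule=12|",
    "time=2024-01-01 10:00:03|i/f_dir=outbound|i/f_name=eth1|product=VPN-1 & FireWall-1"
    "|inzone=Internal|outzone=External|src=10.0.0.9|dst=203.0.113.4|s_port=40000"
    "|d_port=443|proto=tcp|rule=3|",
]


def parse_line(line: str) -> Dict[str, str]:
    """Split one record on '|' and each field on its FIRST '=' only, so a value
    that itself contains '=' (e.g. __policy_id_tag) is preserved unchanged."""
    fields: Dict[str, str] = {}
    for chunk in line.strip().strip("|").split("|"):
        if not chunk.strip():
            continue  # tolerate empty fields from doubled or trailing pipes
        key, sep, value = chunk.partition("=")
        # A bare token without '=' is kept with an empty value rather than dropped.
        fields[key.strip()] = value.strip() if sep else ""
    return fields


def parse_lines(lines: Iterable[str]) -> List[Dict[str, str]]:
    """Parse every non-blank record in the input."""
    return [parse_line(line) for line in lines if line.strip()]


def sources_hitting_many_ports(records: Iterable[Dict[str, str]], min_ports: int) -> Dict[str, int]:
    """Defender-side triage: per source IP, count distinct destination ports seen
    in the inbound direction and return the sources reaching at least min_ports."""
    ports = defaultdict(set)
    for rec in records:
        if rec.get("i/f_dir") == "inbound" and "src" in rec and "d_port" in rec:
            ports[rec["src"]].add(rec["d_port"])
    return {src: len(seen) for src, seen in ports.items() if len(seen) >= min_ports}
```

Real records often carry additional blade-specific fields; the parser keeps every key it finds, so downstream filters can select on whichever fields a given blade emits.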
References: