CheckPoint appliances currently have two means of accessing their event logs. Those are:

1. The usual syslog mechanism which allows for transmitting logs to another server or software (available on OS versions 77.30+)
2. Any software or client based on the LEA (Log Export API), which is a part of the their OPSEC (Open Platform for Security) API, in order to act as an authenticated middleware for polling logs from the appliance and make them available for any software capable of parsing those logs.

Each appliance can either expose it’s logs directly, or be configured to push them to a centralised CheckPoint server (SmartCenter) from which they can be retrieved by one of the two methods mentioned above.

The logs are formatted as pipe(|)-separated key/value pairs, consisting of different fie based on the appliance part (blade) which produced them, namely (non-exhaustive list):

• FW-1/VPN-1
• Accounting
• SSL/Mobile Access
• IPS-1
• Antivirus
• Web Filtering
• Application Control
• QOS
• VoIP
• Connectra

Sample traffic log fields from a FW-1/VPN-1 blade

Field	Description
time	datetime the log was generated
i/f_dir	direction respective to the interface
i/f_name	interface which received the traffic
uuid	unique log chain identifier
product	blade that produced the log
inzone	zone of traffic origin
outzone	zone of traffic destination
session_id	unique identifier of the session
service_id	service used in the traffic
src	source IP
dst	destination IP
s_port	source port
d_port	destination port
proto	protocol used
rule	rule that triggered the log generation
__policy_id_tag	key-value container of policy info

For a full list of appliances/blades and their respective log fields, refer to the CheckPoint LEA field definitions document provided below.

References:

• CheckPoint OPSEC SDK 6.0 Documentation
• CheckPoint LEA field definitions
• VPN-1/FW-1 NG port mapping