000026985 - How to run the Check Point collection service from command line for troubleshooting on an RSA Security Analytics Log Collector

Document created by RSA Customer Support Employee on Jun 14, 2016
Last modified by RSA Customer Support Employee on Apr 21, 2017
Version 2

Article Content

Article Number: 000026985
Applies To: RSA Security Analytics
            RSA Security Analytics Log Collector
            Check Point Firewall
Issue: How to run the Check Point collection service from command line for troubleshooting on an RSA Security Analytics Log Collector.

The NwCheckpointProcess program is used by the NwLogCollector to collect events from Check Point servers using the OPSEC LEA API. It can also be run as a command line utility to probe a Check Point server, which helps verify connectivity and debug connection problems. The following is an example of the syntax:

NwCheckpointProcess --ip <server-ip> --name Test --port 18184 --sdn CN=MyCheckpoint,o=test.lab.org --cdn CN=enVision_OPSEC,o=test.lab.org --cen enVision_OPSEC --kfp /etc/netwitness/ng/truststore/MyCertificate.p12 --count 10 --time 120 --timeout 30

Some NwCheckpointProcess options take no value; the presence of the option alone triggers the action. For example, to show the log files on the server, enter the following:

NwCheckpointProcess --showlogs


If you are unsure of any of the steps above or experience any issues, contact RSA Support and quote this article ID for further assistance.


The text below is an example of the NwCheckpointProcess --showlogs output.

Table of Options:
option name    argument   required   description
name             yes        yes      server name
ip               yes        yes      server ip
sdn              yes        yes      server distinguished name
cdn              yes        yes      client distinguished name
cen              yes        yes      client entity name
kfp              yes        yes      key file path
count            yes                 stop on count
config           yes                 configuration file path
port             yes                 server port
timeout          yes                 stop on idle time
time             yes                 stop on time
file             yes                 file id on server
record           yes                 record number to start reading from
audit                                read audit records
online                               behavior at log boundary - keep reading
offline                              behavior at log boundary - stop reading
help                                 display help
debug                                turn on verbose NW log messages
odebug                               turn on verbose OPSEC log messages
start                                read from start of file
end                                  read from end of file
showlogs                             show logs on server
showfiles                            show files on server
pretty                               format events for display
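
The following wrapper is an added example, not RSA code: it checks the six options marked as required in the table above, and the permissions on the key file, before starting a bounded probe with the limits used in the example command. The function names, the NWCP variable and the exit codes are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not RSA code. Option names are taken from the table of
# options on this page; function and variable names are assumptions.

# lea_preflight NAME IP SDN CDN CEN KFP
# Returns 0 when the six required options are usable for a probe.
lea_preflight() {
    [ "$#" -eq 6 ] || { echo "usage: name ip sdn cdn cen kfp" >&2; return 2; }
    for v in "$@"; do
        # An empty value, or one starting with '-', usually means a value was
        # left out and the next option name was consumed in its place.
        case "$v" in
            ''|-*) echo "missing value near: '$v'" >&2; return 3 ;;
        esac
    done
    [ -r "$6" ] || { echo "key file not readable: $6" >&2; return 4; }
    # The .p12 holds the client's private key: refuse group/other access.
    mode=$(ls -ld -- "$6" | cut -c5-10)
    [ "$mode" = "------" ] || { echo "key file too permissive: $6" >&2; return 5; }
    return 0
}

# lea_probe NAME IP SDN CDN CEN KFP
# Runs a bounded probe using the limits from the example command above.
# Set NWCP=echo for a dry run that prints the arguments instead.
lea_probe() {
    lea_preflight "$@" || return $?
    "${NWCP:-NwCheckpointProcess}" --ip "$2" --name "$1" --port 18184 \
        --sdn "$3" --cdn "$4" --cen "$5" --kfp "$6" \
        --count 10 --time 120 --timeout 30
}
```

Source the file on the Log Collector and call lea_probe with the server name, IP, server DN, client DN, client entity name and key file path, in that order.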

Legacy Article ID: a66617