Tomi Reiman

Documentation on Check Point FW-1 event format

Discussion created by Tomi Reiman on Jul 12, 2016
Latest reply on Jul 15, 2016 by Tomi Reiman

It seems that either RSA Security Analytics is not using the common fw1-loggrabber to fetch Check Point FW-1 events, or the tool is at least heavily modified. What I am looking for is the list of all fields extracted by Check Point event collection in the cases of both Security and Audit events. As you probably know, the events collected by the Check Point collection module are comma-separated values, with multiple fields usually containing an empty value. This leads me to believe that the fetcher is actually always fetching all the fields, and because not all event types contain all fields, the resulting raw events contain empty values. What I would like to know is the list of all the fields that are fetched, and whether the ordering of the fields in the resulting raw event is always the same.
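As an added illustration of the empirical check this question calls for (example code, not part of the original post and not RSA's or Check Point's own tooling): given a batch of raw comma-separated events, the script below reports whether every event carries the same number of positions and which positions are ever empty, which is how one would test the "all fields always fetched, fixed order" hypothesis without knowing the field list. The sample events are constructed for the example and assume no particular field names or order.

```python
import csv
from collections import Counter
from io import StringIO

# Constructed sample raw events (not real Check Point or RSA output): each event
# is one comma-separated line, and an absent field is an empty value between
# commas. The position layout here is an assumption for the example only.
SAMPLE_EVENTS = """\
12Jul2016 10:00:01,accept,fw-gw1,inbound,eth0,10.0.0.5,10.0.1.7,tcp,443,,12,
12Jul2016 10:00:02,drop,fw-gw1,inbound,eth0,10.0.0.9,10.0.1.7,udp,53,,7,
12Jul2016 10:00:03,,fw-gw1,,,,,,,"Log in,admin",,audit
"""


def parse_events(raw):
    """Split raw events into positional field lists; csv handles quoted commas."""
    return [row for row in csv.reader(StringIO(raw)) if row]


def field_count_histogram(events):
    """Number of events per field count; a single key means a fixed layout."""
    return Counter(len(e) for e in events)


def empty_positions(events):
    """Map position index -> number of events in which that position is empty."""
    counts = Counter()
    for e in events:
        for i, value in enumerate(e):
            if value == "":
                counts[i] += 1
    return dict(counts)


def layout_is_fixed(events):
    """True when every event carries the same number of positions."""
    return len(field_count_histogram(events)) == 1


if __name__ == "__main__":
    evs = parse_events(SAMPLE_EVENTS)
    print("field counts:", dict(field_count_histogram(evs)))
    print("fixed layout:", layout_is_fixed(evs))
    print("empty positions:", empty_positions(evs))
```

Run it over a real export instead of SAMPLE_EVENTS: a single field count across Security and Audit events supports the fixed-order reading, while several counts mean the positions cannot be relied on.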