Overview
Check Point Anti-Malware is a component of Endpoint Security Windows Clients that protects clients from viruses, worms, Trojans, adware and keyloggers.
The CheckPointAntiMalwareLog module identifies and parses logs ingested from Check Point Anti-Malware.
Sample Logs
2022-06-06 10:13:01 hostname 1XX.XXX.XXX.XXX CEF:0|Check Point|Anti Malware|Check Point|Log|Log|High|cp_severity=High deviceDirection=0 msg=Error occurred while accessing:www.example.com rt=1654481578000 alert=alert ifname=daemon loguid={0x629d62ac,0x1e,0x8a5a11ac,0x36886ca} origin=1XX.XXX.XXX.XXX sequencenum=26 version=5 product=Anti Malware reason=Failed to fetch Check Point resources. Couldn't resolve host name, check /opt/CPsuite-R81/fw1/log/rad_events/Errors/flow_140125_45982949 For more details
2022-06-06 10:10:37 hostname 1XX.XXX.XXX.XXX CEF:0|Check Point|Anti Malware|Check Point|Log|Log|Very-High|cp_severity=Very-High cs2Label=Update Status deviceCustomDate2Label=Subscription Expiration deviceCustomDate2= deviceDirection=1 rt=1654481436000 loguid={0x629d621d,0xd,0x8a5a11ac,0x36886ca} origin=1XX.XXX.XXX.XXX originsicname=CN=aaaaa,O=aaaaa..aaaaaa sequencenum=18 version=5 contract_name=Anti Bot Basic Metadata log_id=4 product=Anti Malware special_properties=0 subscription_stat=expired subscription_stat_desc=Contract is expired.
Fields
| Field | Description |
|---|---|
| DATE | Event date, in the format YYYY-MM-DD |
| TIME | Event time, in the format HH:MM:SS |
| SYSTEM | The source system |
| TABLE | CheckPointAntiMalwareLog |
| SEVERITY | Event severity |
| ORIGIN | Name of the first Security Gateway that reported this event |
| MESSAGE | Event message |
| SNAREDATAMAP | Data not mapped to any of the above fields is pushed here. |
Notes
The ORIGIN field is derived from origin or originsicname. The CN value of originsicname is used first; if originsicname is not available, origin is used.
The MESSAGE field is derived from either the msg or the subscription_stat_desc value.
All other fields are appended to the SNAREDATAMAP field.
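As an added example (not part of this page or the module's own code), a Python parser that applies the mapping rules above to the two sample lines: SEVERITY is taken from the CEF header severity field (an assumption; cp_severity stays in SNAREDATAMAP), ORIGIN and MESSAGE follow the notes, and everything else lands in SNAREDATAMAP. The key names syslog_ip and the CEF header keys (cef_version, vendor, ...) are assumptions.

```python
import re

# CEF header layout: CEF:Version|Vendor|Product|Version|SignatureID|Name|Severity|Extension
CEF_HEADER = ("cef_version", "vendor", "product", "product_version", "signature_id", "name")  # assumed key names
# An extension key is a run of word characters followed by '=' at line start or after whitespace;
# this keeps 'CN=' and 'O=' inside originsicname=CN=...,O=... from being read as new keys.
KEY_RE = re.compile(r"(?:^|\s)([A-Za-z0-9_]+)=")
# Syslog prefix as seen in the samples: DATE TIME SYSTEM IP CEF:...
SYSLOG_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (CEF:.*)$")

# The two sample lines from this page.
SAMPLE_LINES = [
    "2022-06-06 10:13:01 hostname 1XX.XXX.XXX.XXX CEF:0|Check Point|Anti Malware|Check Point|Log|Log|High|cp_severity=High deviceDirection=0 msg=Error occurred while accessing:www.example.com rt=1654481578000 alert=alert ifname=daemon loguid={0x629d62ac,0x1e,0x8a5a11ac,0x36886ca} origin=1XX.XXX.XXX.XXX sequencenum=26 version=5 product=Anti Malware reason=Failed to fetch Check Point resources. Couldn't resolve host name, check /opt/CPsuite-R81/fw1/log/rad_events/Errors/flow_140125_45982949 For more details",
    "2022-06-06 10:10:37 hostname 1XX.XXX.XXX.XXX CEF:0|Check Point|Anti Malware|Check Point|Log|Log|Very-High|cp_severity=Very-High cs2Label=Update Status deviceCustomDate2Label=Subscription Expiration deviceCustomDate2= deviceDirection=1 rt=1654481436000 loguid={0x629d621d,0xd,0x8a5a11ac,0x36886ca} origin=1XX.XXX.XXX.XXX originsicname=CN=aaaaa,O=aaaaa..aaaaaa sequencenum=18 version=5 contract_name=Anti Bot Basic Metadata log_id=4 product=Anti Malware special_properties=0 subscription_stat=expired subscription_stat_desc=Contract is expired.",
]


def parse_extension(ext: str) -> dict:
    """Split a CEF extension into key/value pairs; values may contain spaces, '=' or be empty."""
    matches = list(KEY_RE.finditer(ext))
    pairs = {}
    for i, m in enumerate(matches):
        end = matches[i + 1].start() if i + 1 < len(matches) else len(ext)
        pairs[m.group(1)] = ext[m.end():end].strip()
    return pairs


def parse_anti_malware_log(line: str) -> dict:
    """Map one Check Point Anti-Malware CEF line onto the CheckPointAntiMalwareLog fields."""
    m = SYSLOG_RE.match(line.strip())
    if not m:
        raise ValueError("not a Check Point Anti-Malware CEF line")
    event_date, event_time, system, syslog_ip, cef = m.groups()
    parts = cef.split("|", 7)  # header pipes are not escaped in these samples, so a plain split suffices
    if len(parts) != 8 or not parts[0].startswith("CEF:"):
        raise ValueError("malformed CEF header")
    header = dict(zip(CEF_HEADER, parts[:6]))
    severity, fields = parts[6], parse_extension(parts[7])

    # ORIGIN: CN of originsicname first, otherwise origin.
    sic, origin = fields.pop("originsicname", None), fields.pop("origin", None)
    cn = re.search(r"CN=([^,]+)", sic) if sic else None
    origin_value = cn.group(1) if cn else origin

    # MESSAGE: msg first, otherwise subscription_stat_desc.
    msg, sub_desc = fields.pop("msg", None), fields.pop("subscription_stat_desc", None)
    message = msg if msg is not None else sub_desc

    # Everything not mapped above is pushed into SNAREDATAMAP ('syslog_ip' is an assumed key name).
    datamap = {**header, "syslog_ip": syslog_ip, **fields}
    return {"DATE": event_date, "TIME": event_time, "SYSTEM": system, "TABLE": "CheckPointAntiMalwareLog",
            "SEVERITY": severity, "ORIGIN": origin_value, "MESSAGE": message, "SNAREDATAMAP": datamap}
```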
References:
https://community.checkpoint.com/t5/Management/Log-Exporter-CEF-Field-Mappings/m-p/41060