Log Types: CheckPointAntiMalwareLog

Overview

Check Point Anti-Malware is a component of the Endpoint Security Windows client that protects clients from viruses, worms, Trojans, adware and keyloggers.

The CheckPointAntiMalwareLog module identifies and parses logs ingested from Check Point Anti-Malware.

Sample Logs

2022-06-06 10:13:01 hostname 1XX.XXX.XXX.XXX CEF:0|Check Point|Anti Malware|Check Point|Log|Log|High|cp_severity=High deviceDirection=0 msg=Error occurred while accessing:www.example.com rt=1654481578000 alert=alert ifname=daemon loguid={0x629d62ac,0x1e,0x8a5a11ac,0x36886ca} origin=1XX.XXX.XXX.XXX sequencenum=26 version=5 product=Anti Malware reason=Failed to fetch Check Point resources. Couldn't resolve host name, check /opt/CPsuite-R81/fw1/log/rad_events/Errors/flow_140125_45982949 For more details

2022-06-06 10:10:37 hostname 1XX.XXX.XXX.XXX CEF:0|Check Point|Anti Malware|Check Point|Log|Log|Very-High|cp_severity=Very-High cs2Label=Update Status deviceCustomDate2Label=Subscription Expiration deviceCustomDate2= deviceDirection=1 rt=1654481436000 loguid={0x629d621d,0xd,0x8a5a11ac,0x36886ca} origin=1XX.XXX.XXX.XXX originsicname=CN=aaaaa,O=aaaaa..aaaaaa sequencenum=18 version=5 contract_name=Anti Bot Basic Metadata log_id=4 product=Anti Malware special_properties=0 subscription_stat=expired subscription_stat_desc=Contract is expired.

Fields

Field          Description
DATE           Event date, in the format YYYY-MM-DD
TIME           Event time, in the format HH:MM:SS
SYSTEM         The source system
TABLE          CheckPointAntiMalwareLog
SEVERITY       Event severity
ORIGIN         Name of the first Security Gateway that reported this event
MESSAGE        Event message
SNAREDATAMAP   Data not mapped to any of the above fields is pushed here.

Notes

  • The ORIGIN field is derived from origin or originsicname: the CN value of originsicname is used first; if originsicname is not available, origin is used.

  • The MESSAGE field is derived from either the msg value or the subscription_stat_desc value.

  • All other fields are appended to the SNAREDATAMAP field.
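The field mapping described above can be exercised end to end on the two sample records from this page. The following Python parser is an added example, not the product's own parsing code: it splits the syslog-style prefix, the CEF header and the CEF extension, then applies the ORIGIN and MESSAGE precedence rules from the Notes and pushes every remaining extension key into SNAREDATAMAP. The function names and the decision to leave a key out of SNAREDATAMAP once it has been used to populate ORIGIN or MESSAGE are this example's own assumptions; the sample lines are embedded verbatim, including their redacted addresses.

```python
import re
from typing import Dict, List, Optional

TABLE_NAME = "CheckPointAntiMalwareLog"

# The two sample records from this page, embedded verbatim (addresses are redacted in the original).
SAMPLE_LOGS: List[str] = [
    "2022-06-06 10:13:01 hostname 1XX.XXX.XXX.XXX CEF:0|Check Point|Anti Malware|Check Point|Log|Log|High|"
    "cp_severity=High deviceDirection=0 msg=Error occurred while accessing:www.example.com rt=1654481578000 "
    "alert=alert ifname=daemon loguid={0x629d62ac,0x1e,0x8a5a11ac,0x36886ca} origin=1XX.XXX.XXX.XXX "
    "sequencenum=26 version=5 product=Anti Malware reason=Failed to fetch Check Point resources. "
    "Couldn't resolve host name, check /opt/CPsuite-R81/fw1/log/rad_events/Errors/flow_140125_45982949 "
    "For more details",
    "2022-06-06 10:10:37 hostname 1XX.XXX.XXX.XXX CEF:0|Check Point|Anti Malware|Check Point|Log|Log|Very-High|"
    "cp_severity=Very-High cs2Label=Update Status deviceCustomDate2Label=Subscription Expiration "
    "deviceCustomDate2= deviceDirection=1 rt=1654481436000 loguid={0x629d621d,0xd,0x8a5a11ac,0x36886ca} "
    "origin=1XX.XXX.XXX.XXX originsicname=CN=aaaaa,O=aaaaa..aaaaaa sequencenum=18 version=5 "
    "contract_name=Anti Bot Basic Metadata log_id=4 product=Anti Malware special_properties=0 "
    "subscription_stat=expired subscription_stat_desc=Contract is expired.",
]

# Syslog-style prefix: date, time, reporting system, sender address, then the CEF record.
# The sender address is not mapped to any documented field, so it is ignored below.
PREFIX_RE = re.compile(r"^(\d{4}-\d{2}-\d{2}) (\d{2}:\d{2}:\d{2}) (\S+) (\S+) (CEF:.*)$")
# A CEF extension key is an identifier directly followed by '=' at the start of the extension
# or after whitespace. Requiring that boundary keeps the 'CN=' and 'O=' inside the
# originsicname value from being mistaken for keys.
KEY_RE = re.compile(r"(?:^|\s)([A-Za-z_][\w.]*)=")
CN_RE = re.compile(r"(?:^|,)CN=([^,]*)")


def parse_cef_extension(ext: str) -> Dict[str, str]:
    """Split a CEF extension into key/value pairs. Values may contain spaces
    (msg=..., reason=...) and may be empty (deviceCustomDate2=)."""
    keys = list(KEY_RE.finditer(ext))
    fields: Dict[str, str] = {}
    for i, m in enumerate(keys):
        end = keys[i + 1].start() if i + 1 < len(keys) else len(ext)
        fields[m.group(1)] = ext[m.end():end].strip()
    return fields


def parse_checkpoint_antimalware(line: str) -> Dict[str, object]:
    """Map one raw line onto the documented fields (DATE ... SNAREDATAMAP)."""
    m = PREFIX_RE.match(line.strip())
    if m is None:
        raise ValueError("line does not carry the expected date/time/system/address/CEF prefix")
    date, time, system, _sender, cef = m.groups()
    # CEF header: CEF:Version|Vendor|Product|Version|SignatureID|Name|Severity|Extension.
    # Escaped pipes (\|) inside header fields are not handled; the samples contain none.
    parts = cef.split("|", 7)
    if len(parts) != 8 or parts[0] != "CEF:0":
        raise ValueError("not a CEF:0 record")
    _, _vendor, _product, _version, _sig_id, _name, severity, ext = parts
    fields = parse_cef_extension(ext)
    used = set()

    # ORIGIN: CN of originsicname first, otherwise origin.
    origin: Optional[str] = None
    cn = CN_RE.search(fields.get("originsicname", ""))
    if cn and cn.group(1):
        origin = cn.group(1)
        used.add("originsicname")
    elif fields.get("origin"):
        origin = fields["origin"]
        used.add("origin")

    # MESSAGE: msg first, otherwise subscription_stat_desc.
    message: Optional[str] = None
    for key in ("msg", "subscription_stat_desc"):
        if fields.get(key):
            message = fields[key]
            used.add(key)
            break

    # Everything not consumed above lands in SNAREDATAMAP (assumption: a key already used
    # to populate ORIGIN or MESSAGE is not duplicated there).
    snaredatamap = {k: v for k, v in fields.items() if k not in used}

    return {
        "DATE": date, "TIME": time, "SYSTEM": system, "TABLE": TABLE_NAME,
        "SEVERITY": severity, "ORIGIN": origin, "MESSAGE": message,
        "SNAREDATAMAP": snaredatamap,
    }


def parse_all(lines: List[str]) -> List[Dict[str, object]]:
    return [parse_checkpoint_antimalware(line) for line in lines]


if __name__ == "__main__":
    for record in parse_all(SAMPLE_LOGS):
        print(record)
```

Running the script prints both mapped records. The first sample has no originsicname, so ORIGIN falls back to origin and MESSAGE comes from msg; the second carries an originsicname whose CN wins, MESSAGE comes from subscription_stat_desc, and the empty deviceCustomDate2 survives as an empty string in SNAREDATAMAP rather than being dropped.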

References

https://community.checkpoint.com/t5/Management/Log-Exporter-CEF-Field-Mappings/m-p/41060

https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk144192