...
The full tag must have four levels. The first two are fixed as firewall.checkpoint. The third level identifies the tool used to forward the events and the fourth is required but you are free to define it as you like (we suggest using it to identify the location of the machine that is the event source, for example, dmz).
Technology | Brand | Tool | Group |
|---|---|---|---|
firewall | checkpoint | fw | <group> |
gaia |
| ||
lea | <group> | ||
log_exporter | <group> |
These are the valid tags and corresponding data tables that will receive the parsers' data:
Tag | Data table |
|---|---|
firewall.checkpoint.log_exporter.<group> | firewall.checkpoint.log_exporter |
firewall.checkpoint.gaia.<group> | firewall.checkpoint.gaia |
firewall.checkpoint.lea.<group> | firewall.checkpoint.lea |
firewall.checkpoint.fw.<group> | firewall.checkpoint.fw |
These tags are designed to accommodate the different ways that the firewall events can be exported to Devo.
If you use the Check Point Log Exporter, then it is the firewall.checkpoint.log_exporter.<group> tag. This is the recommended option.
If you use the ArcSight SmartConnector for Check Point, then it is the firewall.checkpoint.gaia.<group> tag.
If you use OPSEC LEA, then it is the firewall.checkpoint.lea.<group> tag.
If you use any other method, then it is the firewall.checkpoint.fw.<group> tag.
...