[checkpoint] Update README with instructions on using logfile input (e…

…lastic#11766) Revises the Check Point integration readme to include detailed instructions on utilizing the logfile input feature.
harnish-elastic · Dec 7, 2024 · 586f0fb · 586f0fb
1 parent 42bd8ea
commit 586f0fb
Show file tree

Hide file tree

Showing 5 changed files with 428 additions and 21 deletions.
diff --git a/packages/checkpoint/_dev/build/docs/README.md b/packages/checkpoint/_dev/build/docs/README.md
@@ -26,21 +26,40 @@ This integration has been tested against Check Point Log Exporter on R81.X.
 
 ## Setup
 
-1. Install Elastic Agent on a host between your Check Point Log Exporter instance and Elastic Cluster. The agent will be used to receive syslog data from your Check Point firewalls and ship the events to Elasticsearch. 
-2. For each firewall device you wish to monitor, create a new [Log Exporter/SIEM object](https://sc1.checkpoint.com/documents/R81/WebAdminGuides/EN/CP_R81_LoggingAndMonitoring_AdminGuide/Topics-LMG/Log-Exporter-Configuration-in-SmartConsole.htm?tocpath=Log%20Exporter%7C_____2) in Check Point *SmartConsole*. Set the target server and target port to the Elastic Agent IP address and port number. Set the protocol to UDP or TCP, the Check Point integration supports both. Set the format to syslog.
-3. Configure the Management Server or Dedicated Log Server object in *SmartConsole*.
-4. Install the database within *SmartConsole* (steps included in the Checkpoint docs linked above).
-5. Within Kibana, browse to Integrations and locate the Check Point integration, and 'Add Check Point'
-6. Configure the TCP or UDP input, depending on the protocol you configured Check Point to use. 
-7. Add a certificate if using Secure Syslog over TCP with TLS (optional)
-8. Add integration to a New/Existing policy. 
-9. Browse to dashboard/discover to validate data is flowing from Check Point. 
-
 For step-by-step instructions on how to set up an integration, see the
 [Getting started](https://www.elastic.co/guide/en/welcome-to-elastic/current/getting-started-observability.html) guide.
 
 In some instances firewall events may have the same Checkpoint `loguid` and arrive during the same timestamp resulting in a fingerprint collision. To avoid this [enable semi-unified logging](https://sc1.checkpoint.com/documents/R81/WebAdminGuides/EN/CP_R81_LoggingAndMonitoring_AdminGuide/Topics-LMG/Log-Exporter-Appendix.htm?TocPath=Log%20Exporter%7C_____9) in the Checkpoint dashboard.
 
+### TCP or UDP
+
+Elastic Agent can receive log messages directly via TCP or UDP syslog messages. The Elastic Agent will be used to receive syslog data from your Check Point firewalls and ship the events to Elasticsearch. 
+
+1. For each firewall device you wish to monitor, create a new [Log Exporter/SIEM object](https://sc1.checkpoint.com/documents/R81/WebAdminGuides/EN/CP_R81_LoggingAndMonitoring_AdminGuide/Topics-LMG/Log-Exporter-Configuration-in-SmartConsole.htm?tocpath=Log%20Exporter%7C_____2) in Check Point *SmartConsole*. Set the target server and target port to the Elastic Agent IP address and port number. Set the protocol to UDP or TCP, the Check Point integration supports both. Set the format to syslog.
+2. Configure the Management Server or Dedicated Log Server object in *SmartConsole*.
+3. Install the database within *SmartConsole* (steps included in the Checkpoint docs linked above).
+4. Within Kibana, browse to Integrations and locate the Check Point integration, and 'Add Check Point'.
+5. Add Elastic Agent to host with Fleet, or install Elastic Agent manually after configuring the integration.
+6. Configure the TCP or UDP input, depending on the protocol you configured Check Point to use.
+7. Add a certificate if using Secure Syslog over TCP with TLS (optional)
+8. Add integration to a New/Existing policy.
+9. Browse to dashboard/discover to validate data is flowing from Check Point.
+
+### Logfile
+
+Elastic Agent can process log messages by monitoring a log file on a host receiving syslog messages. The syslog server will receive messages from Check Point, write to a logfile, and Elastic Agent will watch the log file to send to the Elastic Cluster. 
+
+1. Install a syslog server on a host between your Check Point Log Exporter instance and Elastic Cluster. 
+2. Configure the syslog server to write logs to a logfile.
+3. For each firewall device you wish to monitor, create a new [Log Exporter/SIEM object](https://sc1.checkpoint.com/documents/R81/WebAdminGuides/EN/CP_R81_LoggingAndMonitoring_AdminGuide/Topics-LMG/Log-Exporter-Configuration-in-SmartConsole.htm?tocpath=Log%20Exporter%7C_____2) in Check Point *SmartConsole*. Set the target server and target port to the syslog server. Set the protocol to UDP or TCP, the Check Point integration supports both. Set the format to syslog.
+4. Configure the Management Server or Dedicated Log Server object in *SmartConsole*.
+5. Install the database within *SmartConsole* (steps included in the Checkpoint docs linked above).
+6. Within Kibana, navigate to the Integrations section and locate the Check Point integration. Click on the "Add Check Point" button to initiate the integration process.
+7. Add Elastic Agent to host with Fleet, or install Elastic Agent manually after configuring the integration.
+8. Configure the logfile input, to monitor the logfile pattern that the syslog server will write to.
+9. Add integration to a New/Existing policy.
+10. Browse to dashboard/discover to validate data is flowing from Check Point.
+
 ## Logs reference
 
 ### Firewall

diff --git a/packages/checkpoint/changelog.yml b/packages/checkpoint/changelog.yml
@@ -1,4 +1,9 @@
 # newer versions go on top
+- version: "1.34.4"
+  changes:
+    - description: Add instructions on using logfile input
+      type: bugfix
+      link: https://github.com/elastic/integrations/pull/11766
 - version: "1.34.3"
   changes:
     - description: Align hostname grok pattern with syslog RFC.