Parser Example
CheckPoint
Overview
This parser handles CheckPoint logs in JSON Wrapped Format: logs shipped through Filebeat/Fluentd/Logstash, where the message field holds key-value pairs in the CheckPoint key:"value"|key:value format.
Input Format:
{"message":"time=1741053776|action:\"Accept\"|src:\"172.23.16.92\"|...", "vendor":"CheckPoint", "host":"hostname"}
Log Types:
- Firewall logs: action="Accept/Drop/Reject"
- VPN logs: vpn_feature_name="IPSec/Mobile Access"
- IPS/IDS logs: product="SmartDefense", attack detection
- Application Control: product="Application Control"
- URL Filtering: product="URL Filtering"
- DLP logs: product="DLP"
Message Content: key:"value"|key:value pairs separated by the pipe character |
Sample Logs (JSON Wrapped Format)
1. Firewall - Accept Traffic
{"@timestamp":"2026-03-04T02:03:00.606Z","message":"time=1741053776|action:\"Accept\"|conn_direction:\"Outgoing\"|ifdir:\"outbound\"|ifname:\"bond1.3211\"|logid:\"0\"|loguid:\"{0xa6f6feb6,0x2eb8b933,0xb8d2077b,0x6ea31667}\"|origin:\"172.28.146.11\"|originsicname:\"CN=HaNoi-SMG165,O=HAL06-S-165..\"|sequencenum:\"32\"|time:\"1741053776\"|version:\"5\"|context_num:\"1\"|dst:\"172.23.5.2\"|layer_name:\"NB Security Policy Layer\"|match_id:\"58\"|parent_rule:\"0\"|rule_action:\"Accept\"|rule_name:\"Rule tam thoi\"|rule_uid:\"b2e74a92-a7db-46b0-a8b6-d8f1bcd2d63d\"|nat_rulenum:\"0\"|product:\"VPN-1 & FireWall-1\"|proto:\"17\"|s_port:\"58084\"|service:\"161\"|service_id:\"snmp\"|src:\"172.23.16.92\"","timestamp":"2026-03-04T02:03:00.606Z","vendor":"CheckPoint","host":"172.28.146.11"}
2. Firewall - Drop Traffic
{"@timestamp":"2026-03-04T09:15:22.445Z","message":"time=1741079722|action:\"Drop\"|conn_direction:\"Incoming\"|ifdir:\"inbound\"|ifname:\"eth0\"|logid:\"0\"|loguid:\"{0xb7f8adc4,0x3fc9d844,0xc9e3188c,0x7fb42778}\"|origin:\"192.168.100.1\"|sequencenum:\"145\"|time:\"1741079722\"|version:\"5\"|dst:\"192.168.10.50\"|layer_name:\"Security\"|match_id:\"12\"|parent_rule:\"0\"|rule_action:\"Drop\"|rule_name:\"Cleanup rule\"|rule_uid:\"c3d5cef6-87dc-57e1-bf25-55f6dcd3e74e\"|product:\"VPN-1 & FireWall-1\"|proto:\"6\"|s_port:\"44523\"|service:\"22\"|service_id:\"ssh\"|src:\"203.0.113.45\"|attack:\"Port Scan\"|attack_info:\"Multiple port scan detected\"","timestamp":"2026-03-04T09:15:22.445Z","vendor":"CheckPoint","host":"192.168.100.1"}
3. IPS - Intrusion Detected
{"@timestamp":"2026-03-04T11:30:20.890Z","message":"time=1741087820|action:\"Prevent\"|logid:\"0\"|loguid:\"{0xg2k3fij9,0x8kh4i399,0xh4j8633h,0x2kg97cc3}\"|origin:\"ips-sensor.company.com\"|time:\"1741087820\"|version:\"5\"|product:\"SmartDefense\"|attack:\"SQL Injection\"|attack_info:\"SQL Injection attempt detected in HTTP request\"|protection_name:\"SQL Injection Generic\"|protection_type:\"sql_injection\"|severity:\"Critical\"|confidence_level:\"High\"|src:\"203.0.113.200\"|dst:\"192.168.50.100\"|s_port:\"54321\"|service:\"80\"|service_id:\"http\"|proto:\"6\"|ifname:\"eth1\"|cve:\"CVE-2023-12345\"|rule_action:\"Prevent\"","timestamp":"2026-03-04T11:30:20.890Z","vendor":"CheckPoint","host":"ips-sensor.company.com"}
4. Anti-Virus - Malware Detected
{"@timestamp":"2026-03-04T13:15:40.456Z","message":"time=1741094140|action:\"Prevent\"|logid:\"0\"|loguid:\"{0xh3l4gjk0,0x9li5j400,0xi5k9744i,0x3lh08dd4}\"|origin:\"av-gateway.company.com\"|time:\"1741094140\"|version:\"5\"|product:\"Anti-Virus\"|malware_name:\"Trojan.Win32.Generic\"|malware_family:\"Trojan\"|file_name:\"malicious.exe\"|file_md5:\"5d41402abc4b2a76b9719d911017c592\"|file_sha256:\"e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855\"|src:\"192.168.100.50\"|dst:\"93.184.216.34\"|s_port:\"49152\"|service:\"80\"|proto:\"6\"|action:\"Prevent\"|severity:\"High\"","timestamp":"2026-03-04T13:15:40.456Z","vendor":"CheckPoint","host":"av-gateway.company.com"}
5. VPN - Connection Established
{"@timestamp":"2026-03-04T08:30:15.678Z","message":"time=1741076415|action:\"Accept\"|conn_direction:\"Internal\"|logid:\"0\"|loguid:\"{0xd9h0cfg6,0x5he1f066,0xe1g5300e,0x9hd64990}\"|origin:\"vpn-gateway.company.com\"|time:\"1741076415\"|version:\"5\"|vpn_feature_name:\"IPSec\"|peer_gateway:\"203.0.113.100\"|encryption_method:\"AES-256\"|authentication_method:\"SHA256\"|vpn_community:\"RemoteSites\"|src:\"172.16.10.50\"|dst:\"10.0.0.100\"|user:\"john.doe\"|tunnel_type:\"site_to_site\"|action:\"Accept\"|rule_name:\"VPN Accept\"","timestamp":"2026-03-04T08:30:15.678Z","vendor":"CheckPoint","host":"vpn-gateway.company.com"}
6. URL Filtering - Blocked
{"@timestamp":"2026-03-04T14:55:30.678Z","message":"time=1741100130|action:\"Drop\"|logid:\"0\"|loguid:\"{0xl7p8kno4,0x3pm9n844,0xm9o3188m,0x7pl42hh8}\"|origin:\"url-filter.company.com\"|time:\"1741100130\"|version:\"5\"|product:\"URL Filtering\"|resource:\"http://malicious-site.example.com/phishing.html\"|url_category:\"Phishing\"|url_reputation:\"Malicious\"|src:\"192.168.10.100\"|dst:\"198.51.100.150\"|s_port:\"55123\"|service:\"80\"|proto:\"6\"|action:\"Drop\"|rule_name:\"Block Malicious URLs\"|user:\"dave.brown\"","timestamp":"2026-03-04T14:55:30.678Z","vendor":"CheckPoint","host":"url-filter.company.com"}
Parser Configuration
#regex
#conditional
event_timestamp = ""
if (ts, err = to_string(.timestamp); err == null) {
event_timestamp = ts
}
log_message = ""
if (msg, err = to_string(.message); err == null) {
log_message = msg
}
vendor_str = ""
if (v, err = to_string(.vendor); err == null) { vendor_str = v }
host_str = ""
if (h, err = to_string(.host); err == null) { host_str = h }
event_module = "checkpoint"
event_category = ""
event_action = ""
event_outcome = ""
event_type = ""
log_level = "info"
source_ip = ""
source_port = ""
destination_ip = ""
destination_port = ""
network_protocol = ""
network_transport = ""
network_iana_number = ""
network_direction = ""
observer_vendor = "Check Point"
observer_hostname = ""
observer_product = ""
observer_interface = ""
user_name = ""
rule_name = ""
rule_id = ""
threat_name = ""
threat_type = ""
threat_category = ""
threat_id = ""
threat_rule = ""
file_name = ""
file_md5 = ""
file_sha256 = ""
url_full = ""
url_domain = ""
if (src_m, err = parse_regex(log_message, r'src:"(?P<ip>[^"]+)"'); err == null) {
source_ip = to_string(src_m.ip)
}
if (sport_m, err = parse_regex(log_message, r's_port:"(?P<port>[^"]+)"'); err == null) {
source_port = to_string(sport_m.port)
}
if (dst_m, err = parse_regex(log_message, r'dst:"(?P<ip>[^"]+)"'); err == null) {
destination_ip = to_string(dst_m.ip)
}
if (svc_m, err = parse_regex(log_message, r'service:"(?P<port>[^"]+)"'); err == null) {
destination_port = to_string(svc_m.port)
}
if (proto_m, err = parse_regex(log_message, r'proto:"(?P<proto>[^"]+)"'); err == null) {
network_iana_number = to_string(proto_m.proto)
if proto_m.proto == "6" { network_transport = "tcp" }
if proto_m.proto == "17" { network_transport = "udp" }
if proto_m.proto == "1" { network_transport = "icmp" }
}
if (svcid_m, err = parse_regex(log_message, r'service_id:"(?P<svc>[^"]+)"'); err == null) {
network_protocol = downcase(to_string(svcid_m.svc))
}
if (action_m, err = parse_regex(log_message, r'(?:^|\|)action:"(?P<action>[^"]+)"'); err == null) {
act_str = to_string(action_m.action)
if act_str == "Accept" {
event_action = "allowed"
event_outcome = "success"
}
if act_str == "Drop" {
event_action = "denied"
event_outcome = "success"
}
if act_str == "Reject" {
event_action = "denied"
event_outcome = "success"
}
if act_str == "Prevent" {
event_action = "blocked"
event_outcome = "success"
}
}
if (rule_m, err = parse_regex(log_message, r'rule_name:"(?P<name>[^"]+)"'); err == null) {
rule_name = to_string(rule_m.name)
}
if (ruleuid_m, err = parse_regex(log_message, r'rule_uid:"(?P<uid>[^"]+)"'); err == null) {
rule_id = to_string(ruleuid_m.uid)
}
if (origin_m, err = parse_regex(log_message, r'origin:"(?P<host>[^"]+)"'); err == null) {
observer_hostname = to_string(origin_m.host)
}
if (product_m, err = parse_regex(log_message, r'product:"(?P<prod>[^"]+)"'); err == null) {
observer_product = to_string(product_m.prod)
}
if (ifname_m, err = parse_regex(log_message, r'ifname:"(?P<intf>[^"]+)"'); err == null) {
observer_interface = to_string(ifname_m.intf)
}
if (dir_m, err = parse_regex(log_message, r'conn_direction:"(?P<dir>[^"]+)"'); err == null) {
dir_val = to_string(dir_m.dir)
if dir_val == "Outgoing" { network_direction = "outbound" }
if dir_val == "Incoming" { network_direction = "inbound" }
if dir_val == "Internal" { network_direction = "internal" }
}
if (user_m, err = parse_regex(log_message, r'user:"(?P<user>[^"]+)"'); err == null) {
user_name = to_string(user_m.user)
}
if (attack_m, err = parse_regex(log_message, r'attack:"(?P<attack>[^"]+)"'); err == null) {
threat_name = to_string(attack_m.attack)
threat_type = "attack"
}
if (malware_m, err = parse_regex(log_message, r'malware_name:"(?P<malware>[^"]+)"'); err == null) {
threat_name = to_string(malware_m.malware)
threat_type = "malware"
}
if (protection_m, err = parse_regex(log_message, r'protection_name:"(?P<prot>[^"]+)"'); err == null) {
threat_rule = to_string(protection_m.prot)
}
if (cve_m, err = parse_regex(log_message, r'cve:"(?P<cve>[^"]+)"'); err == null) {
threat_id = to_string(cve_m.cve)
}
if (file_m, err = parse_regex(log_message, r'file_name:"(?P<file>[^"]+)"'); err == null) {
file_name = to_string(file_m.file)
}
if (md5_m, err = parse_regex(log_message, r'file_md5:"(?P<md5>[^"]+)"'); err == null) {
file_md5 = to_string(md5_m.md5)
}
if (sha256_m, err = parse_regex(log_message, r'file_sha256:"(?P<sha>[^"]+)"'); err == null) {
file_sha256 = to_string(sha256_m.sha)
}
if (resource_m, err = parse_regex(log_message, r'resource:"(?P<url>[^"]+)"'); err == null) {
url_full = to_string(resource_m.url)
if (domain_m, err = parse_regex(url_full, r'://(?P<domain>[^/]+)'); err == null) {
url_domain = to_string(domain_m.domain)
}
}
if (urlcat_m, err = parse_regex(log_message, r'url_category:"(?P<cat>[^"]+)"'); err == null) {
threat_category = to_string(urlcat_m.cat)
}
prod_str = to_string(observer_product)
if contains(prod_str, "VPN-1") {
event_category = "network"
if event_action == "denied" { event_type = "denied" } else { event_type = "connection" }
if event_action == "" { event_action = "connection_attempt" }
}
if contains(prod_str, "SmartDefense") {
event_type = "denied"
event_category = "intrusion_detection"
if event_action == "" { event_action = "blocked" }
}
if contains(prod_str, "Anti-Virus") {
event_type = "denied"
event_category = "malware"
if event_action == "" { event_action = "blocked" }
}
if contains(prod_str, "Anti-Bot") {
event_type = "denied"
event_category = "malware"
if event_action == "" { event_action = "blocked" }
}
if contains(prod_str, "Application Control") {
event_type = "denied"
event_category = "network"
}
if contains(prod_str, "URL Filtering") {
event_type = "denied"
event_category = "web"
}
if contains(prod_str, "DLP") {
event_type = "denied"
event_category = "intrusion_detection"
}
if contains(log_message, "vpn_feature_name") {
event_type = "connection"
event_category = "network"
event_module = "checkpoint.vpn"
}
if event_category == "" { event_category = "network" }
if event_action == "" { event_action = "info" }
if event_outcome == "" { event_outcome = "unknown" }
if event_type == "" { event_type = "info" }
if observer_hostname == "" { observer_hostname = host_str }
#normalize
timestamp: format_timestamp!(parse_timestamp!(.timestamp, "%Y-%m-%dT%H:%M:%S.%3fZ"), "%Y-%m-%d %H:%M:%S")
event.module: event_module
event.category: event_category
event.action: event_action
event.outcome: event_outcome
event.type: event_type
log.level: log_level
message: log_message
source.ip: source_ip
source.port: source_port
destination.ip: destination_ip
destination.port: destination_port
network.transport: network_transport
network.protocol: network_protocol
network.iana_number: network_iana_number
network.direction: network_direction
observer.vendor: observer_vendor
observer.hostname: observer_hostname
observer.product: observer_product
observer.ingress.interface.name: observer_interface
user.name: user_name
rule.name: rule_name
rule.id: rule_id
threat.name: threat_name
threat.type: threat_type
threat.category: threat_category
threat.id: threat_id
threat.rule: threat_rule
file.name: file_name
file.hash.md5: file_md5
file.hash.sha256: file_sha256
url.full: url_full
url.domain: url_domain
Event Categories
| Product | Action | Event Category | Event Action | Event Type |
|---|---|---|---|---|
| VPN-1 & FireWall-1 | Accept | network | allowed | connection |
| VPN-1 & FireWall-1 | Drop | network | denied | denied |
| VPN-1 & FireWall-1 | Reject | network | denied | denied |
| SmartDefense | Prevent | intrusion_detection | blocked | denied |
| Anti-Virus | Prevent | malware | blocked | denied |
| Anti-Bot | Prevent | malware | blocked | denied |
| Application Control | Drop | network | denied | denied |
| URL Filtering | Drop | web | denied | denied |
| DLP | Prevent | intrusion_detection | blocked | denied |
| VPN | Accept | network | allowed | connection |
Field Mapping
| CheckPoint Field | ECS Field | Field Set |
|---|---|---|
| src | source.ip | Source |
| s_port | source.port | Source |
| dst | destination.ip | Destination |
| service | destination.port | Destination |
| proto | network.iana_number, network.transport | Network |
| service_id | network.protocol | Network |
| conn_direction | network.direction | Network |
| origin | observer.hostname | Observer |
| product | observer.product | Observer |
| ifname | observer.ingress.interface.name | Observer |
| user | user.name | User |
| rule_name | rule.name | Rule |
| rule_uid | rule.id | Rule |
| attack | threat.name, threat.type | Threat |
| malware_name | threat.name, threat.type | Threat |
| protection_name | threat.rule | Threat |
| cve | threat.id | Threat |
| url_category | threat.category | Threat |
| file_name | file.name | File |
| file_md5 | file.hash.md5 | File |
| file_sha256 | file.hash.sha256 | File |
| resource | url.full, url.domain | URL |
Notes
Input Format: a JSON object whose .message field carries the CheckPoint key-value pairs.
Parsing Strategy:
- Extract the .message field from the JSON wrapper
- Parse key-value pairs with the regex key:"(?P<name>[^"]+)"; a key that is also the suffix of another key (action inside rule_action) must be anchored on the start of the message or on the pipe separator, otherwise the first match can come from the wrong key
- Map proto numbers: 6=tcp, 17=udp, 1=icmp
- Normalize action values: Accept→allowed, Drop/Reject→denied, Prevent→blocked
- Detect the product type to set the matching event.category
- source.port, destination.port and network.iana_number are emitted as strings; cast them with to_int() if the target index maps them as integers
- The message carries its own epoch in the leading time= field while the parser reads the wrapper's timestamp field; the two can disagree when the shipper stamps the event (in the samples above the time= epoch falls in 2025 and the wrapper timestamp in 2026), so pick one source deliberately
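The message format from the Overview and the parsing strategy above, carried out end to end in Python as an added example (this is not the page's VRL parser and not Check Point's own tooling): it splits the wrapped message on the pipe separator instead of regex-searching the whole text, normalizes the same fields to flat ECS names, and keeps a `naive_regex_value()` helper only to show why a bare `action:"..."` regex returns the `rule_action` value when that key comes first. The `wrap()` helper, `PITFALL_MESSAGE`, the `SAMPLES` dictionary and all function names are constructed for this example; its sample lines are trimmed copies of the page's samples.

```python
import json
import re
from datetime import datetime
from typing import Dict, Optional
from urllib.parse import urlsplit

# One CheckPoint field: key:"value", key:value or key=value (the leading time= field)
KV_RE = re.compile(r'^(\w+)[:=]"?([^"]*)"?$')
TRANSPORT_BY_IANA = {"6": "tcp", "17": "udp", "1": "icmp"}
DIRECTION_MAP = {"Outgoing": "outbound", "Incoming": "inbound", "Internal": "internal"}
# CheckPoint action -> (event.action, event.outcome)
ACTION_MAP = {"Accept": ("allowed", "success"), "Drop": ("denied", "success"),
              "Reject": ("denied", "success"), "Prevent": ("blocked", "success")}
# (substring of product, event.category, event.type, event.action to use when none was set)
PRODUCT_RULES = [("SmartDefense", "intrusion_detection", "denied", "blocked"),
                 ("Anti-Virus", "malware", "denied", "blocked"), ("Anti-Bot", "malware", "denied", "blocked"),
                 ("Application Control", "network", "denied", ""), ("URL Filtering", "web", "denied", ""),
                 ("DLP", "intrusion_detection", "denied", "")]
# CheckPoint key -> ECS field, copied verbatim
DIRECT_COPY = [("src", "source.ip"), ("s_port", "source.port"), ("dst", "destination.ip"),
               ("service", "destination.port"), ("rule_name", "rule.name"), ("rule_uid", "rule.id"),
               ("product", "observer.product"), ("ifname", "observer.ingress.interface.name"),
               ("user", "user.name"), ("protection_name", "threat.rule"), ("cve", "threat.id"),
               ("url_category", "threat.category"), ("file_name", "file.name"), ("file_md5", "file.hash.md5"),
               ("file_sha256", "file.hash.sha256"), ("resource", "url.full")]

def parse_message(message: str) -> Dict[str, str]:
    """Split on '|' and match the key at the start of each field; the first occurrence of a key wins."""
    fields: Dict[str, str] = {}
    for part in message.split("|"):  # caveat: a value containing '|' is cut; the exporter does not escape it
        m = KV_RE.match(part)
        if m:
            fields.setdefault(m.group(1), m.group(2))
    return fields

def naive_regex_value(message: str, key: str) -> Optional[str]:
    """The page's parse_regex() style: first key:"value" match anywhere, so rule_action can hijack action."""
    m = re.search(key + r':"([^"]+)"', message)
    return m.group(1) if m else None

def to_ecs(line: str) -> Dict[str, str]:
    """Normalize one JSON-wrapped CheckPoint line to flat ECS field names (values stay strings)."""
    wrapper = json.loads(line)
    f = parse_message(wrapper.get("message", ""))
    ecs = {"event.module": "checkpoint", "observer.vendor": "Check Point"}
    ts = wrapper.get("timestamp") or wrapper.get("@timestamp")
    if ts:  # reformat the wrapper timestamp as the page's normalize section does
        ecs["timestamp"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S.%fZ").strftime("%Y-%m-%d %H:%M:%S")
    for cp_key, ecs_key in DIRECT_COPY:
        if cp_key in f:
            ecs[ecs_key] = f[cp_key]
    ecs["observer.hostname"] = f.get("origin") or wrapper.get("host", "")
    if "proto" in f:
        ecs["network.iana_number"] = f["proto"]
        ecs["network.transport"] = TRANSPORT_BY_IANA.get(f["proto"], "")
    if "service_id" in f:
        ecs["network.protocol"] = f["service_id"].lower()
    if f.get("conn_direction") in DIRECTION_MAP:
        ecs["network.direction"] = DIRECTION_MAP[f["conn_direction"]]
    if "attack" in f:
        ecs["threat.name"], ecs["threat.type"] = f["attack"], "attack"
    if "resource" in f:
        ecs["url.domain"] = urlsplit(f["resource"]).netloc
    action, outcome = ACTION_MAP.get(f.get("action", ""), ("", ""))
    product, category, etype = f.get("product", ""), "", ""
    if "VPN-1" in product:  # firewall log: Drop/Reject is a denied event, anything else a connection
        category, etype = "network", "denied" if action == "denied" else "connection"
        action = action or "connection_attempt"
    for needle, cat, typ, default_action in PRODUCT_RULES:
        if needle in product:
            category, etype, action = cat, typ, action or default_action
    if "vpn_feature_name" in f:
        category, etype, ecs["event.module"] = "network", "connection", "checkpoint.vpn"
    ecs.update({"event.category": category or "network", "event.action": action or "info",
                "event.outcome": outcome or "unknown", "event.type": etype or "info"})
    return ecs

def wrap(message: str, host: str, ts: str = "2026-03-04T02:03:00.606Z") -> str:
    return json.dumps({"timestamp": ts, "message": message, "vendor": "CheckPoint", "host": host})

# Constructed input, wrapped the way Filebeat/Logstash would ship it: trimmed copies of the page's
# firewall, IPS and URL Filtering lines, plus PITFALL_MESSAGE where rule_action precedes action.
PITFALL_MESSAGE = 'rule_action:"Accept"|action:"Drop"|src:"10.0.0.5"|product:"VPN-1 & FireWall-1"'
SAMPLES = {
    "fw_accept": wrap('time=1741053776|action:"Accept"|conn_direction:"Outgoing"|ifname:"bond1.3211"|origin:"172.28.146.11"'
                      '|dst:"172.23.5.2"|rule_action:"Accept"|rule_name:"Rule tam thoi"|product:"VPN-1 & FireWall-1"'
                      '|proto:"17"|s_port:"58084"|service:"161"|service_id:"snmp"|src:"172.23.16.92"', "172.28.146.11"),
    "fw_drop": wrap('time=1741079722|action:"Drop"|conn_direction:"Incoming"|origin:"192.168.100.1"|dst:"192.168.10.50"'
                    '|product:"VPN-1 & FireWall-1"|proto:"6"|service:"22"|service_id:"ssh"|src:"203.0.113.45"|attack:"Port Scan"',
                    "192.168.100.1"),
    "ips": wrap('time=1741087820|action:"Prevent"|origin:"ips-sensor.company.com"|product:"SmartDefense"|src:"203.0.113.200"'
                '|protection_name:"SQL Injection Generic"|service:"80"|proto:"6"', "ips-sensor.company.com"),
    "url": wrap('time=1741100130|action:"Drop"|origin:"url-filter.company.com"|product:"URL Filtering"|user:"dave.brown"'
                '|resource:"http://malicious-site.example.com/phishing.html"|url_category:"Phishing"|src:"192.168.10.100"'
                '|dst:"198.51.100.150"|service:"80"|proto:"6"', "url-filter.company.com"),
    "pitfall": wrap(PITFALL_MESSAGE, "gw"),
}
```

Call `to_ecs()` on each entry of `SAMPLES` (or on a real shipped line) and compare the result with the Field Mapping table; ports and IANA numbers stay strings here, as in the VRL output, so cast them before indexing into integer-typed fields. On `PITFALL_MESSAGE` the split-based `parse_message()` returns `Drop` for `action` while `naive_regex_value()` returns `Accept`, which is the case the anchored regex in the parser configuration guards against.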
VRL Functions Used:
- to_string() - type coercion
- parse_regex() - key-value extraction
- contains() - product/feature detection
- downcase() - lowercase conversion
- parse_timestamp!() / format_timestamp!() - wrapper timestamp normalization
Vendor Identification:
- JSON field: "vendor": "CheckPoint"
- Message format: key:"value"|key:value with pipe separator
Test Results: See TEST_RESULTS.md for detailed test cases.