Troubleshooting
Problem
Events that are routed through a CheckPoint Manager do not result in multiple Log Sources on QRadar.
Symptom
QRadar does not create log sources for each of the CheckPoint devices that are forwarded in the OPSEC LEA stream that is configured in CheckPoint Management Console.
Resolving The Problem
If you want CheckPoint devices routed through your CheckPoint Manager to result in multiple Log Sources that are automatically created on the QRadar side, uncheck the Use Server IP for Log Source checkbox on your CheckPoint device Log Source configuration..
To make this configuration change, follow these steps:
- Click Admin > Data Sources > Log Souces.
- Identify the relevant CheckPoint device, select it and click Edit.
- Uncheck the Use Server IP for Log Source box.
- Click Save
- On the Admin tab, click on Deploy Changes
Result: New log sources are AutoDiscovered as they are found in the OPSEC LEA stream.
-----
Where do I find more information?
If you have additional questions or some of this content is not clear, you can see the QRadar forum or contact customer support for assistance:
• Online QRadar Customer Forums
• Submit and manage your support tickets online 24x7 using IBM Service Request
• QRadar Downloads - IBM Fix Central
• IBM Security Support videos - YouTube channel
Was this topic helpful?
Document Information
Modified date:
16 June 2018
UID
swg21989609