Hi,
Please can you help me integrate a Checkpoint firewall with my FortiSIEM?
I have logs in my SIEM but they show as Unknown_EventType.
How can I parse the logs?
Thank you.
Hi,
I have an update on the issue.
The error we made was not installing the database after the configuration change in Checkpoint.
Thank you @cdurkin_FTNT for your help.
Can you provide more information?
Version of Checkpoint?
Is it syslog you're sending?
What do the logs look like?
Is it all logs or just individual logs that are not parsing?
Hi, thank you for your reply.
- Checkpoint Version 81.20
- logs are sent as syslog
- logs are like: <134>1 2024-05-21T13:29:35Z Jidar CheckPoint 14762 - [action:"HTTPS Bypass"; flags:"393216"; ifdir:"inbound"; ifname:"eth0"; loguid:"{0x664ca1bf,0x12,0x296960a,0x1d08b9aa}"; origin:"10.150.150.2"; originsicname:"cn=cp_mgmt,o=jidar.ont.org"; sequencenum:"1"; time:"1716298175"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={6FD6C417-5FBC-1549-A5D1-3C30245C2AD5};mgmt=jidar;date=1715777317;policy_name=package_17022020\]"; dst:"23.47.189.163"; https_inspection_action:"Bypass"; https_inspection_rule_id:"{A7204184-CDFF-4532-A30C-50490D6296AB}"; https_inspection_rule_name:"Predefined Rule"; product:"HTTPS Inspection"; proto:"6"; s_port:"63591"; service:"443"; src:"172.16.21.174"; log_link:"
- all logs are not parsing and are shown as Unknown_EventType
Thank you.
So I believe the issue here is that we require syslog in CEF format.
The above sample is not CEF.
Hi,
I applied the change in my Checkpoint FW to send CEF format, but it is still Unknown.
FYI: in the FortiSIEM CMDB the device is in the category "Generic".
Can you give a few new sample events in CEF format?
Hi, I clicked by error.
Here is the log:
<134>1 2024-05-21T15:54:11Z Jidar CheckPoint 14762 - [action:"Accept"; flags:"417028"; ifdir:"inbound"; ifname:"eth0"; logid:"0"; loguid:"{0x9a21907,0xa430b040,0xe8b082dc,0x2ffdd8d0}"; origin:"10.150.150.2"; originsicname:"cn=cp_mgmt,o=jidar.ont.orgm7kic3"; sequencenum:"6"; time:"1716306851"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={BD8249E2-5B97-8243-9A5D-2AC67F5694C2};mgmt=jidar;date=1716305572;policy_name=package_17022020\]"; dst:"192.168.3.110"; inzone:"Internal"; layer_name:"package_17022020 Security"; layer_uuid:"8a3192b4-5c30-4dd2-9d87-2678ac934224"; match_id:"49"; parent_rule:"0"; rule_action:"Accept"; rule_uid:"1f0ca9bd-c881-4295-8b4a-0f50d18644ca"; outzone:"External"; product:"VPN-1 & FireWall-1"; proto:"17"; s_port:"43578"; service:"161"; service_id:"snmp"; src:"192.168.1.148";
Hi Amir
Not sure if you pasted the wrong event... but that was still not CEF format.
This is an example of CEF...
CEF:0|Check Point|VPN-1 & FireWall-1|Check Point|Log|http|Unknown|act=Accept deviceDirection=0 rt=1528095651000 spt=39108 dpt=80 cs2Label=Rule Name cs2=Implicit Cleanup layer_name=LRSK Security layer_name=LRSK Application layer_uuid=ab166dee-e955-4b8f-a5e7-6234fbaeefde layer_uuid=5549ebc0-70a4-43d1-8ec6-ca53f2306a62 match_id=42 match_id=33554431 parent_rule=0 parent_rule=0 rule_action=Accept rule_action=Accept rule_uid=f3d1c6d8-f328-4059-b471-99dc346cea78 ifname=eth6 logid=0 loguid={0x5b14e3a2,0xb,0xfbffff0a,0xc0000007} origin=1.1.1.1 originsicname=CN\=gate2,O\=pgkeeper.citadele.lrs.lt.wj6ide sequencenum=34 version=5 dst=1.1.1.1 inzone=External outzone=Internal product=VPN-1 & FireWall-1 proto=6 service_id=http src=1.1.1.1
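To make the difference between the two formats concrete, here is a small Python checker, added as an illustration and not code from this thread, FortiSIEM or Check Point. It classifies a received line as CEF or as Check Point's own key:"value"; syslog body and parses both; the sample events are constructed, shortened copies of the ones quoted above.

```python
import re
# Constructed samples, shortened from the two formats quoted in this thread.
CHECKPOINT_NATIVE = ('<134>1 2024-05-21T15:54:11Z Jidar CheckPoint 14762 - '
                     '[action:"Accept"; ifdir:"inbound"; ifname:"eth0"; origin:"10.150.150.2"; '
                     'dst:"192.168.3.110"; proto:"17"; s_port:"43578"; service:"161"; src:"192.168.1.148"; ]')
CEF_SAMPLE = ('CEF:0|Check Point|VPN-1 & FireWall-1|Check Point|Log|http|Unknown|'
              'act=Accept deviceDirection=0 spt=39108 dpt=80 cs2Label=Rule Name '
              'cs2=Implicit Cleanup layer_name=LRSK Security layer_name=LRSK Application '
              'originsicname=CN\\=gate2,O\\=pgkeeper product=VPN-1 & FireWall-1 '
              'proto=6 service_id=http src=1.1.1.1')

HEADER_FIELDS = ("version", "vendor", "product", "device_version", "signature_id", "name", "severity")
_CEF_START = re.compile(r'(?:^|\s)(CEF:\d+\|.*)$', re.S)   # CEF may follow a syslog header
_NATIVE_KV = re.compile(r'([A-Za-z_]\w*):"([^"]*)"')        # Check Point key:"value"; pairs

def detect_format(line):
    """Classify a received syslog line as 'cef', 'checkpoint-native' or 'unknown'."""
    if _CEF_START.search(line):
        return "cef"
    if re.search(r'\[[A-Za-z_]+:"[^"]*";', line):
        return "checkpoint-native"
    return "unknown"

def _unescape(s):
    # CEF escapes '|' in header fields and '=' in extension values with a backslash.
    return re.sub(r'\\([|=\\])', r'\1', s)

def parse_cef(line):
    """Split a CEF line into its 7 pipe-delimited header fields and key=value extensions."""
    m = _CEF_START.search(line)
    if not m:
        raise ValueError("not a CEF event")
    parts = re.split(r'(?<!\\)\|', m.group(1), maxsplit=7)
    if len(parts) != 8:
        raise ValueError("CEF header must have exactly 7 fields before the extension")
    parts[0] = parts[0].split(":", 1)[1]                     # "CEF:0" -> "0"
    header = dict(zip(HEADER_FIELDS, map(_unescape, parts[:7])))
    ext = {}
    # Split only at a space that begins a new 'key=' token, since values may contain spaces.
    for token in re.split(r' (?=[A-Za-z_][\w.]*=)', parts[7].strip()):
        key, _, val = token.partition("=")
        ext.setdefault(key, []).append(_unescape(val))
    # Repeated keys (e.g. layer_name per policy layer) stay as lists; single values are unwrapped.
    ext = {k: v[0] if len(v) == 1 else v for k, v in ext.items()}
    return {"header": header, "extension": ext}

def parse_checkpoint_native(line):
    """Parse Check Point's own [key:"value"; ...] syslog body (what FortiSIEM was receiving)."""
    return dict(_NATIVE_KV.findall(line))
```

Running detect_format over a few received lines is a quick way to confirm whether the exporter change actually took effect before looking for a parser problem on the FortiSIEM side.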
Hi
Do I have to do anything else when changing the log configuration in Checkpoint?
Sorry, I do not have access to a Checkpoint to verify. I'd suggest a TAC ticket or speak with your Checkpoint specialist.